Budapest, Miami, June 14, 2024 — A milestone in the life of XS Matrix, a renowned American-Hungarian IT security company, a specialist in IAM security, as Zoltán Vágvölgyi joins the cybersecurity startup as Commercial Director after tenures at IBM and Oracle. His tasks include strengthening the domestic and international market presence of THEFENCE, a solution developed for the discovery, review, analysis and risk management of corporate access rights.

-After working for the world’s largest multinational IT and software solution providers, why did you choose a startup developing cybersecurity solutions? What challenges motivated this switch?

The multinational environment has its own characteristics, but I believe that periodically one needs new challenges to leave a mark on the world. In our constantly changing globalized world, organizations are continually impacted by new factors such as the pandemic. Previous trends have shifted: COVID accelerated digitalization, leading to the automation of business processes and the replacement of certain infrastructure elements by cloud solutions. Digital transaction solutions have become more accepted, AI has emerged, and even remote work has been integrated into organizational cultures where it previously wasn’t, such as banks and financial institutions. The increasing prevalence of remote work and geopolitical changes have placed corporate access management systems at the forefront of defense strategies.

-Who do we need to protect our data from?

For instance, from market competitors, phishing attacks, or even our own employees or third parties with access to our systems, like suppliers, external partners or other contractors. Our focus is on ensuring that within a company, everyone has access only to what is (absolutely) necessary for their work, thereby preventing a potential data breach.

-How do you protect it?

First, we examine the access profiles within an organization, the associated roles and entitlements. We scale and categorize these permissions to identify the most critical roles from a data leakage perspective.

Our primary focus is on reducing risks caused by human error. This involves not just technological solutions but also addressing risks underlying in the human factor.

-In 2024, the NIS2 directive will be mandatory in EU member states, tightening requirements in areas such as access management. What should we know about this?

From 2024, the NIS2, the EU’s new directive, will impose stricter requirements on information systems security. The directive aims to provide digital protection for critical infrastructures like financial institutions, energy networks, transportation, banking services, financial market infrastructures, and the healthcare sector as well.

Another interesting regulation is the Digital Operational Resilience Act (DORA), focusing on the operational resilience of the financial sector. It sets rules and requirements for protecting, detecting, localizing, recovering, and repairing ICT-related events within financial institutions.

These directives emphasize the need to minimize operational risks associated with unnecessary or conflicting access rights.

-Could you give specific examples that illustrate the problems caused by mismanaged access rights?

A former employee of the US National Security Agency (NSA) was sentenced to nearly 22 years in prison for attempting to transmit secret documents to Russia. The employee worked as an information systems security designer and had access to sensitive information. This example shows that access to certain data can lead to market advantages or even compromised war information. It’s crucial to consider carefully who gets access to confidential or sensitive documents.

Another example is when a supplier of Bank of America accessed customer data, affecting approximately 57,000 people whose personal identifiers and social security numbers were stolen due to improper access rights management.

These are just a few examples, and although they didn’t happen in our country, they well illustrate the point. According to ISACA’s 2023 information security survey, excessive access rights ranked first among deficiencies revealed during IT audits, a trend that has been increasing for two years. Organizations often determine access based on habitual practices, creating security gaps that sophisticated cybercriminals exploit.