Five Questions With... 


Eugene Liderman is the director of public sector technology within the office of the chief technology officer (CTO) at Good Technology. His primary responsibility is to help customers navigate the mobile security challenges unique to the US Department of Defense (DoD) and the wider US federal space. Prior to this role, he served as the director of special markets, focusing on emerging technology and on alliances that help deliver innovative solutions to Good Technology’s security-conscious customers.

Prior to joining Good Technology, Liderman was a senior Exchange engineer with the Office of the Chief Technology Officer of the District of Columbia. His responsibilities included architecting and supporting the consolidation and migration of the district’s 40-plus dispersed Windows NT 4.0 domains into one central Active Directory forest and Exchange 2003 organization, which housed more than 35,000 mailboxes. Liderman was also responsible for deploying the district’s first wireless initiative and maintained that infrastructure thereafter. He has spoken at numerous conferences on topics including networking, directory services, email, wireless email, mobility and information security.

Outside of work, Liderman enjoys the same things he does at work—finding the ultimate smartphone apps, accessories and gadgets. He is a techie at heart.


Question

What do you see as the biggest threats being addressed by IT security professionals? How can businesses protect themselves?

Answer

IT security professionals address a wide variety of threats in today’s multitasking environment (i.e., multidevice [desktop, laptop, tablet, smartphone], multinetwork, multilocation [at the office, satellite office, from home, on the road]). Risk can be put into three buckets:

  1. External threat—When someone from outside is trying to gain access to sensitive data or cause malicious harm to the infrastructure and/or environment.
  2. Internal threat—When someone from inside is trying to gain access to sensitive data or cause malicious harm to the infrastructure and/or environment.
  3. Negligence—Often the biggest risk; in any security policy or framework, the end user could be the weakest link.

The first two areas of risk have typically been mitigated using common techniques in the information security/information assurance arena, such as intrusion prevention software (IPS), intrusion detection software (IDS), data loss prevention (DLP) and continuous monitoring (CM). The third risk type is often the hardest to combat because the user is unknowingly increasing the risk of sensitive data being leaked and/or exposed—not for malicious reasons, but as a result of doing too much or not enough. At the end of the day, the security and usability counterbalance is inversely proportional. When one is high, the other remains low. In cases where security is high and the usability is low, end users will often try to get around the system to make it easier for themselves. The best way to deal with this type of risk is to provide training on a regular cadence to the end user community regarding the common attack vectors they should be aware of on their desktop/laptop as well as their smartphone/tablet. In addition, the IT security group needs to find a balance between the security policies it implements and the usability it provides as the end result.

Question

How do you see cloud computing changing the way we do business? What risk is involved with cloud computing and how are our businesses addressing such risk?

Answer

Cloud computing is an interesting paradigm where the chief information officer (CIO) in any organization gets excited because of the potential cost savings and possible productivity gains as a result of having the organization’s data stored in a location that is convenient for the entire workforce. At the same time, the chief information security officer (CISO) in the organization gets nervous because the security controls in place to secure data and prevent them from being exposed are basically out of his/her control and, instead, he/she has to rely on the cloud provider for this. In addition, what happens in the rare case when the cloud goes down? Most organizations want to maintain control, and with a cloud solution that is not how things work.

I see many organizations both in the public as well as the private sector adopting cloud computing; the only difference is the type of data they allow to be stored in the cloud as well as the definition of the cloud service itself (e.g., public cloud vs. private cloud). The type of data stored in the cloud depends on the vertical market’s statutory requirements and the sensitivity of the enterprise’s data. In the US federal government, for example, aside from email being migrated to the cloud in a limited way, public-facing nonsensitive data get published to a commercial cloud, whereas, in the private sector, more companies are moving a greater percentage of their data to the cloud.

The US federal government (including the US Department of Defense) is a big proponent of a private cloud concept. Examples include the Defense Information Systems Agency (DISA) providing email as a service (MAIL.MIL) to the US Army, or the Department of Homeland Security (DHS) providing centralized email and collaboration to all of its subordinate agencies. A private cloud enables the agency to have additional assurances that its data are stored in a more secure manner and in compliance with applicable regulatory requirements (e.g., the US Federal Information Security Management Act [FISMA] and the Federal Risk and Authorization Management Program [FedRAMP]). Commercial clouds, on the other hand, have lower levels of compliance.

Question

How do you see the role of governance of enterprise IT (GEIT) changing in the long term?

Answer

I see the GEIT framework continuing to be utilized as a baseline methodology, but when it comes to things like smartphones and tablets that have a rapid life cycle, I envision a greater agility in managing changes. Otherwise, it becomes too much of a burden to onboard and manage newer technologies, which may stifle innovation.

Question

How can the cybersecurity problem be addressed? Is this something for government only or is the involvement of nongovernmental organizations required?

Answer

Cybersecurity impacts everyone, not just government. To combat this ongoing threat, the public and private sectors in the US have teamed up through various conferences, programs, committees and working groups. Sometimes these groups consist of specific verticals, such as system integrators/defense contractors, working specifically with their counterparts in the US Department of Defense, and other times, there is representation from various verticals such as health care, finance and government.

Two famous quotes by Sir Francis Bacon sum it up really well. First, “knowledge is power.” The hope is that these various means of interaction between private and public sector organizations provide a platform to share the knowledge gained by these various representatives so that everyone can increase their mitigation strategies against the ongoing cybersecurity threat. The other quote is, “Silence is the virtue of fools.” This applies because the common theme these days is: “It is not a matter of if we have been breached, it is just a matter of when we find out.” Organizations that have been breached need to speak up and educate other organizations on lessons learned around what the potential attack vector was, how they were able to discover it and how they will mitigate it in the future.

Question

What has been your biggest workplace or career challenge and how did you face it?

Answer

My biggest workplace/career challenge has always been around following our own advice, whether it was as an IT consultant, a system administrator working for the government or in my various roles working for a software company. In each one of these roles, it was essential to follow the exact same policies and procedures that we mandated or recommended to others, because if we could not put ourselves in that same situation, we would never have been able to catch some of the potential pitfalls or threats with that particular approach. This covers a wider spectrum than just information security; this also applies to productivity. For example, in my current role, to be truly credible with our customer base, I follow the same stringent guidelines around how I secure my smartphone devices, but at the same time, I make it a priority to try to accomplish as many tasks as I can using my smartphone and/or tablet device because that is what we preach to our customers. As a result, I have 250-plus applications on my iOS devices—I am constantly downloading the latest and greatest business-productivity applications to see whether they add any value as well as create any risk.



The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.