Hongwen Zhang, Ph.D.
Hongwen Zhang is the chief executive officer (CEO) and cofounder of Wedge Networks, as well as the co-inventor of Wedge Networks patented technology WedgeOS. He has had a long career as a technologist, inventor and entrepreneur. Zhang was a cofounder of 24C Group Inc., which developed the first digital receipt infrastructure for secure electronic commerce (acquired by Axway Corp.), as well as a principal of Servidium Inc. (now ThoughtWorks Inc.), a global leader in agile development methodology. He also served as the chief technology officer of Wedge until early 2009, during which time he brought WedgeOS from a technology concept to an award-winning network security product line.
Zhang has a doctorate in computer science from the Department of Computer Science, University of Calgary (Alberta, Canada); a masters of computer science in computer engineering from the Institute of Computer Technology—Chinese Academy of Sciences (Beijing, China), and a bachelor’s degree in computer science from Fudan University (Shanghai, China).
Away from the office, Zhang spends his time reading on a variety of topics such as history, science, information technology and security. In addition, he loves the mountains, and, in his spare time, he enjoys exploring the hiking trails in the Canadian Rockies with his family.
What do you see as the biggest risks being addressed by IT auditors and/or security professionals? How can businesses protect themselves?
There are all sorts of businesses, and each may have a unique perspective on what the biggest risks are. At a very high level, you can think of a business as a household in terms of managing risks: You do not want your valuables to leak out, and you do not want your house to be vandalized. These are exactly the kind of risks that businesses have to deal with.
For example, in the Sony Playstation Network security breach incident, users’ information was stolen. The financial damage to Sony has been estimated to be as high as US $2 billion, not to mention the damage done to the Sony brand and reputation. As another example, the Stuxnet malware, which targets industry control systems, demonstrates how critical infrastructure can be damaged by IT security breaches.
How can businesses protect themselves? Well, there are many best practices and viewpoints. Knowing that almost all attacks are coming in from network connectivity, the most important thing is to make sure that bad things do not sneak in from the network. Most businesses, especially enterprises and service providers, will tell you that they already have all the gears that guard the network pathways, e.g., firewalls, and intrusion detection and prevention systems. The truth is: Breaches are still happening. Why? Because many successful attacks are embedded into content, i.e., data-in-motion, that comes in via legal ports from sources that are either spoofed or reputable. Hence, technologies that detect the intent of the data-in-motion are becoming more and more important. Businesses also need to understand that when digital assets are stolen, they are usually snuck out via the network. Data leakage prevention (DLP) refers to approaches that make sure no valuable data can be stolen. How do you enforce DLP at the network pathway? You need to have technology that can understand what is embedded in the outbound data-in-motion and stop the leakage of confidential information.
How do you see information management practices in business changing in the short and long term? What are the biggest concerns with cloud computing, and how do you see them being addressed?
From IT’s point of view, there are three major drivers in the industry: the adoption of consumer-grade tools and applications, such as social networks, peer-to-peer (p2p) and file sharing, in businesses; the ubiquity of mobile computing; and the big pull from the cloud.
In the short term, I see IT practices trying to cope with these forces of change. There will be confusion caused by the lack of adequate ontology to understand and describe the changes. Skin-deep technology that deals with the symptoms of these pains will be developed, such as next-generation firewalls, which will block the usage of social media in the workplace or limit application usage on mobile devices. As a result, new policies will be developed on how information shall be stored, moved or audited.
In the long term, I see IT practices helping businesses take advantage of these changes. So, instead of the CEO coming to IT demanding to get his/her iPad connected to the company’s network and IT struggling to cope with security implications, IT will recommend and implement better ways for the business to operate anyplace and anywhere.
The biggest concern with cloud computing is data security across space and time: Organizations are questioning if their data are safe in the cloud, what happens to the data, who has access to the data and many other unknowns. The Cloud Security Alliance has been doing a good job of defining the many elements of cloud security issues, such as who has what responsibilities and what the government regulatory compliance requirements are in different geographical regions. From a pure technology point of view, security measures need to be taken to secure both the data-at-rest in the cloud and the data-in-motion to and from the cloud.
How do you think the role of the security professional is changing? What would you recommend to security students or new security professionals to better prepare them for this changing environment?
With IT assets moving to and from so many places, predators will have ample opportunities to make kills. In the last several years, the dark side has certainly progressed significantly. It is alarming to notice that some recent attacking techniques are very stealthy and are aimed at bypassing or disabling the defense mechanisms on which we rely. IT security has traditionally been divided into two parts: infrastructure security, which is managed by the network group, and data security, which is managed by the management information system (MIS). Given today’s blended attacks, there is no doubt that security professionals need to be well versed in both aspects.
Today’s security professionals should not only focus on the traditional IT security topics, but also be familiar with risk management. And, to do so, they must have a better understanding of the business as a whole.
Hence, the role of the security professional has evolved from that of a technical specialist of a particular area to that of a business professional who understands the system that supports business operations, its vulnerabilities, and the measures and costs to guard the system.
How do you see the role of governance of enterprise IT changing in the next five years?
ISACA is working on COBIT 5, which will cover many aspects of this topic. From the view of a practitioner, I can see that IT will no longer be an issue dealt with by a group of technicians, but rather by people who understand the business objectives and processes. If you take the view that enterprise IT is the automation and innovation of business processes, you can also see that chief information officers (CIOs) will play more important roles in organizations. In many organizations, they will be reporting to CEOs and be in the driver’s seat to execute business objectives.
What has been your biggest workplace challenge and how did you face it?
My career has led me down many paths from a programmer, to a software architect, to a product manager and marketer, to a chief executive. Each stage has its own “biggest” challenges. At the meta level, the biggest challenge has been to communicate a clear vision, gain support from stakeholders, and have the team members sing from the same song sheet to push toward the ideal state. I believe success comes through fostering a culture with the following core values:
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2011 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.