2012 09 Isc2 Info Security Professional Magazine Raj Goel Interview


InfoSecurity Professional Magazine's September 2012 interview with Raj Goel


Q&A: EXPERTS ADDRESS TRENDING SECURITY TOPICS

Beyond Security Awareness

TALKING ABOUT SECURITY IS NOT ENOUGH. WE ALL NEED TO ACT ON SECURITY PRACTICES.

RAJ GOEL, CISSP, is CTO of Brainlink International, Inc. and an IT and infosecurity expert who develops security solutions for various industries. Senior Managing Editor Joyce Chutchian spoke with Raj about the state of IT security.

Q: You've written and spoken a lot about social media threats and risks. What are your biggest concerns?

First of all, there is the myth that cybercrime and financial fraud is a recent concept, when in fact, the problems started in the 1934 to 1936 era, when the IRS issued Social Security cards. Your Social Security number became your de facto ID number, and it's still used today, despite all the corruption and identity fraud.

I give a popular talk at conferences, on how social media and the cloud are over-collecting worldwide, especially for the under-18 population. Kids who were born in 1983 and beyond have grown up with computers. They do everything online like SMSing and chatting. As teenagers, they are not wired to think of 34-year-old threats. We have built a surveillance engine; everything a 12-year-old says online will never be forgotten. And what they say and what their friends do and say, whether it be on a game website, retail or Facebook, will follow them and haunt them for the rest of their lives. It's all stored in the cloud, and they don't even know what the cloud really is.

Q: What are your biggest concerns about the cloud right now?

From a technical perspective, there is no clear definition of what the cloud is. Some people are relabeling it as private hosting, and private data centers are relabeling it as the cloud. From a legal perspective—under current U.S. federal law—what the cloud gives you technically, it takes from you legally.

Take HIPAA for example: You are a doctor. If your records go missing, you are personally liable for that data loss. The customer records are lost, and the organization is held accountable for any breached data. In the cloud, if your vendor loses data, the vendor is not liable. You are liable. I'm working with a nonprofit, underprivileged health-care organizations, and they want to be compliant. They don't have the budget, so they are moving to Google Apps. Google says not to use Google Apps for HIPAA or PCI. Vendors have been carefully insulating themselves from any liability without telling the customer. There is no lemon law for cloud computing. If Google loses your data…oops! The liability is yours.

Q: What can we do about this?

We need to educate everyone aged 18 to 60. This means educate ourselves, management, families, and other members of our society who help enforce the laws, design and pass them. Don't just collect a paycheck. Be involved as citizens of our society and in politics. As security professionals, we are all citizens, and we are all consumers. It is our charter that we have to be in the front lines of protecting fellow citizens, whether it be attorneys, accountants, teachers, parents, medical professionals, etc. Go talk to your local parent/teacher school groups. Talk to the Boy Scouts and Girl Scouts; local attorneys and bar associations.

I have spent more than fifteen years reading the law on security—and it's not how you can configure a firewall, it's how you can create a security policy. Encrypt your laptop. Don't be lazy. It's not enough to be educated—you need to enforce awareness. Just because a security question asks you for your mother's maiden name, doesn't mean you have to use her real name. Change your passwords. Don't just talk about security, act on it.

ISSUE NUMBER 19  INFOSECURITY PROFESSIONAL  21