
Content provided by Chris Swan and Nick Selby. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Chris Swan and Nick Selby or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://ar.player.fm/legal.

Tech Debt Burndown Podcast Series 1 E12: Yosef Lehrman on the Executive Order

 

Recording date: Jun 14, 2021

Download at Apple Podcasts, Google Podcasts, Spotify, iHeartRadio, Spreaker or wherever you get your podcasts.

“The executive order puts on paper for the very first time, a mechanism for the federal government at least to outline how they plan on shoring up their cybersecurity and more importantly, a framework that others whether it’s commercial entities or state, local, tribal, territorial governments could follow and build upon.” - Yosef Lehrman

Yosef first introduces himself, and his role as Deputy Commissioner of Information Security and Chief Information Security Officer at New York City’s Department of Information Technology and Telecommunications. We describe Yosef as one of the best people to talk to about the 12 May Executive Order on Improving the Nation’s Cybersecurity.

After disclaimers about not speaking on behalf of the department etc., Yosef outlines the purpose and importance of the Executive Order as “a roadmap for improving National Cybersecurity and also for protecting federal government networks”. The two key points are outlined as:

  1. Information sharing
  2. A plan to move towards a more secure architecture (using multi-factor authentication, zero trust architecture etc.)

We then touch upon the software bill of materials (SBOM) content of the order, and the fact that secure software development and supply chain security are different things. Yosef draws parallels with the work of the National Transportation Safety Board (NTSB) and its work in investigating accidents. This leads to further discussion of the value and challenges in accreditation, and how it can be a double-edged sword.

Nick then asks how the changes are going to be funded, given that many agencies have struggled for IT budget, which is often seen as the cause of tech debt. Yosef points out that there’s no clear link to funding. For that reason it’s going to take time to implement, and will need strong leadership to be successful. This runs into some discussion of the challenges with cutting over services that can’t be taken down, but how that does get achieved with things like 911 call centres.

Yosef also sees the order as an opportunity to drive incremental improvements that might fit into regular upgrade and refresh cycles. He also sees an opportunity with the shift from products to services, which leads to some discussion of public sector cloud adoption.

We wrap up with some discussion on how information sharing between agencies has improved, with more happening in the open and available to all comers.

Season One finale.
