Tech Debt Burndown Podcast Series 1 E12: Yosef Lehrman on the Executive Order

Posted on Saturday, Aug 7, 2021
Yosef Lehrman talks to Nick and Chris about the Executive Order on Improving the Nation’s Cybersecurity

Show Notes

Recording date: Jun 14, 2021

Download at Apple Podcasts, Google Podcasts, Spotify, iHeartRadio, Spreaker or wherever you get your podcasts.

“The executive order puts on paper for the very first time, a mechanism for the federal government at least to outline how they plan on shoring up their cybersecurity and more importantly, a framework that others whether it’s commercial entities or state, local, tribal, territorial governments could follow and build upon.” - Yosef Lehrman

Yosef first introduces himself, and his role as Deputy Commissioner of Information Security and Chief Information Security Officer at New York City’s Department of Information Technology and Telecommunications. We describe Yosef as one of the best people to talk to about the 12 May Executive Order on Improving the Nation’s Cybersecurity.

After disclaimers about not speaking on behalf of the department etc., Yosef outlines the purpose and importance of the Executive Order as “a roadmap for improving National Cybersecurity and also for protecting federal government networks”. The two key points are outlined as:

  1. Information sharing
  2. A plan to move towards a more secure architecture (using multi-factor authentication, zero trust architecture etc.)

We then touch upon the software bill of materials (SBOM) content of the order, and the fact that secure software development and supply chain security are different things. Yosef draws parallels with the work of the National Transportation Safety Board (NTSB) and its work in investigating accidents. This leads to further discussion of the value and challenges in accreditation, and how it can be a double-edged sword.

Nick then asks how the changes are going to be funded, given that many agencies have struggled for IT budget, which is often seen as the cause of tech debt. Yosef points out that there’s no clear link to funding. For that reason it’s going to take time to implement, and will need strong leadership to be successful. This runs into some discussion of the challenges with cutting over services that can’t be taken down, but how that does get achieved with things like 911 call centres.

Yosef also sees the order as an opportunity to drive incremental improvements that might fit into regular upgrade and refresh cycles. He also sees an opportunity with the shift from products to services, which leads to some discussion of public sector cloud adoption.

We wrap up with some discussion on how information sharing between agencies has improved, with more happening in the open and available to all comers.

Season One finale.

Guests

Yosef Lehrman

Yosef Lehrman is the Chief Information Security Officer (CISO) of a local government IT Department, where he is responsible for protecting the confidentiality, integrity, and availability of municipal information systems while meeting the varied technology needs of a modern and vibrant city. Prior to assuming this role, he was the CISO at a law enforcement agency where he developed and implemented an intelligence driven information security program. He is also an instructor of several information security courses at both the graduate and undergraduate level.

Mr. Lehrman has 15 years of experience in the cybersecurity industry and has published articles and presented on information security topics nationally and internationally. He is a member of several government task forces focused on defending critical infrastructure against cyber-attacks. He holds an MS in Internet Technology from Pace University, the Certified Information Systems Security Professional credential, as well as several industry certifications.

Hosts

Chris Swan

Chris is a frequent speaker on topics such as serverless, DevOps, cloud, containers, security, networking and the Internet of Things. He’s also a cloud editor for InfoQ and a contributor to open source projects such as Docker, CoreOS and DXC’s Online DevOps Dojo.

Nick Selby

Nick provides information security, disaster- and cyber incident-readiness assessments at Fuzz Technology, a subsidiary of EPSD, Inc. From 2021 to 2023, Nick served as VP of the Software Assurance Practice at Trail of Bits (where he was the voice and executive producer of its podcast), and from 2019 to 2021 as Chief Security Officer at Paxos Trust Company.

From 2018 to 2020, Nick served as Director of Cyber Intelligence and Investigations at the NYPD Intelligence Bureau, where he helped the department understand how it investigates online, and how Cyber Enabled crime affects New Yorkers.

In 2005 he founded the information security practice at industry analyst firm 451 Research, (now S&P Global Market Intelligence) where he served until 2009 as 451’s Vice President, Research Operations.