Interview with Raj Goel – PenTest Market Magazine
Raj Goel, CISSP, is an IT and information security expert with over 20 years of experience developing security solutions for the banking, financial services, health care, and pharmaceutical industries. He is a well-known authority on regulations and compliance issues. Raj has presented at information security conferences across the USA and Canada. He is a regular speaker on PCI-DSS, HIPAA, Sarbanes-Oxley, and other technology and business issues, and he has addressed a diverse audience of technologists, policy-makers, front-line workers, and corporate executives. Raj works with Small-to-Medium Businesses (businesses with 10-200 employees) to grow their revenues and profitability. He also works with hospitals and regional medical centers across the Northeast (NY, Vermont, New Hampshire, Maine, Pennsylvania), helping them meet HIPAA compliance requirements and use Health Information Systems (HIS) effectively. You can contact him at email@example.com.
You have more than 20 years of experience in IT, please tell us about your professional background in IT Security.
Raj Goel: I had my first IT consulting client at age 13, first business card at 16, and have been consulting ever since. In 1997, a large Health Insurance company in the US asked me to help them understand something called HIPAA. We had no idea what HIPAA was, nor did they – however, the client’s management knew that this proposed law needed to be understood, if the health portal project we were working on was going to succeed.
I learned what I could about the proposed legislation, and delved into the HIPAA Security standards. That led me to becoming a CISSP, and gaining a real understanding of how ISO27001, HIPAA, PCI-DSS, and other data security and privacy standards are related.
My first presentation on HIPAA compliance was in October 2001 – a month after 9/11. Since then, I have led or conducted over 150 seminars, webinars and full-day conferences. I have also been published in INFOSECURITY Magazine, quoted in CSO Online, and appeared on TV on the Geraldo Show and PBS TV.
To date, I have delivered CLEs to over 3000 attorneys, approximately 1500 accountants/CPAs and thousands of CISSPs world-wide.
In short, I have been in IT for over 25 years, and IT security for 15+ years.
Please tell us about your company, services you offer and organizational growth in the past few years.
RG: I co-founded Brainlink International, Inc., with my wife, in 1994. We offer three sets of services:
- Managed IT support for Small Businesses (5-100 employees) in Manhattan, NYC.
- HIPAA, PCI-DSS and IT security audits across the USA to Hospitals, Medical Groups and Level 3 and Level 2 PCI merchants.
- Cyberforensics – data acquisition and evidence analysis to Matrimonial and Criminal Defense attorneys in NYC.
Managed IT is the fastest growing segment of the business and IT security compliance audits are holding steady. There is also a growing interest in CyberForensics from the attorneys.
You have presented to several C-level executives. What are some of their concerns related to IT Security and what is their approach towards organizational risk mitigation?
RG: That is a broad question. At a very high level, CEOs and CFOs are primarily concerned with lowering costs and increasing revenues. IT security does not really matter to them – I have met with very few CEOs or CFOs who actively seek out IT compliance or IT audit services. If they could avoid them, they would – with the exception of Sarbanes-Oxley (SOX) compliance which is the only regulation that has captured their attention and budgets.
The CIOs/CPOs/CSOs are more focused on becoming compliant and usually, their biggest concern is managing the conflicting standards and regulations. In some cases, the standard is poorly worded (e.g. PCI) or their realities do not mesh with the law (e.g. HIPAA).
For example, HIPAA requires that all systems be patched and updated. Contracts with vendors require that the hospital cannot update or apply Windows patches to MRI or XRAY machines without voiding warranty. That is still a challenge.
The other challenge is that HIPAA requires disaster recovery and standard DR is expensive. A LOT of cloud providers are selling their services as HIPAA-compliant, without really understanding (or intentionally ignoring) what impact ECPA and the Patriot Act have on HIPAA/PCI/GLBA compliance.
Since you do a lot of work in the New York City area, I am sure your international readers are curious to know if you are willing to take on any international assignments?
RG: Depending on the jurisdiction and the laws involved, yes, we are willing to take on international assignments. Acceptance of non-US assignments depends on current geopolitical issues, laws involved, and cultural issues. The biggest challenge we help clients deal with is the internal cultural issues: the corporate culture, local community standards, etc. So, before I accept an assignment, I take steps to understand the culture I will be stepping into.
What tips would you offer to young adolescents to protect their identity online?
RG: That is a great question. How should adolescents protect their identity online?
- AVOID Social Media – Facebook, Twitter, etc. Consume the content, if you want, but do NOT create profiles, or posts online. If you do create profiles on social media, limit the information that you post about yourself and your profile information. Do not provide too much information that someone can use against you. Remember that what you post in social media applications cannot be removed and will be available forever for people to read.
- Learn the risks that going online creates – you can see my video at www.Brainlink.com/what-to-teach-your-kids-employees-and-interns-about-social-media/ or on YouTube.
- Read and understand as much as you can: privacy is eroding fast, and it is not in Facebook, Google, Match.com, your mobile phone company, your ISP, your employer OR your government’s interest to protect it. It is YOUR privacy, it is YOUR identity, and only YOU can protect it.
- Avoid using online dating sites.
- Use common (or uncommon) sense – never EMAIL, SMS, POST or TWEET anything that you would not want to defend in court.
- If you break laws (speeding, underage drinking, engaging in political or social protests, etc.), DO NOT brag about it.
- Choose your friends carefully – in real life, and online. Not everyone who wants to friend you is a real friend and they could be opportunists, predators, robots, law enforcement or criminals.
Small and medium size health organizations find HIPAA/HITECH compliance requirements overwhelming. How do you help them in that domain?
RG: Everyone finds HIPAA/HITECH daunting – from the smallest to the largest. I assist clients in understanding why HIPAA/HITECH matters to them, why it is important to comply and most importantly, how we can INCREASE PROFITABILITY by becoming compliant.
That is the angle most consultants, IT professionals and businesses overlook. Compliance can lead to greater profits.
During your interaction with Attorneys and accountants, what were some of the cyber-security areas they were interested in?
RG: More and more, attorneys are concerned about digital evidence and cyber-forensics. Other than that, their interest in cybersecurity is pretty minimal. Getting better Google ranking, more business through LinkedIn, and more friends on Facebook – that attracts their interest – not cyber-security.
Social media has its own benefits, but privacy can be a bit of a concern. What steps can individuals take to protect their civil liberties and privacy?
RG: That is too big of a question to answer. See the short answer above and then watch my video at http://www.Brainlink.com/what-to-teach-your-kids-employees-and-interns-about-social-media/, read the articles at http://www.brainlink.com/category/articles/ and then we can talk.
In the US, the Federal Trade Commission plays a vital role as an investigator of privacy and security breaches. What should IT Security professionals be aware of with respect to the FTC’s role in security?
RG: The FTC is not an investigator in the traditional sense – they have become the guardians of consumer privacy in the US. I recommend watching the several webinars and presentations I have done on LESSONS LEARNED FROM THE FTC at http://www.rajgoel.com/lessons-learned-from-the-ftc-federal-trade-commission to get a better idea.
What are your thoughts on SOPA, PIPA and ACTA legislation from a consumer perspective? Will consumer privacy and security be safeguarded by this legislation?
RG: SOPA, PIPA, ACTA do NOT protect consumer privacy. These laws are bought-and-paid-for by the RIAA and the MPAA to protect their business model and profits in a dying industry. It is like horse-buggy manufacturers passing laws that limit vehicles to no more than 20 MPH/30 Kph.
As a consultant and prolific speaker, effective time management must be an important aspect of your life. Any tips on how you go about juggling various roles?
RG: Learn Time Management! I have taken courses at Landmark Education, read The 4-Hour Work Week and Getting Things Done, and received personalized coaching that has helped me build and maintain my priorities.
How do you keep yourself up-to-date with the latest developments in IT? What are some of your information sources?
RG: Slashdot.org, TheRegister.co.uk, various industry journals and constant reading are how I keep up to date. In all my presentations, I use publicly disclosed data, and integrate disparate events and incidents into a coherent narrative.
Who are some of your role models in personal and professional life?
RG: Marcus Ranum, Bruce Schneier and Howard Schmidt are my personal cybersec heroes.
Aby Rao has several years' experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, a Master of Science in Information Science, a Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.