Most of us don’t think about the scary dark world lurking behind our computer screens. The concept of what, or who, lurks behind the screen is not often considered until after an attack has taken place and a part of us has been stolen.
Thankfully there are people like Jeremy Livingston who understand the security realm, oversee cybersecurity, and develop security solutions for Edge’s EdgeSecure.
Effective December 2018, Livingston became Edge’s new Associate Vice President for Security Solutions Development and Chief Information Security Officer. His previous experience includes a lengthy list of prestigious positions, as he began his career in cybersecurity while serving in the Navy doing cryptography and IQ security.
Following his post in the Navy, Livingston was honored to work as the Senior Information Systems Security Analyst supporting the CIO to the Executive Office of the President of the United States.
“I served in the White House for the last year of President Bush’s term and the first year of President Obama’s term,” Livingston said. “Seeing the transition of power in the White House first-hand was an exceptional experience.”
Livingston served on a team of security engineers who reviewed everything entering the White House network, including software, hardware, and full security assessments. A new term and new smart device at that point was the BlackBerry. President Barack Obama became known for his dependence on his BlackBerry for communication during his 2008 Presidential campaign. Despite the security issues, he insisted on using it even after inauguration – causing some interesting challenges for security engineers.
“President Obama’s use of the BlackBerry was an amazing challenge, and while I can’t share the details of more than what was already in print at the time, the security team did a fantastic job protecting his information and ensuring nothing was compromised,” Livingston said.
After serving in the White House, Livingston continued his deep and varied background within the security realm, which included being the Chief Information Security Officer to the Pew Charitable Trusts in Washington D.C., the U.S. Government’s Food and Drug Administration, the Office of the Inspector General for the Federal Housing Finance Agency, as well as security-related engagements with the Goddard Space Flight Center, the National Nuclear Security Agency, and the U.S. Department of Labor. Throughout this timeframe, he also enjoyed (and continues to enjoy) teaching security at the local community college, as well as several CIFSP courses online.
From a more granular perspective, Livingston’s experience ranges from overseeing a team of 50 at the Food and Drug Administration to three people at the Federal Housing Finance Agency. For example, Livingston and his team were responsible for 20,000 users at the Food and Drug Administration, a supercomputer, and a data center with 5,000 servers.
“I’m fortunate to have experienced quite a variety of tasks, objectives and professional interactions among the different positions,” he said.
Edge Expands Cybersecurity Efforts
Just about every week another company deals with a data breach, which is why Livingston is excited to join forces with Edge and serve its members. Edge and its members are expanding into different sectors and his cybersecurity expertise is complementary to these efforts.
“There’s a lot of interest in the security area with things like GDPR and breaches being discussed in the media,” Livingston said. “You know everybody’s focus is on security and protecting the privacy of data, and hopefully I can bring the expertise to help our partners.”
He stressed the importance of organizations understanding their risk level, as there are countless dangerous elements found online.
“You need to first determine the risk and understand the threats as well as any unique vulnerabilities your organization may have,” he explained. “When you develop a deep understanding, the knowledge allows you to make risk-informed decisions for deciding which protections are needed in your organization and how much money should be spent for defending against those threats.”
Livingston will be leading Edge’s cybersecurity program EdgeSecure, working with organizations and institutions to ensure they achieve a security posture that minimizes risk. The partnership includes understanding needs and finding who requires which capabilities or expertise. The goal is to make informed risk-based decisions and help secure networks.
“We can help organizations and institutions with inside information that sets the landscape. We can conduct vulnerability scanning, asset discovery, and we can provide executive level advice and guidance all the way down to staff augmentation if this is what they need,” he said. “The end goal is to effectively mitigate risks and meet their compliance requirements without breaking a budget.”
Role of Cybersecurity
Cybersecurity isn’t necessarily what’s portrayed in the movies, where the hackers are going against security professionals. Protection is everyone’s responsibility and users tend to be the first line of defense. A computer user is going to first see a malicious link or receive an email with a risky attachment.
When technology users are empowered to understand and defeat the threats at the onset, this deeper level of awareness goes a long way toward stopping future attacks. This insight is critical to developing a really strong defense-in-depth strategy.
“Your first line of defense needs to understand and know what the threats entail. The end users are essentially on the front lines, so to speak, which place them in a critical role because they act as a very important detection mechanism. In most cases, they will be the individuals to encounter the first sign of a threat or attack,” Livingston said.
Once a threat or attack is encountered, an important part of the process calls for an end-user to inform the help desk and to report the problem, so a record or a report can be created in a timely manner.
“A vital part of the detection process is for users, students, and everyone involved to be aware of potential threats so they can help defend their respective systems and, subsequently, report any suspicious activity,” he said.
Edge’s Virtual CISO (vCISO) Program Option
Despite the importance of security, unfortunately, not every organization or institution has the ability to maintain a chief information security officer (CISO) on staff. This particular circumstance is why Edge is incorporating the virtual CISO program wherein interested members can gain the benefits of a traditional CISO with years of knowledge, experience, leadership and decision-making capabilities, without some of the high costs.
With the Virtual CISO program, Edge brings in high-level expertise to handle the pressing issues of member organizations while keeping the costs very reasonable. When a virtual CISO is hired, the institution only pays for the hours where help is needed.
A CISO helps prioritize risk mitigation activities and manage the overall risk for the organization. Reports are then sent to the board and the CIO. The risk mitigation report then helps guide staffing needs and assessments. The overall information system becomes easier to manage and compliance requirements are also met.
To achieve a secure system, having a qualified understanding of compliance requirements with FERPA, GDPR, or the privacy act is essential. If an organization doesn’t follow the conditions, heavy fines or fees can occur. The GDPR requires that due care is taken to protect the privacy of the information being safeguarded.
“Adherence to proper protocols is why it’s so important to have someone who understands the compliance level because you can prioritize your experts to meet the compliance requirements without taxing too much of the budget,” Livingston said.
Fairleigh Dickinson University is an institution that has contracted with Edge for a virtual CISO. Livingston and his team are looking at GDPR compliance and policy reviews, as well as evaluating security elements of software and services for the University.
“We’ve already received accolades from the CIO on the progress being made,” he said. “This expertise and understanding can be used at almost any of the public institutions in New Jersey.”
Future of Cybersecurity
Livingston feels the future of security, compliance, and threat mitigations is going to turn into an app-store-type environment where an institution can purchase the hardware they want and download the latest threat intelligence or signatures from any number of different vendors.
“We’re already starting to see this sort of marketization of the security information,” he said. “The security information is really the key component, and I believe in the future there will be more emphasis around the information versus hardware or the vendor name.”
With the possible changes on the horizon, the new tools and solutions don’t necessarily mean threats are going to disappear. The game of cat and mouse takes place whenever there are security advancements.
“Ne’er-do-wells are going to use similar methods to look at ways to circumvent those protections, so you know we’ll come out with quantum computing and it’ll break all encryption,” Livingston explained. “Then we’ll find a way to make the quantum encryption and we’ll go back and forth.”
He doesn’t feel cybersecurity will ever become irrelevant because the threats will continue to grow, especially when quantum computing and artificial intelligence take off.
These growing security trends are precisely why EdgeSecure’s focus on cybersecurity is to ensure the program stays effective, efficient, and affordable for its users, which is done through an evolving line of offerings. Since December, Livingston has completed an analysis of everything being offered and changes have been made to make sure EdgeSecure is aligned with the needs of the member organizations.
“We want to make sure our products, services, and solutions are what organizations need to meet the challenges of the future,” he said. “The key goal is to provide what is needed as the threat landscape changes.”
In the future, EdgeSecure is also looking at adding a managed security services provider offering, which would run things at a technical level. This scenario would still require someone in a management capacity directing the overall activities, but the offering will take the technical onus off of the individual institutions and management.
“I think something like the managed security solution is really going to offer our members the support they need. One of the concerns I’ve heard over and over again has been how staffing is always an issue, and trying to find good cybersecurity staff can be a huge challenge,” Livingston said. “I believe this addition will help alleviate this problem and it’s going to be a great offering when we get it rolled out.”
The growing partnerships and security solutions excite Livingston as he digs into helping Edge’s membership – providing years of expertise and knowledge to EdgeSecure and its cybersecurity offerings.