Howard Schmidt on CSOs, Risks and Responsibilities

This is the first in a two-part Q&A with former White House Security Advisor Howard Schmidt.

A former White House security advisor turned corporate consultant says IT security professionals have a bigger and more complicated job to deal with than ever before. But he also says they're more prepared and better equipped to handle it.

Howard Schmidt is a man with a lot of experience in security -- both in the government and in the corporate field. He's the type of man who garners a great deal of attention when he speaks out on security issues, whether they be corporate readiness to fight off virus attacks or the country's readiness to battle cyber terrorism.

Schmidt, who worked in the White House for 31 years, was appointed by President Bush as Special Adviser for Cyberspace Security for the White House just three months after the terrorist attacks of Sept. 11. In January of 2003, he became the chair of the President's Critical Infrastructure Protection Board before retiring in May of the same year.

But his security work doesn't begin or end with the government.

Schmidt once served as chief security officer for Microsoft Corp., and was Vice President and Chief Information Security Officer and Chief Security Strategist for eBay. During his military years, he was a supervisory special agent and director of the Air Force Office of Special Investigations (AFOSI) Computer Forensic Lab and Computer Crime and Information Warfare Division.

And his retirement from the White House has not slowed him down.

He has assumed the position of Chief Security Strategist for the U.S. CERT Partners Program for the National Cyber Security Division. Schmidt also is president and CEO of R&H Security Consulting LLC, a company he formed with his wife to focus on computer forensics and security consulting. And he is co-founder of CSO Interchange, which holds vendor-neutral meetings for CSOs to discuss issues and share information.

In a one-on-one interview with Datamation, Schmidt talks about chief security officers' growing status in the corporate world, whether or not CSOs are trained enough to handle their jobs and what they need to do a better job.

Q: A recent survey by CSO Interchange shows that CSOs say their jobs are more difficult than they were a year ago. What is changing?
There are a few things changing. There are a couple good news stories. CSOs are getting more authority and responsibility than they've ever had in the past and that makes it more difficult. The second thing is we're seeing increased use of wireless and instant messaging, which is becoming a cornerstone of the way companies communicate. It's all more complicated, but we all feel we're doing a better job than we've ever done before securing the enterprise.

Q: IT managers and security professionals have been saying for years that they need more authority to do their jobs well. Are they finally getting their wish?
That's one of the good news things -- having increased responsibility and the associated authority. The security officer who has the responsibility but not the authority just becomes the person to blame when things go wrong. Give us the responsibility and the authority to go ahead and effect changes. If you look at the survey, we are feeling much more comfortable with the level of security we're able to implement. We're doing a better job because we have more authority.

Q: Your survey also showed that a lot of CSOs say their companies are relatively safe from worms, viruses and Trojan horses. Are they as safe as they think they are?
Yah, I think we are. We're better equipped to handle it. It's like anything else. Once something rises to the level of being the most pronounced threat out there, we work very hard at it. It's not surprising we think we're best equipped to deal with it. It's been such a problem in the past that we work really hard to make sure it's not a problem anymore.

Q: When it comes to malware, are corporate networks safer today than they were a year ago or two or three years ago?
I think we're probably a factor of two to three times better protected than last year. I have not gotten one malicious piece of code or phishing in my inbox in nine months now. They wind up in my spam box or in my anti-virus filter... We're not going to sit back and rest on our laurels but we are happy about it... During a particular outbreak of some sort, you'll read about this company being affected, but you don't read about the 6,000 companies that weren't infected.

Q: You talk with a lot of CSOs. What are they worried about?
The whole issue of vulnerabilities and code we don't know about yet. As all the major vendors come out with new patches, it's always on our minds about what it's going to take to fix the next one. That's the conversation we most often have. Looking at new methods of communication, like IM, getting away from static user ID and passwords. The targets are becoming the end users.

The rest of our one-on-one interview with Howard Schmidt will run tomorrow, Friday, July 8.