A former White House security advisor turned corporate consultant says IT security professionals have a bigger and more complicated job to deal with than ever before. But he also says they're more prepared and better equipped to handle it.
Howard Schmidt is a man with a lot of experience in security -- both in the government and in the corporate field. He's the type of man who garners a great deal of attention when he speaks out on security issues, whether they be corporate readiness to fight off virus attacks or the country's readiness to battle cyber terrorism.
But his security work doesn't begin or end with the government.
Schmidt once served as chief security officer for Microsoft Corp., and was Vice President and Chief Information Security Officer and Chief Security Strategist for eBay. During his military years, he was a supervisory special agent and director of the Air Force Office of Special Investigations (AFOSI) Computer Forensic Lab and Computer Crime and Information Warfare Division.
And his retirement from the White House has not slowed him down.
He has assumed the position of Chief Security Strategist for the U.S. CERT Partners Program for the National Cyber Security Division. Schmidt also is president and CEO of R&H Security Consulting LLC, a company he formed with his wife to focus on computer forensics and security consulting. And he is co-founder of CSO Interchange, which holds vendor-neutral meetings for CSOs to discuss issues and share information.
In a one-on-one interview with Datamation, Schmidt talks about chief security officers' growing status in the corporate world, whether or not CSOs are trained enough to handle their jobs and what they need to do a better job.
Q: A recent survey by CSO Interchange shows that CSOs say their jobs are more difficult than they were a year ago. What is changing?
There are a few things changing. There are a couple good news stories. CSOs are getting more authority and responsibility than they've ever had in the past and that makes it more difficult. The second thing is we're seeing increased use of wireless and instant messaging, which is becoming a cornerstone of the way companies communicate. It's all more complicated, but we all feel we're doing a better job than we've ever done before securing the enterprise.
Q: IT managers and security professionals have been saying for years that they need more authority to do their jobs well. Are they finally getting their wish?
That's one of the good news things -- having increased responsibility and the associated authority. The security officer who has the responsibility but not the authority just becomes the person to blame when things go wrong. Give us the responsibility and the authority to go ahead and effect changes. If you look at the survey, we are feeling much more comfortable with the level of security we're able to implement. We're doing a better job because we have more authority.
Q: Your survey also showed that a lot of CSOs say their companies are relatively safe from worms, viruses and Trojan horses. Are they as safe as they think they are?
Yeah, I think we are. We're better equipped to handle it. It's like anything else. Once something rises to the level of being the most pronounced threat out there, we work very hard at it. It's not surprising we think we're best equipped to deal with it. It's been such a problem in the past that we work really hard to make sure it's not a problem anymore.
Q: When it comes to malware, are corporate networks safer today than they were a year ago or two or three years ago?
I think we're probably a factor of two to three times better protected than last year. I have not gotten one malicious piece of code or phishing in my inbox in nine months now. They wind up in my spam box or in my anti-virus filter... We're not going to sit back and rest on our laurels but we are happy about it... During a particular outbreak of some sort, you'll read about this company being affected, but you don't read about the 6,000 companies that weren't infected.
Q: You talk with a lot of CSOs. What are they worried about?
The whole issue of vulnerabilities and code we don't know about yet. As all the major vendors come out with new patches, it's always on our minds about what it's going to take to fix the next one. That's the conversation we most often have. Looking at new methods of communication, like IM, getting away from static user ID and passwords. The targets are becoming the end users.
The rest of our one-on-one interview with Howard Schmidt will run tomorrow, Friday, July 8.