Howard Schmidt on CSOs, Risks and Responsibilities

In the first of a two-part Q&A, the former White House security advisor turned corporate consultant says IT has a bigger and more complicated job to deal with than ever before. But he also says they're more prepared and better equipped to handle it.
This is the first in a two-part Q&A with former White House Security Advisor Howard Schmidt.


Howard Schmidt is a man with a lot of experience in security -- both in the government and in the corporate field. He's the type of man who garners a great deal of attention when he speaks out on security issues, whether they be corporate readiness to fight off virus attacks or the country's readiness to battle cyber terrorism.

Schmidt, who worked in the White House for 31 years, was appointed by President Bush as Special Adviser for Cyberspace Security for the White House just three months after the terrorist attacks of Sept. 11. In January of 2003, he became the chair of the President's Critical Infrastructure Protection Board before retiring in May of the same year.

But his security work doesn't begin or end with the government.

Schmidt once served as chief security officer for Microsoft Corp., and was Vice President and Chief Information Security Officer and Chief Security Strategist for eBay. During his military years, he was a supervisory special agent and director of the Air Force Office of Special Investigations (AFOSI) Computer Forensic Lab and Computer Crime and Information Warfare Division.

And his retirement from the White House has not slowed him down.

He has assumed the position of Chief Security Strategist for the U.S. CERT Partners Program for the National Cyber Security Division. Schmidt also is president and CEO of R&H Security Consulting LLC, a company he formed with his wife to focus on computer forensics and security consulting. And he is co-founder of CSO Interchange, which holds vendor-neutral meetings for CSOs to discuss issues and share information.

In a one-on-one interview with Datamation, Schmidt talks about chief security officers' growing status in the corporate world, whether or not CSOs are trained enough to handle their jobs and what they need to do a better job.

Q: A recent survey by CSO Interchange shows that CSOs say their jobs are more difficult than they were a year ago. What is changing?
There are a few things changing. There are a couple of good news stories. CSOs are getting more authority and responsibility than they've ever had in the past, and that makes it more difficult. The second thing is we're seeing increased use of wireless and instant messaging, which is becoming a cornerstone of the way companies communicate. It's all more complicated, but we all feel we're doing a better job than we've ever done before securing the enterprise.

Q: IT managers and security professionals have been saying for years that they need more authority to do their jobs well. Are they finally getting their wish?
That's one of the good news things -- having increased responsibility and the associated authority. The security officer who has the responsibility but not the authority just becomes the person to blame when things go wrong. Give us the responsibility and the authority to go ahead and effect changes. If you look at the survey, we are feeling much more comfortable with the level of security we're able to implement. We're doing a better job because we have more authority.

Q: Your survey also showed that a lot of CSOs say their companies are relatively safe from worms, viruses and Trojan horses. Are they as safe as they think they are?
Yeah, I think we are. We're better equipped to handle it. It's like anything else. Once something rises to the level of being the most pronounced threat out there, we work very hard at it. It's not surprising we think we're best equipped to deal with it. It's been such a problem in the past that we work really hard to make sure it's not a problem anymore.

Q: When it comes to malware, are corporate networks safer today than they were a year ago or two or three years ago?
I think we're probably a factor of two to three times better protected than last year. I have not gotten one malicious piece of code or phishing in my inbox in nine months now. They wind up in my spam box or in my anti-virus filter... We're not going to sit back and rest on our laurels but we are happy about it... During a particular outbreak of some sort, you'll read about this company being affected, but you don't read about the 6,000 companies that weren't infected.

Q: You talk with a lot of CSOs. What are they worried about?
The whole issue of vulnerabilities and code we don't know about yet. As all the major vendors come out with new patches, it's always on our minds what it's going to take to fix the next one. That's the conversation we most often have. Looking at new methods of communication, like IM, and getting away from static user IDs and passwords. The targets are becoming the end users.

The rest of our one-on-one interview with Howard Schmidt will run tomorrow, Friday, July 8.
