IT security professionals are better trained today than they've ever been, but they need to keep learning about the business side of their companies if they're going to keep their networks safe, and advance their own careers, according to arguably one of the best known figures in the security industry.
Howard Schmidt, who worked in the White House for 31 years, was chair of the President's Critical Infrastructure Protection Board before retiring in May of 2003. The man who once was chief security officer for Microsoft Corp. and Chief Security Strategist for eBay, now runs R&H Security Consulting LLC, a company he formed with his wife to focus on computer forensics and security consulting.
One of his goals these days is to bring security professionals together to discuss what issues they're facing, what attacks they're battling and what technologies and policies are working for them. In the second part of Datamation's one-on-one Q&A with Schmidt, he talks about how qualified CSOs are for their jobs today, what they need to do their jobs better and how outsourcing and offshoring are affecting corporate security.
Q: CSOs say they aren't prepared to deal with social engineering. How much of a problem has this become?
It doesn't happen often, but it always has impact. Look at ChoicePoint, as an example. There were bad guys posing as good guys doing a lot of bad things to the company. Social engineering is just another phrase for con artist. That's something that is really difficult to control... We still have people falling victim to phishing emails. It's playing off people's weaknesses and their desire to do business or their desire to be nice. It's an awareness issue.
Q: What needs to be done to curb it?
As people grow up with technology, it will be easier to recognize these things and not fall victim to them... [Until then] it's a combination of things. We're doing a better job of education, a better job of providing tools... and there's also the law enforcement response. The law enforcement community has really stepped up some efforts and they've been very public about it. Between new technology, information sharing amongst security professionals and new law enforcement tools, it will have an impact in the short term -- until people become more aware.
Q: You've done a survey that shows CSOs are worried about inappropriate use. What do you mean by that?
It's where you have a policy that says you don't IM or download P2P files [in the workplace or via company equipment]. There might be a policy about going to relay channels. People use the systems for what they're not designed to be used for. Some companies say, this is a company machine and to better protect our system, you're not going to do these things. And that's inappropriate use.
Q: Has this gotten out of control on enterprise networks?
It's not out of control but it's difficult to manage. When people follow policy, you can do a much better job of securing systems. It's not out of control, but it needs to be monitored and dealt with. I had a conversation with somebody about a person repeatedly using the computer for non-work-related stuff -- against policy. The manager said, "He's a good employee, so I'll talk to this person but I won't take any disciplinary [action]." It's all about the perspective from a security professional and the perspective of a business person. A lot of this boils down to a business decision. If the employee is downloading viruses and worms, that's obviously a big risk.
Q: Since CSOs have so much responsibility and a growing list of challenges, do they largely have enough training to do these jobs?
That's where we've seen the change over the last few years. If you had asked me that three years ago, I'd have said no. There were very few people who had the technical understanding of security implementation, as well as the [understanding] of the business side of things. Over the last two to three years, as we've seen security responsibility go higher up the echelons, the successful ones have that experience. It's not good to have it on someone's shoulders to learn by the school of hard knocks... One of the issues was how do we deal with that... We understand that better so we're focusing on that more.
Q: What is the one thing, above all others, that you think CSOs need to do their jobs better?
Clearly, it's support from the executive-level staff and the backing of senior executive staff. I don't know if I'd ever go back to a corporate job, but if I did, I'd want to meet with the CEO and I'd want a conversation with him to make sure they buy into the concept of security being a business enabler. If they don't have executive support, then all is for naught.
Q: How are outsourcing and offshoring affecting security and security
That's interesting. I was dead set against outsourcing security years ago. After trying to keep people trained and asking for bigger budgets, I found a lot of things become cost effective and more economically feasible. As long as you retain skill and effectiveness internally, then you can leverage to deal with day-to-day work that you don't need to do in-house. There really are some benefits. The biggest thing to worry about is to make sure you hire someone who knows what they're doing. It's very competitive. You might know absolutely nothing about them... You really have to do your due diligence that they're trustworthy, they know their stuff and they'll be there in the long haul with yah... They know every vulnerability and skull in the closet, so you need to make sure that today's security consultant doesn't become tomorrow's hacker.
Q: Overall, are companies safer today than they were a year ago or two
Absolutely. We're far better off this year than last year, and significantly better off than the year before. Next year we'll be better off than we are now. This is a progressive thing. We're seeing technology being very proactive.