This is the first in a two-part Q&A with former White House Security
Advisor Howard Schmidt.
A former White House security advisor turned corporate consultant says IT
security professionals have a bigger and more complicated job to deal
with than ever before. But he also says they’re more prepared and better
equipped to handle it.
Howard Schmidt is a man with a lot of experience in security — both in
the government and in the corporate field. He’s the type of man who
garners a great deal of attention when he speaks out on security issues,
whether they be corporate readiness to fight off virus attacks or the
country’s readiness to battle cyber terrorism.
Schmidt, who worked in the White House for 31 years, was appointed by
President Bush as Special Adviser for Cyberspace Security for the White
House just three months after the terrorist attacks of Sept. 11. In
January of 2003, he became the chair of the President’s Critical
Infrastructure Protection Board before retiring in May of the same year.
But his security work doesn’t begin or end with the government.
Schmidt once served as chief security officer for Microsoft Corp., and
was Vice President and Chief Information Security Officer and Chief
Security Strategist for eBay. During his military years, he was a
supervisory special agent and director of the Air Force Office of Special
Investigations (AFOSI) Computer Forensic Lab and Computer Crime and
Information Warfare Division.
And his retirement from the White House has not slowed him down.
He has assumed the position of Chief Security Strategist for the U.S.
CERT Partners Program for the National Cyber Security Division. Schmidt
also is president and CEO of R&H Security Consulting LLC, a company he
formed with his wife to focus on computer forensics and security
consulting. And he is co-founder of CSO Interchange, which holds
vendor-neutral meetings for CSOs to discuss issues and share information.
In a one-on-one interview with Datamation, Schmidt talks about
chief security officers’ growing status in the corporate world, whether
or not CSOs are trained enough to handle their jobs and what they need to
do a better job.
Q: A recent survey by CSO Interchange shows that CSOs say their jobs
are more difficult than they were a year ago. What is changing?
There are a few things changing. There are a couple good news stories.
CSOs are getting more authority and responsibility than they’ve ever had
in the past and that makes it more difficult. The second thing is we’re
seeing increased use of wireless and instant messaging, which is becoming
a cornerstone of the way companies communicate. It’s all more
complicated, but we all feel we’re doing a better job than we’ve ever
done before securing the enterprise.
Q: IT managers and security professionals have been saying for years
that they need more authority to do their jobs well. Are they finally
getting their wish?
That’s one of the good news things — having increased responsibility and
the associated authority. The security officer who has the responsibility
but not the authority just becomes the person to blame when things go
wrong. Give us the responsibility and the authority to go ahead and
effect changes. If you look at the survey, we are feeling much more
comfortable with the level of security we’re able to implement. We’re
doing a better job because we have more authority.
Q: Your survey also showed that a lot of CSOs say their companies are
relatively safe from worms, viruses and Trojan horses. Are they as safe
as they think they are?
Yeah, I think we are. We’re better equipped to handle it. It’s like
anything else. Once something rises to the level of being the most
pronounced threat out there, we work very hard at it. It’s not surprising
we think we’re best equipped to deal with it. It’s been such a problem in
the past that we work really hard to make sure it’s not a problem
anymore.
Q: When it comes to malware, are corporate networks safer today than
they were a year ago or two or three years ago?
I think we’re probably a factor of two to three times better protected
than last year. I have not gotten one malicious piece of code or phishing
in my inbox in nine months now. They wind up in my spam box or in my
anti-virus filter… We’re not going to sit back and rest on our laurels
but we are happy about it… During a particular outbreak of some sort,
you’ll read about this company being affected, but you don’t read about
the 6,000 companies that weren’t infected.
Q: You talk with a lot of CSOs. What are they worried about?
The whole issue of vulnerabilities and code we don’t know about yet. As
all the major vendors come out with new patches, it’s always on our minds
about what it’s going to take to fix the next one. That’s the
conversation we most often have. Looking at new methods of communication,
like IM, getting away from static user ID and passwords. The targets are
becoming the end users.
The rest of our one-on-one interview with Howard Schmidt will run tomorrow, Friday, July 8.