Sunday, September 26, 2021

Howard Schmidt on CSOs, Risks and Responsibilities

This is the first in a two-part Q&A with former White House Security Advisor Howard Schmidt. Follow the rest of the story here.

A former White House security advisor turned corporate consultant says IT security professionals have a bigger and more complicated job to deal with than ever before. But he also says they’re more prepared and better equipped to handle it.

Howard Schmidt is a man with a lot of experience in security — both in the government and in the corporate field. He’s the type of man who garners a great deal of attention when he speaks out on security issues, whether they be corporate readiness to fight off virus attacks or the country’s readiness to battle cyber terrorism.

Schmidt, who worked in the White House for 31 years, was appointed by President Bush as Special Adviser for Cyberspace Security for the White House just three months after the terrorist attacks of Sept. 11. In January of 2003, he became the chair of the President’s Critical Infrastructure Protection Board before retiring in May of the same year.

But his security work doesn’t begin or end with the government. Schmidt once served as chief security officer for Microsoft Corp., and was Vice President and Chief Information Security Officer and Chief Security Strategist for eBay. During his military years, he was a supervisory special agent and director of the Air Force Office of Special Investigations (AFOSI) Computer Forensic Lab and Computer Crime and Information Warfare Division.

And his retirement from the White House has not slowed him down. He has assumed the position of Chief Security Strategist for the U.S. CERT Partners Program for the National Cyber Security Division. Schmidt also is president and CEO of R&H Security Consulting LLC, a company he formed with his wife to focus on computer forensics and security consulting. And he is co-founder of CSO Interchange, which holds vendor-neutral meetings for CSOs to discuss issues and share information.

In a one-on-one interview with Datamation, Schmidt talks about chief security officers’ growing status in the corporate world, whether or not CSOs are trained enough to handle their jobs and what they need to do a better job.

Q: A recent survey by CSO Interchange shows that CSOs say their jobs are more difficult than they were a year ago. What is changing?

There are a few things changing. There are a couple good news stories. CSOs are getting more authority and responsibility than they’ve ever had in the past and that makes it more difficult. The second thing is we’re seeing increased use of wireless and instant messaging, which is becoming a cornerstone of the way companies communicate. It’s all more complicated, but we all feel we’re doing a better job than we’ve ever done before securing the enterprise.

Q: IT managers and security professionals have been saying for years that they need more authority to do their jobs well. Are they finally getting their wish?

That’s one of the good news things — having increased responsibility and the associated authority. The security officer who has the responsibility but not the authority just becomes the person to blame when things go wrong. Give us the responsibility and the authority to go ahead and effect changes. If you look at the survey, we are feeling much more comfortable with the level of security we’re able to implement. We’re doing a better job because we have more authority.

Q: Your survey also showed that a lot of CSOs say their companies are relatively safe from worms, viruses and Trojan horses. Are they as safe as they think they are?

Yah, I think we are. We’re better equipped to handle it. It’s like anything else. Once something rises to the level of being the most pronounced threat out there, we work very hard at it. It’s not surprising we think we’re best equipped to deal with it. It’s been such a problem in the past that we work really hard to make sure it’s not a problem anymore.

Q: When it comes to malware, are corporate networks safer today than they were a year ago or two or three years ago?

I think we’re probably a factor of two to three times better protected than last year. I have not gotten one malicious piece of code or phishing in my inbox in nine months now. They wind up in my spam box or in my anti-virus filter… We’re not going to sit back and rest on our laurels but we are happy about it… During a particular outbreak of some sort, you’ll read about this company being affected, but you don’t read about the 6,000 companies that weren’t infected.

Q: You talk with a lot of CSOs. What are they worried about?

The whole issue of vulnerabilities and code we don’t know about yet. As all the major vendors come out with new patches, it’s always on our minds about what it’s going to take to fix the next one. That’s the conversation we most often have. Looking at new methods of communication, like IM, getting away from static user ID and passwords. The targets are becoming the end users.

The rest of our one-on-one interview with Howard Schmidt will run tomorrow, Friday, July 8.
