Saturday, October 23, 2021

More Howard Schmidt on Training, Risks & Outsourcing

This is the second piece in a two-part interview with former White

House Security Advisor Howard Schmidt. To see the first part of our

interview with him click here

.

IT security professionals are better trained today than they’ve ever

been, but they need to keep learning about the business side of their

companies if they’re going to keep their networks safe, and advance their

own careers, according to arguably one of the best known figures in the

security industry.

Howard Schmidt, who worked in the White House for 31 years, was chair of

the President’s Critical Infrastructure Protection Board before retiring

in May of 2003. The man who once was chief security officer for Microsoft

Corp. and Chief Security Strategist for eBay, now runs R&H Security

Consulting LLC, a company he formed with his wife to focus on computer

forensics and security consulting.

One of his goals these days is to bring security professionals together

to discuss what issues they’re facing, what attacks they’re battling and

what technologies and policies are working for them. In the second part

of Datamation’s one-on-one Q&A with Schmidt, he talks about how

qualified CSOs are for their jobs today, what they need to do their jobs

better and how outsourcing and offshoring are affecting corporate

security.

Q: CSOs say they aren’t prepared to deal with social engineering. How

much of a problem has this become?

It doesn’t happen often, but it always has impact. Look at Choicepoint,

as an example. There were bad guys posing as good guys doing a lot of bad

things to the company. Social engineering is just another phrase for con

artist. That’s something that is really difficult to control… We still

have people falling victim to phishing emails. It’s playing off people’s

weaknesses and their desire to do business or their desire to be nice.

It’s an awareness issue.

Q: What needs to be done to curb it?

As people grow up with technology, it will be easier to recognize these

things and not fall victim to them… [Until then] it’s a combination of

things. We’re doing a better job of education, a better job of providing

tools… and there’s also the law enforcement response. The law

enforcement community has really stepped up some efforts and they’ve been

very public about it. Between new technology, information sharing amongst

security professionals and new law enforce ment tools, it will have an

impact in the short term — until people become more aware.

Q: You’ve done a survey that shows CSOs are worried about

inappropriate use. What do you mean by that?

It’s where you have a policy that says you don’t IM or download P2P files

[in the workplace or via company equipment]. There might be a policy

about going to relay channels. People use the systems for what they’re

not designed to be used for. Some companies say, this is a company

machines and to better protect our system, you’re not going to do these

things. And that’s inappropriate use.

Q: Has this gotten out of control on enterprise networks?

It’s not out of control but it’s difficult to manage. When people follow

policy, you can do a much better job of securing systems. It’s not out of

control, but it needs to be monitored and dealt with. I had a

conversation with somebody about a person repeatedly using the computer

for non-work-related stuff — against policy. The manager said, ”He’s a

good employee, so I’ll talk to this person but I won’t take any

disciplinary [action]” It’s all about the perspective from a security

professional and the perspective of a business person. A lot of this

boils down to a business decision. If the employee is downloading viruses

and worms, that’s obviously a big risk.

Q: Since CSOs have so much responsibility and a growing list of

challenges, do they largely have enough training to do these jobs

well?

That’s where we’ve seen the change over the last few years. If you had

asked me that three years ago, I’d have said no. There were very few

people who had the technical understanding of security implementation, as

well as the [understanding] of the business side of things. Over the last

two to three years, as we’ve seen security responsibility go higher up

the echelons, the successful ones have that experience. It’s not good to

have it on someone’s shoulders to learn by the school of hard knocks…

One of the issues was how do we deal with that… We understand that

better so we’re focusing on that more.

Q: What is the one thing, above all others, that you think CSOs need

to do their jobs better?

Clearly, it’s support from the executive-level staff and the backing of

senior executive staff. I don’t know if I’d ever go back to a corporate

job, but if I did, I’d want to meet with the CEO and I’d want a

conversation with him to make sure they buy into the concept of security

being a business enabler. If they don’t have executive support, then all

is for naught.

Q: How is outsourcing and offshoring affecting security and security

professionals’ jobs?

That’s interesting. I was dead set against outsourcing security years

ago. After trying to keep people trained and asking for bigger budgets, I

found a lot of things become cost effective and more economically

feasible. As long as you retain skill and effectiveness internally, then

you can leverage to deal with day-to-day work that you don’t need to do

inhouse. There really are some benefits. The biggest thing to worry about

is to make sure you hire someone who knows what they’re doing. It’s very

competitive. You might know absolutely nothing about them… You really

have to do your due diligence that they’re trustworthy, they know their

stuff and they’ll be there in the long haul with yah… They know every

vulnerability and skull in the closet, so you need to make sure that

today’s security consultant doesn’t become tomorrow’s hacker.

Q: Overall, are companies safer today than they were a year ago or two

years ago?

Absolutely. We’re far better off this year than last year, and

significantly better off than the year before. Next year we’ll be better

off than we are now. This is a progressive thing. We’re seeing technology

being very proactive.

Similar articles

Latest Articles