This is the second piece in a two-part interview with former White
House Security Advisor Howard Schmidt. To see the first part of our
interview with him, click here.
IT security professionals are better trained today than they’ve ever
been, but they need to keep learning about the business side of their
companies if they’re going to keep their networks safe, and advance their
own careers, according to arguably one of the best known figures in the
security industry.
Howard Schmidt, who worked in the White House for 31 years, was chair of
the President’s Critical Infrastructure Protection Board before retiring
in May of 2003. The man who once was chief security officer for Microsoft
Corp. and Chief Security Strategist for eBay, now runs R&H Security
Consulting LLC, a company he formed with his wife to focus on computer
forensics and security consulting.
One of his goals these days is to bring security professionals together
to discuss what issues they’re facing, what attacks they’re battling and
what technologies and policies are working for them. In the second part
of Datamation’s one-on-one Q&A with Schmidt, he talks about how
qualified CSOs are for their jobs today, what they need to do their jobs
better and how outsourcing and offshoring are affecting corporate
security.
Q: CSOs say they aren’t prepared to deal with social engineering. How
much of a problem has this become?
It doesn’t happen often, but it always has impact. Look at Choicepoint,
as an example. There were bad guys posing as good guys doing a lot of bad
things to the company. Social engineering is just another phrase for con
artist. That’s something that is really difficult to control… We still
have people falling victim to phishing emails. It’s playing off people’s
weaknesses and their desire to do business or their desire to be nice.
It’s an awareness issue.
Q: What needs to be done to curb it?
As people grow up with technology, it will be easier to recognize these
things and not fall victim to them… [Until then] it’s a combination of
things. We’re doing a better job of education, a better job of providing
tools… and there’s also the law enforcement response. The law
enforcement community has really stepped up some efforts and they’ve been
very public about it. Between new technology, information sharing amongst
security professionals and new law enforcement tools, it will have an
impact in the short term — until people become more aware.
Q: You’ve done a survey that shows CSOs are worried about
inappropriate use. What do you mean by that?
It’s where you have a policy that says you don’t IM or download P2P files
[in the workplace or via company equipment]. There might be a policy
about going to relay channels. People use the systems for what they’re
not designed to be used for. Some companies say, this is a company
machine and to better protect our system, you’re not going to do these
things. And that’s inappropriate use.
Q: Has this gotten out of control on enterprise networks?
It’s not out of control but it’s difficult to manage. When people follow
policy, you can do a much better job of securing systems. It’s not out of
control, but it needs to be monitored and dealt with. I had a
conversation with somebody about a person repeatedly using the computer
for non-work-related stuff — against policy. The manager said, “He’s a
good employee, so I’ll talk to this person but I won’t take any
disciplinary [action].” It’s all about the perspective from a security
professional and the perspective of a business person. A lot of this
boils down to a business decision. If the employee is downloading viruses
and worms, that’s obviously a big risk.
Q: Since CSOs have so much responsibility and a growing list of
challenges, do they largely have enough training to do these jobs
well?
That’s where we’ve seen the change over the last few years. If you had
asked me that three years ago, I’d have said no. There were very few
people who had the technical understanding of security implementation, as
well as the [understanding] of the business side of things. Over the last
two to three years, as we’ve seen security responsibility go higher up
the echelons, the successful ones have that experience. It’s not good to
have it on someone’s shoulders to learn by the school of hard knocks…
One of the issues was how do we deal with that… We understand that
better so we’re focusing on that more.
Q: What is the one thing, above all others, that you think CSOs need
to do their jobs better?
Clearly, it’s support from the executive-level staff and the backing of
senior executive staff. I don’t know if I’d ever go back to a corporate
job, but if I did, I’d want to meet with the CEO and I’d want a
conversation with him to make sure they buy into the concept of security
being a business enabler. If they don’t have executive support, then all
is for naught.
Q: How are outsourcing and offshoring affecting security and security
professionals’ jobs?
That’s interesting. I was dead set against outsourcing security years
ago. After trying to keep people trained and asking for bigger budgets, I
found a lot of things become cost effective and more economically
feasible. As long as you retain skill and effectiveness internally, then
you can leverage to deal with day-to-day work that you don’t need to do
inhouse. There really are some benefits. The biggest thing to worry about
is to make sure you hire someone who knows what they’re doing. It’s very
competitive. You might know absolutely nothing about them… You really
have to do your due diligence that they’re trustworthy, they know their
stuff and they’ll be there in the long haul with yah… They know every
vulnerability and skull in the closet, so you need to make sure that
today’s security consultant doesn’t become tomorrow’s hacker.
Q: Overall, are companies safer today than they were a year ago or two
years ago?
Absolutely. We’re far better off this year than last year, and
significantly better off than the year before. Next year we’ll be better
off than we are now. This is a progressive thing. We’re seeing technology
being very proactive.