by Elizabeth M. Ferrarini
For the past 30 years, Howard Schmidt has been at the forefront of the battle against computer crime. In December 2001, President George W. Bush appointed Schmidt vice chair of the President's Critical Infrastructure Protection Board, which reported to Governor Tom Ridge, then head of the White House Office of Homeland Security. Schmidt played a key role in developing "The National Strategy to Secure Cyberspace," released in February 2003.
Prior to joining the White House staff, Schmidt was chief security officer for Microsoft Corp., where he oversaw the Security Strategies Group. That group was responsible for building a trusted computing environment through auditing, policy, best practices, and the incubation of security products and practices. Schmidt has also held senior security management positions at eBay, the Air Force Office of Special Investigations, and the Federal Bureau of Investigation's National Drug Intelligence Center.
Schmidt is the co-author, with Tom Ridge, of Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. Enterpriseleadership.org recently spoke with Schmidt about the book and about what C-level executives should know about managing enterprise risk, including security.
EL: What are some of the cutting-edge security methods described in your book?
HS: There isn't anything "cutting edge." Tom and I wrote this book because people look at security and think that identity theft, hacking, and phishing began a couple of years ago. These things have been going on for more than 20 years. To this end, we take non-technical readers through a historical look at cybercrime and technology crime.
EL: Front-page news seems to occur when major companies have a security breach. What data security challenges do C-level executives face today and how can they best deal with them?
HS: For the past 10 years, companies have utilized distributed data systems, and data resides in many places. First, executives need to worry about where their most business-critical data lives. Is it at a third-party data center or on employees' laptops? Second, they need to know all of the different ways their data is being secured. They also need to know the third-party's data-retention policy. Third, executives need to examine the effectiveness level of their compliance with regulations, such as Sarbanes-Oxley, as well as how a third party handles compliance issues.
EL: How would you rate how major organizations are handling cybersecurity or data security?
HS: Everyone is struggling with having data that resides all over the place. It's impossible for any organization to know where all of the data lives. Erasing something from the Internet is difficult. On the other hand, when a company's data breach becomes front-page news, the C-level executives at major companies say, "That could've been us! How would we handle this situation so we wouldn't lose customer confidence?" C-level executives are spending a lot of time looking at the quality of controls for complying with regulations.
EL: Physical security doesn't seem to get as much airtime as data security. Shouldn't the two be treated as equally important?
HS: A lot of companies have some aspect of their data housed at a third-party location. Many hosted data centers do a good job of segregating each company's server cages from access from unauthorized people. If a business partner houses your data, you need to clarify the terms and conditions of the arrangement. You can use a service-level agreement, a legal contract, or some type of a compliance audit.
EL: Does it make sense for company executives, academics, and government professionals to come together to solve security problems?
HS: Yes. In the foreword to the Black Book on Government Security, I talk about being a contributor to the Black Book on Corporate Security. The content of each book might be different, but the goals are the same. For example, the government is concerned about issues such as national security and public safety. Companies are concerned about business continuity. Both government agencies and companies use the same technologies, the same processing, and the same training methods to solve security problems.
Sharing best practices between government agencies, academic institutions, and major corporations is mandatory. No one needs to re-invent how to make security better.
EL: How do you determine how well security is doing in an enterprise? Are there such things as security metrics?
HS: There's always been a lot of discussion about how to apply metrics to security. Take the two sides of the Y2K debate. Some people said they spent millions on the process, but nothing happened. Another group of people said if we hadn't spent any money, then bad things might have occurred.
The same type of debate takes place with security. Some metrics look at how many viruses you might have prevented, or the number of vulnerabilities that might have existed versus the ones that have been patched. These metrics are customized to a particular environment.
Right after I left the Dept. of Homeland Security, I worked on a private-sector project to develop a model for ranking security issues. The Common Vulnerability Scoring System enables an organization to tailor the model to its own environment, and its appetite for developing metrics on what's acceptable and what's not acceptable.
EL: Since you left office, how well has the Dept. of Homeland Security been handling cybersecurity?
HS: The government has been focusing on making systems better, as well as encouraging the private sector to do more. However, the private sector has done a better job of becoming more responsive to national security and public safety issues.
When I was at the White House, we worked hard to get the private sector to realize that national security is more about the business at home. The private sector responded by forming the Information Sharing and Analysis Center, which enables IT folks from the private sector to get together to further the goals set by the National Security Strategy.
EL: How effective is the chief security officer role in Fortune 1000 corporations?
HS: A few large organizations view the CSO role as a cost center or just an extension of the IT organization. However, the executive management team and its board at many major corporations count on the CSO to make the business run more efficiently and be more trusted. There is a greater partnership with the CSO than ever before. At both eBay and Microsoft, the CIO and I, as CSO, were peers. Having security outside of the IT organization reinforces the attitude that security serves a broader function than IT.
EL: If security is now perceived as a business issue, then how are organizations helping a CSO deal with operational issues?
HS: As a result of this new perception of security, more and more companies have adopted a business risk or business continuity group council model to put all of the major stakeholders on the same page about issues that affect the integrity of business operations. The model brings together the CSO, the CIO, the CTO, the chief counsel, the head of human resources, as well as representatives from the audit and risk management teams. The council works on setting policies, examining new technologies for security, resolving compliance issues, and handling business continuity.
EL: For 2007, on what things do C-level executives need to focus?
HS: The market for anti-virus and anti-phishing software has started to mature. As a result, executives need to look at emerging technologies, such as wireless. How can they protect remote workers who use their wireless laptops at airports, hotels, or coffee shops? Executives also need to look at making application vulnerabilities less of an issue.
--
Elizabeth M. Ferrarini is a technology freelance writer and IT consultant from Boston, Massachusetts. Reach her at elizabethferrarini@yahoo.com.