Howard Schmidt — bridging cyber-security gaps
Howard Schmidt, CISSP, is the VP and chief information officer
for eBay, and has served as the chairman of the US President's Critical
Infrastructure Protection Board. He was also CSO of Microsoft, where
he managed the secure strategies group. He has also been a director
of the US Air Force Office of Special Investigations, Computer Forensic
Lab and Computer Crime and Information Warfare HQ, where he established
the first dedicated computer forensic lab in US government.
He recently spoke to Brian McKenna about professional certification,
what civilian IT security managers can learn from law enforcement
and the military, and 9/11. He urges IT security professionals not
to be hide-bound, and to mind the gaps in their knowledge.
Will the computer forensics community professionalize in
the same way as the infosecurity community has with (ISC)2?
There has been a lot of discussion about that over the last ten
years. The computer forensics certifications that exist now are
ad hoc, about no more than a few friends getting together
and saying ‘this is what we do’. There is nothing blessed
by academia, nor anything on the professional level of a CISSP or
a CISM.
The challenge is that the career path in law enforcement is very
varied. You might start off as a uniformed policeman, then go into
an investigator role, where you might build up your expertise in
computer forensics, and then, in order to be promoted, you might
move back into the uniformed arena in a managerial role. So there
is not the same continuity as there is in the private sector. That
is one of the reasons why we haven’t done that; you jump in
and out too much.
What kind of things do you think IT security professionals
can learn from law enforcement and from intelligence officers in
the military?
In the US, Germany, Australia, and in the UK we see a number of
former law enforcement officials — like myself — moving
into the corporate security business, and we are bringing things
with us that are changing mind sets. For those who’ve not
served in law enforcement, one major thing to learn is that not
everything you do will result in a conviction or termination of
employment.
Also you need to realize that if you do call in the police that
does not mean your business will be shut down. When you are the
victim of a hack attack or a DDoS attack there is a natural tension
between getting the system back up and running and gathering evidence.
But you can do both at the same time!
We’ve been teaching this for years. But in the late 80s and
early 90s we, in law enforcement, realized we were still not getting
the calls because people feared business disruption.
There is a lot of talk these days about the infosec profession
evolving into risk management. Is there much substance to this,
or is it just fancy verbiage?
There is substance to it, and it is a trend. But there is also
a movement into broader IT — ultimately to the CIO role. That
is because, in order to be really good at security, you need to
know how the IT infrastructure works. So you have to operationalize
security into the fabric of the IT organization.
On the risk management side, the business needs of security are
dictating. So there is movement either to the world of risk managers
and auditors or to the straight IT world.
What would be your main advice to an IT security manager,
with a CISSP, with respect to further professional education?
Two things: one, look beyond the day to day operations —
envision what to do to make the business better in terms of security.
And secondly, take care you work in a collegiate manner with the
business owners, and upwards with the CTO, the CFO and so on. In
order for the security function, and for you, to be successful,
you need to be more than a security person. You need to develop
relationships to understand what the business needs.
Security is no longer our closed world, and increasingly we see
the new face of the security executive at the Board meetings and
leading the information security council, and working with the business
units — even though security is still a cost centre.
To that end — the training of the emerging breed of security
executives — there are things like the CSO Institute at Carnegie
Mellon University.
When you left the White House in April 2003, did you think,
‘job done’?
When I was called after September 11, my job was to create a national
strategy and to develop an international dialogue around cyber-security
that would bring it to a higher level of recognition.
We’ve been successful in both of those respects. The blueprint
for the operational part has been put into effect by the Department
of Homeland Security in the US, and we are sharing that with our
partners around the world.
Was September 11, in retrospect, the catalyst for all that?
We’d done a lot of work before then. In 1996, I was involved
in the President’s Commission for Critical Infrastructure
Protection (the PCCIP), and out of that came, in May 1998, Presidential
Decision Directive (PDD) no 63 that recognized that the vast majority
of the critical infrastructure was in the private sector, and there
were no CNI touch points in the US government. Also we saw that
the private sector was not organized by sector very well.
From that we established the ISACS – the Information Sharing
Analysis Centres. So, they were created before 9/11, and, by April
2001, the plan for creating the President’s critical infrastructure
protection board was submitted and under review.
But 9/11 did accelerate a lot of the plans.
Would you say that IT security managers should educate
themselves about geopolitics?
Yes, especially when they work for multi-national corporations.
There is a useful comparison to be made with the days of the Cold
War. There were still business opportunities in the old Eastern
bloc, even though there were always restrictions. Now those have
broken down, but there are still prohibitions, and there are clear
prohibitions on doing business with governments that sponsor terrorism.
And, in the Asian markets there is a nervousness now that high
profile companies are working with governments that we may not always
have the best relationships with. So, understanding how you can
serve a broader customer base without shunning the political relations
of your own government is very important.
You’ve experienced a broad range of roles —
from Microsoft through the White House to eBay. What thoughts do
you have on the similarities and differences?
The main challenge is showing that security is not just a necessary
evil, but is part of the day to day business — and that goes
for defence or online auctions. The security processes are the same
whether ‘the business’ is profit or national security.