White House insider urges cyber-security rethink

IT security is moving into the enterprise core as organizations strive to combat data breaches and other pervasive Internet threats, according to a former White House cyber-security expert.

Howard Schmidt, a former special adviser for cyberspace security to the White House, says “operationalizing” security involves making it a component of the whole enterprise architecture, as opposed to simply a plug-in component for deploying security agents such as antivirus, firewall and intrusion detection systems.

“One of the biggest things I see in the enterprise is that they’re looking to insert security as this standalone thing,” says Schmidt, who was also chief security strategist for the U.S. Computer Emergency Response Team at the Department of Homeland Security.

“They look at antivirus, anti-spyware and firewalls as almost discrete components of an enterprise.”

Schmidt, who has been traveling to various countries recently to speak on cyber-security issues, says the industry is beginning to see a shift in how enterprises are handling IT security.

Making security a part of the enterprise architecture gives the IT department a panoramic view of security as it relates to the whole enterprise, he adds.

“Many companies are realizing the benefit of having this visibility across the enterprise,” says Schmidt. “Instead of spending $10,000 to manage individual, discrete devices, by having a single platform that you’re viewing across, you get the economies of scale.”

Schmidt likens the shift in security management to firefighting, where previously homes and office buildings were built and furnished without considering the flammability of materials used. In the olden days, as well, firefighting was a voluntary effort, he explains.

“Much of what we were doing (in the enterprise) was subject to compromise, subject to data breaches, subject to identity theft. And the way we dealt with it, at the time, was to run in there like the volunteer fire department, sort of like the technologists who have a little bit of a sensibility around security.”

The next generation of firefighting, however, saw buildings built with sprinkler systems, for instance, or with less flammable materials. The same shift is happening in the enterprise security arena, where it’s becoming less about how quickly an organization can respond to an incident and more about preventing breaches from happening, says Schmidt.

So, how does an organization make the shift? The first step is to identify where the risks are, says Schmidt.

“In many enterprises, the measurement of success is based on 99.999 per cent uptime. You have to look back and identify what the risks are, both internal and external, such as telecom failure, hardware failure, software failure,” he says.

Schmidt suggests looking at some standards already in place that pertain to risk mitigation and then finding those that best apply to your organization. Some of the more useful are ISO 17799, COBIT (Control Objectives for Information and Related Technology) and the National Institute of Standards and Technology’s framework on risk management.

The biggest issue around operationalizing security may not be technical, however, says Tom Keenan, a professor at University of Calgary and IT security spokesperson for the Canadian Information Processing Society (CIPS).

“The most dangerous part of any computer system is the people who run it,” said Keenan. “The issue is really a culture of awareness among your people so that they don’t even think about doing something that would break security.”

Identifying where the risks exist may be the first step, as Schmidt suggests, but educating employees on the consequences of those risks may be a bigger challenge, says Keenan.

Even with the best technological safeguards in place, security breaches can still occur without proper awareness among the people who use the technology.

“(For example) there are companies that log after-hours access to their systems. The problem, of course, is that somebody has to look at those logs and do something about it, and that is where we fall down,” says Keenan.
