
Security Knowledge Is Power

Written by Howard Schmidt
11/7/2007 7 comments

Most organizations today have finally come to see information security as a business enabler and not simply as a black hole where they dump their money. Companies are putting security into every aspect of their operations to maximize productivity and profits. And they are hiring information security professionals at record rates to help them build and maintain secure networks.

Look out, though: There may be a missing piece to security that businesses aren’t considering. While information security professionals can implement a suitable set of controls -- policies, processes, procedures, and organizational structures, as well as software and hardware protection -- that may not be enough anymore. It may be time we all accept that everyone who touches information technology should understand information security threats and solutions.

This new emphasis on "security understanding for everyone" has to start with the IT department and, especially, network administrators. A recent study suggested that a high percentage of IT executives still have little idea how many breaches their network is being hit with every day, let alone any understanding of the type of incident and method of attack.

Being in the dark is never a good idea in security and often results in bad things happening. We at least need network administrators who can recognize anomalies and report them immediately to the CIO, as well as to the information security department.

We need an IT staff that has a solid foundation in information security best practices, from the upper echelon to the IT rookie. They need to implement all their information technology solutions in parallel with the security policy of the organization. Information security people converse in their own language, just as IT people converse in theirs. We need a common language and a common understanding.

Organizations can also mitigate security threats by conducting workforce awareness programs to help prevent spam, phishing, and virus attacks. Last year, one of my colleagues, Will Pelgrin, the director of the New York State Office of Cyber Security and Critical Infrastructure, conducted a pair of anti-phishing exercises within his own organization. He routed a bogus phishing email from outside the agency and delivered it to 10,000 employees. The intent of the exercise was to test employees' willingness to give up personally identifiable information to a supposedly trusted source.

Phase 1 of the test results showed 17 percent of the employees followed the link to the password-checker site; 15 percent tried to interact with the password checker; and 3 percent cut and pasted the URL into a browser. After implementing awareness training within the agency, results from phase 2 of the test showed only 14 percent of the staff followed the link; 8 percent interacted with the form; and 5 percent cut and pasted the URL.

As more organizations form dedicated information security departments, there is a danger that security training for IT professionals will be neglected. Research by (ISC)2 (the International Information Systems Security Certification Consortium) has found that reporting lines for security are going outside the IT department more and more, with only 29 percent of chief information officers having ultimate responsibility for security in their organization these days.

What we’re seeing is that there are people who will never pursue security certification or a dedicated information security career, yet they will still have significant responsibility for information security. As much of the information security function moves out of IT, there is a risk that these people will not receive any training or certification.

It is important that IT professionals who do not have formal security qualifications study for and obtain security certifications, such as the SSCP (Systems Security Certified Practitioner). The qualification is designed to validate IT professionals’ mastery of the technical implementation of systems security and their ability to collaborate with information security managers and executives responsible for security policy.

I believe that getting a formal qualification in security could give IT professionals more flexibility in their careers, as well as help institutionalize security into the day-to-day operations. As time goes on, we see more and more convergence of IT operations and security. Certifications, like the SSCP, make IT professionals more marketable and more valuable in any IT organization.

Certification also brings other value to the IT professional’s career, including professional education opportunities, peer networking and industry communication, invaluable forums and events, and more.

And let’s not forget about job opportunities. If you asked me who I would hire -- an IT professional without security knowledge or one with security knowledge -- I’d feel much more comfortable hiring the latter. As IT becomes more and more a key part of our lives, the certification of people who run these critical systems will be more and more important.

— Howard Schmidt, Former White House cybersecurity adviser

Channel: Enterprise IT, Security
CustomComputers
Rank: Cave Painter
Monday November 26, 2007 4:28:14 PM

Apparently hired by Gov. Spitzer, don't you think? It would be prudent to think that many probably cannot read, write, or understand English.

Agree on "how safe we should feel"

Michael Singer
IQ Crew
Thursday November 8, 2007 6:36:05 PM

Howard,

Thanks for revisiting this subject. I remember you raising similar concerns about certification and understanding security threats during an RSA security conference a few years back.

When Richard Clarke originally explained the relationship, there was a lot of speculation on how businesses would step up to the plate. It certainly seems like there is a collective effort yet more needs to be addressed, as you note.

It certainly looks like IT managers at the Federal level are taking the job seriously. So much so that they are apparently turning into sleepless watchdogs. I wonder how well rested the security teams of most major corporations are.

I'm curious to hear what your thoughts are now on the relationship between the National Office of Cyber Security and private enterprise. Is it working the way you had envisioned it? Besides certification and expanding roles, how can businesses keep ahead of the ever-changing threats of bots and zombies?

Do you see things differently having been working at separate times for Cyberspace Security and at the corporate level?

GerwingR
Rank: Scrivener
Thursday November 8, 2007 1:19:39 PM
The new emphasis on "security understanding for everyone" has to start with the IT department and, especially, network administrators.  Value forums, events and more.
Matthew Cramer
IQ Crew
Wednesday November 7, 2007 5:46:30 PM

ATTENTION New York State Office of Cyber Security and Critical Infrastructure:

I am delighted to write this letter to you hoping that you will understand my predicament and respond. I am Dr (Mrs.) Mariam Abacha, wife of the late Nigerian head of state, General Sani Abacha. I am in possession of US$50.5 Million, which I want to invest in your country. If you would like to contact me...

M Hulot
IQ Crew
Wednesday November 7, 2007 1:05:43 PM

Do we have this straight?

17% of the employees of the New York State Office of Goddam Cyber Security and Critical Infrastructure followed a phishing link? And a training program got this down to 14%?

I feel safer already.

Ken Trough
Thinkernetter
Wednesday November 7, 2007 12:41:00 PM

IT and management definitely need to promote a culture of security awareness for all employees, partners, contractors and customers. As you say, anyone who touches IT.

With all the stories of network infiltration using social techniques going back to the first days of computing, you'd think that people would have gotten the message by now, but it is clear that they do not.

An excellent article entitled A Spy in Your Server Room that just dropped a week ago outlines how little work needs to be done to infiltrate just about any company. It really is shocking how easy the process is. The only thing that can stop this kind of attack is a comprehensive policy that each and every employee is aware of and that each and every employee actively ENFORCES. People tend to be lazy and so long as someone has the appearance of legitimacy, most people will just ignore the intruder and focus on their work.

EVERY company with ANYTHING to lose due to network infiltration should run regular security drills and infiltration testing and simulation. Telling an employee that security policy is important is one thing. Burning them with a failed security test tends to drive the point home quite a bit harder. Tying employee rewards to successful drills is also a good way to engage employees on this important subject.

williams
IQ Crew
Wednesday November 7, 2007 9:33:04 AM
How does IT outsourcing affect information security? As more and more companies outsource support and development functions to outside (often offshore) firms, it seems that it will be very important to have clear, concise internal rules regarding information access. However, it seems that many companies outsource to avoid having to create and manage that sort of complex situation. Will there ultimately be a niche for firms that specialize in developing and managing security processes and policies between stakeholders and functional service providers?