A few months after returning to the private sector as Chief Information Security Officer (CISO) at online auctioneer eBay, Schmidt is making good on his promise. In November, he spearheaded the launch of the Global Council of Chief Security Officers (CSOs), a group of prominent security experts who aim to use their collective expertise to boost internet security.
Operating as a think tank, the council plans to define the CSO role within organizations, hone the CSO's role in implementing the National Strategy to Secure Cyberspace, and meet with vendors to discuss technological ways to reduce risk.
This month, the council is scheduled to hold a CSO Summit at the RSA Conference in San Francisco, after holding an inaugural meeting in January to lay out specific projects. SC Magazine sat down with Schmidt in December to discuss his goals for the council, his advice for other CSOs, and his thoughts on what lies ahead for cybersecurity.
Goals for the Global Council of CSOs
First and foremost, the group wants to increase the visibility of the CSO, a relatively new and evolving position. "We want to raise the profile and get people thinking about the value that security officers bring to the day-to-day business processes," explains Schmidt, who was Microsoft's CSO before moving to the White House.
While some CSOs enjoy a great deal of clout in organizations, others are the first to get blamed when things go wrong, he continues. The think tank plans to foster consistency by defining the proper role, background and reporting arrangements of the CSO.
With vendors – particularly small ones – the council hopes to help steer them towards security solutions that solve business needs.
"One of the questions we ask in security all the time is: 'Will this product really solve the pain point I'm feeling running a security operation?'," he says.
"There are a ton of brilliant people out there doing great, entrepreneurial things, but if they're going in directions that won't solve anything, the business is going to fail and we don't want to see that." With large vendors, the group plans to talk about how the next generation of browsers and operating systems could make a difference from a security perspective, while still providing full functionality.
Vendors have asked Schmidt whether steps they are taking truly help or are merely a Band-Aid.
"We have had some really candid conversations about what's working and what's not working," he recalls.
Another top goal for the group is to work with governments on a global basis to zero in on what is important from a cybersecurity response perspective. "We see attacks online all the time, but there are only a few things that rise to the level of needing to alert the government and taking some exceptional measures to deal with," he comments.
While the U.S. Department of Homeland Security is the main government entity the council hopes to interface with, it needs to work with other governments and groups around the world, adds Schmidt. To that end, it is working to add select international experts.
However, the group does not plan to expand its U.S. membership – at least not much. "As these things get too big, you end up not being able to accomplish a lot, no matter how smart a group of people you have," explains Schmidt.
The power of the council
As well as Schmidt, the group's charter members are: Mary Ann Davidson, CSO at Oracle; Whitfield Diffie, CSO, vice-president and fellow at Sun Microsystems; Bill Boni, Motorola's CISO; Dave Cullinane, Washington Mutual's CISO; Vint Cerf, senior vice-president of technology strategy at MCI; Scott Charney, Microsoft's chief trustworthy computing strategist; William Pelgrin, director of the New York State Office of Cybersecurity and Critical Infrastructure Coordination; Rhonda MacLean, Bank of America's CSO; and Steve Katz, former CISO of Citigroup.
Such a broad-based collection of experts – who represent themselves on the council, rather than their companies – will have enough influence to achieve its goals, insists Schmidt. "We have got experts in secure code development, encryption, legal issues, investigative issues, and operational issues. What we have pulled together represents a good cross-section." For his part, MCI's Cerf says he joined the group to help educate people about the importance of security practices, facilitate documentation of best practices, identify key research areas, and explore the possibility of economic incentives in the insurance industry for security implementations.
"Our task is to show that there's economic benefit in investing in security technology and security practices," says Cerf. "That's where I hope we could make a credible argument to show some real data, as opposed to simply waving our arms." Indeed, council members intend to devote their time to areas where they can make a real, measurable difference, promises Microsoft's Charney: "It's a chance for a group of people who have been in this space for a long time to sit down and take a fresh look at some of these issues and try to think outside the box and find areas where we can have particular impact. It's a real opportunity for us to do some thought-leadership." One of the major issues for the council will be not just how to do a better job of increasing security awareness but also how to get people to take meaningful action to reduce risk, continues Charney.
The group will also probably weigh in on important policy matters. He adds that he's not suggesting that the council has all the answers, and Cerf notes that the group in no way has "a corner on creative ideas." In fact, Schmidt says the group is not looking to impose itself on anybody, but will be an industry resource. Also, it's actively working with other infosec groups, including the Information Systems Security Association (ISSA) CISO Executive Membership program.
Schmidt's creation of the global council illustrates his powers of leadership, believes Charney, who has known Schmidt for about 12 years, back when Charney was with the U.S. Department of Justice and Schmidt was with the Air Force Office of Special Investigations, where he created the government's first dedicated computer forensic lab.
"Howard has always been a catalyst for change, always looking forward, not back... He has always been deeply committed to making the infrastructure secure and figuring out practical things that can be done to actually make it happen," recalls Charney.
Elevating security and the CSO
Security industry executives say the council is on the right track. "The most important thing for the CSO council to resolve, or to get clarity on through collaboration, is to define the CSO's role more clearly," says Deepak Taneja, CTO at Netegrity.
"They're talking about the role in terms of corporate responsibilities, national responsibilities, and future technology development, and all three make sense." The role of CSO/CISO is relatively new and its charter is not well understood, which can result in a lack of clout within an organization, adds Taneja.
"They've some clout, because security is such an important issue, but they do not really run things within a company. They don't typically report to the CEO... Yet security has become a C-level, board level issue," he states.
Elevating the role of the CSO and infosec governance overall is critical, says Kevin Simzer, senior vice-president of marketing at Entrust: "That's what the names on this council have the foresight and credibility to be able to do." Olivier Thierry, senior vice-president of marketing at NetIQ, says defining the CSO is valuable, but what would be very helpful to security executives is raising CEO awareness of the cost of security breaches. "To the extent that this organization can truly reach out and communicate to CEOs – not to other CSOs, because they already get it – and help them understand the level of effort and investment required to mitigate risk, that would be excellent," he says.
At eBay, Schmidt believes he enjoys a culture that makes security a priority.
"I was pleasantly surprised when I got there with the attention that the entire company pays to security. I was used to environments – not only with my previous employers, but in working with other companies – where there seems to be this tension with getting something out and security... I expected to have to go out there and evangelize and buy people lunch to get things done right. That's not the case. In most cases, before a project is even embarked on, it's: 'Let's make sure we're doing this in a way that protects not only security, but privacy'." Like other e-commerce companies, eBay is addressing the problem of phishing attacks (which attempt to deceive email recipients into divulging personal information, such as credit card numbers, through mass spoofed emails that appear to come from legitimate sources) and the issue of fraud and identity theft, he says.
An industry coalition launched last fall by, among others, VeriSign, eBay, Amazon.com, Visa, Microsoft and the Information Technology Association of America to fight online identity theft, is also tackling the problem of phishing attacks. Working collectively, the coalition is looking at how technology might help prevent the fraudulent emails from reaching a user's inbox.
Schmidt's advice and predictions
Asked what advice he'd offer other CSOs, Schmidt says his top recommendation is to take a holistic approach.
"What happens with some security folks is that they focus on perimeters and firewalls, or antivirus or authentication.
To have good security, whether a small three-person company or a major enterprise, you have to look at it from an end-to-end basis," he says.
"You have to make sure that you engage the engineers in the IT organization, not just the people in the risk management office." In some cases, the audit group can be a CSO's best friend by helping build controls that prevent security breaches, he continues.
"Also, don't be afraid to talk with people outside the normal sphere of influence. Learn the new technologies that are out there," he advises.
But CSOs need to keep in mind that security is not just a technology issue.
"You've got to have the business wrapper around it or it won't fly in the business community," he warns.
Finally, Schmidt believes security executives should make sure that they bond with the people who run the business units. "Help them to understand the value that you are bringing to them," he says, "and that you're not looking to stop them from doing things, but you're trying to enable them." Looking at infosec issues that might arise over the next few months, Schmidt predicts that Remote Procedure Call (RPC) – a programming interface that's fundamental to the way many networks operate, and which last year's Blaster worm exploited – will increasingly become a target for cyber attacks.
"That's one of the things that we as a profession can start looking at now and try to figure out ways to protect against," he says.
Outsourcing of security operations will become more prevalent than ever before in 2004 as organizations look to ease the pain of managing multiple security devices and become more comfortable with the idea of outsourcing, believes Schmidt. Patch management will shift to an automated process, he adds.
As for the Global Council of CSOs, expectations are high. Cerf acknowledges that the group has set itself some ambitious goals: "We have some work to do, but I know that Howard is intensely determined to turn this into a productive activity, and all those who are a part of it hope we can achieve it."
A pocket guide for CEOs...
The Global Council of CSOs plans to create a 'pocket guide' to help CEOs create security organizations within their companies. The group came up with the idea at its inaugural meeting last month (January).
"One of the things we're looking to do is build a matrix of the various security functions of those who have some sort of security in their title, from the physical, cyber, or risk-management strategy perspective... and provide, basically, a pocket guide to CEOs on decision-making about creating organizational structures for security," says eBay CISO Howard Schmidt, who led the formation of the CSO council.
Schmidt believes that, like the CIO role a few years ago, the position of the chief security officer is still evolving, making it crucial to identify the various functions that CEOs and boards should consider as they put together security organizations.
"This is something we're targeting at CEOs to help facilitate broader acceptance of security within any size corporation," explains Schmidt.
The security executive's role has been sliced in many ways, he adds, noting that most of the council members have the word 'security' in their current and past titles, with roles spanning operational, strategic, legal and product development responsibilities.
In addition to the CSO matrix, the think tank plans to work with Carnegie Mellon University's CIO Institute to form a comparable CSO Institute.
Carnegie Mellon's Cyber Lab, a research and education center that handles administrative duties for the council, is compiling notes from the inaugural meeting to help the group prioritize other projects and identify resources it will need for them. It is also identifying key research items and conducting a "gap analysis" to determine areas that are not already being covered by other organizations, says Schmidt.
Some of the other possible areas of focus or potential white papers include PKI, open-source security, and security issues surrounding SCADA (for industrial computing), he continues.
The council is also inviting security leaders in Asia and Europe to join the group, but intends to keep total membership under 20.
According to Schmidt, the bottom line is: "We are not going to be able to fix everything, but we're going to do our part."