Howard Schmidt, a recognized information security thought leader, offers exclusive insights as new president of the Information Security Forum.
Schmidt, a household name in information security circles since his days as CISO and information security leader at Microsoft and eBay, discusses the global war against cyber criminals; the right approach to security spending; TJX and what it means to the global fight; and what approach financial institutions should take when fighting cyber fraud.
Howard served in the position of Chief Security Strategist for the US CERT Partners Program for the National Cyber Security Division, Department of Homeland Security. He has served as international president of the Information Systems Security Association (ISSA) and was the first president of the Information Technology Information Sharing and Analysis Center (IT-ISAC). He retired from the White House after 31 years of public service in local and federal government. Schmidt was appointed by President Bush as the Vice Chair of the President's Critical Infrastructure Protection Board and as the Special Adviser for Cyberspace Security for the White House in December 2001. His focus now as the first president of The Information Security Forum is to gain more recognition for the group, which has 50 percent of the Fortune 100 companies as members.
ISMG: Tell us some good news about the war against cyber criminals. The arrest and indictment of 11 hackers involved in the breach of nine U.S. retailers (including the infamous TJX breach) earlier this month -- is it the light at the end of the tunnel?
SCHMIDT: Well, I don't know that it's the light at the end of the tunnel, but the sky sure is becoming lighter as the dawn is finally reaching us. I think it is a benefit on many different levels. One, I think that on the professional level, the people side, we're seeing people in the business side and in the IT side better trained to recognize threats, including the known threats that are out there. I see the level of people being certified increasing, and this is becoming a criterion for hiring in information security.
The vendors out there are building technology and have shifted the way they're doing business, leaning more toward building protections and better security into what they're building -- and how they're building it into their services, being more cognizant and bringing security experts into their companies to build scenarios should their products and services be exploited. The third thing to cite is the response to these attacks. The international cooperation sends a clear message that we still may be vulnerable and there still may be vulnerabilities out there we don't yet know about, and people who are willing to exploit it for personal greed and gain, but there are people out there who are looking to investigate it and prosecute those that are interfering with our systems.
I don't know that I would say no matter where they are that they will be caught, but I will say their actions won't go unnoticed or undetected. Within the extent of the law, law enforcement will track them down and prosecute.
ISMG: What is the state of information security, both globally and here in the U.S.?
SCHMIDT: Starting here in the U.S., we've reached a point where the whole issue of information security and critical infrastructure protection is something that is now in mainstream discussions. When you see the President discussing it in his press conferences and coverage in daytime television cable news shows, this sends the message to everyone that this is a major issue and not just some niche technical issue we're dealing with.
I think at the same time businesses have realized information security's importance; some have realized it because of regulatory and compliance requirements, and some have realized that it's just the right thing to do. Others have addressed it because it is attacking their businesses, and they have upped their security processes.
Indeed, we're far from perfect, but we're doing more now than we've ever done before, and as I tell people who ask if we're winning, we're doing better than we did last year, and next year we'll do better than we did this year. But this is something we are still learning about.