Chief information security officers should stop talking
about cyber-terrorism and start worrying about the availability of
services and data, former White House security adviser Howard
Schmidt told the ISSA conference.
Schmidt, former chief security officer at Microsoft and eBay,
warned that security professionals were sending the wrong signals
to the board by talking about cyber-terrorism, rather than the
availability of key business services.
Cyber-terrorism, which has associations with weapons of mass
destruction, is an inappropriate description for the risks facing
businesses and governments, he said.
"Can you imagine talking to your boss and saying, 'I am on the
security staff. We need to protect against cyber-terrorism.' Can
you imagine the look you will get?" he said.
One chief security officer found his plans for improving the
security of his company dismissed out of hand by the chief
executive, simply because he used the phrase cyber-terrorism,
Schmidt said.
"The chief executive said, 'I don't care about that; it is the
government's responsibility.' When you use terms like
cyber-terrorism, it is a government issue," he said.
Tackling security effectively will require a new generation of
programmers with the skills to develop secure applications, said
Schmidt.
Many businesses are running applications containing code that is
inherently insecure, but secure computing techniques are becoming
more widespread.
"Our next generation of programmers will be doing a better job.
But in the meantime, 99% of all exploits result from a known
vulnerability," he said.
It is vital to secure the operating system, he said, so that if
insecure code is inserted into a system it will not run.