Chief information security officers should stop talking about cyber-terrorism and start worrying about the availability of services and data, former White House security adviser Howard Schmidt told the ISSA conference.
Schmidt, former chief security officer at Microsoft and eBay, warned that security professionals were sending the wrong signals to the board by talking about cyber-terrorism, rather than the availability of key business services.
Cyber-terrorism, which has associations with weapons of mass destruction, is an inappropriate description for the risks facing businesses and governments, he said.
"Can you imagine talking to your boss and saying, 'I am on the security staff. We need to protect against cyber-terrorism.' Can you imagine the look you will get?" he said.
One chief security officer found his plans for improving the security of his company dismissed out of hand by the chief executive, simply because he used the phrase cyber-terrorism, Schmidt said.
"The chief executive said, 'I don't care about that; it is the government's responsibility.' When you use terms like cyber-terrorism, it is a government issue," he said.
Tackling security effectively will require a new generation of programmers with the skills to develop secure applications, said Schmidt.
Many businesses are running applications containing code that is inherently insecure, but secure computing techniques are becoming more widespread.
"Our next generation of programmers will be doing a better job. But in the meantime, 99% of all exploits result from a known vulnerability," he said.
It is vital to secure the operating system, he said, so that if insecure code is inserted into a system it will not run.