Howard Schmidt today is the CEO of R&H Security Consulting. However, he's better known around the world for working in the White House for 31 years. A former White House security adviser, he was appointed by President Bush as Special Adviser for Cyberspace Security just three months after the terrorist attacks of September 11, 2001.
When it comes to security, Schmidt has been around the block. On the corporate side, he once served as vice president and chief information security officer and chief security strategist for eBay and he also was chief security officer for Microsoft. In the military, he was director of the Air Force Office of Special Investigations Computer Forensic Lab and Computer Crime and Information Warfare Division.
In an interview with Computerworld in the US, Schmidt talked about running background checks on IT workers, balancing privacy and security, and passports with RFID chips.
What's the scariest thing you see happening in security right now?
I think it's the mobile devices and the capabilities that we want ... but there isn't enough attention to making those things secure. We now have the capability to download and install all kinds of applications on our mobile devices. People use a mobile phone for more than talking. I use mine to pay my Paypal account, to check my back account. I see criminals out there who know this. What they've been attacking on the desktop, they'll starting attacking in our mobile devices as they become more like PCs in our pockets. We can't wait five years to do something about it. We have to do something now.
What are CSOs telling you they're most worried about?
One of the biggest things in a work environment is the whole issue of risk and compliance. Most of the CSOs I talk to say less about what's the best technology, [and more about] how [to] make sure their firm can feel confident they're doing good governance, risk and compliance. How do they know they've minimized risk for the company, and [that] they comply with federal laws, state laws and international laws with the way their business needs to be run?
How can companies strike a balance between security and privacy?
For a long time there's been the perspective that if you have security you don't have privacy. The way I look at is if you don't have security, you can't guarantee privacy. Privacy falls into two buckets. One is directly related to data protection. How can we protect our data? You do that using good security. The second part of the discussion is who does what with my data, how can I control that and how can I revoke it? This is the difficult part. Right now, we are not in control of that data. I'll give you a live example. One of our boys is in medical school in Wisconsin. Rather than pay for board, we bought a house there. We weren't financing it, but they wanted our Social Security numbers. I said, "Why?" The lady said, "I don't know. It's just a company form." I told them, "You've got my ID, my passport, my license. You've got confirmation of who I am. Why do you need my Social Security number and what happens to it if someone breaks in here?" I didn't fill it out. I was very assertive and took control. The answer right now is to develop more rights over our private data. We basically need a bill of rights over privacy of information.