Certainly security is a major concern of every enterprise. Much of the IT professional's day-to-day tasks revolve around securing networks and the data that flows through those networks from prying eyes, malicious code, or end-user happenstance. When it comes to the big picture—national security strategy—we often consider that to be the sole responsibility of the government and law enforcement. However, that is not really the case because IT professionals, through their normal day-to-day activity, play an integral role in the overall national security plan—whether they know it or not.
The book, Implementing Homeland Security for Enterprise IT, by Michael Erbschloe, explores the role IT professionals play in protecting cyberspace from attack. It is a role they must play because governments are ill-equipped to take on the responsibility with any effectiveness. In the downloadable book chapter, "Why a National Strategy to Secure Cyberspace Is Important," you are shown how important your role is by exploring the nature of information warfare, the emergence of blended threats, the evolving definition of cyberattacks, and the measurement of impacts when cyberattacks occur.
To expand on these themes in greater detail, TechRepublic interviewed author Michael Erbschloe about how IT professionals fit into the overall national security scheme.
[TechRepublic] For many, the natural tendency is to assume that "Homeland Security" is strictly a government and/or law enforcement responsibility. However, as your book illustrates, for the IT professional managing networking assets in the enterprise, homeland security is also their responsibility. In your research, have you found IT professionals to be absolutely aware of their status on the frontline of cybersecurity? Have they accepted the role they must play or has there been resistance?
[Erbschloe] IT professionals, just as [in] the overall population, seem to have little awareness about homeland security in a broad sense. IT pros do have a high level of awareness about cybersecurity. However, I do not meet many IT pros that intellectually tie their cybersecurity efforts to homeland security. The exceptions are those folks that work in environments that are deemed as critical industries, with those in the financial security [area] having the highest level of awareness about their cybersecurity efforts and how they relate to homeland security. This is probably due, for the most part, to ongoing efforts in the financial sector to fight money laundering and working with governments to track terrorist funds.
I have not identified what I would call resistance. To resist, the IT pros would have to be highly aware of how their cybersecurity efforts are an integral part of homeland security and then react. Since the awareness level about homeland security is low we cannot really test the proposition about whether or not there is resistance.
The main reason I wrote the book was to extract the core information that IT pros need to examine their role in homeland security and how homeland security efforts may impact their organization. There are volumes of information about homeland security and it can be rather tedious to sift through. I also believe that the Department of Homeland Security has not put much effort in trying to communicate with IT pros in general.
The debate about the status of cybersecurity within the DHS is still raging on. It seems to be the airline security problem all over again. Those of us who flew a million miles could readily tell you that airport/airline security sucked. But the government and the airlines let things go, and look what happened. Now DHS is taking the same lax attitude toward cybersecurity. Bear in mind that DHS is mostly made up of people that work in the physical security arena and have no idea how to approach cybersecurity.
[TechRepublic] Some of the survey results presented in your book indicate that many enterprises have implemented disaster recovery and security plans, but have yet to really train the IT staff or end-users on how to enact those plans should it become necessary. What is your explanation for this gap and how do enterprises close it?
[Erbschloe] I keep beating on this topic and ask almost everybody I meet about it. I get a variety of responses ranging from "we don't have the time or the money" to "the plans were just done to be in compliance with something."
In organizations where I see the gap being closed it is mostly because there have been incidents.
I do not have an answer, but until there are incidents, people just don't seem to take planning or the training very seriously. Bear in mind that in places like Florida, where there is a fairly constant stream of disasters, real life experience takes the place of training for disaster recovery.
[TechRepublic] TechRepublic publishes news articles almost every day that involve some sort of cyberattack or security vulnerability that could provide a means for such an attack. The persistent presence of these minor incidents makes them seem almost a routine result of doing business over the Internet. Are you concerned that the minimal impact of these incidents for enterprises will lead to security complacency, increasing the overall vulnerability of the network to a major attack?
[Erbschloe] Yes, I am concerned. Human nature is working against us. People start relaxing when there is not a consequence. It is like trying to keep a well-trained army when there is not a big war. I expect that security efforts will rise and fall as the damage from attacks rises and falls.
I also think that IT security people are well aware of the interconnectedness of our world. Although the typical corporate manager or government bureaucrat often thinks they know, their depth of understanding is and will remain low. Cybersecurity is still underfunded as a result.
[TechRepublic] In your book, you discuss initiatives to raise public awareness of the potential for cyberattacks. The discussion forums on TechRepublic are filled with IT professionals' laments over end users usurping well-planned security measures. Many of these stories revolve around the steps these administrators had to take to clean up an annoying mess. One day, the mess created is likely to go well beyond the merely annoying. As a professional community, indeed as a society in general, how do you propose we counteract the end-user factor? Is end-user education the answer, or should the technology evolve to a point where end-user behavior is not an issue?
[Erbschloe] It needs to be a combination of training/education and technology. More and more organizations are locking down systems and not providing end-users with anything close to admin rights on systems. New computers are being shipped with trial versions of security software. There are a lot of awareness campaigns underway.
But although awareness about cybersecurity has certainly grown, there is so much to know. The typical end-user can get overwhelmed quickly. A few years ago they had to learn about antivirus software. Then with broadband, they needed firewalls. Now they need to combat spyware. They also need to fight data and identity theft. When you get down to it, most people just want their computers to work.
I have little faith in the near-term evolution of technology. The cyber-safe computer is not going to come anytime soon. Even if it does, the threat and means of attacks always evolve, which means the system would need to be patched and security software updated. Not many individuals are very good at keeping up with these necessities. Many large, well-staffed organizations also fall quickly behind.
Mark Kaelin is a CBS Interactive Senior Editor for TechRepublic. He is the host for the Microsoft Windows and Office blog, the Google in the Enterprise blog, the Five Apps blog and the Big Data Analytics blog.