Security is certainly a major concern of every enterprise.
Many of the IT professional’s day-to-day tasks revolve around securing
networks and the data that flows through those networks from prying eyes,
malicious code, or end-user happenstance. When it comes to the big
picture—national security strategy—we often consider that to be the sole
responsibility of the government and law enforcement. However, that is not
really the case because IT professionals, through their normal day-to-day
activity, play an integral role in the overall national security plan—whether they
know it or not.

The book, Implementing Homeland Security for Enterprise IT, by Michael Erbschloe, explores the
role IT professionals play in protecting cyberspace from attack. It is a role
they must play because governments are ill-equipped to take on the
responsibility with any effectiveness. In the downloadable book chapter, “Why a National Strategy to Secure Cyberspace Is
Important,” you are shown how important your role is by exploring the
nature of information warfare, the emergence of blended threats, the evolving
definition of cyberattacks, and the measurement of impacts when cyberattacks
occur.

To expand on these themes in greater detail, TechRepublic
interviewed author Michael Erbschloe about how IT professionals fit into the
overall national security scheme.

Implementing Homeland Security for Enterprise IT
By Michael Erbschloe
ISBN: 1555583121
Publisher: Digital Press (November 26, 2003)
Pages: 299

Interview

[TechRepublic] For many, the natural tendency is to assume that “Homeland Security”
is strictly a government and/or law enforcement responsibility. However, as
your book illustrates, for the IT professional managing networking assets in
the enterprise, homeland security is also their responsibility. In your
research, have you found IT professionals to be absolutely aware of their status
on the frontline of cybersecurity? Have they accepted the role they must play
or has there been resistance?

[Erbschloe] IT professionals, just as [in] the overall population, seem to have little
awareness about homeland security in a broad sense. IT pros do have a high
level of awareness about cybersecurity. However, I do not meet many IT pros
that intellectually tie their cybersecurity efforts to homeland security. The
exceptions are those folks that work in environments that are deemed as critical
industries, with those in the financial security [area] having the highest
level of awareness about their cybersecurity efforts and how they relate to
homeland security. This is probably due, for the most part, to ongoing efforts
in the financial sector to fight money laundering and working with governments
to track terrorist funds.

I have not identified what I would call resistance. To
resist, the IT pros would have to be highly aware of how their cybersecurity
efforts are an integral part of homeland security and then react. Since the
awareness level about homeland security is low, we cannot really test the
proposition about whether or not there is resistance.

The main reason I wrote the book was to extract the core
information that IT pros need to examine their role in homeland security and
how homeland security efforts may impact their organization. There are volumes
of information about homeland security and it can be rather tedious to sift
through. I also believe that the Department of Homeland Security
has not put much effort in trying to communicate with
IT pros in general.

The debate about the status of cybersecurity within the DHS
is still raging on. It seems to be the airline security problem all over again.
Those of us who flew a million miles could readily tell you that
airport/airline security sucked. But the government and the airlines let things
go, and look what happened. Now DHS is taking the same lax attitude toward
cybersecurity. Bear in mind that DHS is mostly made up of people that work in
the physical security arena and have no idea how to approach cybersecurity.

[TechRepublic] Some of the survey results presented in your book indicate that many enterprises
have implemented disaster recovery and security plans, but have yet to really
train the IT staff or end-users on how to enact those plans should it become
necessary. What is your explanation for this gap and how do enterprises close
it?

[Erbschloe] I keep beating on this topic and ask almost everybody I meet about it. I get a
variety of responses ranging from “we don’t have the time or the
money” to “the plans were just done to be in compliance with
something.”

In organizations where I see the gap being closed, it is
mostly because there have been incidents.

I do not have an answer, but until there are incidents,
people just don’t seem to take planning or the training very seriously. Bear in
mind that in places like Florida, where there is a fairly constant stream of
disasters, real life experience takes the place of training for disaster
recovery.

[TechRepublic] TechRepublic publishes news articles almost every day that involve some sort of cyberattack
or security vulnerability that could provide a means for such an attack. The
persistent presence of these minor incidents makes them seem almost a routine
result of doing business over the Internet. Are you concerned that the minimal
impact of these incidents for enterprises will lead to security complacency,
increasing the overall vulnerability of the network to a major attack?

[Erbschloe] Yes, I am concerned. Human nature is working against us. People start relaxing when
there is not a consequence. It is like trying to keep a well-trained army when
there is not a big war. I expect that security efforts will rise and fall as
the damage from attacks rises and falls.

I also think that IT security people are well aware of the
interconnectedness of our world. Although the typical corporate manager or
government bureaucrat often thinks they know, their depth of understanding is
and will remain low. Cybersecurity is still underfunded as a result.

[TechRepublic] In your book, you discuss initiatives to raise public awareness of the potential
for cyberattacks. The discussion forums on TechRepublic are filled with IT
professionals’ laments over end users usurping well-planned security measures. Many of these stories
revolve around the steps these administrators had to take to clean up an
annoying mess. One day, the mess created is likely to go well beyond the merely
annoying. As a professional community, indeed as a society in general, how do
you propose we counteract the end-user factor? Is end-user education the
answer, or should the technology evolve to a point where end-user behavior is
not an issue?

[Erbschloe] It needs to be a combination of training/education and technology. More and more
organizations are locking down systems and not providing end-users with
anything close to admin rights on systems. New computers are being shipped with
trial versions of security software. There are a lot of awareness campaigns
underway.

But although awareness about cybersecurity has certainly
grown, there is so much to know. The typical end-user can get overwhelmed
quickly. A few years ago they had to learn about antivirus software. Then with
broadband, they needed firewalls. Now they need to combat spyware. They also
need to fight data and identity theft. When you get down to it, most people
just want their computers to work.

I have little faith in the near-term evolution of
technology. The cyber-safe computer is not going to come anytime soon. Even if
it does, the threat and means of attacks always evolve, which means the system
would need to be patched and security software updated. Not many individuals
are very good at keeping up with these necessities. Many large, well-staffed
organizations also fall quickly behind.