The big question about enterprise security isn't how to keep cyber-criminals out of your network; the big question is how to limit the damage.
According to Richard Clarke, former special advisor to the president for cyberspace and national coordinator for security and counter-terrorism, "The bad guys are already in your network."
Meeting over dinner with a small group of Washington D.C.-area media representatives, Clarke said that what companies really need to do is find ways to protect what's really important.
To make those decisions, the company needs to understand the risks to the organization. "That's not as obvious as it may seem," Clarke said in a subsequent interview. "Every company has its own risk tolerance. They should go through a transparent process deciding what the risks are and their tolerance for those risks."
Clarke, who is now CEO of Good Harbor Security Risk Management, spoke at the dinner at the invitation of RedSeal, a risk management software company, which was announcing a new round of funding. He said that there are several steps that a company usually takes once the management accepts that hackers will find their way into the company network.
"Usually, the next steps involve encryption and good access and identity management," Clarke said. "Encryption alone won't do you any good if someone can come in and assume your identity." He said that if you do those two things, you've solved 75 percent of the problem. Then, Clarke said, "You need to protect the crown jewels."
But to do that, the company needs to decide what the crown jewels actually are. "It's a whole company analysis," Clarke said. The company needs to decide what information would badly hurt the company or even put it out of business if it's lost or compromised. In addition, he said, the company needs to determine what the worst-case scenario might be if a hacker had free rein inside the company network.
"It might be damage caused by a takeover of digital control systems," Clarke said. For others, it might be being offline for a couple of days. "For Sony, it was data destruction."
One thing that increases the risks to a company is the lack of a chief information security officer. "A lot of large companies don't have a qualified CISO," Clarke said. "Target didn't. Some companies have [CISOs, but they] aren't qualified."
Worse, he said, many companies keep up what he calls "the myth of perimeter defense." "They think they'll keep the bad guys out," he said, "but we know the bad guys can get in."