The big question about enterprise security isn’t how to keep cyber-criminals out of your network; the big question is how to limit the damage.
According to Richard Clarke, former special advisor to the president for cyber-space and national coordinator for security and counter-terrorism, “The bad guys are already in your network.”
Meeting over dinner with a small group of Washington D.C.-area media representatives, Clarke said that what companies really need to do is find ways to protect what’s really important.
To make those decisions, the company needs to understand the risks to the organization. “That’s not as obvious as it may seem,” Clarke said in a subsequent interview. “Every company has its own risk tolerance. They should go through a transparent process deciding what the risks are and their tolerance for those risks.”
Clarke, who is now CEO of Good Harbor Security Risk Management, spoke at the dinner at the invitation of RedSeal, a risk management software company, which was announcing a new round of funding. He said that there are several steps that a company usually takes once the management accepts that hackers will find their way into the company network.
“Usually, the next steps involve encryption and good access and identity management,” Clarke said. “Encryption alone won’t do you any good if someone can come in and assume your identity.” He said that if you do those two things, you’ve solved 75 percent of the problem. Then, Clarke said, “You need to protect the crown jewels.”
But to do that, the company needs to decide what the crown jewels actually are. “It’s a whole company analysis,” Clarke said. The company needs to decide what information would badly hurt the company or even put it out of business if it’s lost or compromised. In addition, he said, the company needs to determine what the worst-case scenario might be if a hacker had free rein inside the company network.
“It might be damage caused by a takeover of digital control systems,” Clarke said. For others, it might be being offline for a couple of days. “For Sony, it was data destruction.”
One thing that increases the risks to the company is the lack of a chief information security officer. “A lot of large companies don’t have a qualified CISO,” Clarke said. “Target didn’t. Some companies have [CISOs, but they] aren’t qualified.”
Worse, he said that many companies keep up what he calls “the myth of perimeter defense. They think they’ll keep the bad guys out,” he said, “but we know the bad guys can get in.”
Former Cyber-Security Czar Says Network Perimeter Defenses Don’t Work
Instead, companies need to look at how they architect their networks. “Good companies have lots of interior firewalls and network segmentation,” he said.
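What “interior firewalls and network segmentation” look like in practice, as an added example that is not from the article, from Clarke, or from RedSeal: a small zone model with an explicit allow-list and a default-deny forward policy, evaluated in code and rendered as an nftables ruleset. The zone names, address ranges and permitted flows (a workstation LAN, an application tier, a “crown jewels” database segment, a jump host and a control-system segment) are constructed for this example only. The point it makes is the one in the text: once an attacker holds a workstation, a default-deny interior policy stops them from opening a session to the database or the control systems directly, so the damage is limited to what the application tier and jump host are allowed to do.

```python
"""Added example: a default-deny east-west segmentation policy.

Not code from the article, from Richard Clarke, or from RedSeal. The zones,
CIDRs and allowed flows below are hypothetical, constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical zones. "crown_jewels" holds the data whose loss would badly hurt
# the business; "ot" stands in for digital control systems.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app":          ipaddress.ip_network("10.20.0.0/24"),
    "crown_jewels": ipaddress.ip_network("10.30.0.0/24"),
    "jump":         ipaddress.ip_network("10.40.0.0/28"),
    "ot":           ipaddress.ip_network("10.50.0.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src: str    # source zone name
    dst: str    # destination zone name
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Explicit allow-list of inter-zone flows; anything not listed is dropped.
ALLOWED = {
    Flow("workstations", "app", "tcp", 443),           # users reach the app front end
    Flow("app", "crown_jewels", "tcp", 5432),          # only the app tier talks to the DB
    Flow("workstations", "jump", "tcp", 22),           # admins must go via the jump host
    Flow("jump", "crown_jewels", "tcp", 22),           # DB administration from the jump host
    Flow("jump", "ot", "tcp", 502),                    # Modbus/TCP into OT from the jump host only
}


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Decide whether a new connection is permitted by the interior policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown address space: default deny
    if src == dst:
        return True   # intra-zone traffic never crosses this interior firewall
    return Flow(src, dst, proto, port) in ALLOWED


def render_nftables() -> str:
    """Emit the same policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for f in sorted(ALLOWED, key=lambda fl: (fl.src, fl.dst, fl.port)):
        lines.append(
            f"    ip saddr {ZONES[f.src]} ip daddr {ZONES[f.dst]} "
            f"{f.proto} dport {f.port} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    # A compromised workstation cannot open a database session directly...
    print(is_allowed("10.10.5.7", "10.30.0.10", "tcp", 5432))   # False
    # ...nor reach the control systems, but the application tier can reach the DB.
    print(is_allowed("10.10.5.7", "10.50.0.20", "tcp", 502))    # False
    print(is_allowed("10.20.0.4", "10.30.0.10", "tcp", 5432))   # True
```

The rendered ruleset can be checked with `nft -c -f` before loading. The design choice worth noting is that the allow-list is the single source of truth: the evaluator and the firewall rules are generated from the same flows, so a reviewer can read the business intent (who may talk to the crown jewels) without parsing firewall syntax.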
Of course, there’s more. There’s also the problem of CISOs being unable to make the case for security measures that might help limit damage. Usually, he said, this problem arises because the CISO reports to the CIO and the CFO, who have conflicting interests.
He said it’s common for the CISO to ask for the budget to improve security, only to be turned down when they’re unable to guarantee that such expenditures will keep attackers from breaking into the network.
Protecting networks is more difficult than ever these days because some of the organizations trying to break into networks aren’t just criminals; they may be government-sponsored hackers.
“The Chinese national government engages in hacking on American companies,” Clarke said. “It’s almost on an industrial scale.”
“They’re looking for research information, but also how companies work.” Clarke said that when the Chinese government decides to open an industrial sector, they’ll hack into existing companies to see how they’re run, who their customers are and even what they’re bidding on. “They will get information that’s very short-lived like contract bidding, and they’ll underbid them. We see that a lot,” he said.
It’s critical that companies protect what’s really important, Clarke said. To accomplish that, they need to appoint a risk management committee, preferably at the C-level. He said that it’s also critical to have a CISO who is a C-level executive and reports to the CEO. Those people need to dedicate the resources to protect the crown jewels and the information they’re legally required to protect, knowing that the bad guys will find their way into the network somehow.
Clarke also said that it’s critical for the risk management committee and the CISO to realize the full range of issues they’ll be facing. There’s crime, of course. But Clarke pointed out that there’s also cyber-espionage, hacktivism and, of course, war. He pointed out that no company can protect everything against all of those threats. Instead, it’s necessary that the company define what it can do to protect what’s most important and focus on that.
During his time managing the U.S. government’s cyber-wars, Clarke learned that it’s best to fight the battles that can be won and to defend high-priority assets that must be protected. The challenge for companies is making the right choices. That part, at least, may be possible.