Richard Clarke, former White House adviser for cyberspace security, says too little has been done to gird the nation’s telecom and information technology systems against terrorist attack. Recently, he sat down with CIO Insight Editor-in-Chief Ellen Pearlman and Executive Editor Marcia Stepanek to explain why. What follows is an edited version of his remarks.
Take the biggest merger you can imagine—Compaq and Hewlett-Packard Co. plus AOL Time Warner Inc.—and multiply it times 10, and you have the problem [director of Homeland Security] Tom Ridge faces. He’s doing 22 simultaneous mergers and acquisitions, bringing 22 different federal agencies together into one. That is a daunting management problem. But the Department of Homeland Security has not done a very good job yet in infrastructure protection, and particularly in cyberspace security. We have been urging them to create a national cyberspace security center, get a well-known national expert to lead it and place that person fairly high up in the organization chart. Until the department does all three of those things, I don’t think they’ll succeed in carrying out the mission given to them by Congress.
In the private sector, there’s some good progress in some verticals. In banking and finance there’s very good progress, and very good cooperation with the Treasury Department, the Federal Reserve Board, the Office of the Comptroller of the Currency. But in other verticals—manufacturing and healthcare, to name two—there’s very little progress.
Part of it is the availability of funding. With the terrible shape the economy is in, it’s difficult for IT managers to find money to do anything. Yet, if you look at IT spending over the course of the past 12 to 15 months, while IT spending in general in the private sector has been flat, IT security spending has been up about 12 percent. There’s a realization that it’s important. The best measure of that is where companies put their money. But it varies enormously from vertical to vertical.
Yet spending alone is not enough. We looked at 22 departments in the federal government and asked each of them what part of their IT budget they were spending on IT security, and it varied from less than 1 percent to over 10 percent. Then we looked at audits that have been done at those departments, which graded them from A to F. Fourteen of them had Fs; eight of them had grades above F, but nothing above C+. There was very little correlation between high grades and high spending.
The lesson is that you have to be careful how you spend your money. You can throw millions of dollars into intrusion detection systems, but if that’s all you buy you don’t have security. You have to have an overall policy for IT security and mechanisms to enforce that policy, but you also have to have defense in depth and be able to take hits. You can’t assume anymore that your system is going to be infallible. And if you throw all of your money into one thing and don’t sit back first and define an IT security policy, then you’ll probably end up spending your money foolishly.
The most important thing a CIO can do to make his or her business safer is clearly articulate an IT security policy, make sure everyone in the organization knows their piece of it and then enforce it. And it should be relatively detailed. For most companies, the IT security policy is a dusty loose-leaf book that nobody looks at, most people can’t find and certainly no one is enforcing consistently. And many IT security policies don’t address all the issues that need to be addressed. So rather than rushing out and opening their checkbooks and hiring dozens of consultants, the first thing I would urge CIOs to do is to stop, hunt down the best collection of IT security policies they can find, the best practices, the best standards—and there are many to choose from—then ask a series of questions that will generate an IT security policy that’s appropriate for your company. Then figure out how you can enforce it.
The challenge is that most managers in the private sector are worried about ROI, and most of them are unable to articulate to the CEO, the CFO and the board an ROI for investing in IT security. People tend to look at it as overhead. Yet if you do it right, in many cases it will save money and allow you to do things you could not otherwise do to open up new markets and partnerships. But I think the challenge for most CIOs is saying, “Yeah, boss, I need $5 million for this IT security thing, but here’s the ROI.”