Vantage feature

You’d be hard-pressed to find someone with a deeper understanding of IT security than Richard Clarke. The author of Against All Enemies: Inside America’s War on Terror (Free Press, 2004), Clarke spent 11 years as a senior security advisor to three presidential administrations. As chairman of Good Harbor Consulting LLC, he advises clients about a variety of security issues.

Vantage writer Sari Kalin asked Clarke about the state of corporate IT security in the U.S. His message: Threats are everywhere and escalating, and some security weaknesses are beyond anyone’s power to control. But CSOs can take steps to secure their companies’ IT assets—and turn IT security into a business advantage.

Vantage: How common are corporate security threats, and how well prepared are American companies to resist them?

Clarke: The state of IT security varies enormously by the type of company. Most banks and financial services companies spend a lot on IT security and take it seriously, but even they suffer from attacks that are devastating. Surveys show that IT security spending has risen to 8 percent at most large companies, but cash alone will not protect you. Every day, major companies are hit by denial-of-service attacks, worms, viruses, fraud, extortion, industrial espionage, spyware, identity theft, phishing and spam/spim. [Editor’s note: “Spim” refers to unsolicited advertising sent by instant messaging.] On almost every measure, incidents and their damage are increasing and have been for the past five years.

Vantage: In general, what’s the weakest spot in corporate security?

Clarke: The greatest corporate security weak spot is not under the direct control of most companies; it’s [in] the software they buy. The software has vulnerabilities, or mistakes in code development. Hackers exploit these flaws. If you have access to the source code, you can run software to check it for common errors such as “buffer overflow.”

Vendors, however, do not make all the mistakes. Often companies overlook crucial elements of an overall secure architecture. Remarkably, many companies are still relying on passwords for access to networks. The problem is that passwords are easily hacked. Passwords might be found under the mouse on a yellow sticky [note] by the cleaning crew. Passwords can be detected by spyware or keystroke monitors secretly placed on your system.

Vantage: How can companies improve their own IT security?

Clarke: The first thing that should be done is to create a way to regularly inventory cyber and HR assets, give those assets unique identifiers, and then limit access to the network and parts of the network based on confirmed identity and “need to know.” Suppliers, contractors, customers, hackers and clerical staff should not be accessing the R&D files.

The second thing is to constantly check those assets for vulnerabilities and policy compliance in an automated way. If a server has not had its patch status updated, you should know right away. If someone has installed an unauthorized WiFi network, you should get an instant alarm. If a remote client is accessing the network via a VPN, you should know whether it poses a risk before completing the connection.

The third thing companies need to do is encrypt everything: internal e-mail, e-mail to customers and suppliers, data in NAS/SAN storage systems. That way, if somebody does get into the network, all they get is gobbledygook.

Vantage: How can CIOs and CSOs justify increased IT security spending?

Clarke: The easiest thing to do is to let a “white hat” or “ethical” hacking team see if there are any major vulnerabilities, and then offer the results to the CEO, general counsel, in-house auditor and the chairman of the board’s audit committee. Because of the Sarbanes-Oxley Act of 2002 and other regulations such as the banking rules, chances are that you can make a case that your company is noncompliant and at risk of a violation. But don’t just try to scare them. See if you can make the case that having a high standard of IT security is a product differentiator. Many companies are now advertising that they have good systems to deal with hacking or identity theft. Within a vertical market, first movers who can say that they have strong security may enlarge their market share.

I think there are things you cannot do—or cannot do well—until and unless you have a secure system. For example, well over half the potential market for online banking is not being realized. As a result, banks are suffering a huge opportunity cost. Their profits could be much higher if they doubled the number of customers who bank online.

Copyright © 2004 RSA Security. All rights reserved.