Are there any steps that an IT executive can take to prevent this type of catastrophe?

With network diversity, they won't have to reboot the entire enterprise. In fact, if they have diversity and appropriate alarms in place, they may detect the attack sooner. For example, if there's a computer worm that attacks Linux systems and you are monitoring with a Microsoft system, you may detect the worm far sooner than if everything is on a Linux system. Anytime you can detect an attack faster or respond more quickly, it is going to help. Planning can help. Even if only 25 percent or 20 percent of machines fall victim, how do you detect them? How do you get the patches in place? How do you do restores and reboots while maintaining any type of continuity? That type of planning is very helpful.

What's the bigger threat: insiders or outsiders?

That depends on the business and what's of value on the systems. Insiders already have access and know what would hurt the most. Disgruntled employees can cause a lot of hurt or they can steal a lot. Employees also can be the ones who carelessly change settings that allow outsiders in. In that sense, insiders are the biggest complication. Insiders may not be the biggest source of threats, but they can cause the most potential damage.

The threat from the outside is growing. More criminal activity is occurring on the network, and we don't have a corresponding increase in law enforcement to keep up with it. We're seeing more politically motivated activity. Some of it is vandalism, but quite a bit of it is economically motivated industrial espionage. Online clothing retailers are unlikely targets for that, but a big aerospace company or pharmaceutical company is. Everybody has to worry about the insider threat. The outsider threat is different for different companies.

What's the worst security incident you've witnessed in the course of your career?

It was an insider attack. It was a criminal matter. I'm not sure whether it was prompted by anger or greed. But it involved an employee making off with a copy of very valuable proprietary information for the industry and taking it to the competition. The company's own copies of the information were badly damaged so they couldn't be completely replaced. The incident leaked within the small circle of that industry, so there was damage to business relationships. It was a technical person that did the damage. This was many years ago. The company went through some hard times.

How has the situation with network security changed during the last 10 years from the point of view of the chief security officer developing policy and working with the CIO?

One of the major changes is increased speed. More can come into your network or go out in a shorter amount of time, and therefore you have less time to react. A second change is the scope within an enterprise where the network reaches. Ten years ago, we didn't have anywhere near the number of desktop systems, wireless was not a concern, and VOIP was not considered. Now we have all kinds of devices that we have to worry about. Third, the motivations of those who would attack our systems have moved from exploration and bravado pretty firmly into the realm of criminal activity. Finally, 10 years ago we were seeing targeted attacks such as getting into accounts or getting into machines. Now we're seeing more broadly based denial of service, spam, botnet, adware and spyware kinds of attacks that don't so much focus on gaining access as they do on affecting wide-scale capacity.

What grade would you give to U.S. multinationals in terms of information security?

Most of the big multinationals are probably at least in the B range. Aerospace, banks, pharmaceuticals, tend to be good, as are some online merchants. I'm told that the Internet gambling sites are incredibly good because their whole livelihood has to be protected. Government agencies in the United States are not particularly good. Universities, charities and state governments are all pretty bad.

What is the next big threat that worries you the most and why?

A threat that is not so much technology as it is governance is the trend toward preferential treatment for commercial traffic. Big ISPs and companies are installing spam filters that block traffic from other countries, companies, ISPs or domains. It's effectively a breakdown of the end-to-end model. You cannot depend on your e-mail going through. You've got some countries setting up their own domain roots. We're losing the underlying commonality that the Internet grew on. We're having a Tower of Babel moment of sorts. It's ironic that one of the reasons the Internet succeeded is its lack of centralized control. But that may destroy the other thing that made the Internet very attractive, which is its ubiquitous, common access. How that's going to play out I don't know. It's not a technology issue, but it impacts the technology in a major way.