* Establish automatic monitoring of compliance and auditing capabilities of networks. "Every day you can see if you're secure," he said.
* Acquire a patch-management system and service. Noting that 50 or 60 patches are issued each week by software providers, Clarke called patching "the No. 1 headache of CIOs."
* Set up an identity-access-management system, preferably a two-factor password-ID system. "Almost any password can be broken" by programs easily available on the Internet, he noted.
* Data should be encrypted in sensitive areas. He said proposed California legislation calls for many IT organizations to encrypt data.
* Participate in an early-warning system, preferably with an organization that operates a set of detection sensors.
* Establish rigorous security-oriented service-level agreements with ISPs. Clarke indicated that the FCC is considering making this provision mandatory for certain IT users.
* Institute an IT security-awareness program, a sort of catch-all program that would educate staff on widespread security aspects of their networks.
* All software--not just products from Microsoft--should be systematically tested. Clarke noted that buffer-overflow problems have been cited for years but little has been done to correct the problem. He said there is a need for "software products that test software."
* Secure the physical part of the IT organization to make sure that intruders can't just walk in and violate security.
* Address "the road-warrior problem," as illustrated by network users logging in from remote locations who unknowingly have infected software, typically on laptops.
Incidentally, this lower-case XHTML thing is driving me nuts. Who makes text case-sensitive? Stupid XML.
posted by Richard at 12:19 /