COMMISSION SENSITIVE

[UnClassified]

MEMORANDUM FOR THE RECORD

Event: Meeting with the Conference Board


Type of event: Discussion on Security Survey results and potential new survey
Date: Meeting 1: July 17, 2003
Meeting 2: Oct. 16, 2003

Special Access Issues: None

Prepared by: Emily Walker


Team Number: 8
Location: 845 Third Ave, NY NY 212-339-0419
Participants - Non-Commission: Thomas Cavanaugh: Senior Research Associate in Global Corporate Citizenship, The Conference Board
Participants - Commission: Emily Walker, Sam Caspersen, John Farmer (Meeting 1); Emily Walker only (Meeting 2)

An article of interest to the NY Private Sector 9-11 Team appeared in the Financial Times
Newspaper (attachment 1) on Thursday, July 10, 2003 with a headline "Companies Ignore Terror
Risks" which summarized the findings of a comprehensive survey of corporate spending on
security post 9-11 by declaring that corporate spending to protect sites against terrorist attacks
and other security risks has gone up just 4 per cent, while insurance costs have risen by a median
of 33 per cent since 2001.

We met with the Security Expert, Tom Cavanaugh, who worked on the survey mentioned above
which was entitled "Corporate and Security Management", Organization and Spending since
9/11 (attachment 2). We asked questions and clarification on the survey. I mentioned that we
were looking at additional issues related to corporate measures on emergency preparedness and
security and wondered if they were going to do any follow-on surveys on security focused
questions. He said that they would be willing to conduct additional surveys, but did not have the
financing and was not willing to conduct them for free to support the Commission. We
acknowledged that the 9-11 Commission was not in a position to conduct another survey but
would be interested in helping shape the questions and using the results in the final report on the
9-11 story as well as background leading to recommendations for future action in the private
sector preparedness and continuity of business area.

The conclusion I drew from the first meeting was basically that there would not be any follow-on
relation with the 9-11 Commission and the Conference Board on the survey idea because there
was no funding.

Several weeks later, in August, Tom Cavanaugh called me back and said that they might have
funding from Department of Homeland Security to do a further survey on these issues. In
September, he called to say that he thought there would be funding and asked if I could submit
the questions that we would be interested in finding the answers to and any lists of companies to
which we would like to submit the questions.

I responded with the attached list of questions which I derived from a George Washington
University Study of 1997 and my own ideas (attachment 3). Tom took this list and developed an
interactive survey questionnaire (attachment 4). We met on October 16, 2003 to discuss this
survey. Sam Caspersen and I reviewed the survey that Tom proposed and it is adequate for the
purposes of collecting interesting data on how prepared companies are following 9-11. Tom is
still working on the companies to whom the questionnaire will be directed. I recommended that
he speak to James Creague of American Express Security about the downtown alliance of banks
and financial institutions security directors which would be a good proxy for the WTC area
representatives. In addition, the survey will be given to companies throughout the United States
in order to make geographic comparisons.

Follow-up: We need to get our comments back on the survey and determine the relationship
between the 9-11 Commission and the Survey when it is finalized.

Background:
Attachment 1: Financial Times Article July 20, 2003 "Companies Ignore Terror Risk"
Attachment 2: Research Report: "Corporate Security Management: Organization and Spending
Since 9/11" by the Conference Board
Attachment 3: "Potential Questions for NY City Partnership on Emergency Preparedness" by
Emily Walker
Attachment 4: Zarga Interactive Draft Survey "Federal 9-11 Commission"

Thursday July 10 2003

Companies ignore terror risk

Spending on security measures following the September 11 attacks has barely increased, while corporate insurance costs have soared

By Edward Alden in Washington

Spending on security and anti-terror measures by US companies has barely risen since the September 11 attacks, it was revealed yesterday.

While insurance and risk-management costs have jumped sharply, corporate spending to protect sites against terrorist attacks and other security risks has gone up just 4 per cent, according to the Conference Board, a business research group.

In the first comprehensive survey of corporate security spending after September 11, the board found that insurance costs have risen by a median 33 per cent since 2001, while insurance costs for one-fifth of companies have doubled.

"There was an expectation that there would be an overhaul in corporate security after 9/11," said Tom Cavanagh the Conference Board's security expert, who wrote the report. "But in general we haven't found that."

The White House has been struggling to cajole US companies to increase their readiness for terrorist attacks, particularly in critical industries such as transport, energy and utilities.

The Project on Government Oversight, a watchdog group, said last month that interviews with security officials at nuclear power plants showed that only one-in-four plants was adequately protected against terrorist attacks.

Tom Ridge, secretary of homeland security, last week asked a Homeland Security advisory council to establish an award - modelled on the Commerce Department's Malcolm Baldridge award - to encourage companies to adopt innovative security measures.

The Conference Board study showed that measures to combat terrorists have varied widely depending on the size of the company, the industry and the part of the country where it is located.

Large corporations, particularly in the cities of the north-east, have increased security spending most sharply, by an average 9 per cent, compared with just 2.8 per cent in the rest of the US.

The response also differs by sector. More than 70 per cent of energy companies and 60 per cent of financial services firms said that security spending would remain permanently higher than before September 11.

But half of all trading companies and [illegible] per cent of manufacturers said they had not changed security spending in response to the attacks.

The biggest hit for companies has been higher insurance costs, particularly for the multinational companies that would be more likely to be attacked by terrorists.

More than half of the companies surveyed in the report said that they had faced difficulties obtaining insurance coverage for office properties in cities, particularly in the north-east of the country.

www.ft.com/us
R1333-03-RR
Corporate Security Management
Organization and Spending Since 9/11
by Thomas E. Cavanagh
with the assistance of Meredith Whiting

contents

Key Findings
Organization and Spending
Patterns of Organization
Security Directors
Risk Managers and IT Security Officers
Accountability is Widely Dispersed
Salary Levels
Staffing Levels
The Chief Security Officer Position
Authority and Financial Resources
Changes in Accountability
Case Study: Emergency Response at Duke Energy
Creating the CSO Position
Spending on Corporate Security
A Permanent Increase in Spending
A Modest Increase Overall
Case Study: Consolidating Security at Avaya
Security Spending in the Northeast
Smaller Companies Bear a Larger Burden
The Cost of IT Security
Case Study: IT Security at Unisys
The Soaring Cost of Risk Management
Changes in Insurance Coverage
Risk Management as a Line Item
A Methodological Note on Risk Management Data
The Costs of Terrorism
What Security Executives Worry About
The Desirability of Dispersing Facilities
Case Study: Crisis Management at Air Products
Threats to IT Security
Lessons Learned
Appendix: About the Sample

Corporate Security Management: Organization and Spending Since 9/11 The Conference Board
Key Findings

Corporate security has become a high-profile issue since the events of September 11, 2001 exposed America's vulnerability to terrorist attack. Because roughly 80 percent of America's critical infrastructure is managed by the private sector, corporate security managers have an essential role to play in the protection of key industries and the people who work in them.


In the wake of September 11, many companies reviewed their security operations.
The events of that day made clear that security was not merely a matter of protecting
employees and facilities from physical harm. A terrorist attack on a major business
district could disrupt operations, inhibit travel, snarl supply chains, and pose major
strategic issues for the conduct and even the survival of a multinational business.

CEO's were often dismayed to discover that the security function was highly decentralized and widely dispersed through their companies' management structures, making accountability and coordination difficult. Some observers expected that there would be a widespread move in corporate America toward centralizing the security function under the control of a Chief Security Officer reporting directly to the CEO.

This has not been the case. While there has been some movement toward greater coordination of the security function since 9/11, it remains decentralized in most companies. In general, we are seeing an evolution, not a revolution, in the management of corporate security.

Organization and Spending
Key findings from the survey show:

Organization of the function

• The process of security management is only beginning to evolve into a strategic business function in corporate America. At present, security issues are generally divided into three separate silos (physical protection, risk management, and IT security) with distinct accountability and reporting relationships.
• Despite having strategic implications for business management, security is still being treated as an operational concern by most companies in the United States. The traditional emphasis on physical protection is reflected in the recruitment of security directors from law enforcement and the military.
• High-level reporting and accountability are still the exception rather than the rule in corporate security management. It remains to be seen if the usual ways of doing business will prove adequate to the challenge of managing corporate security in an increasingly threatening international environment.
• Centralization, coordination, and strategic management of the corporate security function are still relatively unusual. While one-quarter of companies have a Chief Security Officer, most of the remainder do not appear to have much interest in creating the position.

Spending Patterns

• Corporate security spending has clearly increased since 9/11, but the increases have been unevenly distributed. About half of companies report a permanent increase in the level of security spending, with companies in the critical industries leading the way.
• The median increase in total security spending is only 4 percent, but this figure disguises a wide range, with 7 percent of companies stepping up their security spending by 50 percent or more. Larger, multinational companies report larger increases than smaller, domestic companies. However, smaller companies pay a larger share of their sales volume for security.
• Insurance and risk management is the area showing the most dramatic increase in spending, with a median increase of 33 percent. Fully one-fifth of companies report that their spending on insurance has at least doubled since 2001. The increase in insurance costs has been concentrated among companies in the critical industries.
• In terms of salary and executive level, IT security is the most prestigious security portfolio, although it is often simply an extension of the IT operation. Risk management is generally part of the financial management of the company. The position of security director is the lowest-ranking and tends to be focused on issues of physical protection. Most security executives serve below the vice presidential level and earn less than $150,000 per year.
• Companies in the Northeast Metro region are reporting bigger increases in spending on security and risk management than companies in the rest of the United States.

Defining critical industries

Following the usage of the U.S. Department of Homeland Security, critical industries are defined as the following: transportation; energy and utilities; financial services; media and telecommunications; information technology; and healthcare. Remaining industries are classified as non-critical.

Patterns of Organization

Despite raised expectations and heightened visibility, corporate America is undergoing an evolution rather than a revolution in the management of security concerns.

Security Directors
Security has traditionally been associated with physical protection-"the guard at
the gate"-in the lingo of the profession. This function remains the core responsibil-
ity of the senior executives who manage corporate security. These executives pri-
marily come from a background in the "peacekeeping" professions, with 47 percent
having police experience and one-third coming from the military. Some 15 percent
have worked in the security industry for a vendor or consultant, and 12 percent have
been employed in private investigation.

While important, strategic business management does not loom as large in the career
paths of security directors. Just under one-fourth report diversified corporate man-
agement experience, while 11 percent have been involved in facilities management
and 9 percent apiece in IT and risk management. As security issues "move up the
food chain" in significance, senior management experience will probably become
more important as a qualification for the position of security director.

Given their importance in the current business environment, security directors occupy a surprisingly modest level in the corporate totem pole. Most security directors hold mid-level management positions that are deeply imbedded in the routine operations of their companies.

The vast majority of security directors hold a rank below the vice presidential level.
Only 1 percent hold a title at the C-suite level and 17 percent are vice presidents.
Almost half (48 percent) are directors and 27 percent are managers.

Reporting relationships are remarkably diverse. The most common pattern (20 percent) is for security directors to report to the SVP for Facilities, reflecting the profession's traditional emphasis on physical protection. Another 15 percent report to an executive with responsibility for operations, administration, services, or support, while 13 percent report to the SVP for Human Resources.

Most security directors do not report directly to the top management of their companies. Only 9 percent of security directors report to the CEO. Some 10 percent report to the Chief Legal Officer, presumably due to liability and compliance issues. Another 8 percent report to the CFO, and 6 percent report to the COO. C-suite access may become more common in the future as security concerns become more integrated into strategic management. But at present, a routine reporting relationship to the CEO or COO is still relatively unusual.

[Figure: Most security directors come from a background in law enforcement or the military. Professional background (multiple responses possible): Police 47.2%; Military 32.7; Other Corporate Management 23.6; Private Investigation; Facilities Management; Professional/Corporate Security; Information Technology; Finance/Risk Management; FBI; Other Government/Lobbying; Human Resources; CIA/Intelligence; Occupational Safety; U.S. Secret Service; Education; Supply Chain Management; Legal; Other. Number of respondents: 199]

[Figure: Profile of Security Directors. Panels: Executive level; Reporting relationship (SVP for Facilities 19.8%; Operations/Administration/Services/Support; SVP for Human Resources; CLO (Chief Legal Officer); CEO (Chief Executive Officer); CFO (Chief Financial Officer); COO (Chief Operating Officer); Risk Manager/Auditor; Other). Number of respondents: 199]

Risk Managers and IT Security Officers

The functions of risk management and protecting the IT system are handled in separate silos in most companies, distinct from each other and from the physical security function as well. Interestingly, both of these positions appear to enjoy more seniority and influence within the corporate structure than the security director position.

Risk managers serve at a considerably higher level than security directors. Some 8 percent hold the title of Chief Risk Officer or Chief Administrative Officer, placing them at the top management level. Fully 31 percent are vice presidents and 21 percent are directors, while 31 percent serve at the manager level.

The reporting relationships reflect this seniority. Among risk managers, 21 percent report to the CEO, and an identical percentage reports to the CFO. Another 15 percent report to an executive with financial responsibilities, indicating the preeminence of financial concerns in determining the accountability for the risk management portfolio.

A less common pattern is for the risk manager to report to an executive with operational responsibilities in human resources (8 percent), or facilities, administration, or procurement (4 percent apiece). Only 4 percent of risk managers report to a Chief Security Officer, indicating that the risk manager position is defined primarily in terms of financial issues rather than security responsibilities.

[Figure: Profile of Risk Managers. Executive level: Chief Risk/Administrative Officer 7.7%; Vice President 30.8; Director 21.2; Manager 30.8; Other 9.6. Reporting relationship: CEO (Chief Executive Officer) 21.2; CFO (Chief Financial Officer) 21.2; Other Financial/Risk Management 15.3; Legal; Human Resources; CSO (Chief Security Officer); SVP for Facilities; SVP for Administration; Purchasing/Procurement; Other. Number of respondents: 52]

IT security is the most prestigious of the three major security portfolios. Over one-third of the IT security officers surveyed serve at the senior management level. The Chief Information Officer is the IT security officer at 21 percent of the companies surveyed, meaning that security is part of that executive's responsibility as the company's senior IT official. Some 6 percent hold the title of Chief Information Security Officer and another 7 percent have a different C-level title.

Fifteen percent of IT security officers are vice presidents, while one-quarter are directors and one-eighth are managers. Another 5 percent hold the title of Security Architect.

Over two-thirds of IT security officers report to C-level executives. Some 39 percent report to the Chief Information Officer or Chief Technology Officer, and 23 percent report directly to the CEO, while 6 percent report to the CFO and 5 percent to the COO. Another 14 percent report to an executive in information systems or services, meaning that about half of all IT security officers report through an IT silo. The high level of IT security officers reflects how critical IT systems have become to the management of a modern corporation.

[Figure: Profile of IT Security Officers. Executive level: Chief Information Officer 21.3%; Chief Operating/Technology/Security Officer; Chief Information Security Officer; Vice President 15.0; Manager; Security Architect; Other. Reporting relationship: CIO/CTO (Chief Information/Technology Officer) 38.8%; CEO (Chief Executive Officer) 22.5; Other Information Technology/Systems/Services 13.8; CFO (Chief Financial Officer); COO (Chief Operating Officer); Other Operations/Administration; Other. Number of respondents: 80]

Accountability is Widely Dispersed

Security responsibilities are widely dispersed in a typical company. Security executives were asked who had the ultimate responsibility for a variety of security-related functions. There are only three functions for which over half of all companies report the same pattern of accountability:

• IT security is the ultimate responsibility of a senior IT executive in two-thirds of companies.
• Insurance and risk management is the ultimate responsibility of the CFO in just over half of companies.
• Background investigations are the ultimate responsibility of the SVP for Human Resources in just over half of companies.

For all other security-related functions, no more than one-quarter of companies report that ultimate responsibility is handled by any one executive. Two main clusters appear, however. The following responsibilities related to physical protection are usually accountable to the CSO, the SVP for Facilities, or the SVP for Human Resources:

• Protecting employees
• Protecting buildings and facilities
• Executive security
• Biological, chemical, and radiological hazards
• Emergency preparedness

Protecting the supply and distribution chains are usually the ultimate responsibility of the SVP for Facilities, the CSO, or the COO. Business recovery and continuity have a very distinctive pattern, with accountability assigned to the COO, CFO, or a senior IT executive.

Security responsibilities are widely dispersed

Executive with ultimate responsibility for each function (columns: CIO/CTO/SVP for IT; CFO; SVP for HR; CSO; SVP for Facilities; COO)

IT security: 67.3%
Insurance/financial risk management: 54.8%
Background investigations: 54.8%, 14.2%
Protecting employees: 15.2, 25.8, 17.2%
Protecting buildings and facilities: 10.1, 23.6, 24.6
Executive security: 10.2, 24.5, 14.3
Business recovery and continuity: 13.1, 18.2, 19.2%
Biological/chemical/radiological hazards: 9.6, 18.1, 18.6
Emergency preparedness: 11.1, 17.6, 17.6
Protecting supply chain: 11.3, 10.8, 15.4, 10.3
Protecting distribution chain: 13.3, 14.9, 10.8

Number of respondents: 199

Salary Levels

Compared to the most senior management positions, security executives earn relatively modest salaries. The salary levels reflect the prestige and reporting relationships discussed previously.

IT security officers are the best paid of the three security management positions, earning a median salary of $139,800 per year. Risk managers are second with a median salary of $123,600. The security directors bring up the rear, with a median salary of $101,900. Fully 20 percent of IT security officers make at least $200,000 a year, compared to 10 percent of risk managers and 9 percent of security directors.

Large multinational companies pay the highest salaries for security directors and risk managers. For example, the median salary for security directors in companies with at least $1 billion in sales is $124,000, well above the median of $101,900 for all companies. The median for risk managers in such companies is $138,500, again well above the overall median of $123,600. On the other hand, the difference in median salaries between IT security officers in these large companies and the overall median is less than $5,000 per year. It appears that salary levels in the IT security profession are driven less by the size of the company than by the expertise required to fill the position.

[Figure: IT security officers are the most highly paid security executives. Share of respondents by salary band (security directors / risk managers / IT security officers): less than $100,000: 48.7% / 34.0% / 20.8%; $100,000 to $149,999: 33.0 / 36.0 / 37.5; $150,000 to $199,999: 9.1 / 20.0 / 22.2; $200,000 to $249,999: IT security officers 13.9; $250,000 or more. Median salary and respondents: security directors $101,900 (197); risk managers $123,600 (50); IT security officers $139,800 (72)]

[Figure: Security directors and risk managers earn more at large multinationals. Median salary in $ thousand (security directors / risk managers / IT security officers): All companies 101.9 / 123.6 / 139.8; Critical industries 105.0 / 125.0 / 132.7; Multinational 122.5 / 131.8 / 136.8; Sales over $1 billion 124.0 / 138.5 / 144.7; Over 10,000 FTE's 131.3 / 137.5 / 140.0. Number of respondents: 197]

Staffing Levels

Security directors were asked how many FTE's their companies employ that have security as their primary responsibility. Among the 199 companies in the sample, the median number of security employees is 39.3. Of course, the number varies depending on the size of the company. For companies with under 10,000 total FTE's, the median security employment is 28.7 FTE's. For companies with 10,000 or more FTE's, the median security employment is 76.6 FTE's.

Just under half of all companies (47 percent) report that they have increased their security staffing level since 2001. Larger companies are more likely to be increasing security staff. Over half (53 percent) of companies with over $1 billion in sales have increased security employment, compared to 40 percent of companies below this sales level. Similarly, security staff has risen among 54 percent of companies with 10,000 or more total FTE's, compared to 44 percent of companies with a payroll below that size. Interestingly, there is no significant difference between critical and non-critical industries as a whole on this measure (49 vs. 46 percent).

[Figure: Most companies employ less than 50 people for security. FTE's with security as primary responsibility, in bands: less than 10; 10 to 49; 50 to 99; 100 to 499; 500 to 999; 1,000 or more. Median FTE's and respondents: All companies 39.3 (199); Less than 10,000 FTE's 28.7 (129); More than 10,000 FTE's 76.6 (70)]

[Figure: Larger companies are increasing security staff most rapidly. Change in security FTE's since 2001, by company group. Legend: Fewer; Same; 1-9% higher; 10% higher or more]

However, when critical and non-critical industries are broken into specific industry segments, a wide disparity appears. Financial services companies are most likely to report an increase in security staffing (62 percent of companies), followed by companies in the "digital industries" (technology, media, and telecommunications) with 53 percent reporting an increase, energy and utilities (47 percent), healthcare (39 percent), retail and wholesale trade (33 percent), and manufacturing (31 percent).

IT security is a relatively small share of security employment at most companies. Almost half of all companies (48 percent) employ fewer than 5 FTE's whose primary responsibility is IT security. However, companies in critical industries are much more likely to have a relatively large contingent of people dealing with IT security. Almost half of such companies (48 percent) have 10 or more FTE's working on security, compared to 31 percent of companies in non-critical industries.

[Figure: Financial and technology companies are increasing security staff most rapidly. Change in security FTE's since 2001, by industry: All companies; Financial services; Digital industries; Energy/utilities; Healthcare; Trade; Manufacturing. Legend: Fewer; Same; 1-9% higher; 10% higher or more]

[Figure: Companies in critical industries employ more people for IT security. FTE's with IT security as primary responsibility, by company group: All companies; Critical industries; Non-critical industries; Domestic; Multinational; Sales under $1 billion; Under 10,000 FTE's; Over 10,000 FTE's. Legend: 1-4; 5-9; 10-24; 25-49; 50 or more]

Not surprisingly, larger companies have more staff devoted to IT security. Over half of all companies (51 percent) with sales over $1 billion have 10 or more IT security staff, compared to only 15 percent of companies below that sales level. Similarly, 62 percent of companies with 10,000 or more total FTE's have 10 or more IT security personnel, compared to 22 percent of companies with a total payroll below that size.

Larger companies are increasing their IT security staff most rapidly. While 42 percent of companies with $1 billion or more in sales have increased their IT security staff since 2001, only 26 percent of companies below this sales level have done so. Similarly, half of companies with 10,000 or more FTE's have increased IT security staff, compared to 27 percent of companies below that level of employment.

[Figure: Larger companies are increasing IT security staff most rapidly. Change in IT security FTE's since 2001, by company group. Legend: Fewer; Same; 1-9% higher; 10% higher or more]

The Chief Security Officer Position

Following 9/11, expectations seemed to be that corporate America would move to centralize the security function under the control of a Chief Security Officer (CSO) reporting directly to the CEO. That does not appear to be the case.

The Chief Security Officer (CSO) position is intended to be analogous to that of a Chief Financial Officer (CFO) or Chief Information Officer (CIO). The CSO would coordinate all security responsibilities throughout the company and would be accountable to top management and the governing board. With a single person accountable for security responsibilities, the many silos involved in security operations could be better coordinated and information could be disseminated more effectively throughout the corporation.

The CSO concept hinges on the perceived need to integrate security concerns into
corporate strategy. In theory, the position would give security issues a place at the table
whenever high-level decisions are being made about location of facilities, supply chain
sources, choice of corporate partners, and procedures to ensure the safety of a company's
products and stakeholders. The CSO would concentrate on the "big picture," delegating
routine oversight of physical security to managers at the operating level.

With regular access to the C-suite, the CSO would be better able to redirect company
policies quickly in response to an emergency or a perceived threat. Finally, the CSO
would control the security budget for the corporation as a whole, so security spending
could be managed more effectively.

Authority and Financial Resources

Looking at their current situation in their companies, security executives tend to be
much more satisfied with their decision-making authority than with the financial
resources under their control. Security executives were asked to agree or disagree with
the statement: "I have the decision-making authority I need to deal with the security
concerns that I am directly responsible for in my company" or an equivalent statement
dealing with risk management or IT security concerns. Almost all security executives
agree with this statement; 51 percent of security directors, 35 percent of risk managers,
and 43 percent of IT security officers agree with it strongly.

However, there is much less agreement with the statement: "I have the financial
resources I need to deal with the security concerns that I am directly responsible for
in my company" or the equivalent for risk management or IT security. Only 26 percent of
security directors, 19 percent of risk managers, and 14 percent of IT security directors
agree strongly that they have the financial resources they need. Meanwhile, 27 percent
of security directors, 25 percent of risk managers, and 35 percent of IT security
officers disagree with this statement.

Security executives in non-critical industries are the least satisfied with their
control over financial resources. Fully one-third (33 percent) of security directors in
non-critical industries disagree that they have enough control over finances, compared
to 21 percent of security directors in critical industries. The disparities are even
greater for risk managers: 32 percent in non-critical industries disagree, compared to
17 percent in critical industries. The dissatisfaction is most acute among IT security
officers: almost half (45 percent) in non-critical industries disagree that they have
adequate financial resources, compared to 24 percent in critical industries.

Apparently in critical industries, it is easier for security executives to make a
business case for obtaining the financial resources they feel they need. In the
non-critical industries, because security does not appear to be quite as integral to the
business, it is more difficult for security executives to battle successfully for a
share of the corporate budget.

[Figure: Security executives are more satisfied with their decision-making authority
than with their financial resources. Panels: "I have the decision-making authority
I need ..." and "I have the financial resources I need ...". Rows: Security directors;
Risk managers; IT security officers. Legend: Agree strongly; Agree somewhat; Disagree;
number of respondents.]

[Figure: Security executives in non-critical industries are least satisfied with their
control over financial resources. "I have the financial resources I need ...". Panels:
Critical industries; Non-critical industries. Rows: Security directors; Risk managers;
IT security officers. Legend: Agree strongly; Agree somewhat; Disagree; number of
respondents.]

Changes in Accountability

Many companies reexamined their security operations in the wake of 9/11. Most companies,
however, have not made dramatic changes in the organization of their security operations
as a result of these deliberations. When security directors are asked how the
accountability for security issues has changed in their companies, just under half
(49 percent) report no change at all.

Changes in corporate organization charts appear to be relatively rare. Some 9 percent of
companies have created a new executive position to centralize and coordinate security,
and 4 percent have realigned their reporting relationships.

Most of the changes mentioned are subtle, and have to do with increased priority placed
on security issues in their company's management. For example, 13 percent of security
directors note an increased urgency and visibility for security issues; 10 percent
report having better access to senior management; 5 percent enjoy more recognition and
authority; and 5 percent have received more resources. Other security directors find
there is a new stress on procedures: 8 percent see more emphasis on emergency
preparedness and crisis management; 4 percent report security upgrades; and 4 percent
see more concern with risk assessment and compliance auditing.

[Figure: Most companies report no change in accountability for security since 9/11]

"Since the events of September 11, 2001, how has the accountability for security
issues in your company changed?"

No change: 49.2%
More urgency, attention, concern, visibility, interest, focus: 12.7
New security position created to centralize, coordinate: 9.0

Other categories shown (values not legible in the scan):
Emergency preparedness/crisis/recovery planning
More responsibility, recognition, authority
More resources, staff, funding, support
Security upgrades, access controls, surveillance
Vulnerability/risk assessment, compliance auditing
Realignment in reporting relationships
Interface with government agencies, law enforcement
Concern with current events, terrorism
Integration with business management/strategy
Other comments

(Summary coded from open-ended responses)

Number of respondents: 189

Case Study
Emergency Response at Duke Energy
Many companies reviewed their security operations in the wake of 9/11.
These were the results at Duke Energy.

Company: Duke Energy
Employees: 22,000
Located: Charlotte, North Carolina
Sales (2002): $15.7 billion
Business: A builder of power infrastructures and a wholesale energy seller,
the company is a top tier gas and power marketer in the U.S. and a Fortune 500 company.

After 9/11, Duke Energy began new efforts and accelerated existing ones to strengthen
safety and security for employees, customers, and neighbors. At the heart of these
activities was the work done in late 2001 and early 2002 by the Enterprise Safety and
Security Network (ESSN).

The ESSN was charged to examine ways to coordinate more effectively across the company
during a crisis or event. ESSN also identified potential security and safety risks that
were not on the horizon prior to 9/11, and response efforts that were needed to address
those new risks. Jim Hendricks, vice president of corporate environment, health and
safety at that time, served as executive sponsor of the ESSN.

"Duke Energy's nuclear operations, and the nuclear industry as a whole, have an
advantage," Hendricks says. The plant emergency processes are tested and exercised
regularly. As a result, the company's nuclear plants were able to respond quickly to
instructions provided by the Nuclear Regulatory Commission after September 11.

"Our biggest weakness was in our corporate office areas," continues Hendricks. "Not all
areas had emergency plans, and those that did didn't exercise them regularly. None of
the plans considered the possibility of multiple, simultaneous events, which could
severely impact our operations. Our ability to quickly locate employees who might be
traveling or were otherwise away from the office was an area we also needed to improve."

Prior to 9/11, the security function resided in a number of groups and locations. Today,
the company's Risk Management Services group oversees corporate security, insurance,
crisis management, and business continuity. The group is headed by vice president
Jeff Triplette. Triplette reports to the chief risk officer, who in turn reports
directly to the chairman of the board.

Duke Energy's Tom Bowman, managing director of crisis management and business continuity
planning, also manages a new Enterprise Crisis Operations Center (ECOC), which is
activated during severe emergencies or potential crisis events. Each business unit
within Duke Energy is conducting a risk analysis, based on more than 850 identified
processes.

So far, some 325 business continuity plans have been developed for the company's major
operating business units (electric utility, gas transmission, and unregulated power
generation) as well as for corporate offices. The process can get complicated. For
instance, in the company's gas pipelines business there are six different businesses in
the United States and Canada, with facilities in more than 30 states.

A major concern is securing the information technology operations. Hendricks says,
"No one had seriously contemplated the ramifications of a major attack on our IT
infrastructure. Since 2001 we have relocated our backup operations to a site far away
from headquarters. Setting up the new, rigorous security and emergency response systems
and documenting them requires a significant investment."

Creating the CSO Position

In the survey of security directors, 24 percent reported that their company currently
has the position of CSO. (It should be noted, however, that none of the security
directors surveyed had this exact title.)

Most of the companies without a CSO position do not appear to have much interest in
creating one. Only 5 percent of companies overall say they are definitely planning to
create the position; 4 percent are actively considering the idea; and 6 percent are
engaged in preliminary discussions. Over half of all companies (51 percent) are not
discussing the idea at present, and 10 percent have definitely decided not to create
the position.

When asked which kinds of experience are most valued in a CSO, the protective services
are still given pride of place. Security directors were asked to rank four kinds of
experience on a scale of 1 to 4 in terms of their importance (1 being most important)
as preparation for the CSO position. Military and police work finished first, with an
average rank of 1.99, followed by strategic business management (2.37), finance and
risk management (2.57), and information technology (3.07).

[Figure: Most companies don't plan to have a Chief Security Officer]

No discussions at present: 51.3%
Company currently has a Chief Security Officer: 24%
Definitely will not create position: 10.1%
Preliminary discussions: 6.0%
Definitely planning to create CSO position: 4.5%
Actively considering: 4.0%

Number of respondents: 199

[Figure: Protective service experience is most valued in a CSO]

"Please rank the importance of each of the following kinds of experience as preparation
for the position of Chief Security Officer, from 1 for most important to 4 for least
important."

Average rank
Military/Police/Security: 1.99
Strategic business management: 2.37
Finance/Risk management: 2.57
Information technology: 3.07

Number of respondents: 197

Companies in critical industries are more likely to have a CSO than those in
non-critical industries (29 vs. 19 percent), suggesting that centralization of the
security function is especially important in industries where security is most vital.
Domestic companies are also more likely to have a CSO than multinationals (32 percent
vs. 18 percent).

However, smaller companies are most likely to have a CSO. While 35 percent of companies
have a CSO if they have less than $1 billion in sales, this figure drops to 15 percent
for companies with over $1 billion in sales. Similarly, 31 percent of companies with
under 10,000 FTE's have a CSO, compared to 11 percent of companies with over 10,000
FTE's.

Security operations are clearly more centralized in smaller companies. We believe this
is probably because organizational silos and senior-level executive positions are more
likely to proliferate in larger companies, making it more difficult to consolidate
security authority behind a single individual in the person of a CSO. Of course, one
could also argue that this proliferation is precisely why a CSO might be needed to bring
order out of this potential for organizational chaos.

As one would expect, CSOs are more likely than other security directors to report to top
management. A total of 43 percent report to a C-suite executive, compared to 27 percent
of security directors in companies that have no interest in creating the CSO position.
In companies that do not currently have a CSO but are considering creating the position,
43 percent report to a C-level executive, the same as in companies that already have a
CSO. However, 28 percent of CSOs report to the very top level (CEO or COO), compared to
only 11 percent of security directors in companies that are considering whether to
create the CSO position.

The pattern suggests that the decision to create a CSO is influenced by certain
pre-existing patterns in security management. If a company's security director already
reports directly to upper management, then the company is more likely to consider
designating this executive as the CSO to reflect the importance of the responsibilities.

[Figure: Companies in critical industries are more likely to have a CSO ... but smaller
domestic companies are most likely to have a CSO]

Percentage of companies with a CSO
Domestic: 32.0%
Multinational: 18.2%
Sales under $1 billion: 35.2
Sales over $1 billion: 15.5
Under 10,000 FTE's: 31.0
Over 10,000 FTE's: 11.4

[Figure: CSO's are more likely to report to top management. "Security director reports
to ..." Categories: CEO (Chief Executive Officer); COO (Chief Operating Officer);
CFO (Chief Financial Officer); CLO (Chief Legal Officer); SVP for Facilities; SVP for
Human Resources; Other.]

Respondents
Company has CSO: 46
May create CSO position: 28
No interest in CSO position: 121

[Figure: CSOs are far more likely to have the authority they feel they need ... but CSOs
are no more likely to have the financial resources they feel they need]

Percentage of security directors agreeing strongly that they have the decision-making
authority they need:
Company has CSO: 72.3%
May create CSO position: 39.3
No interest in CSO position: 45.1

Percentage of security directors agreeing strongly that they have the financial
resources they need:
Company has CSO: 25.5%
May create CSO position: 28.6
No interest in CSO position: 4.6 (leading digit possibly lost in the scan)

Number of respondents: Company has CSO 47; May create CSO position 28; No interest in
CSO position 122

There is evidence that the CSO solution does indeed enhance the ability of security
directors to implement policies within their companies. Almost three-quarters
(72 percent) of CSOs agree strongly that they have the decision-making authority they
need, compared to 39 percent of security directors in companies that are considering
appointing a CSO, and 45 percent in companies with no interest in the CSO position.

However, the major complaint of security executives concerns their lack of control over
the purse strings, and having a CSO does not appear to ameliorate that concern.
Regardless of where a company stands on the CSO issue, only about one-quarter of
security directors agree strongly that they have the financial resources they need.

Even so, while CSOs may be just as dissatisfied with their financial clout as other
security directors, they are increasing spending more rapidly. The median spending
increase on security since 2001 in companies with a CSO is 5.3 percent, compared to
2.4 percent in companies with no interest in the CSO position. Spending is increasing
most rapidly (6.7 percent) in companies that do not currently have a CSO but are
thinking of creating the position. This pattern again suggests that as a company
upgrades the priority it places on security, it is more likely to consider creating the
position of CSO.

[Figure: Companies with CSOs are more likely to increase security spending]

Median increase in total security spending since 2001:
Company has CSO: 5.3%
May create CSO position: 6.7
No interest in CSO position: 2.4

This point becomes even clearer if we look at the relationship between certain kinds of
security spending increases and interest in creating the CSO position. Companies that
are considering the creation of the position have specialized needs. They are twice as
likely as other companies to report increases in spending on IT security (77 percent) or
business recovery and continuity (59 percent).

We can refine this analysis even further by looking only at companies that do not
currently have a CSO. Among the remaining companies, those that report certain kinds of
spending increases are also much more likely to report interest in the CSO position.

For example, among non-CSO companies that have increased spending on IT security,
32 percent are thinking of creating a CSO, compared to only 8 percent of non-CSO
companies that have not increased IT spending. Among non-CSO companies that have
increased spending on business recovery and continuity, 28 percent are discussing the
CSO option, compared to 12 percent that have not increased such spending. Somewhat
smaller disparities exist among non-CSO companies depending on whether or not they have
increased spending on risk management (25 vs. 14 percent) or protecting buildings and
facilities (22 vs. 14 percent).

The conclusion seems inescapable: interest in creating a CSO is driven by a higher
profile for security concerns within a company. As the security director becomes more
accountable to the C-suite, and spending increases on specialized concerns like IT
security and business recovery, senior management is more likely to consider the CSO
option as a means to improve the coordination and effectiveness of security management.

Companies discussing a CSO position have specialized spending needs ...

Percentage of companies reporting            Company    May create     No interest in
increase in spending on ...                  has CSO    CSO position   CSO position
IT security                                  34.1%      77.3%          38.7%
Business recovery and continuity             28.2       59.1           34.3
Insurance/financial risk management          36.8       50.0           32.9
Protecting buildings and facilities          56.8       64.0           50.0
Executive security                           14.3       22.7           18.3
Biological/chemical/radiological hazards     16.7       21.7           23.4
Background investigations                    22.0       25.0           25.2
Number of respondents                        47         27             122

... compared to other companies without a CSO

If companies without a CSO are               May create     Number of
spending more on ...                         CSO position   respondents
IT security                                  32.1%          53
Business recovery and continuity             27.7           47
Insurance/financial risk management          25.0           36
Protecting buildings and facilities          22.2           72
Executive security                           20.0           25
Biological/chemical/radiological hazards     18.5           27
Background investigations                    18.2           33

If companies without a CSO are               May create     Number of
spending the same or less on ...             CSO position   respondents
IT security                                  8.1%           62
Business recovery and continuity             12.2           74
Insurance/financial risk management          14.1           64
Protecting buildings and facilities          13.8           65
Executive security                           16.0           106
Biological/chemical/radiological hazards     20.0           90
Background investigations                    18.4           98

en
on Corporate Security
Except for risk management and insurance, corporate spending on security has increased
only moderately since 9/11.

The heightened concern over corporate security since September 11, 2001
has occurred in a difficult economic climate, which has discouraged major new
commitments of funds. In the current environment, large-scale capital improvements
that cannot demonstrate an immediate return on investment are a particularly tough
sell to management.

Thus, the perceived need to upgrade corporate security has clashed with the
perceived need to control expenses until the economy recovers. There have been
sharp increases in spending on unavoidable costs involving insurance and risk
management, but relatively modest increases in security spending overall. The
biggest increases have been concentrated among large multinationals and companies
in critical industries, which are perceived to have the highest exposure to risk.

A Permanent Increase in Spending

Security spending jumped immediately after 9/11 as many companies tightened the security
perimeter controlling access to their facilities. Among the most common changes were
hiring additional guards and installing surveillance cameras, turnstiles, and other
mechanisms at entry points. These upgrades were especially common in New York City
(particularly Manhattan) and the Washington, D.C. area, the two regions attacked on 9/11
and considered most at risk of continued terrorist activity.

There was some uncertainty, however, as to whether the increases in spending were merely
a temporary response to a time-bounded emergency or represented a more permanent
increase in the level of security spending, with implications for corporate budgets
going forward. The survey results indicate that for most companies, security spending
has increased and the increase appears to be permanent.

Security directors were asked which of four statements comes closest to describing their
company's spending since 9/11. Roughly one-third of companies say that their spending
has not been affected in any significant way, leaving two-thirds reporting an increase.
Some 13 percent report a spike in spending, i.e., a temporary increase that is expected
to recede in the future. Another one-third of companies say that spending has hit a new,
higher plateau since 9/11, but do not expect additional increases in the future.
Finally, 18 percent say that their spending on security will continue to increase for
the next several years.

Adding together the last two categories, just over half (52 percent) of companies report
a permanent increase in their level of security spending since 9/11. However, there is a
considerable difference between companies in critical and non-critical industries. In
the critical industries, 56 percent of companies report a permanent increase, vs.
39 percent not reporting a permanent increase. In the non-critical industries, the
division is much more even: 48 percent report a permanent increase, while 52 percent
do not.

There are major differences among specific industries with regard to the trend in
security spending. Over two-thirds (71 percent) of companies in the energy and utilities
industry report a permanent increase, followed by 62 percent of companies in the
financial services industry. Smaller proportions of companies report a permanent
increase in security spending in the technology sector (47 percent), healthcare
(46 percent), retail and wholesale trade (42 percent), and manufacturing (38 percent).

About half of companies report a permanent increase in security spending

Which of these statements comes closest to your view about your company's spending on
security-related concerns since September 11, 2001?

Our company's spending on security has not been affected in any significant way
    All companies 32.2%; critical industries 27.1%; non-critical industries 36.9%

Our company's spending on security has increased on a temporary basis, but it will
probably decline in the future
    All companies 13.1; critical industries 11.5; non-critical industries 14.6

Our company's spending on security will continue at a higher level than it was prior to
September 11, 2001, but we do not anticipate significant future increases in the level
of security spending
    All companies 33.7; critical industries 43.8; non-critical industries 24.3

Our company's spending on security will continue to increase every year for the next
several years
    All companies 18.1; critical industries 12.5; non-critical industries 23.3

None of the above
    All companies 3.0; critical industries 5.2; non-critical industries 1.0

Number of respondents
    All companies 199; critical industries 96; non-critical industries 103

Utilities and financial companies report a permanent increase in security spending

Which of these statements comes closest to your view about your company's spending on
security-related concerns since September 11, 2001?

                                                Energy   Finance   Digital   Health   Trade   Mfg.

Our company's spending on security has not
been affected in any significant way            11.8%    27.6%     35.3%     28.6%    50.0%   41.4%

Our company's spending on security has
increased on a temporary basis, but it will
probably decline in the future                  11.8     10.3      5.9       17.9     8.3     20.7

Our company's spending on security will
continue at a higher level than it was prior
to September 11, 2001, but we do not
anticipate significant future increases in
the level of security spending                  58.8     51.7      35.3      32.1     25.0    24.1

Our company's spending on security will
continue to increase every year for the
next several years                              11.8     10.3      11.8      14.3     16.7    13.8

None of the above                               5.9      0.0       11.8      7.1      0.0     0.0

Number of respondents                           17       29        17        28       12      29

A Modest Increase Overall

Although most security directors report a permanent increase in spending, the
size of the increase is not very large on the whole. The median increase across
all companies is 4 percent, a relatively modest figure. However, this aggregate
statistic fails to capture the wide range of change in security spending since 2001.

The companies cluster in three groups, each comprising approximately one-third of the
sample.

• The first group reports no increase: 8 percent actually report spending less in 2002
  than in 2001, and 29 percent report spending about the same on security.

• The second group of 32 percent report moderate increases between 1 and 9 percent.

• The remaining companies (31 percent) report increases of 10 percent or more. A small
  group of companies is increasing spending dramatically: 14 percent are now spending at
  least 20 per cent more on security per year, and 7 percent have stepped up their
  spending by 50 percent or more.

[Figure: Most companies report a modest increase in overall security spending]

Change in total security spending since 2001
Less: 8.3%
About the same: 29.2
1 to 9% higher: 31.8
10 to 19% higher: 16.7
20 to 49% higher: 6.8
50 to 99% higher: (value not legible in the scan)
100% higher or more: (value not legible in the scan)

Median increase: 4%
Number of respondents: 192
Note: "Don't know" eliminated

Larger multinational companies report bigger increases in security spending than smaller
domestic companies. The median increase for multinationals (defined as companies
receiving 10 percent or more of their sales overseas) is 4.7 percent, vs. 3.6 percent
for domestic companies. For companies with sales over one billion dollars, the median
increase is 5.5 percent vs. 1.4 percent for companies below that level of sales. The
median increase for companies with 10,000 or more employees is 5.4 percent, compared to
3 percent for companies below that staffing level.

Interestingly, there is no significant difference in the level of spending increase
between companies in critical and non-critical industries. In fact, the median increase
is slightly higher for non-critical industries (4.4 percent vs. 3.8 percent in critical
industries). On the surface, this may seem counterintuitive. It may indicate that
companies in critical industries had already spent considerable sums on security prior
to 9/11 because they have always been perceived to be at greater risk, while other
companies have felt more need to catch up since that date.

The level of increase is quite consistent across industries. Among companies in the
critical industries, the median increases for the four major industry groups cluster in
the 4 to 5 percent range. In the non-critical sector, the median increase for
manufacturing companies is 3.8 percent, compared to 1.3 percent in retail and wholesale
trade.

[Figure: Large multinationals report bigger increases in overall security spending]

Change since 2001, median increase
All companies: 4.0%
Critical industries: 3.8
Non-critical industries: 4.4
Domestic: 3.6
Multinational: 4.7
Sales under $1 billion: 1.4
Sales over $1 billion: 5.5
Under 10,000 FTE's: 3.0
Over 10,000 FTE's: 5.4

[Figure: Most industries report a modest increase in security spending]

Change since 2001, median increase
(label not legible in the scan): 5.0%
Digital industries: 5.0
Healthcare: 4.2
Financial services: 4.1
Manufacturing: 3.8
Trade: 1.3

Case Study 5
Consolidating Security at Avaya
Internal security reviews can impact corporate spending in a variety of ways. At Avaya,
spending on physical security has actually declined, but spending for risk management
has increased.

Company: Avaya Inc.
Located: Basking Ridge, New Jersey
Employees: 18,800
Sales (2002): $5 billion
Business: Builds and manages communications networks for more than
one million businesses worldwide, including 90 percent of the Fortune 500

Marene Allison, Avaya's director of global security, joined the company in January 2002
and immediately began to bring the multiple aspects of security under one management
system.

Allison sees Avaya's consolidation strategy as emblematic of a wide-ranging business
pattern: "The new generation of security professionals must be comfortable in the
governance arena as well as in operations. They need much broader backgrounds than their
predecessors. They must also be able to articulate the case for security measures that
affect overall company policy and operations. The business protection challenge is
huge."

One of Allison's first tasks was to coalesce a corporate security management team. The
group, which includes the corporate risk manager and several director-level executives,
brings together representatives of Avaya's business continuity planning, discovery and
recovery, real estate and risk management, environmental, health & safety, public
relations and human resources, and legal functions.

Security policies were thoroughly examined and updated as needed, including
expiration-dated passwords, new external network connections, occupancy rules, and
security camera networks. Externally, there are almost no signs of increased security,
although the guard contracts were changed and there is a new emphasis on emergency
response training. Allison says, "We wanted to have the ability to secure our
environment, but we want our facilities to remain welcoming to employees and visitors."

Avaya reduced its operational security costs with the consolidation and increased
effectiveness and responsiveness. Allison attributes this to "having a single point of
accountability for security with an understanding of the overall situation and how it
fits into the business." This contrasts with other cost increases which have occurred in
business continuity/disaster recovery planning and insurance. For Avaya, disaster
recovery means not only their own IT operations and business continuity, but that of
their customers as well.

The insurance environment has proved to be as challenging for Avaya as it has for other
buyers. Insurance costs have increased but the company has also done a more detailed
risk assessment in order to ensure business continuity and mitigate its risks.

Diane Askwyth, risk manager for Avaya, says, "One of the positive outcomes for Avaya is
the intense focus on business continuity planning. Being able to demonstrate a strong
corporate commitment to disaster recovery and business continuity planning has helped
Avaya in its negotiations with insurance underwriters."

Corporate Security Management: Organization and Spending Since 9/11 The Conference Board 27
Security Spending in the Northeast

Geographic location is one of the strongest predictors of increased spending on corporate security. Companies were assigned to a region based on the location of their headquarters.

Security spending is increasing much more rapidly in the metropolitan Northeast, defined as a headquarters location in the Boston, New York, Philadelphia, or Washington metropolitan areas. In the Northeast Metro corridor, the median increase for total security spending since 2001 is 9 percent, compared to 2.8 percent in the rest of the country.

[Chart: Security spending is increasing most rapidly in Northeast Metro areas... Change in total security spending since 2001, median increase: Northeast Metro 9.0%; Rest of United States 2.8. "Northeast Metro" is defined as companies having headquarters in the Boston, New York, Philadelphia, and Washington, DC metropolitan areas.]

Smaller Companies Bear a Larger Burden

In purely dollar terms, security spending is not a major budget item for most companies. Security directors were asked to estimate the total spending on security by their companies in the United States. (A preliminary focus group determined that estimating security spending overseas would be extremely difficult and very inaccurate, so the study did not attempt to estimate security spending outside the country.)

The median security spending for all companies in 2002 was $4.4 million. Fifteen percent of all companies report spending over $10 million a year on security, and only 6 percent report spending $50 million a year or more.

Companies with at least $1 billion in sales (approximately the cutoff for the Fortune 1000) report spending a median of $6 million a year on security, compared to a median of $1.6 million for companies below that sales level. Of the billion-dollar companies, 22 percent report spending at least $10 million a year on security, and 8 percent spend at least $50 million a year.

[Chart: Most companies report spending less than $10 million per year on security. Spending bands shown include "$10 to $49 million", "$50 to $99 million" and "$100 million or more"; the bar values are not legible apart from 1.0, 1.2 and 0.9. Note: "Don't know" eliminated.]

                          Median (million)   Respondents
All companies             $4.4               191
Sales under $1 billion    $1.6               [illegible]
Sales over $1 billion     $6.0               107

There is considerable variation among companies in the amount of security spending as a percentage of annual sales. While 63 percent report spending less than one percent of sales on security, 5 percent of companies spend 3 percent or more of their sales on security.

One would of course expect security spending to be higher in dollar terms among the larger companies. And we have already seen that the recent increase in security spending is generally concentrated among larger companies. However, relative to the size of the company, the total cost of security appears to be more of a burden for smaller companies than for larger firms.

Expressed as a percentage of sales, smaller companies spend more on security than larger companies. Over half (53 percent) of firms with less than $1 billion in sales spend one percent or more of their sales on security, compared to slightly more than one-quarter (26 percent) of firms with over one billion dollars in sales.

[Chart: Security spending is more of a burden for smaller companies. Security spending as a percentage of annual sales. Less than 1%: 62.7% of all companies, 47.0% of companies with sales under $1 billion, 73.9% of companies with sales over $1 billion. The values for the higher bands (up to "2 to 2.9%" and "3% or more") are not legible apart from 24.1, 9.0 and 2.2. Respondents: all companies 158; sales under $1 billion 66; sales over $1 billion 92. Note: "Don't know" eliminated.]

Companies use a wide variety of methods to determine their level of spending on security. The most important means is benchmarking against industry standards, utilized by 54 percent of companies. Other commonly employed ground rules include the cost of previous incidents (used by 37 percent of companies), the value of facilities (28 percent) and recommendations from consultants (26 percent).

[Chart: Benchmarking is used to determine the appropriate level of security spending. Number of respondents: 199.]

Benchmarking against industry standards      53.8%
Cost of previous security incidents          37.2
Value of facilities                          28.1
Recommendations from consultants             25.6
As much as we can afford                     17.6
Actuarial statistics on expected losses      16.1

Further categories shown, values not legible: internal budget process/requests; in-house assessments/recommendations; value of goods shipped; recommendations from vendors; threat level; government regulations/standards; percentage of annual sales; other comments.

Security directors were asked to estimate the degree of change in spending in a variety of security categories. Over half of companies (54 percent) report an increase in spending on protecting buildings and facilities. Spending on IT security is reported to be rising by 43 percent of companies, followed by business recovery and continuity (36 percent) and insurance and risk management (36 percent).

[Chart: Most companies have increased spending on buildings and facilities. Percent reporting increased spending. Note: "Don't know" eliminated.]

                                            Percent        Number of respondents
Protecting buildings and facilities         54.1%          [illegible]
IT security                                 43.3           156
Business recovery and continuity            36.3           160
Insurance and risk management               36%            136
Background investigations                   [illegible]    172
Biological/chemical/radiological hazards    21.3           [illegible]
Executive security                          [illegible]    173

The Cost of IT Security

Despite its importance, IT security is a relatively low-budget item in many companies. Over half of all companies in the sample of IT security officers (55 percent) report spending less than $1 million per year on IT security, and this proportion rises to 89 percent in companies with under $1 billion in sales. Larger companies devote more resources to this line item. Among companies with $1 billion or more in sales, one-quarter (24 percent) spend at least $5 million per year on IT security, and 4 percent spend $20 million or more.

[Chart: Most companies spend less than $1 million per year on IT security. Spending bands shown include "Less than $1 million" (88.9% of companies with sales under $1 billion), "$5 to $9 million", "$10 to $19 million" and "$20 million or more"; the other bar values are not legible. Respondents: all companies 77; sales under $1 billion 27; sales over $1 billion 50. Note: "Don't know" eliminated.]

Benchmarking is the most common means of determining spending on IT security, used by 40 percent of companies, but a close second is affordability: one-third of companies say they spend "as much as we can afford." Other common guidelines are recommendations from consultants (19 percent); and the cost of previous incidents (14 percent).

[Chart: Benchmarking and affordability drive IT security spending. Methods used to determine appropriate level of IT security spending. Number of respondents: 80.]

Benchmarking against industry standards      40.0%
As much as we can afford                     32.5
Recommendations from consultants             18.8
Cost of previous security incidents          13.8
Percentage of overall IT budget              12.5
Risk assessment                              [illegible]
Business needs/priorities                    6.3
Budget constraints/analysis                  [illegible]
Recommendations from vendors                 [illegible]
Other                                        10.0

The median company spends 1.9 percent of its total IT budget on IT security. The median is considerably higher for companies in the critical industries (2.4 percent) than companies in the non-critical industries (1.6 percent).

As with security spending in general, IT security tends to be more of a burden for smaller companies. Among companies with under $1 billion in sales, 39 percent report spending 5 percent or more of their IT budget on security compared to 14 percent of companies with over $1 billion in sales. Domestic companies also spend relatively more on security, with 35 percent spending at least 5 percent of their IT budget on security, compared to 13 percent of multinationals.

IT security is more of a burden for smaller domestic companies

IT security spending as percentage of IT budget

                        Less       1% to     2% to     5% to     10% or               Number of
                        than 1%    1.9%      4.9%      9.9%      more      Median     respondents
All companies           28.0%      26.7%     22.7%     16.0%     6.7%      1.9%       75
Critical                22.2       25.0      27.8      13.9      11.1      2.4        36
Non-critical            33.3       28.2      17.9      17.9      2.6       1.6        39
Domestic                23.5       17.6      23.5      23.5      11.8      3.2        34
Multinational           28.2       35.9      23.1      10.3      2.6       1.6        39
Under $1 bil. sales     23.1       19.2      19.2      23.1      15.4      2.8        26
Over $1 bil. sales      30.6       30.6      24.5      12.2      2.0       1.7        49
Under 10K FTE's         23.8       28.6      21.4      14.3      11.9      2.0        42
Over 10K FTE's          33.3       24.2      24.2      18.2      0.0       1.8        33

Note: "Don't know" eliminated

There is a wide disparity among companies in the rate of spending increase on IT security. The median increase since 2001 is only 1.9 percent, but this figure hides an enormous amount of variation. Almost half of all companies (47 percent) have not increased spending on IT security since 2001; on the other hand, 36 percent have increased spending by 10 percent or more, and 21 percent have increased it by at least 20 percent.

The increases are pronounced in the critical industries, where 28 percent of companies have increased IT security spending by 20 percent or more, compared to 15 percent of companies in non-critical industries. Larger companies are also more likely to increase IT security spending: 31 percent of companies with 10,000 or more employees have stepped up IT security spending by 20 percent or more compared to 14 percent of companies below that payroll level.

IT security spending is increasing in critical industries

Change since 2001

                                            1-9%      10-19%    20-49%    50% +                Number of
                        Less      Same      higher    higher    higher    higher    Median     respondents
All companies           7.9%      39.5%     17.1%     14.5%     10.5%     10.5%     1.9%       76
Critical                8.3       36.1      16.7      11.1      13.9      13.9      4.2        36
Non-critical            7.5       42.5      17.5      17.5      7.5       7.5       0.7        40
Domestic                3.0       33.3      21.2      21.2      15.2      6.1       7.1        33
Multinational           12.5      42.5      12.5      10.0      7.5       15.0      0.0        40
Under $1 bil. sales     3.7       40.7      22.2      22.2      0.0       11.1      3.3        27
Over $1 bil. sales      10.2      38.8      14.3      10.2      16.3      10.2      1.4        49
Under 10K FTE's         4.5       45.4      18.2      18.2      4.5       9.1       0.6        44
Over 10K FTE's          12.5      31.3      15.6      9.4       18.8      12.5      5.0        32

Note: "Don't know" eliminated

Case Study
IT Security at Unisys

Companies in the IT sector must evaluate security not just in terms of the integrity of their technology products and operations but their physical security as well. Here is the way that Unisys management has dealt with the challenge.

Company: Unisys
Located: Blue Bell, Pennsylvania
Employees: 36,400
Sales (2002): $5.6 billion
Business: a worldwide information technology services and solutions company operating in more than 100 countries.

Ensuring employee security was the first priority in Unisys's five-step action plan following the World Trade Center attacks on 9/11. "With many of our 40,000 employees worldwide unnerved by the tragedy, we felt it was crucial to add extra physical security, and to take steps to improve overall security," says Greg Fischer, vice president for facilities and asset management.

The first step was to have the existing security systems evaluated. Extra cameras and guards were added, as were roaming patrols in facility parking lots. Access to parking near the company's data centers and other important buildings was tightened, and access control systems were upgraded.

A facility incident notification system, operating through Unisys' website, email, telephone, and pager channels, was established to allow any employee or other individual worldwide to reach the right contact for reporting or inquiring about the status of a facilities problem. Fischer says, "Now, if you're in Moscow and hear about a facility problem, you can reach the right person in minutes."

The third action was to establish an emergency contact list available to all employees worldwide. Through this system, employees can identify the facility, security, safety, IT, and HR contact by name and number for any Unisys facility worldwide.

All employees are now required to take a basic training course on facility safety and security, and review it annually. The final action plan was to create a coordinating council to integrate the business continuity, disaster recovery, and emergency response functions - which previously had been scattered among several departments.

As a measure of the importance placed on security issues as a result of September 11, Fischer emphasizes that, "At least half of the activities reviewed at the annual review for the board of directors were security related."

"We are also moving to a new access control system requiring our employees to use identification cards to swipe in and out of a facility. This system will provide more accurate information on facility utilization from a security and safety basis."

Director of risk management, James McMullen, says he has seen insurance premium increases in excess of 100 percent. "Terrorism insurance as part of a global property program carries a huge premium and most companies are not going to buy it - unless their headquarters are in midtown Manhattan or in some high profile location. Most Fortune 500 company facilities are not in that kind of situation. It's an issue of balance. We are going to purchase it for specific policies for the time being, but we'll be watching it closely for the future."

"Unisys has been actively involved in business continuity planning at its major manufacturing and service locations for more than fourteen years," he continues. "We have identified our single source suppliers and put backups in place, and our scenario planning allows us to know just how quickly we can be back in business after almost any kind of disaster. September 11 did not show us any reason to change those policies and processes."

The Soaring Cost of Risk Management

There is one dramatic exception to the pattern of moderate increases in security spending: insurance and risk management. Costs have been soaring in this arena because of the massive losses incurred on 9/11. To reflect the increased risk to corporate facilities and employees, insurers have dramatically raised premiums for certain kinds of coverage.

The Conference Board survey of corporate risk managers found a median increase of 33 percent in spending on insurance and risk management since 2001. Even this figure understates the severity of the costs borne by some companies. A remarkable 21 percent of risk managers report that their costs have at least doubled since 2001.

[Chart: Insurance and risk management costs are soaring. Increase since 2001. Median increase: 33%. Number of respondents: 44. Note: "Don't know" eliminated.]

0 to 9%          11.4%
10 to 19%        25.0
20 to 49%        34.1
50 to 99%        9.1
100% or more     20.5

The increases in risk management costs are spread quite evenly across various sectors of the economy. The median increase for multinationals is 40.6 percent, compared to 26.4 percent for companies with a domestic focus. Geographic location is an important factor: the median increase in Northeast Metro areas is 42.5 percent, compared to 31.3 percent in the rest of the United States. Companies in critical industries are reporting a larger increase than those in non-critical industries (38.8 percent vs. 32.3 percent). Smaller companies report larger increases in percentage terms than larger companies, but the differences are relatively minor.

[Chart: Multinationals are bearing the largest increases in insurance and risk management costs. Median increase since 2001.]

                            Median increase    Number of respondents
All companies               33.0%              [illegible]
Critical industries         38.8               [illegible]
Non-critical industries     32.3               [illegible]
Domestic                    26.4               24
Multinational               40.6               20
Sales under $1 billion      37.5               20
Sales over $1 billion       31.7               24
Under 10,000 FTE's          35.0               27
Over 10,000 FTE's           32.9               17
Northeast Metro             42.5               [illegible]
Rest of country             31.3               30

Changes in Insurance Coverage

Half of risk managers report paying higher insurance premiums since 2001, and 10 percent have increased their level of insurance coverage. The increase in insurance costs has prompted companies to assume more of the risk themselves to hold down their spending. For example, 40 percent of risk managers have increased their level of self-insurance, and 31 percent are taking policies with higher deductibles.

[Chart: Companies bear more of the insurance risks themselves. Changes in insurance coverage since 2001. Number of respondents: 52.]

Higher premiums         50.0%
More self-insurance     40.4
Higher deductible       30.8
Increased coverage      9.6

For categories of insurance that are most directly related to security threats, the biggest increases in insurance costs are being incurred by companies in critical industries, which are perceived to be most at risk. For example, the median increase in property insurance is 37.5 percent for companies in critical industries vs. 22.1 percent in non-critical industries. For liability insurance, the median increase is 40.6 percent in critical industries compared to 13.6 percent in non-critical industries. Companies in critical industries face a median 23.8 percent rise in spending for medical insurance vs. 9 percent for non-critical industries.

Large multinationals are facing the biggest increases in cost for property insurance. The median increase in property insurance spending for multinationals (39.3 percent) is double the rate for domestic companies (19 percent). Companies with over $1 billion in sales report a higher median increase than companies below that size (35 vs. 20 percent).

On the other hand, domestic companies face the biggest increases in costs for liability insurance and medical insurance. Health coverage is a particular problem for smaller domestic companies. The median increase in medical insurance spending is 15.7 percent for domestic companies vs. 8.8 percent for multinationals. Companies with less than $1 billion in sales report a much higher increase in medical costs (15.6 percent) than those over that level of sales (6.7 percent). The finding suggests that there are important economies of scale for securing cost-effective medical coverage for companies doing almost all of their business in the United States.

Business interruption coverage differs from the pattern for other security-related coverage. The median increase in both critical and non-critical sectors hovers around the 16.5 percent reported for companies overall. The key factor here appears to be the scale of the business. Multinationals report much larger median increases in business interruption insurance costs than domestic companies (29 vs. 12.5 percent), and companies with 10,000 or more employees report larger median increases than those with fewer employees (29 percent vs. 14.4 percent).

Critical industries face the biggest increases in security-related insurance costs

Median increase             Property      Liability     Business        Medical
since 2001                  insurance     insurance     interruption    insurance
All companies               28.1%         21.5%         16.5%           13.0%
Critical industries         37.5          40.6          18.0            23.8
Non-critical industries     22.1          13.6          16.0            9.0
Domestic                    19.0          27.5          12.5            15.7
Multinational               39.3          18.3          29.0            8.8
Sales under $1 billion      20.0          19.0          15.0            15.6
Sales over $1 billion       35.0          25.0          19.0            6.7
Under 10,000 FTE's          24.3          23.0          14.4            13.9
Over 10,000 FTE's           35.0          23.0          29.0            9.0

                            Property      Liability     Business        Medical
Number of respondents       insurance     insurance     interruption    insurance
All companies               40            40            38              29
Critical industries         18            18            17              12
Non-critical industries     22            22            21              17
Domestic                    22            22            20              17
Multinational               18            18            18              12
Sales under $1 billion      19            19            17              16
Sales over $1 billion       21            21            21              13
Under 10,000 FTE's          25            26            24              22
Over 10,000 FTE's           15            14            14              [illegible]

Risk Management as a Line Item

Insurance and risk management is one of the biggest single line items in a typical company's security-related spending. The median spending on insurance and risk management for all companies in the risk managers' sample is $7.4 million. The median spending is much higher for companies with more than $1 billion in sales ($19.2 million) than for companies below this sales level ($3 million). Indeed, 63 percent of companies above the billion-dollar level in sales pay at least $10 million per year for risk management, and 8 percent pay at least $100 million per year.

[Chart: Most large companies spend at least $10 million per year on insurance and risk management. Note: "Don't know" eliminated.]

                          All          Sales under    Sales over
                          companies    $1 billion     $1 billion
Less than $1 million      20.0%        38.1%          4.2%
$1 to $9 million          42.2         52.4           33.3
$10 to $49 million        33.3         9.5            54.2

For "$50 to $99 million" two values of 0 survive, and for "$100 million or more" a single value of 8.3; the remaining values in these two bands are not legible.

                          Median       Respondents
All companies             $7.4 mil     45
Sales under $1 billion    3.0          21
Sales over $1 billion     19.2         24

Actuarial data are employed by 62 percent of risk managers to gauge the appropriate level of spending. Other commonly employed tools are benchmarking against industry standards (56 percent) and recommendations from consultants (33 percent).

[Chart: Actuarial data are most common means of determining spending on risk management. Methods used to determine appropriate level of spending. Number of respondents: 52.]

Actuarial statistics on expected losses      61.5%
Benchmarking against industry standards      55.8
Recommendations from consultants             32.7
Recommendations from vendors                 28.8

Further categories shown, values not legible: cost of previous security incidents; as much as we can afford; percentage of annual sales; other.

Companies in the critical industries spend a higher amount on risk management as a percentage of their annual sales. Over half (53 percent) of companies in critical industries spend 1 percent or more of their sales on risk management, compared to 36 percent of companies in non-critical industries.

Critical industries spend a higher percentage of their sales on risk management

                            Less than 1%    1 to 1.9%    2% or more    Number of respondents
All companies               56.4%           28.2%        15.4%         39
Critical industries         47.1            29.4         23.6          17
Non-critical industries     63.6            27.3         9.0           22

Note: "Don't know" eliminated

Medical insurance is the biggest risk management expense for most companies, with 63 percent of all companies spending $1 million or more per year on health coverage. The comparable proportion for liability insurance is 49 percent, followed by property insurance (48 percent) and business interruption insurance (32 percent).

The disparity between companies above and below the billion-dollar sales level is especially pronounced for property insurance (76 vs. 16 percent spending $1 million per year or more) and liability insurance (68 vs. 26 percent).

[Chart: Medical insurance is the biggest insurance cost for most companies. Percentage of companies spending $1 million or more in 2002 on medical, liability, property, business interruption, life, disability and travel insurance, for all companies, sales under $1 billion and sales over $1 billion. The bar values are not legible. Note: "Don't know" eliminated.]

                                   All          Sales under    Sales over
Number of respondents              companies    $1 billion     $1 billion
Medical insurance                  30           16             14
Liability insurance                41           19             22
Property insurance                 40           19             21
Business interruption insurance    41           19             22
Life insurance                     27           15             12
Disability insurance               29           16             13
Travel insurance                   36           18             18

A Methodological Note on Risk Management Data

Security directors are much less likely to perceive a dramatic increase in spending on risk management than are the risk managers themselves. While only 36 percent of security directors report an increase in spending on insurance and risk management since 2001, 98 percent of risk managers report an increase. The median increase reported by the risk managers is 33 percent. Although the sample of risk managers is much smaller (52 as opposed to 199 security directors), we believe the risk managers' estimates are more accurate.

The risk managers work with budget data on insurance and other financial issues on an ongoing basis, while this responsibility is often far removed from the function of the security director. Indeed, 31 percent of the security directors are unable to estimate the change in spending on risk management. Thus, we believe the risk managers' data should be relied upon for estimates of the rise in spending on this particular aspect of security.

We also believe that the security directors' estimates of dollar spending on risk management are unrealistically low. For all companies, the security directors' median estimate of spending on risk management in 2002 is $1.4 million and among companies with $1 billion or more in sales, the median estimate is $5 million. Both of these figures are less than one-third the median estimates from the sample of risk managers ($7.4 million and $19.2 million respectively). Here again, 37 percent of security directors are unable to provide an estimate, and we believe the risk managers' data are more reliable.

Perhaps most telling is the fact that the median estimates on risk management spending from the risk managers' survey actually exceed the median estimates for total security spending from the security director's survey. The median total security spending for all companies in the security director's survey is $4.4 million, and the median for companies over $1 billion in sales is $6 million. If we accept the risk managers' data as accurate, then the totals reported by the security directors are clearly too low unless they exclude most or all of the actual spending on risk management.

In sum, many security directors either did not provide data on risk management spending, or appear to have greatly underestimated both the dollar amount and the degree of increase in risk management spending in their companies. It appears likely that the security directors answered the spending questions in the survey with reference primarily to the budgets that they personally control within their companies.

Thus, we believe that the estimates of dollar amounts and increases in total security spending gleaned from the security directors' questionnaire are best regarded as estimates of total spending on security exclusive of costs for insurance and risk management. We believe that the risk managers' estimates of spending on insurance and risk management are more accurate, and should be utilized in analyses of that aspect of security-related spending.

The Costs of Terrorism

Concerns about terrorism have clearly influenced the ability of some companies to secure adequate insurance coverage since 9/11. Over half of all risk managers (57 percent) report that it is becoming more difficult to secure adequate insurance coverage for Class A office space in urban locations since 2001. (Note: this percentage excludes "don't know" responses and companies not having Class A office space in an urban location.)

This problem is most acute for companies with headquarters in the Northeast Metro region, where fully 88 percent report increased difficulty in insuring Class A office space compared to 41 percent in the rest of the country. Companies in critical industries are much more likely to report difficulty (72 percent) than companies in non-critical industries (30 percent).

Larger companies are also more likely to report a problem with office space insurance. Two-thirds of companies with $1 billion or more in sales report that insurance for Class A urban properties is a problem, compared to 46 percent of companies below that sales level. Similarly, 70 percent of companies with 10,000 or more employees report difficulty insuring such space compared to half of companies below that payroll level.

[Chart: Class A office space is becoming more difficult to insure. Percentage of companies reporting it is more difficult to secure adequate insurance coverage for Class A office space in prime urban locations since 2001. Note: "Don't know" and "not applicable" eliminated.]

                            Percent    Number of respondents
All risk managers           57.1%      [illegible]
Critical industries         72.2       18
Non-critical industries     30.0       10
Domestic                    52.9       17
Multinational               60.0       [illegible]
Sales under $1 billion      46.2       13
Sales over $1 billion       66.7       [illegible]
Northeast Metro             87.5       [illegible]
Rest of country             41.2       [illegible]

Direct coverage for terrorism is also becoming more difficult to secure. While 27 percent of companies have such coverage, 17 percent have been unable to renew it, while an additional 29 percent did not have it before or after 9/11. There seems to be considerable ambiguity with regard to this type of coverage: 6 percent of companies say it depends on circumstances, and 21 percent are not sure if they are covered.

[Chart: Most companies lack coverage for terrorism. "Does your company's current insurance coverage include coverage for terrorist events?" Legible segments: Depends 5.8%; Unable to renew 17.3%; the "Not sure" value and the remaining segments are not legible. Number of respondents: 52.]

What Security Executives Worry About

The sheer variety of threats faced by contemporary businesses presents a long list of contingencies for which security executives must be prepared.

All three types of security executives (security directors, risk managers, and IT security officers) were asked an open-ended question to elicit what they are most worried about. Security directors are most concerned about the possibility of workplace violence, a worry voiced by one-third of the sample. Terrorism was the next most frequent mention (by 19 percent), followed by financial crime (15 percent) and computer hacking (15 percent).

[Chart: Security directors worry most about workplace violence. "In thinking about all of the potential security threats that your company faces, what worries you the most?" Number of respondents: 185.]

Workplace violence/disgruntled employees                 33.0%
Terrorism                                                18.9
Theft/fraud/financial crime                              14.6
Computer hackers, data loss                              14.6
Biological/chemical/product contamination                9.2
Street crime/physical security/facilities protection     8.6
Sabotage/vandalism                                       7.0
Other worries                                            7.6

Further categories shown, values not legible: natural disasters; loss of confidential/proprietary information, trade secrets; business continuity/disaster recovery; executive security/kidnapping/abduction/hijacking; lack of resources/risk assessment/management focus; overseas threats/foreign instability; arson, fire; background checks/negligent hiring.

A different question was posed to gauge the severity of different types of threats. Security directors were asked to rate the severity of threats to their companies on a 7-point scale, with 7 representing the most severe threat. The threats rated most highly on this scale are theft (averaging 5.06 on the 7-point scale) and computer hackers and viruses (5.05). These worries are followed by current and former employees (4.59) and natural disasters (4.24).

The relatively low rating for terrorism (3.31) on the scale question, compared to the open-ended question, suggests that most security directors believe the probability of a terrorist incident affecting their own company is relatively low. At the same time, the damage from such an incident could be quite severe if it were to occur.

[Chart: Theft and computer hacking are the most direct threats. "On a scale from 1 to 7, where 1 represents a minimal threat and 7 represents a severe threat, how would you rate the threat to your company posed by the following?" Number of respondents: 197.]

Theft                             5.06
Computer hackers and viruses      5.05
Current and former employees      4.59
Natural disasters                 4.24
Sabotage                          3.34
Terrorist attacks                 3.31
Industrial accidents              2.97
Radical protest activists         2.79

Corporate Security Management: Organization and Spending Since 9/11 The Conference Board 41
Risk managers have a somewhat different set of concerns. Perhaps because they deal with insurance issues, they seem much more attuned to the dangers posed by terrorism and emergency preparedness. In the open-ended question, terrorism is most often cited as the threat that worries risk managers the most (by 22 percent), followed by business interruption and disaster recovery (17 percent) and workplace violence (11 percent).

Risk managers are most worried about terrorism and disaster recovery

In thinking about all of the potential risk management threats that your company faces, what worries you the most?

Terrorism: 21.7%
Business interruption/disaster recovery/emergency: 17.4
Workplace violence/disgruntled employees: 10.9
Cargo transit security, border closures, delivery problems: 8.7
Equity exposure, credit market risk: 8.7
Contamination/toxic release: 8.7
Natural disasters: 8.7
Litigation: 6.5
International travel/risks overseas: 6.5
Workers compensation losses: 6.5
Rising medical costs, insurance premiums: 6.5
Unanticipated loss, undiscovered risk: 4.3
IT security, cyber crime: 4.3
Other comments: 13.0

Number of respondents: 100

The Desirability of Dispersing Facilities

Risk managers were also asked to estimate the maximum number of employees they consider prudent to locate in a single facility. The median is 425. Only 14 percent of risk managers consider it prudent to situate 1,000 or more employees at a single location. If companies were to act on these perceptions, the recent trend toward consolidation of facilities in downtown office towers and suburban office parks might give way to a desire to disperse employees and operations.

Maximum number of employees considered prudent to locate in a single facility

Less than 100: 21.6%
100 to 199
200 to 499: 32.4
500 to 999: 27.0
1,000 to 1,999
2,000 to 4,999: 8.1
5,000 or more: 0

Median: 425

Number of respondents: 37

Note: "Don't know" eliminated
However, most companies do not report plans to disperse their facilities. Only 5 percent of security directors indicate that their companies are definitely planning to rent, buy, or construct additional facilities to disperse employees for security reasons, and 8 percent of companies are planning additional facilities to disperse operations. An additional 10 percent of companies are discussing the possibility of dispersing employees for security reasons, and another 15 percent are discussing whether to disperse operations. That leaves over three-quarters of companies that are not currently discussing the idea of dispersing facilities.

Given the lack of interest in additional facilities, it is not surprising that very few companies are planning to spend much money on construction for security reasons during the next five years. Almost two-thirds of security directors (65 percent) expect to spend less than $1 million on security-related construction, and only 7 percent anticipate spending $10 million or more.

Most companies are not planning to disperse facilities for security reasons

Planning to rent, buy, or construct additional facilities in order to disperse employees for security reasons:

Yes, definitely
Actively considering
No, definitely: 40.7

Number of respondents: 199

Planning to rent, buy, or construct additional facilities in order to disperse operations for security reasons:

Yes, definitely
Actively considering
No, definitely: 36.2

Number of respondents: 199

Estimated spending on construction for security reasons during next five years:

Less than $1 million: 65.1%
$1 to 9 million: 28.3
$10 to 49 million: 5.3
$50 to 99 million: 1.3

Number of respondents: 152

Note: "Don't know" eliminated
Case Study
Crisis Management at Air Products

Although most corporations are not planning major security-related construction, some companies in critical industries are undertaking major capital improvement projects. One of them is the chemical manufacturer Air Products.

Company: Air Products and Chemicals
Located: Lehigh Valley, Pennsylvania
Employees: 17,200
Sales (2002): $5.4 billion
Business: The company is the largest global supplier of electronic materials, hydrogen, helium and select performance chemicals.

Nirmal Chatterjee is Air Products' vice president for environment, health and safety (EH&S) and corporate engineering. He admits that prior to 9/11: "Like most US chemical companies we had basic security, ID badges, visitor registration, fences, and gates with cameras and uniformed security at our larger facilities, but we didn't have enough to pass the 'red face test.' Traditionally there have been no industry security standards. Each company was more or less on its own in determining how much was enough when it came to security measures. We have since become our own worst critic and are now implementing our security processes as stringently as we do our safety programs."

On the morning of 9/11, the company immediately mobilized a crisis management team comprising representatives from manufacturing, energy and materials, and travel, as well as security, EH&S, corporate communications, and human resources. This team was never disbanded since the threat of terrorism remained high in the intervening months. The team's focus was only sharpened by the onset of war in Iraq.

The next step was to analyze company policies and processes in light of the new threat. Air Products is applying the principles of the American Chemical Council's Responsible Care security code globally and security vulnerability assessments at all facilities are being completed worldwide. Chatterjee says, "These tools are invaluable in helping us classify potential targets, determine possible threat sources, and evaluate any gaps in our security practices."

Crisis management programs took on a significant new dimension. Among the additions to the usual emergency response exercises was terrorism scenario planning. The only change within the corporate structure, aside from creation of the position of global director of process safety integrity, was to move responsibility for security standards and best practices into the office of environment, health and safety.

The process has been expensive. Ken Petrini, vice president for taxes, reports that some $10 million has already been appropriated to upgrade security in areas identified through the security vulnerability assessments conducted at the company's highest risk sites. Another $10 million is expected to be required to further improve security at all sites.

These numbers reflect only capital expenditures for upgrading facilities. They do not include the time and money involved in the crisis management process, the hardening of the company's transportation infrastructure, or IT security measures.

A more stringent customer qualification process has been developed for the company's more sensitive products. If a customer were to order a much larger quantity of one of these products, a flag would go up and the order would shift immediately to another level. As an extension of the company's product stewardship efforts, current policies also seek to ensure product security even after delivery.
Threats to IT Security

IT security officers primarily focus on preserving the integrity of their networks and web sites. When responding to the open-ended question, the most common worry concerns network intrusion and perimeter protection, mentioned by 21 percent. Close behind are viruses and worms (cited by 19 percent), protecting confidential information (18 percent) and web site disruption (13 percent).

Network intrusion is the biggest worry for IT security officers

In thinking about all of the potential IT security threats that your company faces, what worries you the most?

Network intrusion/perimeter protection/remote access: 20.8%
Viruses, worms, malicious code
Protection of confidential information/identity theft
Denial of service attacks, web site disruption, hacking
Complacency, apathy, lack of management concern/support
Internal security breaches/disgruntled employees
Disaster recovery
Connections to Internet/telecom/power grid
Cyber terrorism
Physical damage/vandalism to IT hardware/buildings
Overreactions, cost of responding to trivial problems
Other comments

Number of respondents: 72

When presented with a 7-point scale to rate the severity of various IT threats, the most highly rated threat was viruses and worms (mean of 4.11, or about halfway, on a 7-point scale). This was followed by insider abuse of Internet access (3.59), laptop theft (2.94), theft of proprietary information (2.22), denial-of-service attacks (2.21), and firewall penetration (2.20). Most of the items received ratings near the bottom of the severity scale, suggesting that most IT security officers are fairly sanguine about their ability to protect their companies' systems.

Viruses and worms are the most direct threats to IT security

"On a scale from 1 to 7, where 1 represents a minimal problem and 7 represents a severe problem, how severe have the following problems been for your company's IT security?"

Viruses and worms: 4.11
Insider abuse of Internet access
Laptop theft
Theft of proprietary information
Denial-of-service attacks
Firewall penetration
Fraud
Embezzlement
Sabotage of data/web pages

Number of respondents: 80
When asked whether insiders or outsiders are the greatest threats to their IT systems, almost half of IT security officers (49 percent) rate both as equal threats, while 30 percent fear their own company's employees and only 16 percent worry most about outsiders.

Insiders and outsiders are equally threatening to IT security

Most important risk to IT security posed by ...

Outsiders: 16.2
Company's own employees: 30.0
Both equal: 48.8
Not sure: 5.0

Number of respondents: 80

Most companies (63 percent) have tested their disaster recovery programs, and 45 percent have tested their business continuity programs. Five percent of companies report that they have actually used their disaster recovery program in an emergency, and 6 percent have used their business continuity program in an emergency. Only 15 percent of companies report that they do not have a disaster recovery program, and one-quarter do not have a business continuity program.

Most companies have tested their disaster recovery and business continuity programs

Tested: disaster recovery program 62.5%, business continuity program 45.0%
Used in emergency
Program not tested or used
Company doesn't have program: disaster recovery program 15.0, business continuity program 25.0

Number of respondents: 80

Just under half of companies (49 percent) report that they could restore their IT system within 24 hours of a disaster. Another 40 percent could restore their system within one week, leaving 10 percent who would need a full month to restore their IT system.

About half of companies could restore their IT system within 24 hours of a disaster

Time needed to restore main IT system if it was destroyed

Instant switchover to backup system
Within 6 hours: 10.4

Number of respondents: 77
Lessons Learned

The four corporate case studies in this report (Duke Energy, Unisys, Avaya, and Air Products) illustrate some common trends in the ways that major companies are organizing their emergency response operations.

Concerns about terrorism have prompted major corporations to review their security policies and practices to reorganize, consolidate, and upgrade their security programs.

In industries producing volatile materials, security processes for the manufacture and delivery of potentially hazardous products had been in place for decades. In these critical industries, the challenge after 9/11 was to extend the security mindset to include people, facilities, products, and delivery systems globally. In other industries, the terrorism wake-up call meant looking seriously at security as a pervasive issue for the first time.
People First on 9/11

In the immediate aftermath of the terrorist attacks on 9/11, the first priority was to identify the whereabouts of employees, communicate their circumstances to their families and to management, and get those who were traveling home.

Crisis Management Teams

Formation of a security oversight and emergency-response team was one of the first actions taken by all of the companies interviewed. Including executives representing the security, EH&S, business continuity, communications, human resources, legal, insurance, and other relevant functions, these groups were generally charged with:

• reviewing existing security measures
• analyzing security risks
• aligning security policies and processes for all operations
• evaluating physical and IT security needs for the short and long term
• recommending changes in the corporate structure to strengthen emergency response capabilities
• recommending capital improvements to cope with the increased threat

These groups continue to function actively, driving integration of security throughout the corporation.

The following steps were generally taken to enhance physical security:

• strengthening facility perimeters
• increasing uniformed security protection
• installing or upgrading identification and surveillance systems
• limiting facility access
• increasing security training and drills
• hardening physical security.

Two of the four companies have established crisis operations centers to be activated during severe emergencies or potential crises and to serve as a clearinghouse for all aspects of emergency response.

Consolidation of Security Management

Security oversight was scattered prior to 9/11, so security issues had never been addressed holistically. Some companies have chosen to totally consolidate responsibility for security management, creating a new position of chief security officer who reports to top management and works closely with the corporate risk manager and IT director to align all aspects of security. Other companies vested the EH&S or risk management office with responsibility for security, or effected some combination of the two strategies. Security management has clearly gained stature and recognition as a vital business function.
A Priority on Risk Analysis

The terrorism threat focused business' attention on areas of vulnerability not always considered prior to September 11. All four companies invested heavily in risk analysis reviews, addressing every aspect of their operations from product security in manufacture and delivery to the location of IT operations to terrorism scenario planning and travel policies. For companies with hundreds and even thousands of installations, going beyond the immediate hardening processes to identify specific vulnerabilities at every facility is an enormous undertaking.

Whether or not new risk management programs were considered necessary appears to depend largely on the company's type of business. After looking closely at its existing risk management programs, one firm felt that no new systems were necessary. Others have spent tens of millions of dollars to upgrade their risk management programs. Some had begun to plan for terrorism attacks long before 9/11. For example, several chemical companies were working as early as 1999 with the American Chemical Council and its Center for Chemical Process to develop what has become a highly respected vulnerability assessment technology for the industry.

Coordination with Government Agencies

The September 11 experience has highlighted a dilemma for companies attempting to establish effective emergency response programs. One company identified more than 40 agencies charged with advising its business units about potential threats, sometimes asking for conflicting or inconsistent information. There is general agreement, especially among companies operating critical infrastructure or manufacturing volatile products, that coordination among the agencies themselves is crucial.
Appendix

About the Sample

Senior security executives were interviewed online from October 2002 through February 2003. Separate questionnaires were developed for security directors, risk managers, and IT security officers, and were targeted at the senior executive responsible for each of those functions in a given company. The samples comprise 199 security directors, 52 risk managers, and 80 IT security officers.

Over 50 percent of each sample was derived from companies with $1 billion or more in annual sales, roughly the cutoff for inclusion in the Fortune 1000. In the sample of security directors, there are 110 companies above $1 billion in sales and 88 below. In the sample of risk managers, there are 28 companies above $1 billion in sales and 24 below. In the sample of IT security officers, there are 53 companies above $1 billion in sales and 27 below.

Following the usage of the U.S. Department of Homeland Security, critical industries are defined as the following: transportation; energy and utilities; financial services; media and telecommunications; information technology; and healthcare. Remaining industries are classified as non-critical. There are 96 companies from critical industries and 103 from non-critical industries in the sample of security directors. There are 24 companies from critical industries and 28 from non-critical industries in the sample of risk managers. There are 38 companies from critical industries in the sample of IT security officers, and 42 from non-critical industries.

Multinational companies are defined as companies that derive 10 percent or more of their sales from overseas. All other companies are defined as domestic. There are 77 multinational companies and 97 domestic companies in the sample of security directors. There are 25 multinational and 25 domestic companies in the sample of risk managers. There are 42 multinational and 34 domestic companies in the sample of IT security officers.

Respondent companies were classified into regions according to the ZIP code of their headquarters location. Companies in the Boston, New York, Philadelphia, and Washington metropolitan areas were classified as Northeast Metro; companies headquartered in the United States outside these areas are classified as "Rest of United States." Companies headquartered outside the United States were omitted from this particular classification. There are 57 Northeast Metro respondents in the sample of security directors, and 130 from the rest of the country. There are 12 Northeast Metro respondents in the sample of risk managers, and 35 in the rest of the country. There are 16 Northeast Metro respondents in the sample of IT security officers, and 62 in the rest of the country.
Draft Sources: GW Study 1997, GAO report ideas, my own thinking
Potential Questions with Security Heads at Member Companies

Main question: Was your organization located within the 16 block radius of the WTC on
9-11? Yes/No

1. Does your company have an emergency preparedness plan?
a. What does it cover?
2. Does your company have a continuity of business plan?
a. Is the COB plan written by business or for the overall company?
b. What does it cover (eg IT, suppliers, off-site locations, alternative
telecommunications, etc)
3. If your company does not have an emergency preparedness plan in place, is it for
one of the following reasons?
a. In process
b. Lack of threat
c. Other answers
4. How does your company's senior management view crisis management plans and
the related activities of emergency management and business continuity?
a. Very important
b. Somewhat important
c. Not important
5. Do you have a Crisis Management or an Emergency Operations Center in your
complex?
6. What functional department is responsible for crisis management in your
corporation? And what others are involved?
7. Does your company have a Chief Security Officer and, if so, who does that person
report to?
8. Does your company have a Corporate Crisis Management team, group or council?
a. Who is on the team
b. What are their responsibilities
c. Why and how often do they meet?
9. Is your CEO involved in crisis management and how?
10. Has the Corporation's Board of Directors reviewed the Emergency Preparedness
Plan and/or Continuity of Business Plan?
11. Do employees view the corporation's emergency management preparedness as
adequate?
12. Has your company conducted an all-hazards risk assessment?
a. Were the risks rated according to their potential threat?
b. Was a wide-scale disaster included in your risk/threat assessment?
c. Was an emergency response plan constructed to meet those overall risks?
d. Has it been practiced and communicated to employees?
13. Which of the following functional areas are included in your company's crisis
management plans or programs?
a. Crisis communication
b. Security of Building and/or staff
c. Evacuation procedures and training and practice
d. Health and Environmental Safety
e. Loss Control
f. Risk Mitigation
g. Risk Communication
h. Risk Evaluation
i. Stress/trauma management
j. Continuity of Business
14. Which of the following potential crisis events are considered in your company's
crisis management plans/programs?
a. Violence in the workplace
b. Ransom/kidnap
c. Criminal/Terrorist Act
d. White collar crime/fraud
e. Product recall
f. Ethics related
g. Executive Succession
h. Racism/sexism
i. Hostile takeover
j. Fire
k. Hurricane/Tornado/Flood
15. Does your company have back-up facilities and where are they located? Is it
backed up by each individual building or by business unit?
16. Has interest in emergency preparedness and continuity of business changed in
your organization since 9-11 ?
a. Have your emergency preparedness plans been updated?
b. Has the organization of emergency preparedness changed?
c. Has a continuity of business plan been updated?
d. Was a post- 9/11 assessment of lessons learned conducted?
e. Did this contribute to changes in policies?
f. Do employees feel that the corporation is more security/safety conscious?
g. What areas were changes in policies made (eg HR records, evacuation
practices and procedures, back-up facilities, alternative
telecommunications, ??
17. Relating to 9-11, if your company was affected,
a. Did you have equipment, trained personnel, and resources able to resume
operations as completely and rapidly as possible?
b. Was back-up space available and sufficient?
c. Did back-up telecommunications work?
d. Could you locate your staff?
e. Was your software at the back-up up-to-date?
f. Could people get to the back-up site or wherever they were meant to
work?
g. Did you have 3rd party vendors for certain features and did they come
through?
h. Did the crisis have human life repercussions?
i. Did you have adequate HR records to cover those instances?
j. Did you have adequate counseling and trauma groups ready and available?
k. Did you receive negative press following 9-11 or negative reaction from
employees?
18. In either case, if you were directly affected or not by 9-11:
a. Did the budget for crisis/management and business continuity change as a
consequence of 9-11, whether or not you were immediately affected?
b. Did the organizational structure for security and emergency preparedness
change?
c. Did the risk assessment procedures change?
d. Does your risk management plan consider the risk perception of
shareholders?
e. Did the Board of your corporation get involved?
f. Did your emergency planning and practice policies change?
19. What factors and areas of crisis management and business continuity do you
believe your company could improve?
a. Management responsiveness
b. Board responsiveness
c. Risk Assessment
d. Internal awareness
e. Communications of policies and procedures
f. Evacuation preparedness and drills
g. Back up sites
h. Back up telecommunications
i. Planning and coordination
j. Business Continuity
20. Does your company conduct evacuation planning?
21. If you are in a multi-tenant building, does your company have its own evacuation
plan and if so, is it coordinated with other groups in the building?
a. Who do you believe is ultimately responsible for your employees' safety?
b. What is the building owner's responsibility?
22. Does your company coordinate and collaborate crisis management and business
continuity with suppliers and vendors?
23. Does your company coordinate with customers?
24. Does your company coordinate with State, Local or Federal Govt?
a. What is the nature of the relationship?
b. Do you receive warnings from the public sector that apply to your
company?
c. How does that occur and with what frequency?
d. Any issues related to this coordination that could be improved?
25. Does your company show its emergency preparedness plans to local police and
fire and are they kept up-to-date with changes in your building or your plans?
26. Does your company have a crisis communication plan for employees and families
of employees?
27. Is the crisis management plan or emergency preparedness plan a "stand alone" or
is it integrated and connected to the company's overall crisis management
program?

Preview & Edit Questions

Title

Opening Text

Survey Questions
Federal 9-11 Commission

o The entire company
o A division or business unit

Other (please specify)

4. Does your company currently have the position of Chief Security Officer?
o Yes
o No

o Yes, definitely
o Actively considering
o Preliminary discussions
o No discussions at present
o No, definitely

o Yes
o No
o Not sure

[ ] Crisis communication
[ ] Evacuation procedures
[ ] Coping with stress/trauma
[ ] Liaison with police and fire departments
[ ] Securing access to facilities
[ ] First aid
[ ] Locating employees
[ ] Other (please specify)

o Yes
o No
o Not sure

o Yes
o No
o Not sure
What is covered in your company's business continuity plan?
[ ] Restoring IT system
[ ] Moving operations to off-site locations
[ ] Alternative telecom links
[ ] Contingency plans with suppliers
[ ] Alternative transportation for goods
[ ] Commuting options
[ ] Work from home
[ ] Other (please specify)

o Yes
o No
o Not sure

o Yes
o No
o Not sure

o Yes
o No
o Not sure

[ ] CEO (Chief Executive Officer)
[ ] COO (Chief Operations Officer)
[ ] CFO (Chief Financial Officer)
[ ] CIO (Chief Information Officer)/SVP for IT
[ ] CTO (Chief Technology Officer)
[ ] CLO (Chief Legal Officer)/General Counsel
[ ] CSO (Chief Security Officer)/Security Director
[ ] SVP for Communications/Public Affairs
[ ] SVP for EH&S (Environment, Health & Safety)
[ ] SVP for Facilities
[ ] SVP for Human Resources
[ ] Head of Risk Management
[ ] Other (please specify)


Other (please specify)

16. How often ...
o Only during emergencies
o Once a year
o Twice a year
o 3 or 4 times a year
o 5 to 11 times a year
o Once a month or more

[ ] Violence in the workplace
[ ] Ransom/kidnapping
[ ] Terrorist attacks
[ ] Theft/embezzlement/fraud
[ ] Product contamination/recall
[ ] Loss of telephone service
[ ] Fire/arson
[ ] Natural disasters
[ ] Loss of electric power
[ ] Loss of Internet access
[ ] Compromise of confidential data
[ ] Executive succession
[ ] Disruption of transportation
[ ] Computer hacking/viruses/worms
[ ] Ethics controversy
[ ] Biological/chemical/radiological hazards
[ ] Other (please specify)

Terror attacks 9/11/01 / Electric blackout 8/14/03 / Hurricane Isabel 9/18/03

(a) Your company's facility closed for business [ ] [ ] [ ]
(b) Loss of electric power [ ] [ ] [ ]
(c) Loss of telephone service (landline) [ ] [ ] [ ]
(d) Loss of telephone service (cellular) [ ] [ ] [ ]
(e) Loss of Internet access [ ] [ ] [ ]
(f) Loss of computer files [ ] [ ] [ ]
(g) Loss of physical documents [ ] [ ] [ ]
(h) Disruption of commuter transportation [ ] [ ] [ ]
(i) Physical damage to facility [ ] [ ] [ ]
(j) Difficulty locating employees [ ] [ ] [ ]
(k) Need for first aid [ ] [ ] [ ]
(l) Counseling for emotional trauma [ ] [ ] [ ]
(m) Disruption of deliveries [ ] [ ] [ ]
(n) Drop in revenues [ ] [ ] [ ]

[ ] Fire department
[ ] Police department
[ ] American Red Cross
[ ] State government
[ ] FEMA
[ ] U.S. Dept. of Homeland Security
[ ] FBI
[ ] Other (please specify)


Before 9/11 / Today

(a) Operations center available at off-site location [ ] [ ]
(b) Regularly conduct emergency evacuation drills [ ] [ ]
(c) Background investigation of potential new hires [ ] [ ]
(d) Computer files stored at off-site backup facility [ ] [ ]
(e) Paper documents stored at off-site backup facility [ ] [ ]
(f) Security guards at entry points [ ] [ ]
(g) Turnstiles/gates at entry points [ ] [ ]
(h) Inspecting backpacks/luggage at entry points [ ] [ ]
(i) Risk assessment/audit of vulnerabilities [ ] [ ]
(j) Requiring visitors to be escorted [ ] [ ]
(k) Requiring ID badges [ ] [ ]
(l) Screening mail and packages [ ] [ ]

Version 4.0 © 2001-2003 Zarca Interactive. All rights reserved
