[UnClassified]
An article of interest to the NY Private Sector 9-11 Team appeared in the Financial Times
Newspaper (attachment 1) on Thursday, July 10, 2003 with a headline "Companies Ignore Terror
Risks" which summarized the findings of a comprehensive survey of corporate spending on
security post 9-11 by declaring that corporate spending to protect sites against terrorist attacks
and other security risks has gone up just 4 per cent, while insurance costs have risen by a median
of 33 per cent since 2001.
We met with the Security Expert, Tom Cavanaugh, who worked on the survey mentioned above
which was entitled "Corporate and Security Management", Organization and Spending since
9/11 (attachment 2). We asked questions and clarification on the survey. I mentioned that we
were looking at additional issues related to corporate measures on emergency preparedness and
security and wondered if they were going to do any follow-on surveys on security focused
questions. He said that they would be willing to conduct additional surveys, but did not have the
financing and was not willing to conduct them for free to support the Commission. We
acknowledged that the 9-11 Commission was not in a position to conduct another survey but
would be interested in helping shape the questions and using the results in the final report on the
COMMISSION SENSITIVE
9-11 story as well as background leading to recommendations for future action in the private
sector preparedness and continuity of business area.
The conclusion I drew from the first meeting was basically that there would not be any follow-on
relation with the 9-11 Commission and the Conference Board on the survey idea because there
was no funding.
Several weeks later, in August, Tom Cavanaugh called me back and said that they might have
funding from Department of Homeland Security to do a further survey on these issues. In
September, he called to say that he thought there would be funding and asked if I could submit
the questions that we would be interested in finding the answers to and any lists of companies to
which we would like to submit the questions.
I responded with the attached list of questions which I derived from a George Washington
University Study of 1997 and my own ideas (attachment 3). Tom took this list and developed an
interactive survey questionnaire (attachment 4). We met on October 16, 2003 to discuss this
survey. Sam Caspersen and I reviewed the survey that Tom proposed and it is adequate for the
purposes of collecting interesting data on how prepared companies are following 9-11. Tom is
still working on the companies to whom the questionnaire will be directed. I recommended that
he speak to James Creague of American Express Security about the downtown alliance of banks
and financial institutions security directors which would be a good proxy for the WTC area
representatives. In addition, the survey will be given to companies throughout the United States
in order to make geographic comparisons.
Follow-up: We need to get our comments back on the survey and determine the relationship
between the 9-11 Commission and the Survey when it is finalized.
Background:
Attachment 1: Financial Times Article July 20, 2003 "Companies Ignore Terror Risk"
Attachment 2: Research Report: "Corporate Security Management: Organization and Spending
Since 9/11" by the Conference Board
Attachment 3: "Potential Questions for NY City Partnership on Emergency Preparedness" by
Emily Walker
Attachment 4: Zarga Interactive Draft Survey "Federal 9-11 Commission"
Thursday July 10 2003
R1333-03-RR
Corporate Security Management
Organization and Spending Since 9/11
by Thomas E. Cavanagh
with the assistance of Meredith Whiting
Contents
Patterns of Organization
Security Directors
Risk Managers and IT Security Officers
Threats to IT Security
Lessons Learned
Corporate Security Management: Organization and Spending Since 9/11 The Conference Board
Key Findings
Corporate security has become a high-profile
issue since the events of September 11, 2001
exposed America's vulnerability to terrorist
CEO's were often dismayed to discover that the security function was highly decentralized
and widely dispersed through their companies' management structures, making
accountability and coordination difficult. Some observers expected that there
would be a widespread move in corporate America toward centralizing the security
function under the control of a Chief Security Officer reporting directly to the CEO.
This has not been the case. While there has been some movement toward greater
coordination of the security function since 9/11, it remains decentralized in most
companies. In general, we are seeing an evolution, not a revolution, in the management
of corporate security.
Organization and Spending
Key findings from the survey show:
Patterns of Organization
Despite raised expectations and heightened visibility,
corporate America is undergoing an evolution rather
than a revolution in the management of security concerns.
Security Directors
Security has traditionally been associated with physical protection - "the guard at
the gate" - in the lingo of the profession. This function remains the core responsibility
of the senior executives who manage corporate security. These executives primarily
come from a background in the "peacekeeping" professions, with 47 percent
having police experience and one-third coming from the military. Some 15 percent
have worked in the security industry for a vendor or consultant, and 12 percent have
been employed in private investigation.
While important, strategic business management does not loom as large in the career
paths of security directors. Just under one-fourth report diversified corporate management
experience, while 11 percent have been involved in facilities management
and 9 percent apiece in IT and risk management. As security issues "move up the
food chain" in significance, senior management experience will probably become
more important as a qualification for the position of security director.
The vast majority of security directors hold a rank below the vice presidential level.
Only 1 percent hold a title at the C-suite level and 17 percent are vice presidents.
Almost half (48 percent) are directors and 27 percent are managers.
Reporting relationships are remarkably diverse. The most common pattern (20 percent) is for security directors to report to the SVP for Facilities, reflecting the profession's traditional emphasis on physical protection. Another 15 percent report to an executive with responsibility for operations, administration, services, or support, while 13 percent report to the SVP for Human Resources.
Figure: Most security directors come from a background in law enforcement or the military. Panels: Professional background (multiple responses possible), including Police 47.2%; Executive level; Reporting relationship, including SVP for Facilities 19.8%.
Risk Managers and IT Security Officers
The functions of risk management and protecting the IT system are handled in separate silos in most companies, distinct from each other and from the physical security function as well. Interestingly, both of these positions appear to enjoy more seniority and influence within the corporate structure than the security director position.
cating the preeminence of financial concerns in determining the accountability for the risk management portfolio.
A less common pattern is for the risk manager to report to an executive with operational responsibilities in human resources (8 percent), or facilities, administration, or procurement (4 percent apiece). Only 4 percent of risk managers report to a Chief Security Officer, indicating
Figure: Profile of Risk Managers. Executive level: Chief Risk/Administrative Officer 7.7%; Vice President 30.8; Director 21.2. Other labels: CSO (Chief Security Officer); SVP for Facilities; SVP for Administration; Purchasing/Procurement; Other. Number of respondents: 52
IT security is the most prestigious of the three major security portfolios. Over one-third of the IT security officers surveyed serve at the senior management level. The Chief Information Officer is the IT security officer
title of Chief Information Security Officer and another
Fifteen percent of IT security officers are vice presidents, while one-quarter are directors and one-eighth are managers.
Figure: Profile of IT Security Officers. Executive level: Chief Information Officer 21.3%; Vice President 15.0. Other labels: Manager; Security Architect; Other. Number of respondents: 80
Accountability is Widely Dispersed
Security responsibilities are widely dispersed in a typical company. Security executives were asked who had the ultimate responsibility for a variety of security-related functions. There are only three functions for which over half of all companies report the same pattern of accountability:
IT security 67.3%
For all other security-related functions, no more than one-quarter of companies report that ultimate responsibility is handled by any one executive. Two main clusters appear, however. The following responsibilities related to physical protection are usually accountable to the CSO, the SVP for Facilities, or the SVP for Human Resources:
Salary Levels
Compared to the most senior management positions, security executives earn relatively modest salaries. The salary levels reflect the prestige and reporting relationships discussed previously.
IT security officers are the best paid of the three security management positions, earning a median salary of $139,800 per year. Risk managers are second with a median salary of $123,600. The security directors bring up the rear, with a median salary of $101,900. Fully 20 percent of IT security officers make at least $200,000 a year, compared to 10 percent of risk managers and 9 percent of security directors.
Large multinational companies pay the highest salaries for security directors and risk managers. For example, the median salary for security directors in companies with at least $1 billion in sales is $124,000, well above the median of $101,900 for all companies. The median for risk managers in such companies is $138,500, again well above the overall median of $123,600. On the other hand, the difference in median salaries between IT security officers in these large companies and the overall median is less than $5,000 per year. It appears that salary levels in the IT security profession are driven less by the size of the company than by the expertise required to fill the position.

Figure: IT Security officers are the most highly paid security executives
Salary range              Security directors   Risk managers   IT security officers
Less than $100,000        48.7%                34.0%           20.8%
$100,000 to $149,999      33.0                 36.0            37.5
$150,000 to $199,999      9.1                  20.0            22.2
$200,000 to $249,999      (one value survives: 13.9)
$250,000 or more          (values not recovered)

Figure: Security directors and risk managers earn more at large multinationals (median salary, $ thousands)
Company group             Security directors   Risk managers   IT security officers
All companies             $101.9               $123.6          $139.8
Critical industries       105.0                125.0           132.7
Multinational             122.5                131.8           136.8
Sales over $1 billion     124.0                138.5           144.7
Over 10,000 FTE's         131.3                137.5           140.0
Staffing Levels
Security directors were asked how many FTE's their companies employ that have security as their primary responsibility. Among the 199 companies in the sample, the median number of security employees is 39.3. Of course, the number varies depending on the size of the company. For companies with under 10,000 total FTE's, the median security employment is 28.7 FTE's. For companies with 10,000 or more FTE's, the median security employment is 76.6 FTE's.
Just under half of all companies (47 percent) report that they have increased their security staffing level since 2001. Larger companies are more likely to be increasing security staff. Over half (53 percent) of companies with over $1 billion in sales have increased security employment, compared to 40 percent of companies below this sales level. Similarly, security staff has risen among 54 percent of companies with 10,000 or more total FTE's, compared to 44 percent of companies with a payroll below that size. Interestingly, there is no significant difference between critical and non-critical industries as a whole on this measure (49 vs. 46 percent).
Figure: two charts whose titles did not survive. Size bands: Less than 10; 10 to 49; 50 to 99; 100 to 499; 500 to 999; 1,000 or more. Company groups: Non-critical industries; Multinational; Sales under $1 billion; Under 10,000 FTE's; Over 10,000 FTE's. Legend: Fewer; Same; 1-9% higher; 10% higher or more; Number of respondents.
However, when critical and non-critical industries are broken into specific industry segments, a wide disparity appears. Financial services companies are most likely to report an increase in security staffing (62 percent of companies), followed by companies in the "digital industries" (technology, media, and telecommunications) with 53 percent reporting an increase, energy and utilities (47 percent), healthcare (39 percent), retail and wholesale trade (33 percent), and manufacturing (31 percent).
IT security is a relatively small share of security employment at most companies. Almost half of all companies (48 percent) employ fewer than 5 FTE's whose primary responsibility is IT security. However, companies in critical industries are much more likely to have a relatively large contingent of people dealing with IT security. Almost half of such companies (48 percent) have 10 or more FTE's working on security, compared to 31 percent of companies in non-critical industries.
Figure: Change in security FTE's since 2001. Groups: All companies; Financial services; Digital industries; Energy/utilities; Healthcare; Trade. Legend: Fewer; Same; 1-9% higher; 10% higher or more; Number of respondents.
Figure: FTE's with IT security as primary responsibility. Groups: All companies; Critical industries; Non-critical industries; Domestic; Multinational; Under 10,000 FTE's; Over 10,000 FTE's. Legend: 1-4; 5-9; 10-24; 25-49; 50 or more; Number of respondents.
Not surprisingly, larger companies have more staff devoted to IT security. Over half of all companies (51 percent) with sales over $1 billion have 10 or more IT security staff, compared to only 15 percent of companies below that sales level. Similarly, 62 percent of companies with 10,000 or more total FTE's have 10 or more IT security personnel, compared to 22 percent of companies with a total payroll below that size.
Larger companies are increasing their IT security
Figure: Larger companies are increasing IT security staff most rapidly. Change in IT security FTE's since 2001. Groups: Under 10,000 FTE's; Over 10,000 FTE's. Legend: Fewer; Same; 1-9% higher; Number of respondents.
The Chief Security Officer
on
Following 9/11, expectations seemed to be
that corporate America would move to centralize
The CSO concept hinges on the perceived need to integrate security concerns into
corporate strategy. In theory, the position would give security issues a place at the table
whenever high-level decisions are being made about location of facilities, supply chain
sources, choice of corporate partners, and procedures to ensure the safety of a company's
products and stakeholders. The CSO would concentrate on the "big picture," delegating
routine oversight of physical security to managers at the operating level.
With regular access to the C-suite, the CSO would be better able to redirect company
policies quickly in response to an emergency or a perceived threat. Finally, the CSO
would control the security budget for the corporation as a whole, so security spending
could be managed more effectively.
Authority and Financial Resources
Looking at their current situation in their companies, security executives tend to be much more satisfied with their decision-making authority than with the financial resources under their control. Security executives were asked to agree or disagree with the statement: "I have the decision-making authority I need to deal with the security concerns that I am directly responsible for in my company" or an equivalent statement dealing with risk management or IT security concerns. Almost all security executives agree with this statement; 51 percent of security directors, 35 percent of risk managers, and 43 percent of IT security officers agree with it strongly.
However, there is much less agreement with the statement: "I have the financial resources I need to deal with the security concerns that I am directly responsible for in my company" or the equivalent for risk management or IT security. Only 26 percent of security directors, 19 percent of risk managers, and 14 percent of IT security directors agree strongly that they have the financial resources they need. Meanwhile, 27 percent of security directors, 25 percent of risk managers, and 35 percent of IT security officers disagree with this statement.
Security executives in non-critical industries are the least satisfied with their control over financial resources. Fully one-third (33 percent) of security directors in non-critical industries disagree that they have enough control over finances, compared to 21 percent of security directors in critical industries. The disparities are even greater for risk managers: 32 percent in non-critical industries disagree, compared to 17 percent in critical industries. The dissatisfaction is most acute among IT security officers - almost half (45 percent) in non-critical industries disagree that they have adequate financial resources, compared to 24 percent in critical industries.
Figure: Security executives are more satisfied with their decision-making authority than with their financial resources. Panels: "I have the decision-making authority I need ..." and "I have the financial resources I need ...". Rows: Security directors; Risk managers; IT security officers. Legend: Agree strongly; Agree somewhat; Disagree; Number of respondents.
Changes in Accountability
Many companies reexamined their security operations in the wake of 9/11. Most companies, however, have not made dramatic changes in the organization of their security operations as a result of these deliberations.
When security directors are asked how the accountability for security issues has changed in their companies, just under half (49 percent) report no change at all. Changes in corporate organization charts appear to
Figure: Most companies report no change in accountability for security since 9/11. Question: "Since the events of September 11, 2001, how has the accountability for security issues in your company changed?" Categories include: No change 49.2%; Other comments.
Case Study
Emergency Response at Duke Energy
Many companies reviewed their security operations in the wake of 9/11.
These were the results at Duke Energy.
After 9/11, Duke Energy began new efforts and accelerated existing ones to strengthen safety and security for employees, customers, and
"Duke Energy's nuclear operations, and the nuclear industry as a whole, have an advantage," Hendricks says. The plant emergency processes are tested and exercised regularly. As a result, the company's nuclear plants were able to respond
"Our biggest weakness was in our corporate office areas," continues Hendricks. "Not all areas had emergency plans, and those that did did-
in turn reports directly to the chairman of the board.
Duke Energy's Tom Bowman, managing director of crisis management and business continuity planning, also manages a new Enterprise
events. Each business unit within Duke Energy is conducting a risk analysis, based on more than 850 identified processes.
infrastructure. Since 2001 we have relocated our backup operations to a site far away from headquarters. Setting up the new, rigorous security and emergency response systems and documenting them requires a significant investment."
Creating the CSO Position
In the survey of security directors, 24 percent reported that their company currently has the position of CSO.
Figure: Most companies don't plan to have a Chief Security Officer
Average: Military/Police/Security 1.99; Strategic business management 2.37; Finance/Risk management 2.57; Information technology 3.07
Companies in critical industries are more likely to have a CSO than those in non-critical industries (29 vs. 19 percent), suggesting that centralization of the security function is especially important in industries where security is most vital. Domestic companies are also more likely to have a CSO than multinationals (32 percent vs. 18 percent).
CSO. While 35 percent of companies have a CSO if they have less than $1 billion in sales, this figure drops to 15 percent for companies with over $1 billion in sales. Similarly, 31 percent of companies with under 10,000 FTE's have a CSO, compared to 11 percent of companies with over 10,000 FTE's.
Figure: Companies in critical industries are more likely to have a CSO ... are most likely to have a CSO. Values: Domestic 32.0%; Multinational 18.2%; Sales under $1 billion 35.2; Sales over $1 billion 15.5.
As one would expect, CSOs are more likely than other security directors to report to top management. A total of 43 percent report to a C-suite executive, compared to 27 percent of security directors in companies that have no interest in creating the CSO position. In companies that do not currently have a CSO but are considering creating the position, 43 percent report to a C-level executive, the same as in companies that already have a CSO. However, 28 percent of CSOs report to the very top level (CEO or COO), compared to only 11 percent of security directors in companies that are considering whether to create the CSO position.
Figure: CSO's are more likely to report to top management. Security director reports to ...: CEO (Chief Executive Officer); COO (Chief Operating Officer); CFO (Chief Financial Officer); CLO (Chief Legal Officer); SVP for Facilities.
Figure: CSOs are far more likely to have the authority they feel they need ... but CSOs are no more likely to have the financial resources they feel they need. Company has CSO: 72.3% (authority), 25.5% (financial resources).
There is evidence that the CSO solution does indeed enhance the ability of security directors to implement policies within their companies. Almost three-quarters (72 percent) of CSOs agree strongly that they have the decision-making authority they need, compared to 39 percent of security directors in companies that are considering appointing a CSO, and 45 percent in companies with no interest in the CSO position.
However, the major complaint of security executives concerns their lack of control over the purse strings, and having a CSO does not appear to ameliorate that concern. Regardless of where a company stands on the CSO issue, only about one-quarter of security directors agree strongly that they have the financial resources they need.
Even so, while CSOs may be just as dissatisfied with their financial clout as other security directors, they are increasing spending more rapidly. The median spending increase on security since 2001 in companies with a CSO is 5.3 percent, compared to 2.4 percent in companies with no interest in the CSO position. Spending is increasing most rapidly (6.7 percent) in companies that do not currently have a CSO but are thinking of creating the position. This pattern again suggests that as a company upgrades the priority it places on security, it is more likely to consider creating the position of CSO.
Figure: Companies with CSOs are more likely to increase security spending. Company has CSO 5.3%; No interest in CSO position 2.4.
This point becomes even clearer if we look at the relationship between certain kinds of security spending increases and interest in creating the CSO position. Companies that are considering the creation of the position have specialized needs. They are twice as likely as other companies to report increases in spending on IT security (77 percent) or business recovery and continuity (59 percent).
that have increased spending on IT secu-
a higher profile for security concerns

Table: Companies discussing a CSO position have specialized spending needs ...
Percentage of companies reporting      Company    May create     No interest in
increase in spending on ...            has CSO    CSO position   CSO position
IT security                            34.1%      77.3%          38.7%
Business recovery and continuity       28.2       59.1           34.3
Insurance/financial risk management    36.8       50.0           32.9
Protecting buildings and facilities    56.8       64.0           50.0

Table fragment (columns: spending more on ...; CSO position; respondents): Protecting buildings and facilities 13.8 65
en
on Corporate Security
Except for risk management and insurance,
The heightened concern over corporate security since September 11, 2001
has occurred in a difficult economic climate, which has discouraged major new
commitments of funds. In the current environment, large-scale capital improvements
that cannot demonstrate an immediate return on investment are a particularly tough
sell to management.
Thus, the perceived need to upgrade corporate security has clashed with the
perceived need to control expenses until the economy recovers. There have been
sharp increases in spending on unavoidable costs involving insurance and risk
management, but relatively modest increases in security spending overall. The
biggest increases have been concentrated among large multinationals and companies
in critical industries, which are perceived to have the highest exposure to risk.
A Permanent Increase in Spending
Security spending jumped immediately after 9/11 as many companies tightened the security perimeter controlling access to their facilities. Among the most common changes were hiring additional guards and installing surveillance cameras, turnstiles, and other mechanisms at entry points. These upgrades were especially common in New York City (particularly Manhattan) and the Washington, D.C. area, the two regions attacked on 9/11 and considered most at risk of continued terrorist activity.
There was some uncertainty, however, as to whether the increases in spending were merely a temporary response to a time-bounded emergency or represented a more permanent increase in the level of security spending, with implications for corporate budgets going forward. The survey results indicate that for most companies, security spending has increased and the increase appears to be permanent.
Security directors were asked which of four statements comes closest to describing their company's spending since 9/11. Roughly one-third of companies say that their spending has not been affected in any significant way, leaving two-thirds reporting an increase. Some 13 percent report a spike in spending, i.e., a temporary increase that is expected to recede in the future. Another one-third of companies say that spending has hit a new, higher plateau since 9/11, but do not expect additional increases in the future. Finally, 18 percent say that their spending on security will continue to increase for the next several years.
Adding together the last two categories, just over half (52 percent) of companies report a permanent increase in their level of security spending since 9/11. However, there is a considerable difference between companies in critical and non-critical industries. In the critical industries, 56 percent of companies report a permanent increase, vs. 39 percent not reporting a permanent increase. In the non-critical industries, the division is much more even: 48 percent report a permanent increase, while 52 percent do not.
There are major differences among specific industries with regard to the trend in security spending. Over two-thirds (71 percent) of companies in the energy and utilities industry report a permanent increase, followed by 62 percent of companies in the financial services industry. Smaller proportions of companies report a permanent increase in security spending in the technology sector (47 percent), healthcare (46 percent), retail and wholesale trade (42 percent), and manufacturing (38 percent).
Which of these statements comes closest to your view about your company's spending on security-related concerns since September 11, 2001?
Our company's spending on security has not been affected in any significant way: 32.2% 27.1% 36.9%
Our company's spending on security will continue at a higher level than it was prior to September 11, 2001, but we do not anticipate significant future increases in the level of security spending: 33.7 43.8 24.3
Figure: Utilities and financial companies report a permanent increase in security spending
Which of these statements comes closest to your view about your company's spending on security-related concerns since September 11, 2001?
• The second group of 32 percent report moderate increases
• The remaining companies (31 percent) report increases
50 percent or more.
Figure values: About the same 29.2; 10 to 19% higher 16.7
Median increase: 4%
Number of respondents: 192
Note: "Don't know" eliminated
Larger multinational companies report bigger increases in security spending than smaller domestic companies. The median increase for multinationals (defined as companies receiving 10 percent or more of their sales overseas) is 4.7 percent, vs. 3.6 percent for domestic companies. For companies with sales over one billion dollars, the median increase is 5.5 percent vs. 1.4 percent for companies below that level of sales. The median increase for companies with 10,000 or more employees is 5.4 percent, compared to 3 percent for companies below that staffing level.
Interestingly, there is no significant difference in the level of spending increase between companies in critical and non-critical industries. In fact, the median increase is slightly higher for non-critical industries (4.4 percent vs.

Figure: Large multinationals report bigger increases in overall security spending. Change since 2001, median increase.
All companies              4.0%
Critical industries        3.8
Non-critical industries    4.4
Domestic                   3.6
Multinational              4.7
Sales under $1 billion     1.4
Sales over $1 billion      5.5
Under 10,000 FTE's         3.0
Over 10,000 FTE's          5.4
Financial services         4.1
Manufacturing              3.8
Trade                      1.3
Case Study 5
Consolidating Security at Avaya
Internal security reviews can impact corporate spending in a variety of ways. At Avaya, spending
on physical security has actually declined, but spending for risk management has increased.
Marene Allison, Avaya's director of global security, joined the company in January 2002 and immediately began to bring the multiple aspects of security under one management

generation of security professionals must be comfortable in the governance arena as well as in operations. They need much broader backgrounds than their predecessors. They must also be able to articulate the case for security measures that affect overall company policy and operations. The business

Security policies were thoroughly examined and updated as needed, including expiration-dated passwords, new external network connections, occupancy rules,

gency response training. Allison says, "We wanted to have the ability to secure our environment, but we want our facilities to remain welcoming to employees and visitors."

Avaya reduced its operational security costs with the consolidation and increased effectiveness and respon-

The insurance environment has proved to be as challenging for Avaya as it has for other buyers. Insurance costs have increased but the company has also done a more

Avaya, says, "One of the positive outcomes for Avaya is the intense focus on business continuity planning. Being able to demonstrate a strong corporate commitment to disaster recovery and business continuity planning has helped Avaya in its negotiations with insurance underwriters."
Security Spending in the Northeast
Geographic location is one of the strongest predictors

Security spending is increasing most rapidly in Northeast Metro areas...
There is considerable variation among companies in the amount of security spending as a percentage of annual sales. While 63 percent report spending less than one percent of sales on security, 5 percent of companies spend 3 percent or more of their sales on security.

One would of course expect security spending to be higher in dollar terms among the larger companies. And we have already seen that the recent increase in security spending is generally concentrated among larger companies. However, relative to the size of the company, the total cost of security appears to be more of a burden for smaller companies than for larger firms.

Expressed as a percentage of sales, smaller companies

Companies use a wide variety of methods to determine their level of spending on security. The most important means is benchmarking against industry standards, utilized by 54 percent of companies. Other commonly employed ground rules include the cost of previous incidents (used by 37 percent of companies), the value of facilities (28 percent) and recommendations from consultants (26 percent).

Benchmarking is used to determine the appropriate level of security spending
Benchmarking against industry standards 53.8%
As much as we can afford 17.6
Recommendations from vendors
Threat level
Other comments

Percentage of annual sales
2 to 2.9%
Respondents
Note: "Don't know" eliminated
Security directors were asked to estimate the degree of change in spending in a variety of security categories. Over half of companies (54 percent) report an increase in spending on protecting buildings and facilities. Spending on IT security is reported to be rising by 43 percent of companies, followed by business recovery and continuity (36 percent) and insurance and risk management (36 percent).

The Cost of IT Security
Despite its importance, IT security is a relatively low-budget item in many companies. Over half of all companies in the sample of IT security officers (55 percent) report spending less than $1 million per year on IT security, and this proportion rises to 89 percent in companies with under $1 billion in sales. Larger companies devote more resources to this line item. Among companies with $1 billion or more in sales, one-quarter (24 percent) spend at least $5 million per year on IT security, and 4 percent spend $20 million or more.

Most companies have increased spending on buildings and facilities
IT security 43.3
Business recovery and continuity 36.3
Insurance and risk management
Background investigations
Biological/chemical/radiological hazards 21.3

Less than $1 million
$10 to $19 million
$20 million or more
Respondents: All companies 77; Sales under $1 billion 27; Sales over $1 billion 50
Benchmarking is the most common means of determining spending on IT security, used by 40 percent of companies, but a close second is affordability: one-third of companies say they spend "as much as we can afford." Other common guidelines are recommendations from

13 percent of multinationals.

Benchmarking and affordability drive IT security spending
Methods used to determine appropriate level of IT security spending:
Number of respondents: 80
There is a wide disparity among companies in the rate of spending increase on IT security. The median increase since 2001 is only 1.9 percent, but this figure hides an enormous amount of variation. Almost half of all companies (47 percent) have not increased spending on IT security since 2001; on the other hand, 36 percent have increased spending by 10 percent or more, and 21 percent have increased it by at least 20 percent.

The increases are pronounced in the critical industries, where 28 percent of companies have increased IT security spending by 20 percent or more, compared to 15 percent of companies in non-critical industries. Larger companies are also more likely to increase IT security spending: 31 percent of companies with 10,000 or more employees have stepped up IT security spending by 20 percent or more compared to 14 percent of companies below that payroll level.

Under $1 bil. sales 3.7 40.7 22.2 22.2 0.0 11.1 3.3 27
Over $1 bil. sales 10.2 38.8 14.3 10.2 16.3 10.2 1.4 49
Under 10K FTE's 4.5 45.4 18.2 18.2 4.5 9.1 0.6 44
Over 10K FTE's 12.5 31.3 15.6 9.4 18.8 12.5 5.0 32
Case Study
IT Security at Unisys
Companies in the IT sector must evaluate security not just in terms of the integrity of their technology products and operations but their physical security as well. Here is the way that Unisys management has dealt with the challenge.

Ensuring employee security was the first priority in Unisys's five-step action plan following the World Trade Center attacks on 9/11. "With many of our 40,000 employees worldwide unnerved by the tragedy, we felt it was crucial to add extra physical security, and to take steps to improve overall security," says Greg Fischer, vice president for facilities and asset management.

The first step was to have the existing security systems evaluated. Extra cameras and guards were added, as were roaming patrols in

ing near the company's data centers and other important buildings was tightened, and access control systems were upgraded.

A facility incident notification system, operating through Unisys' website, email, telephone, and

to allow any employee or other individual worldwide to reach the right contact for reporting or inquiring about the status of a facilities problem. Fischer says, "Now, if you're in Moscow and hear about

The third action was to establish an emergency contact list available to all employees worldwide. Through this system, employees can identify the facility, security, safety, IT, and HR contact by name and number for any Unisys facility worldwide.

All employees are now required to take a basic training course on facility safety and security, and review it annually. The final action plan was to create a coordinating council to integrate the business continuity, disaster recovery, and emergency response functions - which previously had been scat-

As a measure of the importance placed on security issues as a result of September 11, Fischer emphasizes that, "At least half of the activities reviewed at the annual review for the board of directors were security related."

"We are also moving to a new access control system requiring our employees to use identification cards to swipe in and out of a facility. This system will provide more accurate information on

Director of risk management, James McMullen, says he has seen insurance premium increases in excess of 100 percent. "Terrorism insurance as part of a global property program carries a huge premium and most companies are not going to buy it - unless their headquarters are in midtown Manhattan or in some high profile location. Most Fortune 500 company facilities are not in that kind of situation. It's an issue of balance. We are going to purchase it for specific policies for the time being, but we'll be watching it closely for the future."

"Unisys has been actively involved in business continuity planning at its major manufacturing and service locations for more than fourteen years," he continues. "We have identified our single source suppliers and put backups in place, and our scenario planning

we can be back in business after almost any kind of disaster. September 11 did not show us any reason to change those policies and processes."
The Soaring Cost of Risk Management
There is one dramatic exception to the pattern of moderate increases in security spending: insurance and risk management. Costs have been soaring in this arena because of the massive losses incurred on 9/11. To reflect the increased risk to corporate facilities and employees, insurers have dramatically raised premiums for certain kinds of coverage.

The Conference Board survey of corporate risk managers found a median increase of 33 percent in spending on insurance and risk management since 2001. Even this

Insurance and risk management costs are soaring
Increase since 2001
0 to 9% 11.4%
10 to 19% 25.0
20 to 49% 34.1
50 to 99% 9.1
100% or more 20.5
Median increase: 33%
Number of respondents: 44
Note: "Don't know" eliminated
Changes in Insurance Coverage
Half of risk managers report paying higher insurance premiums since 2001, and 10 percent have increased their level of insurance coverage. The increase in insurance costs has prompted companies to assume more of the risk themselves to hold down their spending. For example, 40 percent of risk managers have increased their level of self-insurance, and 31 percent are taking policies with higher deductibles.

For categories of insurance that are most directly related to security threats, the biggest increases in insurance costs are being incurred by companies in critical industries, which are perceived to be most at risk. For example, the median increase in property insurance is 37.5 percent for companies in critical industries vs. 22.1 percent in non-critical industries. For liability insurance, the median increase is 40.6 percent in critical industries compared to 13.6 percent in non-critical industries. Companies in critical industries face a median 23.8 percent rise in spending for medical insurance vs. 9 percent for non-critical industries.

Large multinationals are facing the biggest increases in cost for property insurance. The median increase in property insurance spending for multinationals (39.3 percent) is double the rate for domestic companies (19 percent). Companies with over $1 billion in sales report a higher median increase than companies below that size (35 vs. 20 percent).

On the other hand, domestic companies face the biggest increases in costs for liability insurance and medical insurance. Health coverage is a particular problem for smaller domestic companies. The median increase in medical insurance spending is 15.7 percent for domestic companies vs. 8.8 percent for multinationals. Companies with less than $1 billion in sales report a much higher increase in medical costs (15.6 percent) than those over that level of sales (6.7 percent). The finding suggests that there are important economies of scale for securing cost-effective medical coverage for companies doing almost all of their business in the United States.

Business interruption coverage differs from the pattern for other security-related coverage. The median increase in both critical and non-critical sectors hovers around the 16.5 percent reported for companies overall. The key factor here appears to be the scale of the business. Multinationals report much larger median increases in business interruption insurance costs than domestic companies (29 vs. 12.5 percent), and companies with 10,000 or more employees report larger median increases than those with fewer employees (29 percent vs. 14.4 percent).

Critical industries face the biggest increases in security-related insurance costs

Median increase since 2001    Property insurance    Liability insurance    Business interruption    Medical insurance
All companies                 28.1%                 21.5%                  16.5%                    13.0%
Critical industries           37.5                  40.6                   18.0                     23.8
Non-critical industries       22.1                  13.6                   16.0                     9.0
Domestic                      19.0                  27.5                   12.5                     15.7
Multinational                 39.3                  18.3                   29.0                     8.8
Sales under $1 billion        20.0                  19.0                   15.0                     15.6
Sales over $1 billion         35.0                  25.0                   19.0                     6.7

Number of respondents
All companies                 40                    40                     38                       29
Critical industries           18                    18                     17                       12
Non-critical industries       22                    22                     21                       17
Domestic                      22                    22                     20                       17
Multinational                 18                    18                     18                       12

Changes in insurance coverage since 2001
Higher premiums 50.0%
More self-insurance 40.4
Risk Management as a Line Item
Insurance and risk management is one of the biggest single line items in a typical company's security-related spending. The median spending on insurance and risk management for all companies in the risk managers' sample is $7.4 million. The median spending is much higher for companies with more than $1 billion in sales ($19.2 million) than for companies below this sales level ($3 million). Indeed, 63 percent of companies above the billion-dollar level in sales pay at least $10 million per

Actuarial data are employed by 62 percent of risk managers to gauge the appropriate level of spending. Other commonly employed tools are benchmarking against industry standards (56 percent) and recommendations from consultants (33 percent).

Actuarial data are most common means of determining spending on risk management
Benchmarking against industry standards 55.8
Cost of previous security incidents
As much as we can afford
Percentage of annual sales
Other
Number of respondents: 52

[Chart: spending on insurance and risk management by category (Less than $1 million; $1 to $9 million; $10 to $49 million; $50 to $99 million; $100 million or more), with median and respondents]
Companies in the critical industries spend a higher amount on risk management as a percentage of their annual sales. Over half (53 percent) of companies in critical industries spend 1 percent or more of their sales on risk management, compared to 36 percent of companies in non-critical industries.

Medical insurance is the biggest risk management expense for most companies, with 63 percent of all companies spending $1 million or more per year on health coverage. The comparable proportion for liability insurance is 49 percent, followed by property insurance (48 percent) and business interruption insurance (32 percent).

All companies 56.4% 28.2% 15.4%
Critical industries 47.1 29.4 23.6
2% or more

Medical insurance is the biggest insurance cost for most companies
Percentage of companies spending $1 million or more in 2002 on ...

Number of respondents       All companies    Sales under $1 billion    Sales over $1 billion
Medical insurance           30               16                        14
Liability insurance         41               19                        22
Property insurance          40               19                        21
Business interruption
insurance                   41               19                        22
Life insurance              27               15                        12
Disability insurance        29               16                        13
Travel insurance            36               18                        18
A Methodological Note on Risk Management Data
Security directors are much less likely to perceive a dramatic

management than are the risk managers themselves. While only 36 percent of security directors report an increase in spending on insurance and risk management since 2001, 98 percent of risk managers report an increase. The median increase reported by the risk managers is 33 percent. Although the sample of risk

budget data on insurance and other financial issues on an ongoing basis, while this responsibility is often far removed from the function of the security director. Indeed, 31 percent of the security directors are unable to estimate the change in spending on risk

We also believe that the security directors' estimates of dollar

are unrealistically low. For all companies, the security directors' median estimate of spending on risk management in 2002 is $1.4 million and among companies with $1 billion or more in sales, the median estimate is $5 million. Both of these figures are less than one-third the median estimates from the sample of risk managers

Perhaps most telling is the fact that the median estimates on risk management spending from the risk managers' survey actually exceed the median estimates for total security spending from the security director's survey. The median total security spending

In sum, many security directors either did not provide data on risk

to have greatly underestimated both the dollar amount and the degree of increase in risk management spending in their companies. It appears likely that the security directors answered the spending questions in the survey with reference primarily to the budgets that they personally control within their companies.

spending on security exclusive of costs for insurance and risk management. We believe that the risk managers' estimates of spending on insurance and risk management are more accurate, and should be utilized in analyses of that aspect of security-related spending.
The Costs of Terrorism
Concerns about terrorism have clearly influenced the ability of some companies to secure adequate insurance coverage since 9/11. Over half of all risk managers (57 percent) report that it is becoming more difficult to secure adequate insurance coverage for Class A office space in urban locations since 2001. (Note: this percentage excludes "don't know" responses and companies not having Class A office space in an urban location.)

This problem is most acute for companies with headquarters in the Northeast Metro region, where fully 88 percent report increased difficulty in insuring Class A office space compared to 41 percent in the rest of the country. Companies in critical industries are much more likely to report difficulty (72 percent) than companies in non-critical industries (30 percent).

Larger companies are also more likely to report a problem with office space insurance. Two-thirds of companies with $1 billion or more in sales report that insurance for Class A urban properties is a problem, compared to 46 percent of companies below that sales level. Similarly, 70 percent of companies with 10,000 or more employees report difficulty insuring such space compared to half of companies below that payroll level.

Direct coverage for terrorism is also becoming more difficult to secure. While 27 percent of companies have such coverage, 17 percent have been unable to renew it, while an additional 29 percent did not have it before or after 9/11. There seems to be considerable ambiguity with regard to this type of coverage: 6 percent of companies say it depends on circumstances, and 21 percent are not sure if they are covered.

Class A office space is becoming more difficult to insure
Percentage of companies reporting it is more difficult to secure adequate insurance coverage for Class A office space in prime urban locations since 2001
Domestic 52.9
Northeast Metro 87.5
Rest of country 41.2

Most companies lack coverage for terrorism
"Does your company's current insurance coverage include coverage for terrorist events?"
5.8% Depends
17.3% Unable to renew
11.1% Not sure
Number of respondents: 52
What Security Executives Worry About
The sheer variety of threats faced by contemporary businesses presents a
All three types of security executives (security directors, risk managers, and IT security officers) were asked an open-ended question to elicit what they are most worried about. Security directors are most concerned about the possibility of workplace violence, a worry voiced by one-third of the sample. Terrorism was the next most frequent mention (by 19 percent), followed by financial crime (15 percent) and computer hacking (15 percent).

A different question was posed to gauge the severity of different types of threats. Security directors were asked to rate the severity of threats to their companies on a 7-point scale, with 7 representing the most severe threat. The threats rated most highly on this scale are theft (averaging 5.06 on the 7-point scale) and computer hackers and viruses (5.05). These worries are followed by current and former employees (4.59) and natural disasters (4.24).

Computer hackers, data loss 14.6
Biological/chemical/product contamination 9.2
Business continuity/disaster recovery
Overseas threats/foreign instability
Arson, fire
Background checks/negligent hiring

"On a scale from 1 to 7, where 1 represents a minimal threat and 7 represents a severe threat, how would you rate the threat to your company posed by the following?"
Terrorist attacks 3.31
Number of respondents: 197
Risk managers have a somewhat different set of concerns. Perhaps because they deal with insurance issues, they seem much more attuned to the dangers posed by terrorism and emergency preparedness. In the open-ended question, terrorism is most often cited as the threat that worries risk managers the most (by 22 percent), followed by business interruption and disaster recovery (17 percent) and workplace violence (11 percent).

The Desirability of Dispersing Facilities
Risk managers were also asked to estimate the maximum number of employees they consider prudent to locate in a single facility. The median is 425. Only 14 percent of risk managers consider it prudent to situate 1,000 or more employees at a single location. If companies were to act on these perceptions, the recent trend toward consolidation of facilities in downtown office towers and suburban office parks might give way to a desire to disperse employees and operations.

Contamination/toxic release 8.7
Natural disasters 8.7
Litigation 6.5
International travel/risks overseas 6.5
Unanticipated loss, undiscovered risk 4.3

Median: 425
Number of respondents: 37
Note: "Don't know" eliminated
However, most companies do not report plans to disperse their facilities. Only 5 percent of security directors indicate that their companies are definitely planning to rent, buy, or construct additional facilities to disperse employees for security reasons, and 8 percent of companies are planning additional facilities to disperse operations. An additional 10 percent of companies are discussing the possibility of dispersing employees for

Most companies are not planning to disperse facilities for security reasons
Planning to rent, buy, or construct additional facilities in order to disperse employees for security reasons:
Yes, definitely
Actively considering
$1 to 9 million 28.3
Case Study
Crisis Management at Air Products
Nirmal Chatterjee is Air Products' vice president for environment, health and safety (EH&S) and corporate engineering. He admits that prior to 9/11: "Like most US chemical companies we had basic security, ID badges, visitor registration, fences, and gates with cameras and uniformed security at our larger facilities, but we didn't have enough to pass the 'red face test.' Traditionally there have been no industry security standards. Each company was more or less on its own in determining how much was enough when it came to security measures. We have since become our own worst critic and are now implementing our security processes as stringently as we do our safety programs."

On the morning of 9/11, the company immediately mobilized a crisis management team comprising representatives from manufacturing, energy and materials, and travel, as well as security, EH&S, corporate communications, and human resources. This team was never disbanded since the threat of terrorism remained high in the intervening months. The team's focus was only sharpened by the onset of war in Iraq.

The next step was to analyze company policies and processes in light of the new threat. Air Products is applying the principles of the American Chemical Council's Responsible Care security code globally and security vulnerability assessments at all facilities are being completed worldwide. Chatterjee says, "These tools are invaluable in helping us classify potential targets, determine possible threat sources, and evaluate any gaps in our security practices."

Crisis management programs took on a significant new dimension. Among the additions to the usual emergency response exercises was terrorism scenario planning. The only change within the corporate structure, aside from creation of the position of global director of process safety integrity, was to move responsibility for security standards and best practices into the office of environment, health and safety.

The process has been expensive. Ken Petrini, vice president for taxes, reports that some $10 million has already been appropriated to upgrade security in areas identified through the security vulnerability assessments conducted at the company's highest risk sites. Another $10 million is expected to be required to further improve security at all sites.

These numbers reflect only capital expenditures for upgrading facilities. They do not include the time and money involved in the crisis management process, the hardening of the company's transportation infrastructure, or IT security measures.

A more stringent customer qualification process has been developed for the company's more sensitive products. If a customer were to order a much larger quantity of one of these products, a flag would go up and the order would shift immediately to another level. As an extension of the company's product stewardship efforts, current policies also seek to ensure product security even after delivery.
Threats to IT Security
IT security officers primarily focus on preserving the integrity of their networks and web sites. When responding to the open-ended question, the most common worry concerns network intrusion and perimeter protection, mentioned by 21 percent. Close behind are viruses and worms (cited by 19 percent), protecting confidential information (18 percent) and web site disruption (13 percent).

When presented with a 7-point scale to rate the severity of various IT threats, the most highly rated threat was viruses and worms (mean of 4.11, or about halfway, on a 7-point scale). This was followed by insider abuse of Internet access (3.59), laptop theft (2.94), theft of proprietary information (2.22), denial-of-service attacks (2.21), and firewall penetration (2.20). Most of the items received ratings near the bottom of the severity scale, suggesting that most IT security officers are fairly sanguine about their ability to protect their companies' systems.

[Charts: threats to IT security. Surviving labels: malicious code; Insider abuse of Internet access; Protection of confidential information/identity theft; Firewall penetration; Disaster recovery; Connections to Internet/telecom/power grid; Fraud; Embezzlement; Cyber terrorism; Overreactions, cost of responding to trivial problems; Other comments. Number of respondents: 80. Number of respondents: 72.]
When asked whether insiders or outsiders are the greatest threats to their IT systems, almost half of IT security officers (49 percent) rate both as equal threats, while 30 percent fear their own company's employees and only 16 percent worry most about outsiders.

Just under half of companies (49 percent) report that they could restore their IT system within 24 hours of a disaster. Another 40 percent could restore their system within one week, leaving 10 percent who would need a full month to restore their IT system.

Insiders and outsiders are equally threatening to IT security
Most important risk to IT security posed by ...
Company's own employees 30.0

Instant switchover to backup system
Within 6 hours 10.4

[Chart labels: Tested; Used in emergency; Program not tested or used. Number of respondents: 80]
Lessons Learned
The four corporate case studies in this report (Duke Energy, Unisys, Avaya, and Air Products)
People First on 9/11
In the immediate aftermath of the terrorist attacks on 9/11, the first priority was to identify the whereabouts of employees, communicate their circumstances to their families and to management, and get those who were traveling home.

Crisis Management Teams
Formation of a security oversight and emergency-response team was one of the first actions taken by all of the companies interviewed. Including executives representing the security, EH&S, business continuity, communications, human resources, legal, insurance, and other relevant functions, these groups were generally charged with:

• reviewing existing security measures

The following steps were generally taken to enhance physical security:

• strengthening facility perimeters
• increasing uniformed security protection
• installing or upgrading identification and surveillance systems
• limiting facility access
• increasing security training and drills
• hardening physical security.

Two of the four companies have established crisis operations centers to be activated during severe emergencies or potential crises and to serve as a clearinghouse for all aspects of emergency response.
A Priority on Risk Analysis
The terrorism threat focused business' attention on areas of vulnerability not always considered prior to September 11. All four companies invested heavily in risk analysis reviews, addressing every aspect of their operations from product security in manufacture and delivery to the location of IT operations to terrorism scenario planning and travel policies. For companies with hundreds and even thousands of installations, going beyond the immediate hardening processes to identify specific vulnerabilities at every facility is an enormous undertaking.

Coordination with Government Agencies
The September 11 experience has highlighted a dilemma for companies attempting to establish effective emergency response programs. One company identified more than 40 agencies charged with advising its business units about potential threats, sometimes asking for conflicting or inconsistent information. There is general agreement, especially among companies operating critical infrastructure or manufacturing volatile products, that coordination among the agencies themselves is crucial.
Appendix
Draft Sources: GW Study 1997, GAO report ideas, my own thinking
Potential Questions with Security Heads at Member Companies
Main question: Was your organization located within the 16 block radius of the WTC on
9-11? Yes/No
j. Did you have adequate counseling and trauma groups ready and available?
k. Did you receive negative press following 9-11 or negative reaction from
employees?
18. In either case, if you were directly affected or not by 9-11:
a. Did the budget for crisis/management and business continuity change as a
consequence of 9-11, whether or not you were immediately affected?
b. Did the organizational structure for security and emergency preparedness
change?
c. Did the risk assessment procedures change?
d. Does your risk management plan consider the risk perception of
shareholders?
e. Did the Board of your corporation get involved?
f. Did your emergency planning and practice policies change?
19. What factors and areas of crisis management and business continuity do you
believe your company could improve?
a. Management responsiveness
b. Board responsiveness
c. Risk Assessment
d. Internal awareness
e. Communications of policies and procedures
f. Evacuation preparedness and drills
g. Back up sites
h. Back up telecommunications
i. Planning and coordination
j. Business Continuity
20. Does your company conduct evacuation planning?
21. If you are in a multi-tenant building, does your company have its own evacuation
plan and if so, is it coordinated with other groups in the building?
a. Who do you believe is ultimately responsible for your employees' safety?
b. What is the building owner's responsibility?
22. Does your company coordinate and collaborate crisis management and business
continuity with suppliers and vendors?
23. Does your company coordinate with customers?
24. Does your company coordinate with State, Local or Federal Govt?
a. What is the nature of the relationship?
b. Do you receive warnings from the public sector that apply to your
company?
c. How does that occur and with what frequency?
d. Any issues related to this coordination that could be improved?
25. Does your company show its emergency preparedness plans to local police and
fire and are they kept up-to-date with changes in your building or your plans?
26. Does your company have a crisis communication plan for employees and families
of employees?
27. Is the crisis management plan or emergency preparedness plan a "stand alone" or
is it integrated and connected to the company's overall crisis management
program?
Federal 9-11 Commission
Other (please specify)
4. Does your company currently have the position of Chief Security Officer?
o Yes
o No

o Yes, definitely
o Actively considering
o Preliminary discussions
o No discussions at present
o No, definitely

o Yes
o No

o Crisis communication
o Evacuation procedures
o Coping with stress/trauma
o Liaison with police and fire departments
o Securing access to facilities
o First aid
o Locating employees

o Yes
o No
o Not sure

o Yes
o No

What is covered in your company's business continuity plan?
o Restoring IT system
o Moving operations to off-site locations
o Alternative telecom links
o Contingency plans with suppliers
o Alternative transportation for goods
o Commuting options
o Work from home
o Other (please specify)

o Yes
o No
o Not sure

o Yes
o No
o Not sure

o Yes
o No

Other (please specify)

o Fire department
o Police department
o American Red Cross
o State government
o FEMA

(a) Operations center available at off-site location: Before 9/11 o, Today o
(b) Regularly conduct emergency evacuation drills: Before 9/11 o, Today o
(c) Background investigation of potential new hires: Before 9/11 o, Today o
(d) Computer files stored at off-site backup facility: Before 9/11 o, Today o
(e) Paper documents stored at off-site backup facility: Before 9/11 o, Today o
(f) Security guards at entry points: Before 9/11 o, Today o
(g) Turnstiles/gates at entry points: Before 9/11 o, Today o
(h) Inspecting backpacks/luggage at entry points: Before 9/11 o, Today o
(i) Risk assessment/audit of vulnerabilities: Before 9/11 o, Today o