Although core-business protection is also largely an exercise in risk identification, prioritization, and mitigation, opportunities for value capture increase as one moves from people to businesses to networks. Done properly, and marketed effectively, an investment in appropriate levels of security can help differentiate a product or service, or enhance a company’s operational effectiveness versus that of its competitors. Embedding security within the organization — effectively hardwiring it into operations, in much the same way supply chain management is today — can transform security from a burden into an enabler.
During the 1990s, about a decade after the Tylenol-tampering scare first alerted the American public to the reality of smaller-scale domestic terrorism, Procter & Gamble Company dedicated one-eighth of its research and development staff — nearly 1,000 people, of whom 250 were Ph.D. scientists — to product and packaging safety. The R&D team developed innovations such as the Safety SquEase child-resistant cap, which provided the company’s Aleve analgesic with a distinct selling point at its launch. P&G subsequently sold its stake in Aleve, but Safety SquEase has been adapted for use with other P&G products.
“Safety requirements are not niceties that we incorporate simply to increase product appeal. Rather, they are corporate mandates, a nonnegotiable part of every project,” a P&G executive told a “Safety Sells” conference sponsored by the U.S. Consumer Product Safety Commission in 1995.
Operationalizing strategic security in that way — building it into core processes, budgeting cycles, and strategic planning, rather than bolting it on — can give a company an advantage over slower-moving competitors. That was a central lesson of Y2K mania. Some companies built the costs of Y2K preparations into ongoing information technology budgets and were able to seamlessly revamp aging technology systems, reducing their exposure to supply chain disruptions. This better, faster, more robust market presence saved them billions in extraordinary expenses incurred by laggards.
As in the mid-’90s, companies should focus much of their short- and medium-term strategic security planning on the firm’s supporting infrastructures, for it is on these systems — their operations, safety, and assurance — that business resiliency relies. The Bank of New York Company had two clearing systems with different telephone and power supplies in place on September 11, but both were in Lower Manhattan and were disabled after the attacks. The Wall Street firm Morgan Stanley Dean Witter & Company is now planning to build a second trading floor within 35 miles of its Midtown Manhattan headquarters. The backup facility, which could be elsewhere in Manhattan or in the suburbs, would not rely on the same power grid or telephone switching system as the principal office.
Fully securing business operations against any kind of attack clearly is not a realistic consideration for CEOs. However, there are some basic steps companies can take to protect their critical infrastructures. These steps are:
- Integrate all aspects of security — physical and personnel security and information assurance — across the enterprise and appoint a senior manager to control security integration and management company-wide.
- Get in touch with local, state, and federal government offices with security responsibilities that affect business and establish working partnerships to inform your risk assessments and build in a private sector input to new government plans and regulations.
- Study the company’s disaster recovery plan and reassess its operating environments in light of potential new threats to business security. Develop and exercise a new disaster recovery plan and update the company-wide security program if necessary.
- Understand the risk/reward payoff for security options and sequence the rollout of a new security program to address the worst risks first.
- Review and update, review and update, repeat as necessary. The threat environment, defensive tools, and a company’s operations are constantly changing. Today’s plan could be tomorrow’s recipe for disaster.