While United States chief executive officers are confident about the ability of their companies to continue serving customers in the U.S. and abroad, the September 11 attacks almost certainly will affect the way they operate internally.
Although awareness of security issues has risen overall, we believe that a new approach to corporate security has to be internalized at the CEO level. In an address late last year at the Cyber-Security Summit, sponsored by Booz Allen and Lucent Technologies/Bell Labs, Richard A. Clarke, chairman of the President’s Critical Infrastructure Protection Board and special advisor to the President for cyberspace security, observed that the average company spends .0025 percent of revenue on IT security — “a little bit less than what most companies spend on coffee... And if you think IT security is about the same priority for your company as coffee, don’t come complaining to me when you get hacked,” Mr. Clarke told his audience. “And you will get hacked.”
We believe corporate security is now a strategic issue that no longer can be delegated. And that is a message that needs to find a prominent spot on the CEO agenda.
Current CEO Security Priorities
Seventy-two CEOs from firms with more than $1 billion in annual revenues responded to the Booz Allen survey, which examined how the September terrorist attacks, the anthrax mailings, and their aftershocks had affected their view of security at their own firms, their organizations’ operations, and their companies’ relationships with federal and local government authorities.
| “More than three-quarters of the executives interviewed express increased concern for such day-to-day activities as mail processing, travel, and protection of employees.” |
Prior to the attacks, corporate security was a midlevel concern for U.S. CEOs, averaging 6.0 on a 10-point scale. Since September 11, this level of concern has increased to 7.5. These results are consistent across industries, company size, and dependence on overseas sales. Those who don’t plan increases in corporate security — including some energy and transportation firms — report that security was already a major (7.3) concern before the raids. The CEOs with heightened concern about security expect this concern to last at least one to two years; half of this group project that this heightened concern over security will continue at least five years.
Corporate leaders are being thorough in their review of their crisis-response capabilities. Ninety percent of CEOs surveyed have reviewed their firm’s disaster-planning documents since September 11, and more than three-fourths have reviewed insurance policies to ensure adequate coverage and preparedness. For those CEOs who have not yet reviewed their insurance policies, such a review tops the list of planned changes in the next three months.
Just over half of the CEOs in the Booz Allen survey (54 percent) have a chief security officer (CSO) in place, and 90 percent of those CSOs have been in the position for more than two years. Chief information officers are more likely than other executives to have security responsibilities when there is no CSO. That’s not likely to change soon: 97 percent of firms that do not have a CSO have no plans to create this position in the immediate future.

