While United States chief executive officers are confident about the ability of their companies to continue serving customers in the U.S. and abroad, the September 11 attacks almost certainly will affect the way they operate internally.
|“A new approach to corporate security, we believe, has to be internalized at the CEO level. Corporate security is now a strategic issue that no longer can be delegated.”|
Although awareness of security issues has risen overall, we believe that a new approach to corporate security has to be internalized at the CEO level. In an address late last year at the Cyber-Security Summit, sponsored by Booz Allen and Lucent Technologies/Bell Labs, Richard A. Clarke, chairman of the President’s Critical Infrastructure Protection Board and special advisor to the President for cyberspace security, observed that the average company spends .0025 percent of revenue on IT security — “a little bit less than what most companies spend on coffee... And if you think IT security is about the same priority for your company as coffee, don’t come complaining to me when you get hacked,” Mr. Clarke told his audience. “And you will get hacked.”
We believe corporate security is now a strategic issue that no longer can be delegated. And that is a message that needs to find a prominent spot on the CEO agenda.
Current CEO Security Priorities
Seventy-two CEOs from firms with more than $1 billion in annual revenues responded to the Booz Allen survey, which examined how the September terrorist attacks, the anthrax mailings, and their aftershocks had affected their view of security at their own firms, their organizations’ operations, and their companies’ relationships with federal and local government authorities.
|“More than three-quarters of the executives interviewed express increased concern for such day-to-day activities as mail processing, travel, and protection of employees.”|
Prior to the attacks, corporate security was a midlevel concern for U.S. CEOs, averaging 6.0 on a 10-point scale. Since September 11, this level of concern has increased to 7.5. These results are consistent across industries, company size, and dependence on overseas sales. Those who don’t plan increases in corporate security — including some energy and transportation firms — report that security was already a major (7.3) concern before the raids. The CEOs with heightened concern about security expect this concern to last at least one to two years; half of this group project that this heightened concern over security will continue at least five years.
Corporate leaders are being thorough in their review of their crisis-response capabilities. Ninety percent of CEOs surveyed have reviewed their firm’s disaster-planning documents since September 11, and more than three-fourths have reviewed insurance policies to ensure adequate coverage and preparedness. For those CEOs who have not yet reviewed their insurance policies, such a review tops the list of planned changes in the next three months.
|“Ninety percent of CEOs surveyed have reviewed their firm’s disaster-planning documents since September 11, and more than three-fourths have reviewed insurance policies to ensure adequate coverage and preparedness.”|
Just over half of the CEOs in the Booz Allen survey (54 percent) have a chief security officer (CSO) in place, and 90 percent of those CSOs have been in the position for more than two years. Chief information officers are more likely than other executives to have security responsibilities when there is no CSO. That’s not likely to change soon: 97 percent of firms that do not have a CSO have no plans to create this position in the immediate future.
Another management priority is a proactive employee-safety measure that will also reduce costs: using videoconferencing to replace air travel. Interestingly, only a few CEOs (7 percent) appear concerned about lowering their public profile.
Nearly half of the surveyed CEOs (49 percent) are reviewing alternatives to their existing supply chains in case of disruptions; 42 percent are reviewing their suppliers’ abilities to ensure production is safe from sabotage. U.S. businesses lost hundreds of millions of dollars because of supply chain disruptions when U.S. borders and airports were closed in the wake of the attacks.
|“Nearly half of CEOs are reviewing alternatives in case of supply chain disruptions; 42 percent are reviewing their suppliers’ abilities to ensure production is safe from sabotage.”|
Despite the CEOs’ increased sensitivity to their companies’ operational vulnerabilities, participants in this survey appear confident in their ability to maintain quality of service for their U.S. customers. Most of the respondents agree that corporate security is unlikely to make customers uneasy. Nearly three-fourths of CEOs (72 percent) believe that the quality of corporate security is no more important now for customers than it was prior to September 11, and that customers’ willingness to purchase from their companies will not be affected. However, chief executives of nonfinancial firms are more concerned — more than a third believe that the quality of their corporate security is a more important factor in customers’ willingness to purchase their products and services.
Globalization strategies have been largely unaffected by events of the past year, including the terrorist attacks and protests in Seattle and Genoa, according to these CEOs. Half the interview group believe that any new barriers to previously open borders, both in the U.S. and abroad, will have either an insignificant or no impact on their companies. Whereas this is especially true for large firms, CEOs of the smaller Fortune 1000 firms believe that the after-effects of September 11 will hinder their competitiveness. A third of the surveyed executives believe that any new barriers will have a moderate or very significant effect on their companies.
Business as Usual?
CEOs are evenly split on the question of when or whether “business as usual” (defined as the state of business on Monday, September 10, 2001) will return: A third felt that business as usual would have returned within three months, a third think that it will return sometime between six months and 5 or more years, and a third believe that business will never be the same. Chief executives of global firms are less positive: Over half of these executives believe that business will never be the same.
|“CEOs will find that a stronger partnership between industry and government is needed to solve critical security problems and ensure business continuity.”|
Any additional costs for new corporate security should be shared by government, shareholders, and customers, according to two-thirds of those CEOs who believe such additional security costs are possible. A third of CEOs believe that new security costs will not be substantial.
Looking ahead, we believe CEOs will find that a stronger partnership between industry and government is needed to solve critical security problems and ensure business continuity. A cooperative effort is essential to achieve a level of business resilience that positions the business community for future growth.
Mark Gerencser, [email protected]
Mark Gerencser is a vice president with Booz Allen Hamilton in Annapolis Junction, Md. He has 20 years of engineering and consulting experience resolving communication-systems, information-security, and technology-insertion challenges. He is coleader of the firm’s strategic security initiative.
DeAnne Aguirre, [email protected]
DeAnne Aguirre is a vice president in Booz Allen Hamilton’s San Francisco office. She has 18 years of organizational and technology strategy experience serving multinational clients. She is coleader of the firm’s strategic security initiative.