Take the lessons Midland, Michigan-based Dow can teach. Last year, Dow started conducting its own vulnerability assessments — under guidelines established by the American Chemistry Council — and now has completed reviews at its two dozen so-called Tier 1 and Tier 2 facilities in the United States, those most critical based on size and proximity to populated areas. Dow is now implementing upgrades that include new perimeter controls at certain plants and additional ID access to specific areas. And Tim Scott, Dow's global director for emergency services and security, notes that the ISACs support these measures by establishing the links for relaying risk information specific to the chemical industry. "The DuPonts, BASFs, and Dows are all very involved in helping smaller companies achieve the goals of improving security," he says.
In the electrical-sector ISAC, Charlotte, North Carolina-based Duke Energy has also been combining its vulnerability assessments with efforts to help smaller utilities. It is giving special attention to calculating its security costs — if not specific ROIs — hoping to develop the most cost-effective solutions for future threats. "Unless we know how we're spending dollars today, that's very tough to quantify," says C. Jeffery Triplette, vice president of risk-management services. Searching for the best software to help with the process, "we did not pick the most expensive or the cheapest or the one with all the bells and whistles," he says. "We chose an off-the-shelf product that met Department of Energy requirements and [didn't require] a PhD in security."
The message about the need to quantify costs first came home to Triplette when his CEO asked him how much it cost to go from a yellow to an orange alert level. "I'm sure he wasn't the first CEO to ask that question. But his question got us to examine security costs from a whole new perspective," says Triplette. For one three-building office complex occupied by, say, 2,000 people, "it cost in additional operating costs — additional contract labor, extra hours of coverage — about $10,000 per week," he says. Multiplying that across all facilities illustrates why "moving to a higher threat level is not just changing a color," he says. "This security stuff is real, and it costs real dollars."
The 40-40-20 Rule
Even with such models available, deciding where to allot security dollars can be a problem for high- and low-security companies alike. Ernst & Young's Mark Doll, co-author of Defending the Digital Frontier: A Security Agenda, suggests there's often a tendency to let too much ride on technology. "One thing I find when I talk to clients is that people, process, and technology are out of balance," he says. Typically, companies place 80 percent of their emphasis on technology, with 10 percent each in the personnel and process aspects of security. But the ideal division, he says, is often 40 percent people, 40 percent process, and 20 percent technology, allowing security measures to be skillfully woven into the corporate culture.
"Companies will [say] they have installed a crisis-management hotline," says Doll, "but we'll ask them what the number is, and they'll say 'I don't know.'" (Another typical hotline problem: systems designed to handle 20 calls at once, when in a real crisis 2,000 calls may be coming in.)
Doll also points out that "you don't have to spend a lot of money" to make security mesh with culture. Michael Wyzga, senior vice president and CFO of Cambridge, Massachusetts-based Genzyme Corp., would agree. In September 2001, the biotech firm was in the planning stage for its new building when suddenly new issues arose, including whether to stay with a glass-wall design. The company quickly decided to go with the glass, as it reflected the openness of the corporate culture — but then found itself reviewing ways to make it more resilient. Vice president of security David Kent presented alternatives, including an expensive high-strength glass and an antishatter film for the glass already ordered. (The film was chosen, in part because of cost.)
Are We Safe Yet?
Whatever level of spending a company decides upon, of course, it must reflect available resources — especially since the government expects the private sector to underwrite its own safeguards. It's also clear that heavy spending alone doesn't buy invulnerability. Putting money into monitors, for example, does nothing to reduce the threat of corporate cyberterrorism, or the danger that a truck transporting chemicals may become a weapon of mass destruction. Further, the process of making a company hard to infiltrate may also make it harder to operate.
Indeed, companies have to grapple with how much security measures may affect productivity. Conventional wisdom has it that some steps — such as delays caused by mail-searching protocols — can hurt production. But the Council on Competitiveness argues that, gradually, lower security risks will beget a more-confident, more-productive workforce — something the organization thinks is worthy of acknowledgment. "We may come up with something like the Malcolm Baldrige quality awards," says Wince-Smith, but recognizing instead excellence in integrated security management.
Sidebar: Uncalculated Risk
There's not much incentive to calculate return on investment for corporate security expenses. In fact, says Genzyme Corp. CFO Michael Wyzga, "you'd be nuts to do it, and you'd drive your CFO nuts."