Risk Management

Little Spending on Security, Survey Says

Since Sept. 11, business security spending up a mere 4 percent.
Stephen TaubJuly 14, 2003

It’s been less than two years since terrorists launched a series of devastating attacks on U.S. soil. But it looks like 9/11 is already a distant memory for many corporate executives.

According to a new study released by The Conference Board, most companies are only spending modest sums on security—despite the continued threat of global terrorism.

The median increase in security spending is 4 percent since September 2001, the survey found. Moreover, just 7 percent of the companies that participated in the survey have increased their security spending dramatically, meaning by 50 percent or more.

The study, which was sponsored by ASIS International, found that companies that are most likely to have permanently increased their security spending are in six “critical infrastructure” industries: transportation, energy and utilities, financial services, media and telecommunications, information technology, and health care.

The study polled more than 331 business-security directors, risk managers, and information-technology security officers. More than half of the companies covered in the study generate at least $1 billion in annual sales.

“While nobody knows how much security spending is enough, there are legitimate concerns about corporate vulnerability,” says Tom Cavanagh, The Conference Board’s expert on security issues and the author of the report. “Since about 80 percent of America’s critical infrastructure is controlled by the private sector, corporate security managers will play an increasingly vital role in protecting key industries and the people who work in them and are based near them.”

Daniel H. Kropp, president of ASIS International, called the 4 percent median increase “counterintuitively small in light of our concerns about terror.” But Kropp concedes that determining whether security spending is adequate must be judged “against the level of threat and the degree of risk faced by an individual company in an individual industry in a selected location.”

Another worrisome finding from the study: most companies haven’t changed the way they try to protect their businesses and employees. Just 24 percent of the respondents said their employers have centralized security responsibility in a chief security officer—and few appear interested in creating the position.

In fact, most of the companies in the survey employ fewer than 50 people to oversee all their security needs. Many do use outside security consultants and guard forces, however, to augment their staffs.

Rather than guarding against attacks, most of the respondents are spending more on insurance and risk management. The median spending for these two are up 33 percent, with about 20 percent of the respondents saying their insurance costs have at least doubled since 2001.

Of course, increased spending on insurance doesn’t necessarily mean corporations are purchasing additional coverage to protect against security threats. The increased spending may just mean that carriers are charging a whole lot more for their existing policies.

Other findings:

  • Only 26 percent of the security directors, 19 percent of the risk managers, and 14 percent of the information-technology security chiefs strongly agree that their departments are adequately financed.
  • Most high-level security executives come from the law-enforcement community (47 percent), or served in the military (33 percent) before joining their companies.
  • Most top corporate security executives hold titles below the vice presidential level and earn less than $150,000 per year. Surprisingly, only 9 percent report directly to their company’s CEO.
  • While median security spending is up about 9 percent in New York, Boston, and key cities in the northeast, it has risen less than 3 percent in other parts of America.