Risk Management

What Price Security?

Companies have been slow to make costly antiterrorism investments. But their low-key moves may be making them less vulnerable.
Roy Harris
July 1, 2003

When it comes to thwarting terrorism, only a handful of companies have had to worry about controversial big-ticket items like intrusion-detection equipment for chemical plants or antimissile defenses for airliners, which some lawmakers want to mandate. For the rest of Corporate America, aggressive investment in “guards, gates, and guns” was supposed to be enough to counter the post-September 2001 threat. Or so the White House thought.

While actual private-sector security spending hasn’t been calculated, a November 2002 report from the Federal Reserve Bank of New York leads to a disappointing preview, say experts. The report said companies spent $32.8 billion in 2001, and noted that if annual spending doubled to reflect the new threat environment, an additional $7.8 billion would have gone for capital equipment, with $25 billion for personnel. But the Brookings Institution’s Michael O’Hanlon, for one, believes overall spending fell far short of doubling in 2002, and says that “at many companies the level of improvement needs to be more akin to how airport security changed after 9/11.”

Government officials, too, have been concerned over low spending at some companies. Although critical industries like utilities and transportation have invested heavily, overall “the other side of the situation is complacency” among companies that don’t feel directly threatened, says Al Martinez-Fonts Jr., special assistant to Department of Homeland Security (DHS) Secretary Tom Ridge for the department’s private-sector office.

That doesn’t mean Corporate America has been recklessly cutting corners. In fact, at many companies the list of security measures enacted since 9/11 is long, and includes conducting intensified preparedness reviews, installing technology safeguards, and focusing on business-continuity issues like supply-chain vulnerabilities. In addition, firms such as Cadence Design Systems Inc. and Duke Energy Corp. are placing physical and IT security under a single corporate officer, who often reports directly to the CFO.

Low-Key And Low-Cost

Spending for such steps tends to be relatively modest, and may not turn up in the budget at all. Yet the companies taking these more-strategic initiatives believe they make sense in today’s environment, something Martinez-Fonts certainly agrees with. Moreover, such low-key initiatives are easier to mesh with corporate culture. At Cadence, for example, employees have learned to appreciate preparedness for earthquakes — the San Jose, California-based design-software maker is nestled between two active faults — and they welcome the latest manifestations of heightened security. “You can’t quantify what peace of mind is worth,” says senior vice president and CFO William Porter.

Predictions aside, there are good reasons why overall security spending has been lower than expected. For one, corporations are wary of fluctuating rules. “The dilemma companies face is that if they put up a six-foot fence and the government ends up mandating an eight-foot fence, you’ve wasted your money on the six-foot fence,” says Martinez-Fonts. To lessen the likelihood of such misdirected spending, companies hope DHS will help them win special exemptions on security issues — for example, by easing freedom-of-information restrictions that might hinder information-sharing.

Other executives have balked because measuring the return on investment for terrorism is nearly impossible (see “Uncalculated Risk,” below). “It’s futile to figure out what the ROIs are,” says Porter. Like other CFOs, he’s spent little time projecting returns for security enhancements, which have included more electronic surveillance, golf-cart patrols, and the design of a more-cohesive business-recovery plan.

Then there is the fact that spending is dictated by such factors as a facility’s attractiveness to terrorists. That’s why it isn’t surprising that Dow Chemical Co. is taking millions of dollars in preventive measures. Yet a firm like Milwaukee-based Briggs & Stratton Corp. hasn’t done “anything out of the ordinary” to increase security since 9/11, says CFO James Brenn. “Our plants are in heartland America,” he notes, and it wouldn’t make sense to spend heavily — that is, unless terrorists shifted their targets from urban landmarks and adopted a “more-random mode of operation.”

Still, there’s agreement that security planning has gained a higher priority — after early uncertainty about what steps to take, and how quickly to take them. “There has been an awakening,” says Deborah Wince-Smith, president of the Council on Competitiveness, a private group of corporate managers, academics, and labor leaders that was a post-9/11 critic of company preparedness. Its survey last fall showed that 90 percent of executives didn’t consider their firms as targets. “But from what we’ve heard from our industrial sectors, there is growing awareness,” says Wince-Smith. All of which leads Martinez-Fonts to believe outlays for security will go up: “Companies will do the right things” to adjust to the more-dangerous environment, he says, “because they want to remain in business.”

It Ain’t Easy Being Orange

The right thing to do right now, it seems, is share information. And facilitating an unprecedented level of industry cooperation are several Information Sharing Analysis Centers, or ISACs, that were created in 10 industries to prepare for Y2K, but now work closely with the DHS and serve as a cornerstone of antiterrorism defenses (see “Strength in Numbers,” below). Through their networks, companies that don’t figure to be targets are benefiting from preparedness at companies in more-sensitive businesses.

Take the lessons Midland, Michigan-based Dow can teach. Last year, Dow started conducting its own vulnerability assessments — under guidelines established by the American Chemistry Council — and now has completed reviews at its two dozen so-called Tier 1 and Tier 2 facilities in the United States, those most critical based on size and proximity to populated areas. Dow is now implementing upgrades that include new perimeter controls at certain plants and additional ID access to specific areas. And Tim Scott, Dow’s global director for emergency services and security, notes that the ISACs support these measures by establishing the links for relaying risk information specific to the chemical industry. “The DuPonts, BASFs, and Dows are all very involved in helping smaller companies achieve the goals of improving security,” he says.

In the electrical-sector ISAC, Charlotte, North Carolina-based Duke Energy has also been combining its vulnerability assessments with efforts to help smaller utilities. It is giving special attention to calculating its security costs — if not specific ROIs — hoping to develop the most cost-effective solutions for future threats. “Unless we know how we’re spending dollars today, that’s very tough to quantify,” says C. Jeffery Triplette, vice president of risk-management services. Searching for the best software to help with the process, “we did not pick the most expensive or the cheapest or the one with all the bells and whistles,” he says. “We chose an off-the-shelf product that met Department of Energy requirements and [didn’t require] a PhD in security.”

The message about the need to quantify costs first came home to Triplette when his CEO asked him how much it cost to go from a yellow to an orange alert level. “I’m sure he wasn’t the first CEO to ask that question. But his question got us to examine security costs from a whole new perspective,” says Triplette. For one three-building office complex occupied by, say, 2,000 people, “it cost in additional operating costs — additional contract labor, extra hours of coverage — about $10,000 per week,” he says. Multiplying that across all facilities illustrates why “moving to a higher threat level is not just changing a color,” he says. “This security stuff is real, and it costs real dollars.”

The 40-40-20 Rule

Even with such models available, deciding where to allot security dollars can be a problem for high- and low-security companies alike. Ernst & Young’s Mark Doll, co-author of Defending the Digital Frontier: A Security Agenda, suggests there’s often a tendency to let too much ride on technology. “One thing I find when I talk to clients is that people, process, and technology are out of balance,” he says. Typically, companies place 80 percent of their emphasis on technology, with 10 percent each in the personnel and process aspects of security. But the ideal division, he says, is often 40 percent people, 40 percent process, and 20 percent technology, allowing security measures to be skillfully woven into the corporate culture.

“Companies will [say] they have installed a crisis-management hotline,” says Doll, “but we’ll ask them what the number is, and they’ll say ‘I don’t know.’” (Another typical hotline problem: systems designed to handle 20 calls at once, when in a real crisis 2,000 calls may be coming in.)

Doll also points out that “you don’t have to spend a lot of money” to make security mesh with culture. Michael Wyzga, senior vice president and CFO of Cambridge, Massachusetts-based Genzyme Corp., would agree. In September 2001, the biotech firm was in the planning stage for its new building when suddenly new issues arose, including whether to stay with a glass-wall design. The company quickly decided to go with the glass, as it reflected the openness of the corporate culture — but then found itself reviewing ways to make it more resilient. Vice president of security David Kent presented alternatives, including an expensive high-strength glass and an antishatter film for the glass already ordered. (The film was chosen, in part because of cost.)

Are We Safe Yet?

Whatever level of spending a company decides upon, of course, it must reflect available resources — especially since the government expects the private sector to underwrite its own safeguards. It’s also clear that heavy spending alone doesn’t buy invulnerability. Putting money into monitors, for example, does nothing to reduce the threat of corporate cyberterrorism, or the danger that a truck transporting chemicals may become a weapon of mass destruction. Further, the process of making a company hard to infiltrate may also make it harder to operate.

Indeed, companies have to grapple with how much security measures may affect productivity. Conventional wisdom has it that some steps — such as delays caused by mail-searching protocols — can hurt production. But the Council on Competitiveness argues that, gradually, lower security risks will beget a more-confident, more-productive workforce — something the organization thinks is worthy of acknowledgment. “We may come up with something like the Malcolm Baldrige quality awards,” says Wince-Smith, but recognizing instead excellence in integrated security management.

Sidebar: Uncalculated Risk

There’s not much incentive to calculate return on investment for corporate security expenses. In fact, says Genzyme Corp. CFO Michael Wyzga, “you’d be nuts to do it, and you’d drive your CFO nuts.”

That disdain for attempting to pin down such numbers is reinforced by academia. “When you get much beyond the low-hanging fruit that costs little but has obvious benefits — like emergency evacuation plans — you get into a really murky area,” says Carnegie Mellon University risk-management expert H. Keith Florig. With terrorism, “you don’t know what the risk is, and you don’t know what the risk reduction is when you buy any particular intervention.”

The standard cost-benefit calculation calls for expected losses from an incident — say, the destruction of a plant — to be multiplied by the incident’s probability. That amount is multiplied again by a factor representing any mitigation activity. The ROI is the difference between the savings and the mitigation cost. “Formulas are nice for keeping concepts in mind, but the amount of irreducible uncertainty in this case is so large that…quantitative estimates of ROI would be deemed not credible,” says Florig.

Taking On Terror

One scenario for annual homeland security costs.

| Contributor | Cost (in $ billions) | Percentage of 2003 GDP |
|---|---|---|
| Federal homeland security budget | $38.0 | 0.35% |
| Additional state and local spending | 1.3 | 0.01 |
| Additional private-sector labor cost | 25.0* | 0.23 |
| Additional private-sector capital cost | 7.8* | 0.07 |
| Total direct costs | 72.1 | 0.66 |

*Based on a doubling of annual outlays by the private sector after 2001

Source: Bart Hobijn, Federal Reserve Bank of New York (November 2002)

Strength In Numbers

The 10 private U.S. Information Sharing Analysis Centers

| Industry | Coordinating Group | Website |
|---|---|---|
| Airports | Airports Council International — North America | www.aci-na.org |
| Chemical | American Chemistry Council | http://chemicalisac.chemtrec.com |
| Electricity | North American Electric Reliability Council | http://www.esisac.com |
| Energy (Oil & Gas) | American Petroleum Institute/SAIC | http://www.energyisac.com |
| Financial Services | Securities Industry Automation/SAIC | http://fsisac.com |
| Food | Food Marketing Institute | http://www.fmi.org/isac |
| Information Technology | Internet Security Systems | https://www.it-isac.org |
| Surface Transportation | Association of American Railroads* | http://www.surfacetransportationisac.org |
| Telecommunications | National Coordinating Center for Telecommunications | http://www.ncs.gov/ncc/main.html |
| Water | Association of Metropolitan Water Agencies | http://www.waterisac.org |

*Cosponsored with the American Public Transportation Association

Source: Department of Homeland Security