For most companies, the latter will likely involve identifying the most essential aspects of their operations (those that would compromise the organization's very survival if they were weakened by an attack of some kind) and then creating a plan specifically to protect them. The result: a more targeted strategy designed to safeguard the most critical and most potentially vulnerable operations rather than a broad-based approach incapable of concentrating on the most indispensable areas.
Consider a relationship with a trusted supplier who not only has to provide components as they're needed without interruption but who also maintains sensitive information about the purchasing company's plans and designs. The interaction between customer and supplier depends on countless network connections and data, but only some of it (the blueprints for next year's new product line and the strategy for launching it, for instance) has to be carefully guarded. Consequently, rather than a homogeneous security scheme, additional precautions, in the form of hiring people with carefully monitored backgrounds, expanded encryption technologies, limited network access, extra backup systems and secure alternate workplaces, would be taken for only the most sensitive segments of the supply chain.
"In a relatively low-threat environment, people were willing to accept certain risks across the board to try to protect everything," says James Morris, executive vice president at Veritect, the private-sector division of Veridian Corp., a security consultancy. "Now our clients around the world are worried specifically about the most important parts of their systems, saying, 'Help me understand what we're going to do if a truck bomb or bioterrorism makes it impossible to access our place of business and our computers. Where do my people go to work? How do they get information to keep operating? How can I keep manufacturing, provide customer service and get supplies? And how can I be sure that none of my competitors is taking advantage of my weakness and stealing essential data?'"
Few companies have codified their thinking on how to respond to the new risk equation, and fewer still are willing to talk publicly about their plans. Chip foundry Silterra Malaysia Sdn. Bhd is an exception. The company, which has sales and marketing offices in Sunnyvale, Calif., and is headquartered in Malaysia, is majority-owned by the Malaysian government, which hopes to gain a footing in the highly profitable electronics component business. The chipmaking industry is cutthroat (intellectual property is so vital to survival that competitive intelligence and corporate spying are endemic), but Silterra is even more at risk. Its primary competitors are other Asian nations that have worked with local businesses to develop semiconductor foundry ventures of their own, and thus are likely to go to any lengths, perhaps as far as sabotage, to defend their investments.
Keenly aware of this, last May, Silterra CEO Cyril Hannon, a semiconductor veteran who had run worldwide operations at LSI Logic Corp., hired Rick Dove, an expert in adaptive organizations and cultures, to serve as CIO and set up Silterra's security program. Dove tackled his job as if the company were in immediate jeopardy. Assuming the company will be attacked in some way, perhaps one not even fathomable today, Dove began to create a system designed to be less reactive than typical security programs. The company, Dove feels, is just as likely to suffer an attack from within (a disgruntled employee or a worker paid off by a rival) as from without, so his approach essentially keeps the company in a constant state of high alert.
Dove is building layers of technology that constantly morph: passwords are modified automatically, biometric identifiers are installed as new ones are developed and their parameters keep shifting, public-key encryption formulas are added and then changed minute to minute, and network access is limited to just those specific areas particular employees need to reach, with even that constantly in flux, depending on the projects they're working on. He's even planning disinformation campaigns designed to lure suspected employees into network dead ends in unauthorized areas to catch them before they do any real damage.
Moreover, only Dove will know every aspect of the security system; that way, it can't be easily compromised. Dove plans to set up what he calls a "specialty department" dedicated to safeguarding the technology (as opposed to the ad hoc collection of IT people that generally passes for a security team now) and to put each person on the team in charge of a tiny piece of the total operation. "They'll be compartmentalized enough and unaware of exactly what each other is doing so they can't compare notes about what's going on inside without it being very obvious," says Dove, the founder of Questa, N.M.-based Paradigm Shift International.
If his system sounds like a wartime intelligence and counterintelligence operation, it's because that's what companies actually need to have in this difficult environment. And although Silterra's Hannon was one of the few executives who took the potential of corporate terrorism seriously before the attacks on the World Trade Center and the Pentagon, since then Dove has gotten increasing support from the company's other top managers, many of whom are now urging Dove to move more quickly and aggressively.
"What we had before was ambivalence: 'Why are we spending so much money on so little obvious return?' Now, what we have is recognition and thankfulness that something is actually being done to protect the company and its people," says Dove.
Return on investment, however, remains a touchy subject. Companies, especially in lean times, are not particularly anxious to spend money on projects that don't enhance revenue or develop new assets. Some crisis experts remain concerned that the sudden enthusiasm for protective measures is more a short-term outgrowth of fear than a permanent change in sentiment. To thwart this, Dove and other CIOs are adopting a real-options approach to measuring the ROI of a security program that actually places a value on the program and lets management decide whether to continue it based on how well it is performing, rather than judging it by a simple year-after-year depreciation model.
The technique involves creating different scenarios that could develop at various points throughout the life of the security program, and placing a potential value on each of the scenarios. For instance, a $500,000 investment in a biometrics system could have a value of $10 million if it succeeds in thwarting an attack during its first three years and saves three days of revenue. Like a call option on a share of stock, if these scenario price targets are met, the investment is shown to have real worth to the company and may continue to be funded; if not, the company may rethink its security formula. "It makes for an adaptable culture," says Dove, "that forces us to reassess because there are actually prices attached to what we did."
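The scenario-pricing technique described above, worked through as an added example that is not from the article, from Silterra or from Dove: each scenario is given a probability and a payoff (days of revenue not lost), the program is valued like a call option (a scenario pays only when its payoff exceeds the cost), and a periodic review re-scores the program as scenarios resolve, so management can decide to continue or rethink based on performance rather than on depreciation. The $500,000 biometrics cost and the "$10 million for three days of revenue" payoff are the article's figures; the scenario list, the probabilities, the daily revenue figure and the review outcomes are constructed assumptions.

```python
"""Scenario-based, real-options style valuation of a security investment.

Added illustration of the approach the article describes; not Silterra's model.
COST and the 3-day/$10M payoff are the article's figures; everything else below
(scenarios, probabilities, DAILY_REVENUE, review outcomes) is a constructed
assumption chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

COST = 500_000                   # biometrics investment (from the article)
DAILY_REVENUE = 10_000_000 / 3   # assumption: chosen so 3 days of revenue = $10M


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float            # assumed chance the scenario plays out in the 3-year horizon
    days_of_revenue_saved: float  # downtime the control is expected to prevent


# Constructed scenarios; probabilities sum to 1 and are illustrative only.
SCENARIOS: List[Scenario] = [
    Scenario("major attack thwarted, 3 days of downtime avoided", 0.10, 3.0),
    Scenario("minor attack thwarted, 1 day of downtime avoided", 0.25, 1.0),
    Scenario("no attack; control never exercised", 0.65, 0.0),
]


def scenario_payoff(s: Scenario, daily_revenue: float = DAILY_REVENUE) -> float:
    """Dollar value the scenario assigns to the control (revenue not lost)."""
    return s.days_of_revenue_saved * daily_revenue


def option_value(scenarios: List[Scenario], cost: float = COST,
                 daily_revenue: float = DAILY_REVENUE) -> float:
    """Expected value of the program treated like a call option: each scenario
    pays max(payoff - cost, 0), so a scenario in which the control is never
    exercised contributes nothing rather than a loss."""
    return sum(s.probability * max(scenario_payoff(s, daily_revenue) - cost, 0.0)
               for s in scenarios)


def review(scenarios: List[Scenario], outcomes: Dict[str, bool],
           cost: float = COST, daily_revenue: float = DAILY_REVENUE) -> dict:
    """Periodic funding review.  `outcomes` maps scenario name -> whether it has
    actually happened; scenarios absent from `outcomes` are still open.
    Realized payoffs count at face value, open scenarios at expected value, and
    funding continues while the two together still cover the cost."""
    realized = sum(scenario_payoff(s, daily_revenue)
                   for s in scenarios if outcomes.get(s.name) is True)
    still_open = [s for s in scenarios if s.name not in outcomes]
    expected_remaining = sum(s.probability * scenario_payoff(s, daily_revenue)
                             for s in still_open)
    return {
        "realized_value": realized,
        "expected_remaining": expected_remaining,
        "target_met": realized >= cost,
        "decision": "continue" if realized + expected_remaining >= cost else "rethink",
    }


if __name__ == "__main__":
    print(f"expected option value at launch: ${option_value(SCENARIOS):,.0f}")
    big, small = SCENARIOS[0].name, SCENARIOS[1].name
    print("year 1, nothing resolved:      ", review(SCENARIOS, {}))
    print("year 2, no major attack yet:   ", review(SCENARIOS, {big: False}))
    print("year 3, no attack at all:      ", review(SCENARIOS, {big: False, small: False}))
    print("article's case, attack thwarted:", review(SCENARIOS, {big: True}))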
While the Silterra model is focused primarily on network and technology security, in the new, more suspicious business environment, its proactive, swat-team approach is already being mirrored in varying guises at many corporations. A number of companies are beginning to reassess the vaunted just-in-time inventory systems that, by ensuring that no manufacturing materials are purchased until they were absolutely needed, boosted factory productivity and efficiency so significantly in the past decade. Suddenly, the idea of minimal inventory carries a potentially large price tag of its own. Many U.S. companies lost three days or more of materials shipments following the Sept. 11 attacks, and only the dubious silver lining of a slow economy has mitigated the impact. Consequently, some U.S. manufacturers, including Xerox Corp. and Ford Motor Co., have announced plans to expand their on-hand inventory to as many as three days at some key plants so any disruption in deliveries won't affect output and financial aftershocks are limited.