But perhaps the most critical examples of how companies will become more vigilant about protecting their most valued assets from the unexpected is the renewed focus on the vulnerability of brands. According to security experts, many companies now fear that their success, which is really just the sum of the credibility and popularity of their products, could be hampered by stealthy terrorist attacks on items they manufacture and sell. Consider the current plight of the U.S. Postal Service: The anthrax scare, no matter what its source, has dealt yet another blow to an organization beset by high-priced labor, highly efficient competition and technology that can increasingly sidestep its primary service. Already, calls are going out to resort to e-mail in sending mission-critical business communications.
With that as an object lesson, security experts are advising companies to isolate the brands they can't afford to let be harmed by an attack. Using this knowledge, the company can then dedicate resources to ensure that the most critical manufacturing and sales activities related to these productswhether it be the purchase and delivery of materials, the safeguarding of the brand's formula or designs, quality control or shipping logisticsare backed by the most secure technology and protected at key stages by executives and workers who have been thoroughly investigated and can be trusted with such critical roles. And to make sure that this heightened state of attentiveness is maintained, employees could be given incentives in the form of increased compensation or promotions for uncovering new points of vulnerability in systems connected to these essential brands, and for devising solutions to overcome weak links.
Says USC's Mitroff: "Corporations are finally realizing that they have to train people to think, 'What is contained in our most important brands or our marketing brochures or the system that runs our factories or the management team that makes decisions or even the structural design of our building, such that if it was altered in any wayby any completely unknown possibilityit would decimate our business and reputation?'"
Like the global battle against terrorism itself, reaching this degree of targeted security may take a long time at most companies and will require CIOs to change their mindset from systems to strategyfrom installing technology based on a hoped-for return to understanding their companies' most essential priorities and plans, and developing proactive technology to protect and further them. For CIOs this is an opportunity to move closer to the strategic core of the organization, but it will only be successful if they respond to these potentially increased responsibilities with a higher than normal level of creativity and flexibility.
So far, this tends to be happening only at companies where CIOs have played a starring role even before the Trade Center crisis. In the days following the attack, Merrill Lynch & Co.'s fiber-optic communications failed so frequently that the IT department at the brokerage quickly installed a series of lasers to transmit data wirelessly from its lower Manhattan headquarters to backup sites in Jersey City, N.J., across the Hudson River. Merrill's chief technology officer, John McKinley, is among the more influential in the financial services industry, and he's directly involved in setting corporate strategy and linking systems to it. Still, prior to the attack, an installation of this sort would have taken months of development and testing. And layers of management would have had to approve the project. Now, without any other options and because it faced imminent disaster, Merrill has had to loosen its bureaucracy. In the process, the company has taken a chance on a promising new wireless technology that could help it disperse information over handheld devices and laptops more freelyand even give it a leg up on its rivalslong after its communications snafus are over.
To combat risk in the riskiest and most changeable of business environments, many experts recommend that companies build the organization around a central crisis management team that culls the knowledge and experiences of all parts of the organization. That means naming a chief crisis officer who can coordinate the specific operational needs of different departments, organize contingency plans, and arrange backup sites for communications, manufacturing and office-based employees.
"Where risk may have once meant, perhaps naively, just making sure a virus doesn't bring down a computer system, now each company has to re-examine every part of its access to the world, whether through the Internet or physically," says Tony Borek, director of IT architecture at Tecolote Research Inc., a Santa Barbara, Calif.-based company that conducts risk analysis for the federal government. "Risk management was never simple, but now it seems like it was. We just didn't understand how complicated the risks were."
Jeffrey Rothfeder writes frequently about business, security, environmental and technology issues. Comments on this story can be sent to firstname.lastname@example.org.