research report

Corporate Security Management Organization and Spending Since 9/11

Today, security is more than just locking the door behind you. Many expected a movement toward strategically aligning functions like physical protection, , and IT security under a Chief Security Officer. But senior security executives report that we are seeing an evolution - not a revolution - in how companies manage corporate security.

R-1333-03-RR

The Conference Board creates and disseminates knowledge about management and the marketplace to help businesses strengthen their performance and better serve society.

Working as a global, independent membership organization in the public interest, we conduct research, convene conferences, make forecasts, assess trends, publish information and analysis, and bring executives together to learn from one another.

The Conference Board is a not-for-profit organization and holds 501 (c) (3) tax-exempt status in the United States.

About the authors

Thomas E. Cavanagh is a Senior Research Associate in Global Corporate Citizenship at The Conference Board. Since September 2000, he has been directing TCB e-Surveys, The Conference Board’s newly formed unit offering online survey research services to commercial and non-profit clients. While at The Conference Board, he has authored Community Connections: Strategic Partnerships in the Digital Industries, a study of corporate partnerships to overcome the “digital divide,” and Corporate Community Development: Meeting the Measurement Challenge, a study of the returns on corporate investments in community economic development projects. He was the lead author of After September 11th: The Challenge Facing American Business and of The Conference Board’s series of Executive Action Reports on Corporate Security in a Time of Crisis.

Meredith Armstrong Whiting has served as The Conference Board’s senior research fellow, government affairs, since 1987. She authors research on topics relating to public policy, environmental issues, and corporate citizenship, and organized the Board’s first council for chief environmental, health, and safety executives.

About this report

The study was sponsored by ASIS International. Senior security executives were interviewed online from October 2002 through February 2003. Separate questionnaires were developed for security directors, risk managers, and IT security officers, and were targeted at the senior executive responsible for each of those functions in a given company. The samples comprise 199 security directors, 52 risk managers, and 80 IT security officers. Over 50 percent of each sample was derived from companies with $1 billion or more in annual sales. This information was supplemented by in-depth case study interviews conducted with senior security executives at four major . For a complete breakdown of the survey sample see Appendix: About the Sample.

About ASIS International

ASIS International is the preeminent organization for security professionals, with more than 33,000 members worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s number one magazine - Security Management - ASIS leads the way for advanced and improved security performance. To learn more about ASIS go to www.asisonline.org

Chuck Mitchell, editor
Peter Drubin, design
Pam Seenaraine, production

Corporate Security Management
Organization and Spending Since 9/11
by Thomas E. Cavanagh with the assistance of Meredith Whiting

contents

Key Findings
  Organization and Spending

Patterns of Organization
  Security Directors
  Risk Managers and IT Security Officers
  Accountability is Widely Dispersed
  Salary Levels
  Staffing Levels

The Chief Security Officer Position
  Authority and Financial Resources
  Changes in Accountability
  Case Study: Emergency Response at Duke Energy
  Creating the CSO Position

Spending on Corporate Security
  A Permanent Increase in Spending
  A Modest Increase Overall
  Case Study: Consolidating Security at Avaya
  Security Spending in the Northeast
  Smaller Companies Bear a Larger Burden
  The Cost of IT Security
  Case Study: IT Security at Unisys
  The Soaring Cost of Risk Management
  Changes in Insurance Coverage
  Risk Management as a Line Item
  A Methodological Note on Risk Management Data
  The Costs of Terrorism

What Security Executives Worry About
  The Desirability of Dispersing Facilities
  Case Study: at Air Products
  Threats to IT Security

Lessons Learned

Appendix: About the Sample

Corporate Security Management: Organization and Spending Since 9/11 The Conference Board 3

Key Findings

Corporate security has become a high-profile issue since the events of September 11, 2001 exposed America’s vulnerability to terrorist attack. Because roughly 80 percent of America’s critical infrastructure is managed by the private sector, corporate security managers have an essential role to play in the protection of key industries and the people who work in them.

In the wake of September 11, many companies reviewed their security operations. The events of that day made clear that security was not merely a matter of protecting employees and facilities from physical harm. A terrorist attack on a major business district could disrupt operations, inhibit travel, snarl supply chains, and pose major strategic issues for the conduct and even the survival of a multinational business.

CEOs were often dismayed to discover that the security function was highly decentralized and widely dispersed through their companies’ management structures, making accountability and coordination difficult. Some observers expected that there would be a widespread move in corporate America toward centralizing the security function under the control of a Chief Security Officer reporting directly to the CEO.

This has not been the case. While there has been some movement toward greater coordination of the security function since 9/11, it remains decentralized in most companies. In general, we are seeing an evolution, not a revolution, in the management of corporate security.

Organization and Spending

Key findings from the survey show:

Organization of the Function

• The process of security management is only beginning to evolve into a strategic business function in corporate America. At present, security issues are generally divided into three separate silos (physical protection, risk management, and IT security) with distinct accountability and reporting relationships.

• Despite having strategic implications for business management, security is still being treated as an operational concern by most companies in the United States. The traditional emphasis on physical protection is reflected in the recruitment of security directors from law enforcement and the military.

• High-level reporting and accountability are still the exception rather than the rule in corporate security management. It remains to be seen if the usual ways of doing business will prove adequate to the challenge of managing corporate security in an increasingly threatening international environment.

• Centralization, coordination, and strategic management of the corporate security function are still relatively unusual. While one-quarter of companies have a Chief Security Officer, most of the remainder do not appear to have much interest in creating the position.

Spending Patterns

• Corporate security spending has clearly increased since 9/11, but the increases have been unevenly distributed. About half of companies report a permanent increase in the level of security spending, with companies in the critical industries leading the way.

• The median increase in total security spending is only 4 percent, but this figure disguises a wide range, with 7 percent of companies stepping up their security spending by 50 percent or more. Larger, multinational companies report larger increases than smaller, domestic companies. However, smaller companies pay a larger share of their sales volume for security.

• Insurance and risk management is the area showing the most dramatic increase in spending, with a median increase of 33 percent. Fully one-fifth of companies report that their spending on insurance has at least doubled since 2001. The increase in insurance costs has been concentrated among companies in the critical industries.

• In terms of salary and executive level, IT security is the most prestigious security portfolio, although it is often simply an extension of the IT operation. Risk management is generally part of the financial management of the company. The position of security director is the lowest-ranking and tends to be focused on issues of physical protection. Most security executives serve below the vice presidential level and earn less than $150,000 per year.

• Companies in the Northeast Metro region are reporting bigger increases in spending on security and risk management than companies in the rest of the United States.

Defining critical industries

Following the usage of the U.S. Department of Homeland Security, critical industries are defined as the following: transportation; energy and utilities; financial services; media and telecommunications; information technology; and healthcare. Remaining industries are classified as non-critical.

Patterns of Organization

Despite raised expectations and heightened visibility, corporate America is undergoing an evolution rather than a revolution in the management of security concerns.

Security Directors

Security has traditionally been associated with physical protection—“the guard at the gate”—in the lingo of the profession. This function remains the core responsibility of the senior executives who manage corporate security. These executives primarily come from a background in the “peacekeeping” professions, with 47 percent having police experience and one-third coming from the military. Some 15 percent have worked in the security industry for a vendor or consultant, and 12 percent have been employed in private investigation.

While important, strategic business management does not loom as large in the career paths of security directors. Just under one-fourth report diversified corporate management experience, while 11 percent have been involved in facilities management and 9 percent apiece in IT and risk management. As security issues “move up the food chain” in significance, senior management experience will probably become more important as a qualification for the position of security director.

Given their importance in the current business environment, security directors occupy a surprisingly modest level in the corporate totem pole. Most security directors hold mid-level management positions that are deeply imbedded in the routine operations of their companies.

The vast majority of security directors hold a rank below the vice presidential level. Only 1 percent hold a title at the C-suite level and 17 percent are vice presidents. Almost half (48 percent) are directors and 27 percent are managers.

Reporting relationships are remarkably diverse. The most common pattern (20 percent) is for security directors to report to the SVP for Facilities, reflecting the profession’s traditional emphasis on physical protection. Another 15 percent report to an executive with responsibility for operations, administration, services, or support, while 13 percent report to the SVP for Human Resources.

Most security directors do not report directly to the top management of their companies. Only 9 percent of security directors report to the CEO. Some 10 percent report to the Chief Legal Officer, presumably due to liability and compliance issues. Another 8 percent report to the CFO, and 6 percent report to the COO. C-suite access may become more common in the future as security concerns become more integrated into strategic management. But at present, a routine reporting relationship to the CEO or COO is still relatively unusual.

Most security directors come from a background in law enforcement or the military

Professional background (multiple responses possible)

Police                             47.2%
Military                           32.7
Other Corporate Management         23.6
Security Vendor/Consultant         14.6
Private Investigation              12.1
Facilities Management              11.1
Professional/Corporate Security     9.0
Information Technology              9.0
Finance/Risk Management             9.0
FBI                                 6.5
Other Government/Lobbying           6.0
Human Resources                     5.0
CIA/Intelligence                    3.0
Occupational Safety                 3.0
U.S. Secret Service                 2.5
Education                           2.5
Supply Chain Management             2.0
Legal                               2.0
Other                                .5

Number of respondents: 199

Profile of Security Directors

Executive level

C-Suite                             1.0%
Vice President                     16.7
Director                           47.5
Manager                            26.8
Other                               8.1

Reporting relationship

SVP for Facilities                                  19.8%
Operations/Administration/Services/Support          15.2
SVP for Human Resources                             13.2
CLO (Chief Legal Officer)                           10.2
CEO (Chief Executive Officer)                        9.1
CFO (Chief Financial Officer)                        8.1
COO (Chief Operating Officer)                        6.1
Risk Manager/Auditor                                 4.6
Other                                               13.7

Number of respondents: 199

Risk Managers and IT Security Officers

The functions of risk management and protecting the IT system are handled in separate silos in most companies, distinct from each other and from the physical security function as well. Interestingly, both of these positions appear to enjoy more seniority and influence within the corporate structure than the security director position.

Risk managers serve at a considerably higher level than security directors. Some 8 percent hold the title of Chief Risk Officer or Chief Administrative Officer, placing them at the top management level. Fully 31 percent are vice presidents and 21 percent are directors, while 31 percent serve at the manager level.

The reporting relationships reflect this seniority. Among risk managers, 21 percent report to the CEO, and an identical percentage reports to the CFO. Another 15 percent report to an executive with financial responsibilities, indicating the preeminence of financial concerns in determining the accountability for the risk management portfolio.

A less common pattern is for the risk manager to report to an executive with operational responsibilities in human resources (8 percent), or facilities, administration, or procurement (4 percent apiece). Only 4 percent of risk managers report to a Chief Security Officer, indicating that the risk manager position is defined primarily in terms of financial issues rather than security responsibilities.

Profile of Risk Managers

Executive level

Chief Risk/Administrative Officer    7.7%
Vice President                      30.8
Director                            21.2
Manager                             30.8
Other                                9.6

Reporting relationship

CEO (Chief Executive Officer)       21.2%
CFO (Chief Financial Officer)       21.2
Other Financial/Risk Management     15.3
Legal                                7.7
Human Resources                      7.7
CSO (Chief Security Officer)         3.8
SVP for Facilities                   3.8
SVP for Administration               3.8
Purchasing/Procurement               3.8
Other                               11.7

Number of respondents: 52

IT security is the most prestigious of the three major security portfolios. Over one-third of the IT security officers surveyed serve at the senior management level. The Chief Information Officer is the IT security officer at 21 percent of the companies surveyed, meaning that security is part of that executive’s responsibility as the company’s senior IT official. Some 6 percent hold the title of Chief Officer and another 7 percent have a different C-level title.

Fifteen percent of IT security officers are vice presidents, while one-quarter are directors and one-eighth are managers. Another 5 percent hold the title of Security Architect.

Over two-thirds of IT security officers report to C-level executives. Some 39 percent report to the Chief Information Officer or Chief Technology Officer, and 23 percent report directly to the CEO, while 6 percent report to the CFO and 5 percent to the COO. Another 14 percent report to an executive in information systems or services, meaning that about half of all IT security officers report through an IT silo. The high level of IT security officers reflects how critical IT systems have become to the management of a modern .

Profile of IT Security Officers

Executive level

Chief Information Officer                      21.3%
Chief Operating/Technology/Security Officer     7.4
Chief Information Security Officer              6.3
Vice President                                 15.0
Director                                       25.1
Manager                                        12.5
Security Architect                              5.0
Other                                           7.4

Reporting relationship

CIO/CTO (Chief Information/Technology Officer)    38.8%
CEO (Chief Executive Officer)                     22.5
Other Information Technology/Systems/Services     13.8
CFO (Chief Financial Officer)                      6.3
COO (Chief Operating Officer)                      5.0
Other Operations/Administration                    5.0
Other                                              8.6

Number of respondents: 80

Accountability is Widely Dispersed

Security responsibilities are widely dispersed in a typical company. Security executives were asked who had the ultimate responsibility for a variety of security-related functions. There are only three functions for which over half of all companies report the same pattern of accountability:

• IT security is the ultimate responsibility of a senior IT executive in two-thirds of companies.
• Insurance and risk management is the ultimate responsibility of the CFO in just over half of companies.
• Background investigations are the ultimate responsibility of the SVP for Human Resources in just over half of companies.

For all other security-related functions, no more than one-quarter of companies report that ultimate responsibility is handled by any one executive. Two main clusters appear, however. The following responsibilities related to physical protection are usually accountable to the CSO, the SVP for Facilities, or the SVP for Human Resources:

• Protecting employees
• Protecting buildings and facilities
• Executive security
• Biological, chemical, and radiological hazards
• Emergency preparedness

Protecting the supply and distribution chains are usually the ultimate responsibility of the SVP for Facilities, the CSO, or the COO. Business recovery and continuity have a very distinctive pattern, with accountability assigned to the COO, CFO, or a senior IT executive.

Table 1
Security responsibilities are widely dispersed

Executive with ultimate responsibility for…
Columns: CIO/CTO/SVP for IT; CFO; SVP for HR; CSO; SVP for Facilities; COO

IT security                                 67.3%
Insurance/financial risk management         54.8%
Background investigations                   54.8%  14.2%
Protecting employees                        15.2  25.8  17.2%
Protecting buildings and facilities         10.1  23.6  24.6
Executive security                          10.2  24.5  14.3
Business recovery and continuity            13.1  18.2  19.2%
Biological/chemical/radiological hazards     9.6  18.1  18.6
Emergency preparedness                      11.1  17.6  17.6
Protecting supply chain                     11.3  10.8  15.4  10.3
Protecting distribution chain               13.3  14.9  10.8

Number of respondents: 199

Salary Levels

Compared to the most senior management positions, security executives earn relatively modest salaries. The salary levels reflect the prestige and reporting relationships discussed previously.

IT security officers are the best paid of the three security management positions, earning a median salary of $139,800 per year. Risk managers are second with a median salary of $123,600. The security directors bring up the rear, with a median salary of $101,900. Fully 20 percent of IT security officers make at least $200,000 a year, compared to 10 percent of risk managers and 9 percent of security directors.

Large multinational companies pay the highest salaries for security directors and risk managers. For example, the median salary for security directors in companies with at least $1 billion in sales is $124,000, well above the median of $101,900 for all companies. The median for risk managers in such companies is $138,500, again well above the overall median of $123,600. On the other hand, the difference in median salaries between IT security officers in these large companies and the overall median is less than $5,000 per year. It appears that salary levels in the IT security profession are driven less by the size of the company than by the expertise required to fill the position.

IT security officers are the most highly paid security executives

Salary                    Security directors   Risk managers   IT security officers
Less than $100,000        48.7%                34.0%           20.8%
$100,000 to $149,999      33.0                 36.0            37.5
$150,000 to $199,999       9.1                 20.0            22.2
$200,000 to $249,999       3.0                  4.0            13.9
$250,000 or more           6.1                  6.0             5.6
Median salary             $101,900             $123,600        $139,800
Respondents               197                  50              72

Security directors and risk managers earn more at large multinationals

Median salary ($ thousand)

                          Security directors   Risk managers   IT security officers
All companies             $101.9               $123.6          $139.8
Critical industries        105.0                125.0           132.7
Multinational              122.5                131.8           136.8
Sales over $1 billion      124.0                138.5           144.7
Over 10,000 FTE’s          131.3                137.5           140.0

Number of respondents: 197

Staffing Levels

Security directors were asked how many FTE’s their companies employ that have security as their primary responsibility. Among the 199 companies in the sample, the median number of security employees is 39.3. Of course, the number varies depending on the size of the company. For companies with under 10,000 total FTE’s, the median security employment is 28.7 FTE’s. For companies with 10,000 or more FTE’s, the median security employment is 76.6 FTE’s.

Just under half of all companies (47 percent) report that they have increased their security staffing level since 2001. Larger companies are more likely to be increasing security staff. Over half (53 percent) of companies with over $1 billion in sales have increased security employment, compared to 40 percent of companies below this sales level. Similarly, security staff has risen among 54 percent of companies with 10,000 or more total FTE’s, compared to 44 percent of companies with a payroll below that size. Interestingly, there is no significant difference between critical and non-critical industries as a whole on this measure (49 vs. 46 percent).

Most companies employ less than 50 people for security

FTE’s with security as primary responsibility

                   All companies   Less than 10,000 FTE’s   More than 10,000 FTE’s
Less than 10       28.1%           34.1%                    17.1%
10 to 49           30.2            34.9                     21.4
50 to 99           17.6            14.7                     22.9
100 to 499         14.6             8.5                     25.7
500 to 999          5.0             3.9                      7.1
1,000 or more       4.5             3.9                      5.7
Median FTE’s       39.3            28.7                     76.6
Respondents        199             129                      70

Larger companies are increasing security staff most rapidly

Change in security FTE’s since 2001

                          Respondents   Fewer   Same    1-9% higher   10% higher or more
All companies             199           10.6%   41.7%   25.1%         22.1%
Critical industries        96           10.4    40.6    25.0          23.9
Non-critical industries   103           10.7    42.7    25.2          20.3
Domestic                   97           10.3    40.2    24.7          24.7
Multinational              77           10.4    44.2    24.7          19.5
Sales under $1 billion     88            9.1    50.0    25.0          14.7
Sales over $1 billion     110           11.8    35.5    25.5          27.3
Under 10,000 FTE’s        129           10.9    45.0    24.8          19.6
Over 10,000 FTE’s          70           10.0    35.7    25.7          28.5

However, when critical and non-critical industries are broken into specific industry segments, a wide disparity appears. Financial services companies are most likely to report an increase in security staffing (62 percent of companies), followed by companies in the “digital industries” (technology, media, and telecommunications) with 53 percent reporting an increase, energy and utilities (47 percent), healthcare (39 percent), retail and wholesale trade (33 percent), and manufacturing (31 percent).

IT security is a relatively small share of security employment at most companies. Almost half of all companies (48 percent) employ fewer than 5 FTE’s whose primary responsibility is IT security. However, companies in critical industries are much more likely to have a relatively large contingent of people dealing with IT security. Almost half of such companies (48 percent) have 10 or more FTE’s working on security, compared to 31 percent of companies in non-critical industries.

Financial and technology companies are increasing security staff most rapidly

Change in security FTE’s since 2001

                      Respondents   Fewer   Same    1-9% higher   10% higher or more
All companies         199           10.6%   41.7%   25.1%         22.1%
Financial services     29            6.9    31.0    27.6          34.5
Digital industries     17           17.6    29.4    29.4          23.5
Energy/utilities       17           11.8    41.2    35.3          11.8
Healthcare             28           10.7    50.0    17.9          21.4
Trade                  12            8.3    58.3    16.7          16.7
Manufacturing          29           13.8    55.2    13.8          17.2

Companies in critical industries employ more people for IT security

FTE’s with IT security as primary responsibility

                          Respondents   1-4     5-9     10-24   25-49   50 or more
All companies             80            47.5%   13.8%   16.2%   12.5%   10.0%
Critical industries       38            39.5    13.2    23.7    13.2    10.6
Non-critical industries   42            54.8    14.3     9.5    11.9     9.5
Domestic                  34            58.8     2.9    14.7    11.8    11.8
Multinational             42            40.5    21.4    19.0    11.9     7.2
Sales under $1 billion    27            77.8     7.4     7.4     3.7     3.7
Sales over $1 billion     53            32.1    17.0    20.8    17.0    13.2
Under 10,000 FTE’s        46            63.0    15.2    13.0     4.3     4.3
Over 10,000 FTE’s         34            26.5    11.8    20.6    23.5    17.6

Not surprisingly, larger companies have more staff devoted to IT security. Over half of all companies (51 percent) with sales over $1 billion have 10 or more IT security staff, compared to only 15 percent of companies below that sales level. Similarly, 62 percent of companies with 10,000 or more total FTE’s have 10 or more IT security personnel, compared to 22 percent of companies with a total payroll below that size.

Larger companies are increasing their IT security staff most rapidly. While 42 percent of companies with $1 billion or more in sales have increased their IT security staff since 2001, only 26 percent of companies below this sales level have done so. Similarly, half of companies with 10,000 or more FTE’s have increased IT security staff, compared to 27 percent of companies below that level of employment.

Larger companies are increasing IT security staff most rapidly

Change in IT security FTE’s since 2001

                          Respondents   Fewer   Same    1-9% higher   10% higher or more
All companies             79             8.9%   53.2%   17.7%         19.0%
Critical industries       37            10.8    51.4    16.2          18.9
Non-critical industries   42             7.1    54.8    19.0          19.0
Domestic                  34            14.7    50.0    14.7          20.6
Multinational             42             4.8    59.5    19.0          16.7
Sales under $1 billion    27            11.1    59.3    18.5           7.4
Sales over $1 billion     52             7.7    50.0    17.3          25.0
Under 10,000 FTE’s        45             8.9    62.2    13.3          13.3
Over 10,000 FTE’s         34             8.8    41.2    23.5          26.5

The Chief Security Officer Position

Following 9/11, expectations seemed to be that corporate America would move to centralize the security function under the control of a Chief Security Officer (CSO) reporting directly to the CEO. That does not appear to be the case.

The Chief Security Officer (CSO) position is intended to be analogous to that of a Chief Financial Officer (CFO) or Chief Information Officer (CIO). The CSO would coordinate all security responsibilities throughout the company and would be accountable to top management and the governing board. With a single person accountable for security responsibilities, the many silos involved in security operations could be better coordinated and information could be disseminated more effectively throughout the corporation.

The CSO concept hinges on the perceived need to integrate security concerns into corporate strategy. In theory, the position would give security issues a place at the table whenever high-level decisions are being made about location of facilities, supply chain sources, choice of corporate partners, and procedures to ensure the safety of a company’s products and stakeholders. The CSO would concentrate on the “big picture,” delegating routine oversight of physical security to managers at the operating level.

With regular access to the C-suite, the CSO would be better able to redirect company policies quickly in response to an emergency or a perceived threat. Finally, the CSO would control the security budget for the corporation as a whole, so security spending could be managed more effectively.

Authority and Financial Resources

Looking at their current situation in their companies, security executives tend to be much more satisfied with their decision-making authority than with the financial resources under their control. Security executives were asked to agree or disagree with the statement: “I have the decision-making authority I need to deal with the security concerns that I am directly responsible for in my company” or an equivalent statement dealing with risk management or IT security concerns. Almost all security executives agree with this statement; 51 percent of security directors, 35 percent of risk managers, and 43 percent of IT security officers agree with it strongly.

However, there is much less agreement with the statement: “I have the financial resources I need to deal with the security concerns that I am directly responsible for in my company” or the equivalent for risk management or IT security. Only 26 percent of security directors, 19 percent of risk managers, and 14 percent of IT security directors agree strongly that they have the financial resources they need. Meanwhile, 27 percent of security directors, 25 percent of risk managers, and 35 percent of IT security officers disagree with this statement.

Security executives in non-critical industries are the least satisfied with their control over financial resources. Fully one-third (33 percent) of security directors in non-critical industries disagree that they have enough control over finances, compared to 21 percent of security directors in critical industries. The disparities are even greater for risk managers: 32 percent in non-critical industries disagree, compared to 17 percent in critical industries. The dissatisfaction is most acute among IT security officers—almost half (45 percent) in non-critical industries disagree that they have adequate financial resources, compared to 24 percent in critical industries.

Apparently in critical industries, it is easier for security executives to make a business case for obtaining the financial resources they feel they need. In the non-critical industries, because security does not appear to be quite as integral to the business, it is more difficult for security executives to battle successfully for a share of the corporate budget.

Security executives are more satisfied with their decision-making authority than with their financial resources

“I have the decision-making authority I need…”

                       Respondents   Agree strongly   Agree somewhat   Disagree
Security directors     199           50.8%            39.2%            10.0%
Risk managers           52           34.6             50.0             15.4
IT security officers    80           42.5             43.8             13.7

“I have the financial resources I need…”

                       Respondents   Agree strongly   Agree somewhat   Disagree
Security directors     199           25.6%            47.2%            27.1%
Risk managers           52           19.2             55.8             25.0
IT security officers    80           13.8             51.2             35.0

Security executives in non-critical industries are least satisfied with their control over financial resources

“I have the financial resources I need…”

Critical industries

                       Respondents   Agree strongly   Agree somewhat   Disagree
Security directors     96            30.2%            49.0%            20.9%
Risk managers          24            29.2             54.2             16.7
IT security officers   38            15.8             60.5             23.7

Non-critical industries

                       Respondents   Agree strongly   Agree somewhat   Disagree
Security directors     103           21.4%            45.6%            33.1%
Risk managers           28           10.7             57.1             32.2
IT security officers    42           11.9             42.9             45.2

Changes in Accountability

Many companies reexamined their security operations in the wake of 9/11. Most companies, however, have not made dramatic changes in the organization of their security operations as a result of these deliberations.

When security directors are asked how the accountability for security issues has changed in their companies, just under half (49 percent) report no change at all. Changes in corporate organization charts appear to be relatively rare. Some 9 percent of companies have created a new executive position to centralize and coordinate security, and 4 percent have realigned their reporting relationships.

Most of the changes mentioned are subtle, and have to do with increased priority placed on security issues in their company’s management. For example, 13 percent of security directors note an increased urgency and visibility for security issues; 10 percent report having better access to senior management; 5 percent enjoy more recognition and authority; and 5 percent have received more resources. Other security directors find there is a new stress on procedures: 8 percent see more emphasis on emergency preparedness and crisis management; 4 percent report security upgrades; and 4 percent see more concern with risk assessment and compliance auditing.

Most companies report no change in accountability for security since 9/11

“Since the events of September 11, 2001, how has the accountability for security issues in your company changed?”

No change 49.2%

More urgency, attention, concern, visibility, interest, focus 12.7

Better access to senior management 10.1

New security position created to centralize, coordinate 9.0

Emergency preparedness/crisis/recovery planning 7.9

More responsibility, recognition, authority 4.8

More resources, staff, funding, support 4.8

Security upgrades, access controls, surveillance 4.2

Vulnerability/risk assessment, compliance auditing 3.7

Realignment in reporting relationships 3.7

Interface with government agencies, law enforcement 2.6

Concern with current events, terrorism 2.1

Integration with business management/strategy 1.6

Other comments 3.2

(Summary coded from open-ended responses)

Number of respondents: 189

Case Study
Emergency Response at Duke Energy

Many companies reviewed their security operations in the wake of 9/11. These were the results at Duke Energy.

Company: Duke Energy
Located: Charlotte, North Carolina
Employees: 22,000
Sales (2002): $15.7 billion

Business: A builder of power infrastructures and a wholesale energy seller, the company is a top tier gas and power marketer in the U.S. and a Fortune 500 company.

After 9/11, Duke Energy began new efforts and accelerated existing ones to strengthen safety and security for employees, customers, and neighbors. At the heart of these activities was the work done in late 2001 and early 2002 by the Enterprise Safety and Security Network (ESSN).

The ESSN was charged to examine ways to coordinate more effectively across the company during a crisis or event. ESSN also identified potential security and safety risks that were not on the horizon prior to 9/11, and response efforts that were needed to address those new risks. Jim Hendricks, vice president of corporate environment, health and safety at that time, served as executive sponsor of the ESSN.

“Duke Energy’s nuclear operations, and the nuclear industry as a whole, have an advantage,” Hendricks says. The plant emergency processes are tested and exercised regularly. As a result, the company’s nuclear plants were able to respond quickly to instructions provided by the Nuclear Regulatory Commission after September 11.

“Our biggest weakness was in our corporate office areas,” continues Hendricks. “Not all areas had emergency plans, and those that did didn’t exercise them regularly. None of the plans considered the possibility of multiple, simultaneous events, which could severely impact our operations. Our ability to quickly locate employees who might be traveling or were otherwise away from the office was an area we also needed to improve.”

Prior to 9/11, the security function resided in a number of groups and locations. Today, the company’s Risk Management Services group oversees corporate security, insurance, crisis management, and business continuity. The group is headed by vice president Jeff Triplette. Triplette reports to the chief risk officer, who in turn reports directly to the chairman of the board.

Duke Energy’s Tom Bowman, managing director of crisis management and business continuity planning, also manages a new Enterprise Crisis Operations Center (ECOC), which is activated during severe emergencies or potential crisis events. Each business unit within Duke Energy is conducting a risk analysis, based on more than 850 identified processes.

So far, some 325 business continuity plans have been developed for the company’s major operating business units—electric utility, gas transmission, and unregulated power generation—as well as for corporate offices. The process can get complicated. For instance, in the company’s gas pipelines business there are six different businesses in the United States and Canada, with facilities in more than 30 states.

A major concern is securing the information technology operations. Hendricks says, “No one had seriously contemplated the ramifications of a major attack on our IT infrastructure. Since 2001 we have relocated our backup operations to a site far away from headquarters. Setting up the new, rigorous security and emergency response systems and documenting them requires a significant investment.”

Creating the CSO Position

In the survey of security directors, 24 percent reported that their company currently has the position of CSO. (It should be noted, however, that none of the security directors surveyed had this exact title.)

Most of the companies without a CSO position do not appear to have much interest in creating one. Only 5 percent of companies overall say they are definitely planning to create the position; 4 percent are actively considering the idea; and 6 percent are engaged in preliminary discussions. Over half of all companies (51 percent) are not discussing the idea at present, and 10 percent have definitely decided not to create the position.

Most companies don’t plan to have a Chief Security Officer

No discussions at present 51.3%
Company currently has a Chief Security Officer 24.1%
Definitely will not create CSO position 10.1%
Preliminary discussions 6.0%
Definitely planning to create position 4.5%
Actively considering 4.0%

Number of respondents: 199

When asked which kinds of experience are most valued in a CSO, the protective services are still given pride of place. Security directors were asked to rank four kinds of experience on a scale of 1 to 4 in terms of their importance (1 being most important) as preparation for the CSO position. Military and police work finished first, with an average rank of 1.99, followed by strategic business management (2.37), finance and risk management (2.57), and information technology (3.07).

Protective service experience is most valued in a CSO

“Please rank the importance of each of the following kinds of experience as preparation for the position of Chief Security Officer, from 1 for most important to 4 for least important.”

Average

Military/Police/Security 1.99

Strategic business management 2.37

Finance/Risk management 2.57

Information technology 3.07

Number of respondents: 197

Companies in critical industries are more likely to have a CSO than those in non-critical industries (29 vs. 19 percent), suggesting that centralization of the security function is especially important in industries where security is most vital. Domestic companies are also more likely to have a CSO than multinationals (32 percent vs. 18 percent).

However, smaller companies are most likely to have a CSO. While 35 percent of companies have a CSO if they have less than $1 billion in sales, this figure drops to 15 percent for companies with over $1 billion in sales. Similarly, 31 percent of companies with under 10,000 FTE’s have a CSO, compared to 11 percent of companies with over 10,000 FTE’s.

Security operations are clearly more centralized in smaller companies. We believe this is probably because organizational silos and senior-level executive positions are more likely to proliferate in larger companies, making it more difficult to consolidate security authority behind a single individual in the person of a CSO. Of course, one could also argue that this proliferation is precisely why a CSO might be needed to bring order out of this potential for organizational chaos.

Companies in critical industries are more likely to have a CSO...

Group | Number of respondents | Have a CSO
Critical industries | 96 | 29.2%
Non-critical industries | 103 | 19.4%

…but smaller domestic companies are most likely to have a CSO

Group | Number of respondents | Have a CSO
Domestic | 97 | 32.0%
Multinational | 77 | 18.2%
Sales under $1 billion | 88 | 35.2
Sales over $1 billion | 110 | 15.5
Under 10,000 FTE’s | 129 | 31.0
Over 10,000 FTE’s | 70 | 11.4

As one would expect, CSOs are more likely than other security directors to report to top management. A total of 43 percent report to a C-suite executive, compared to 27 percent of security directors in companies that have no interest in creating the CSO position. In companies that do not currently have a CSO but are considering creating the position, 43 percent report to a C-level executive, the same as in companies that already have a CSO. However, 28 percent of CSOs report to the very top level (CEO or COO), compared to only 11 percent of security directors in companies that are considering whether to create the CSO position.

The pattern suggests that the decision to create a CSO is influenced by certain pre-existing patterns in security management. If a company’s security director already reports directly to upper management, then the company is more likely to consider designating this executive as the CSO to reflect the importance of the responsibilities.

CSO’s are more likely to report to top management

Security director reports to… | Company has CSO | May create CSO position | No interest in CSO position
CEO (Chief Executive Officer) | 15.2% | 10.7% | 6.6%
COO (Chief Operating Officer) | 13.0 | 0 | 5.0
CFO (Chief Financial Officer) | 8.7 | 14.3 | 5.8
CLO (Chief Legal Officer) | 6.5 | 17.9 | 9.9
SVP for Facilities | 17.4 | 17.9 | 21.5
SVP for Human Resources | 10.9 | 14.3 | 14.0
Other | 28.3 | 25.0 | 37.2
Respondents | 46 | 28 | 121

CSOs are far more likely to have the authority they feel they need… but CSOs are no more likely to have the financial resources they feel they need

Percentage of security directors agreeing strongly that they have the decision-making authority they need, and percentage agreeing strongly that they have the financial resources they need:

Group | Number of respondents | Decision-making authority | Financial resources
Company has CSO | 47 | 72.3% | 25.5%
May create CSO position | 28 | 39.3 | 28.6
No interest in CSO position | 122 | 45.1 | 24.6

There is evidence that the CSO solution does indeed enhance the ability of security directors to implement policies within their companies. Almost three-quarters (72 percent) of CSOs agree strongly that they have the decision-making authority they need, compared to 39 percent of security directors in companies that are considering appointing a CSO, and 45 percent in companies with no interest in the CSO position.

However, the major complaint of security executives concerns their lack of control over the purse strings, and having a CSO does not appear to ameliorate that concern. Regardless of where a company stands on the CSO issue, only about one-quarter of security directors agree strongly that they have the financial resources they need.

Even so, while CSOs may be just as dissatisfied with their financial clout as other security directors, they are increasing spending more rapidly. The median spending increase on security since 2001 in companies with a CSO is 5.3 percent, compared to 2.4 percent in companies with no interest in the CSO position. Spending is increasing most rapidly (6.7 percent) in companies that do not currently have a CSO but are thinking of creating the position. This pattern again suggests that as a company upgrades the priority it places on security, it is more likely to consider creating the position of CSO.

Companies with CSOs are more likely to increase security spending

Median increase in total security spending since 2001:

Company has CSO 46* 5.3%

May create CSO position 27 6.7

No interest in CSO position 117 2.4

* Number of respondents

This point becomes even clearer if we look at the relationship between certain kinds of security spending increases and interest in creating the CSO position. Companies that are considering the creation of the position have specialized needs. They are twice as likely as other companies to report increases in spending on IT security (77 percent) or business recovery and continuity (59 percent).

We can refine this analysis even further by looking only at companies that do not currently have a CSO. Among the remaining companies, those that report certain kinds of spending increases are also much more likely to report interest in the CSO position. For example, among non-CSO companies that have increased spending on IT security, 32 percent are thinking of creating a CSO, compared to only 8 percent of non-CSO companies that have not increased IT spending. Among non-CSO companies that have increased spending on business recovery and continuity, 28 percent are discussing the CSO option, compared to 12 percent that have not increased such spending. Somewhat smaller disparities exist among non-CSO companies depending on whether or not they have increased spending on risk management (25 vs. 14 percent) or protecting buildings and facilities (22 vs. 14 percent).

The conclusion seems inescapable: interest in creating a CSO is driven by a higher profile for security concerns within a company. As the security director becomes more accountable to the C-suite, and spending increases on specialized concerns like IT security and business recovery, senior management is more likely to consider the CSO option as a means to improve the coordination and effectiveness of security management.

Table 2
Companies discussing a CSO position have specialized spending needs…

Percentage of companies reporting increase in spending on… | Company has CSO | May create CSO position | No interest in CSO position
IT security | 34.1% | 77.3% | 38.7%
Business recovery and continuity | 28.2 | 59.1 | 34.3
Insurance/financial risk management | 36.8 | 50.0 | 32.9
Protecting buildings and facilities | 56.8 | 64.0 | 50.0
Executive security | 14.3 | 22.7 | 18.3
Biological/chemical/radiological hazards | 16.7 | 21.7 | 23.4
Background investigations | 22.0 | 25.0 | 25.2
Number of respondents | 47 | 27 | 122

… compared to other companies without a CSO

If companies without a CSO are spending more on… | May create CSO position | Number of respondents
IT security | 32.1% | 53
Business recovery and continuity | 27.7 | 47
Insurance/financial risk management | 25.0 | 36
Protecting buildings and facilities | 22.2 | 72
Executive security | 20.0 | 25
Biological/chemical/radiological hazards | 18.5 | 27
Background investigations | 18.2 | 33

If companies without a CSO are spending the same or less on… | May create CSO position | Number of respondents
IT security | 8.1% | 62
Business recovery and continuity | 12.2 | 74
Insurance/financial risk management | 14.1 | 64
Protecting buildings and facilities | 13.8 | 65
Executive security | 16.0 | 106
Biological/chemical/radiological hazards | 20.0 | 90
Background investigations | 18.4 | 98

Spending on Corporate Security

Except for risk management and insurance, corporate spending on security has increased only moderately since 9/11.

The heightened concern over corporate security since September 11, 2001 has occurred in a difficult economic climate, which has discouraged major new commitments of funds. In the current environment, large-scale capital improvements that cannot demonstrate an immediate return on investment are a particularly tough sell to management.

Thus, the perceived need to upgrade corporate security has clashed with the perceived need to control expenses until the economy recovers. There have been sharp increases in spending on unavoidable costs involving insurance and risk management, but relatively modest increases in security spending overall. The biggest increases have been concentrated among large multinationals and companies in critical industries, which are perceived to have the highest exposure to risk.

A Permanent Increase in Spending

Security spending jumped immediately after 9/11 as many companies tightened the security perimeter controlling access to their facilities. Among the most common changes were hiring additional guards and installing surveillance cameras, turnstiles, and other mechanisms at entry points. These upgrades were especially common in New York City (particularly Manhattan) and the Washington, D.C. area, the two regions attacked on 9/11 and considered most at risk of continued terrorist activity.

There was some uncertainty, however, as to whether the increases in spending were merely a temporary response to a time-bounded emergency or represented a more permanent increase in the level of security spending, with implications for corporate budgets going forward. The survey results indicate that for most companies, security spending has increased and the increase appears to be permanent.

Security directors were asked which of four statements comes closest to describing their company’s spending since 9/11. Roughly one-third of companies say that their spending has not been affected in any significant way, leaving two-thirds reporting an increase. Some 13 percent report a spike in spending, i.e., a temporary increase that is expected to recede in the future. Another one-third of companies say that spending has hit a new, higher plateau since 9/11, but do not expect additional increases in the future. Finally, 18 percent say that their spending on security will continue to increase for the next several years.

Adding together the last two categories, just over half (52 percent) of companies report a permanent increase in their level of security spending since 9/11. However, there is a considerable difference between companies in critical and non-critical industries. In the critical industries, 56 percent of companies report a permanent increase, vs. 39 percent not reporting a permanent increase. In the non-critical industries, the division is much more even: 48 percent report a permanent increase, while 52 percent do not.

There are major differences among specific industries with regard to the trend in security spending. Over two-thirds (71 percent) of companies in the energy and utilities industry report a permanent increase, followed by 62 percent of companies in the financial services industry. Smaller proportions of companies report a permanent increase in security spending in the technology sector (47 percent), healthcare (46 percent), retail and wholesale trade (42 percent), and manufacturing (38 percent).

Table 3
About half of companies report a permanent increase in security spending

Which of these statements comes closest to your view about your company’s spending on security-related concerns since September 11, 2001?

Statement | All companies | Critical industries | Non-critical industries
Our company’s spending on security has not been affected in any significant way | 32.2% | 27.1% | 36.9%
Our company’s spending on security has increased on a temporary basis, but it will probably decline in the future | 13.1 | 11.5 | 14.6
Our company’s spending on security will continue at a higher level than it was prior to September 11, 2001, but we do not anticipate significant future increases in the level of security spending | 33.7 | 43.8 | 24.3
Our company’s spending on security will continue to increase every year for the next several years | 18.1 | 12.5 | 23.3
None of the above | 3.0 | 5.2 | 1.0
Number of respondents | 199 | 96 | 103

Table 4
Utilities and financial companies report a permanent increase in security spending

Which of these statements comes closest to your view about your company’s spending on security-related concerns since September 11, 2001?

Statement | Energy | Finance | Digital | Health | Trade | Mfg.
Our company’s spending on security has not been affected in any significant way | 11.8% | 27.6% | 35.3% | 28.6% | 50.0% | 41.4%
Our company’s spending on security has increased on a temporary basis, but it will probably decline in the future | 11.8 | 10.3 | 5.9 | 17.9 | 8.3 | 20.7
Our company’s spending on security will continue at a higher level than it was prior to September 11, 2001, but we do not anticipate significant future increases in the level of security spending | 58.8 | 51.7 | 35.3 | 32.1 | 25.0 | 24.1
Our company’s spending on security will continue to increase every year for the next several years | 11.8 | 10.3 | 11.8 | 14.3 | 16.7 | 13.8
None of the above | 5.9 | 0.0 | 11.8 | 7.1 | 0.0 | 0.0
Number of respondents | 17 | 29 | 17 | 28 | 12 | 29

A Modest Increase Overall

Although most security directors report a permanent increase in spending, the size of the increase is not very large on the whole. The median increase across all companies is 4 percent, a relatively modest figure. However, this aggregate statistic fails to capture the wide range of change in security spending since 2001.

The companies cluster in three groups, each comprising approximately one-third of the sample.

• The first group reports no increase: 8 percent actually report spending less in 2002 than in 2001, and 29 percent report spending about the same on security.

• The second group of 32 percent report moderate increases between 1 and 9 percent.

• The remaining companies (31 percent) report increases of 10 percent or more. A small group of companies is increasing spending dramatically: 14 percent are now spending at least 20 per cent more on security per year, and 7 percent have stepped up their spending by 50 percent or more.

Most companies report a modest increase in overall security spending

Change in total security spending since 2001

Less 8.3%
About the same 29.2
1 to 9% higher 31.8
10 to 19% higher 16.7
20 to 49% higher 6.8
50 to 99% higher 5.7
100% higher or more 1.6

Median increase: 4%
Number of respondents: 192
Note: “Don’t know” eliminated

Larger multinational companies report bigger increases in security spending than smaller domestic companies. The median increase for multinationals (defined as companies receiving 10 percent or more of their sales overseas) is 4.7 percent, vs. 3.6 percent for domestic companies. For companies with sales over one billion dollars, the median increase is 5.5 percent vs. 1.4 percent for companies below that level of sales. The median increase for companies with 10,000 or more employees is 5.4 percent, compared to 3 percent for companies below that staffing level.

Interestingly, there is no significant difference in the level of spending increase between companies in critical and non-critical industries. In fact, the median increase is slightly higher for non-critical industries (4.4 percent vs. 3.8 percent in critical industries). On the surface, this may seem counterintuitive. It may indicate that companies in critical industries had already spent considerable sums on security prior to 9/11 because they have always been perceived to be at greater risk, while other companies have felt more need to catch up since that date.

The level of increase is quite consistent across industries. Among companies in the critical industries, the median increases for the four major industry groups cluster in the 4 to 5 percent range. In the non-critical sector, the median increase for manufacturing companies is 3.8 percent, compared to 1.3 percent in retail and wholesale trade.

Large multinationals report bigger increases in overall security spending

Change since 2001 | Number of respondents | Median increase
All companies | 192 | 4.0%
Critical industries | 92 | 3.8
Non-critical industries | 100 | 4.4
Domestic | 95 | 3.6
Multinational | 76 | 4.7
Sales under $1 billion | 83 | 1.4
Sales over $1 billion | 108 | 5.5
Under 10,000 FTE’s | 123 | 3.0
Over 10,000 FTE’s | 69 | 5.4

Most industries report a modest increase in security spending

Change since 2001 Median increase

Energy/utilities 16* 5.0%

Digital industries 15 5.0

Healthcare 28 4.2

Financial services 28 4.1

Manufacturing 29 3.8

Trade 12 1.3

* Number of respondents

Case Study
Consolidating Security at Avaya

Internal security reviews can impact corporate spending in a variety of ways. At Avaya, spending on physical security has actually declined, but spending for risk management has increased.

Company: Avaya Inc.
Located: Basking Ridge, New Jersey
Employees: 18,800
Sales (2002): $5 billion

Business: Builds and manages communications networks for more than one million businesses worldwide, including 90 percent of the Fortune 500

Marene Allison, Avaya’s director of global security, joined the company in January 2002 and immediately began to bring the multiple aspects of security under one management system.

Allison sees Avaya’s consolidation strategy as emblematic of a wide-ranging business pattern: “The new generation of security professionals must be comfortable in the governance arena as well as in operations. They need much broader backgrounds than their predecessors. They must also be able to articulate the case for security measures that affect overall company policy and operations. The business protection challenge is huge.”

One of Allison’s first tasks was to coalesce a corporate security management team. The group, which includes the corporate risk manager and several director-level executives, brings together representatives of Avaya’s business continuity planning, discovery and recovery, real estate and risk management, environmental, health & safety, public relations and human resources, and legal functions.

Security policies were thoroughly examined and updated as needed, including expiration-dated passwords, new external network connections, occupancy rules, and security camera networks. Externally, there are almost no signs of increased security, although the guard contracts were changed and there is a new emphasis on emergency response training. Allison says, “We wanted to have the ability to secure our environment, but we want our facilities to remain welcoming to employees and visitors.”

Avaya reduced its operational security costs with the consolidation and increased effectiveness and responsiveness. Allison attributes this to “having a single point of accountability for security with an understanding of the overall situation and how it fits into the business.” This contrasts with other cost increases which have occurred in business continuity/disaster recovery planning and insurance. For Avaya, disaster recovery means not only their own IT operations and business continuity, but that of their customers as well.

The insurance environment has proved to be as challenging for Avaya as it has for other buyers. Insurance costs have increased but the company has also done a more detailed risk assessment in order to ensure business continuity and mitigate its risks.

Diane Askwyth, risk manager for Avaya, says, “One of the positive outcomes for Avaya is the intense focus on business continuity planning. Being able to demonstrate a strong corporate commitment to disaster recovery and business continuity planning has helped Avaya in its negotiations with insurance underwriters.”

Security Spending in the Northeast

Geographic location is one of the strongest predictors of increased spending on corporate security. Companies were assigned to a region based on the location of their headquarters.

Security spending is increasing much more rapidly in the metropolitan Northeast, defined as a headquarters location in the Boston, New York, Philadelphia, or Washington metropolitan areas. In the Northeast Metro corridor, the median increase for total security spending since 2001 is 9 percent, compared to 2.8 percent in the rest of the country.

Security spending is increasing most rapidly in Northeast Metro areas...

Change in total security spending since 2001 | Number of respondents | Median increase
Northeast Metro | 57 | 9.0%
Rest of United States | 130 | 2.8

“Northeast Metro” is defined as companies having headquarters in the Boston, New York, Philadelphia, and Washington, DC metropolitan areas.

Smaller Companies Bear a Larger Burden

In purely dollar terms, security spending is not a major budget item for most companies. Security directors were asked to estimate the total spending on security by their companies in the United States. (A preliminary focus group determined that estimating security spending overseas would be extremely difficult and very inaccurate, so the study did not attempt to estimate security spending outside the country.)

The median security spending for all companies in 2002 was $4.4 million. Fifteen percent of all companies report spending over $10 million a year on security, and only 6 percent report spending $50 million a year or more.

Companies with at least $1 billion in sales (approximately the cutoff for the Fortune 1000) report spending a median of $6 million a year on security, compared to a median of $1.6 million for companies below that sales level. Of the billion-dollar companies, 22 percent report spending at least $10 million a year on security, and 8 percent spend at least $50 million a year.

Most companies report spending less than $10 million per year on security

Annual security spending | All companies | Sales under $1 billion | Sales over $1 billion
Less than $1 million | 28.8% | 47.0% | 15.0%
$1 to $9 million | 56.0 | 47.0 | 62.6
$10 to $49 million | 9.4 | 3.6 | 14.0
$50 to $99 million | 4.7 | 1.2 | 7.5
$100 million or more | 1.0 | 1.2 | 0.9
Median (million) | $4.4 | $1.6 | $6.0
Respondents | 191 | 83 | 107

Note: “Don’t know” eliminated

There is considerable variation among companies in the amount of security spending as a percentage of annual sales. While 63 percent report spending less than one percent of sales on security, 5 percent of companies spend 3 percent or more of their sales on security.

One would of course expect security spending to be higher in dollar terms among the larger companies. And we have already seen that the recent increase in security spending is generally concentrated among larger companies. However, relative to the size of the company, the total cost of security appears to be more of a burden for smaller companies than for larger firms.

Expressed as a percentage of sales, smaller companies spend more on security than larger companies. Over half (53 percent) of firms with less than $1 billion in sales spend one percent or more of their sales on security, compared to slightly more than one-quarter (26 percent) of firms with over one billion dollars in sales.

Security spending is more of a burden for smaller companies

Security spending as a percentage of annual sales | All companies | Sales under $1 billion | Sales over $1 billion
Less than 1% | 62.7% | 47.0% | 73.9%
1 to 1.9% | 24.1 | 33.3 | 17.4
2 to 2.9% | 8.2 | 10.6 | 6.5
3% or more | 5.0 | 9.0 | 2.2
Respondents | 158 | 66 | 92

Note: “Don’t know” eliminated

Companies use a wide variety of methods to determine their level of spending on security. The most important means is benchmarking against industry standards, utilized by 54 percent of companies. Other commonly employed ground rules include the cost of previous incidents (used by 37 percent of companies), the value of facilities (28 percent) and recommendations from consultants (26 percent).

Benchmarking is used to determine the appropriate level of security spending

Benchmarking against industry standards 53.8%

Cost of previous security incidents 37.2

Value of facilities 28.1

Recommendations from consultants 25.6

As much as we can afford 17.6

Actuarial statistics on expected losses 16.1

Internal budget process/requests 14.0

In-house assessments/recommendations 13.1

Value of goods shipped 8.0

Recommendations from vendors 7.0

Threat level 5.5

Government regulations/standards 2.0

Percentage of annual sales 2.0

Other comments 5.0

Number of respondents: 199

Security directors were asked to estimate the degree of change in spending in a variety of security categories. Over half of companies (54 percent) report an increase in spending on protecting buildings and facilities. Spending on IT security is reported to be rising by 43 percent of companies, followed by business recovery and continuity (36 percent) and insurance and risk management (36 percent).

Most companies have increased spending on buildings and facilities

Percent reporting increased spending

                                          Percent   Number of respondents
Protecting buildings and facilities       54.1%     181
IT security                               43.3      156
Business recovery and continuity          36.3      160
Insurance and risk management             36.2      138
Background investigations                 24.7      172
Biological/chemical/radiological hazards  21.3      159
Executive security                        18.4      173

Note: “Don’t know” eliminated

The Cost of IT Security

Despite its importance, IT security is a relatively low-budget item in many companies. Over half of all companies in the sample of IT security officers (55 percent) report spending less than $1 million per year on IT security, and this proportion rises to 89 percent in companies with under $1 billion in sales. Larger companies devote more resources to this line item. Among companies with $1 billion or more in sales, one-quarter (24 percent) spend at least $5 million per year on IT security, and 4 percent spend $20 million or more.

Most companies spend less than $1 million per year on IT security

                        All companies   Sales under $1 billion   Sales over $1 billion
Less than $1 million    54.5%           88.9%                    36%
$1 to $5 million        29.9            11.1                     40
$5 to $9 million        10.4            0                        16
$10 to $19 million      2.6             0                        4
$20 million or more     2.6             0                        4
Respondents             77              27                       50

Note: “Don't know” eliminated

Benchmarking is the most common means of determining spending on IT security, used by 40 percent of companies, but a close second is affordability: one-third of companies say they spend “as much as we can afford.” Other common guidelines are recommendations from consultants (19 percent); and the cost of previous incidents (14 percent).

The median company spends 1.9 percent of its total IT budget on IT security. The median is considerably higher for companies in the critical industries (2.4 percent) than companies in the non-critical industries (1.6 percent).

As with security spending in general, IT security tends to be more of a burden for smaller companies. Among companies with under $1 billion in sales, 39 percent report spending 5 percent or more of their IT budget on security compared to 14 percent of companies with over $1 billion in sales. Domestic companies also spend relatively more on security, with 35 percent spending at least 5 percent of their IT budget on security, compared to 13 percent of multinationals.

Benchmarking and affordability drive IT security spending

Methods used to determine appropriate level of IT security spending:

Benchmarking against industry standards    40.0%
As much as we can afford                   32.5
Recommendations from consultants           18.8
Cost of previous security incidents        13.8
Percentage of overall IT budget            12.5
Risk assessment                            8.8
Business needs/priorities                  6.3
Budget constraints/analysis                5.0
Recommendations from vendors               3.8
Other                                      10.0

Number of respondents: 80

Table 5
IT security is more of a burden for smaller domestic companies

IT security spending as percentage of IT budget

                      Less than 1%   1% to 1.9%   2% to 4.9%   5% to 9.9%   10% or more   Median   Number of respondents
All companies         28.0%          26.7%        22.7%        16.0%        6.7%          1.9%     75

Critical              22.2           25.0         27.8         13.9         11.1          2.4      36
Non-critical          33.3           28.2         17.9         17.9         2.6           1.6      39

Domestic              23.5           17.6         23.5         23.5         11.8          3.2      34
Multinational         28.2           35.9         23.1         10.3         2.6           1.6      39

Under $1 bil. sales   23.1           19.2         19.2         23.1         15.4          2.8      26
Over $1 bil. sales    30.6           30.6         24.5         12.2         2.0           1.7      49

Under 10K FTE’s       23.8           28.6         21.4         14.3         11.9          2.0      42
Over 10K FTE’s        33.3           24.2         24.2         18.2         0.0           1.8      33

Note: “Don’t know” eliminated

There is a wide disparity among companies in the rate of spending increase on IT security. The median increase since 2001 is only 1.9 percent, but this figure hides an enormous amount of variation. Almost half of all companies (47 percent) have not increased spending on IT security since 2001; on the other hand, 36 percent have increased spending by 10 percent or more, and 21 percent have increased it by at least 20 percent.

The increases are pronounced in the critical industries, where 28 percent of companies have increased IT security spending by 20 percent or more, compared to 15 percent of companies in non-critical industries. Larger companies are also more likely to increase IT security spending: 31 percent of companies with 10,000 or more employees have stepped up IT security spending by 20 percent or more compared to 14 percent of companies below that payroll level.

Table 6
IT security spending is increasing in critical industries

Change since 2001

                      Less    Same    1-9% higher   10-19% higher   20-49% higher   50%+ higher   Median   Number of respondents
All companies         7.9%    39.5%   17.1%         14.5%           10.5%           10.5%         1.9%     76

Critical              8.3     36.1    16.7          11.1            13.9            13.9          4.2      36
Non-critical          7.5     42.5    17.5          17.5            7.5             7.5           0.7      40

Domestic              3.0     33.3    21.2          21.2            15.2            6.1           7.1      33
Multinational         12.5    42.5    12.5          10.0            7.5             15.0          0.0      40

Under $1 bil. sales   3.7     40.7    22.2          22.2            0.0             11.1          3.3      27
Over $1 bil. sales    10.2    38.8    14.3          10.2            16.3            10.2          1.4      49

Under 10K FTE’s       4.5     45.4    18.2          18.2            4.5             9.1           0.6      44
Over 10K FTE’s        12.5    31.3    15.6          9.4             18.8            12.5          5.0      32

Note: “Don’t know” eliminated

Case Study

IT Security at Unisys

Companies in the IT sector must evaluate security not just in terms of the integrity of their technology products and operations but their physical security as well. Here is the way that Unisys management has dealt with the challenge.

Company: Unisys
Located: Blue Bell, Pennsylvania
Employees: 36,400
Sales (2002): $5.6 billion

Business: a worldwide information technology services and solutions company operating in more than 100 countries.

Ensuring employee security was the first priority in Unisys’s five-step action plan following the World Trade Center attacks on 9/11. “With many of our 40,000 employees worldwide unnerved by the tragedy, we felt it was crucial to add extra physical security, and to take steps to improve overall security,” says Greg Fischer, vice president for facilities and asset management.

The first step was to have the existing security systems evaluated. Extra cameras and guards were added, as were roaming patrols in facility parking lots. Access to parking near the company’s data centers and other important buildings was tightened, and access control systems were upgraded.

A facility incident notification system, operating through Unisys’ website, email, telephone, and pager channels, was established to allow any employee or other individual worldwide to reach the right contact for reporting or inquiring about the status of a facilities problem. Fischer says, “Now, if you’re in Moscow and hear about a facility problem, you can reach the right person in minutes.”

The third action was to establish an emergency contact list available to all employees worldwide. Through this system, employees can identify the facility, security, safety, IT, and HR contact by name and number for any Unisys facility worldwide.

All employees are now required to take a basic training course on facility safety and security, and review it annually. The final action plan was to create a coordinating council to integrate the business continuity, disaster recovery, and emergency response functions—which previously had been scattered among several departments.

As a measure of the importance placed on security issues as a result of September 11, Fischer emphasizes that, “At least half of the activities reviewed at the annual review for the board of directors were security related.”

“We are also moving to a new access control system requiring our employees to use identification cards to swipe in and out of a facility. This system will provide more accurate information on facility utilization from a security and safety basis.”

Director of risk management, James McMullen, says he has seen insurance premium increases in excess of 100 percent. “Terrorism insurance as part of a global property program carries a huge premium and most companies are not going to buy it—unless their headquarters are in midtown Manhattan or in some high profile location. Most Fortune 500 company facilities are not in that kind of situation. It’s an issue of balance. We are going to purchase it for specific policies for the time being, but we’ll be watching it closely for the future.”

“Unisys has been actively involved in business continuity planning at its major manufacturing and service locations for more than fourteen years,” he continues. “We have identified our single source suppliers and put backups in place, and our scenario planning allows us to know just how quickly we can be back in business after almost any kind of disaster. September 11 did not show us any reason to change those policies and processes.”

The Soaring Cost of Risk Management

There is one dramatic exception to the pattern of moderate increases in security spending: insurance and risk management. Costs have been soaring in this arena because of the massive losses incurred on 9/11. To reflect the increased risk to corporate facilities and employees, insurers have dramatically raised premiums for certain kinds of coverage.

The Conference Board survey of corporate risk managers found a median increase of 33 percent in spending on insurance and risk management since 2001. Even this figure understates the severity of the costs borne by some companies. A remarkable 21 percent of risk managers report that their costs have at least doubled since 2001.

Insurance and risk management costs are soaring

Increase since 2001

0 to 9%         11.4%
10 to 19%       25.0
20 to 49%       34.1
50 to 99%       9.1
100% or more    20.5

Median increase: 33%
Number of respondents: 44
Note: “Don’t know” eliminated

The increases in risk management costs are spread quite evenly across various sectors of the economy. The median increase for multinationals is 40.6 percent, compared to 26.4 percent for companies with a domestic focus. Geographic location is an important factor: the median increase in Northeast Metro areas is 42.5 percent, compared to 31.3 percent in the rest of the United States. Companies in critical industries are reporting a larger increase than those in non-critical industries (38.8 percent vs. 32.3 percent). Smaller companies report larger increases in percentage terms than larger companies, but the differences are relatively minor.

Multinationals are bearing the largest increases in insurance and risk management costs

Median increase since 2001

                          Median increase   Number of respondents
All companies             33.0%             44
Critical industries       38.8              20
Non-critical industries   32.3              24
Domestic                  26.4              24
Multinational             40.6              20
Sales under $1 billion    37.5              20
Sales over $1 billion     31.7              24
Under 10,000 FTE’s        35.0              27
Over 10,000 FTE’s         32.9              17
Northeast Metro           42.5              10
Rest of country           31.3              30

Changes in Insurance Coverage

Half of risk managers report paying higher insurance premiums since 2001, and 10 percent have increased their level of insurance coverage. The increase in insurance costs has prompted companies to assume more of the risk themselves to hold down their spending. For example, 40 percent of risk managers have increased their level of self-insurance, and 31 percent are taking policies with higher deductibles.

For categories of insurance that are most directly related to security threats, the biggest increases in insurance costs are being incurred by companies in critical industries, which are perceived to be most at risk. For example, the median increase in property insurance is 37.5 percent for companies in critical industries vs. 22.1 percent in non-critical industries. For liability insurance, the median increase is 40.6 percent in critical industries compared to 13.6 percent in non-critical industries. Companies in critical industries face a median 23.8 percent rise in spending for medical insurance vs. 9 percent for non-critical industries.

Large multinationals are facing the biggest increases in cost for property insurance. The median increase in property insurance spending for multinationals (39.3 percent) is double the rate for domestic companies (19 percent). Companies with over $1 billion in sales report a higher median increase than companies below that size (35 vs. 20 percent).

On the other hand, domestic companies face the biggest increases in costs for liability insurance and medical insurance. Health coverage is a particular problem for smaller domestic companies. The median increase in medical insurance spending is 15.7 percent for domestic companies vs. 8.8 percent for multinationals. Companies with less than $1 billion in sales report a much higher increase in medical costs (15.6 percent) than those over that level of sales (6.7 percent). The finding suggests that there are important economies of scale for securing cost-effective medical coverage for companies doing almost all of their business in the United States.

Business interruption coverage differs from the pattern for other security-related coverage. The median increase in both critical and non-critical sectors hovers around the 16.5 percent reported for companies overall. The key factor here appears to be the scale of the business. Multinationals report much larger median increases in business interruption insurance costs than domestic companies (29 vs. 12.5 percent), and companies with 10,000 or more employees report larger median increases than those with fewer employees (29 percent vs. 14.4 percent).

Companies bear more of the insurance risks themselves

Changes in insurance coverage since 2001

Higher premiums        50.0%
More self-insurance    40.4
Higher deductible      30.8
Increased coverage     9.6

Number of respondents: 52

Table 7
Critical industries face the biggest increases in security-related insurance costs

Median increase since 2001   Property insurance   Liability insurance   Business interruption   Medical insurance
All companies                28.1%                21.5%                 16.5%                   13.0%

Critical industries          37.5                 40.6                  18.0                    23.8
Non-critical industries      22.1                 13.6                  16.0                    9.0

Domestic                     19.0                 27.5                  12.5                    15.7
Multinational                39.3                 18.3                  29.0                    8.8

Sales under $1 billion       20.0                 19.0                  15.0                    15.6
Sales over $1 billion        35.0                 25.0                  19.0                    6.7

Under 10,000 FTE’s           24.3                 23.0                  14.4                    13.9
Over 10,000 FTE’s            35.0                 23.0                  29.0                    9.0

Number of respondents        Property insurance   Liability insurance   Business interruption   Medical insurance
All companies                40                   40                    38                      29

Critical industries          18                   18                    17                      12
Non-critical industries      22                   22                    21                      17

Domestic                     22                   22                    20                      17
Multinational                18                   18                    18                      12

Sales under $1 billion       19                   19                    17                      16
Sales over $1 billion        21                   21                    21                      13

Under 10,000 FTE’s           25                   26                    24                      22
Over 10,000 FTE’s            15                   14                    14                      7

Risk Management as a Line Item

Insurance and risk management is one of the biggest single line items in a typical company’s security-related spending. The median spending on insurance and risk management for all companies in the risk managers’ sample is $7.4 million. The median spending is much higher for companies with more than $1 billion in sales ($19.2 million) than for companies below this sales level ($3 million). Indeed, 63 percent of companies above the billion-dollar level in sales pay at least $10 million per year for risk management, and 8 percent pay at least $100 million per year.

Most large companies spend at least $10 million per year on insurance and risk management

                        All companies   Sales under $1 billion   Sales over $1 billion
Less than $1 million    20.0%           38.1%                    4.2%
$1 to $9 million        42.2            52.4                     33.3
$10 to $49 million      33.3            9.5                      54.2
$50 to $99 million      0               0                        0
$100 million or more    4.4             0                        8.3

                        Median      Respondents
All companies           $7.4 mil    45
Sales under $1 billion  3.0         21
Sales over $1 billion   19.2        24

Note: “Don't know” eliminated

Actuarial data are employed by 62 percent of risk managers to gauge the appropriate level of spending. Other commonly employed tools are benchmarking against industry standards (56 percent) and recommendations from consultants (33 percent).

Actuarial data are most common means of determining spending on risk management

Methods used to determine appropriate level of spending:

Actuarial statistics on expected losses    61.5%
Benchmarking against industry standards    55.8
Recommendations from consultants           32.7
Recommendations from vendors               28.8
Cost of previous security incidents        19.2
As much as we can afford                   13.5
Percentage of annual sales                 5.8
Other                                      19.2

Number of respondents: 52

Companies in the critical industries spend a higher amount on risk management as a percentage of their annual sales. Over half (53 percent) of companies in critical industries spend 1 percent or more of their sales on risk management, compared to 36 percent of companies in non-critical industries.

Critical industries spend a higher percentage of their sales on risk management

                          Less than 1%   1 to 1.9%   2% or more   Number of respondents
All companies             56.4%          28.2%       15.4%        39
Critical industries       47.1           29.4        23.6         17
Non-critical industries   63.6           27.3        9.0          22

Note: “Don’t know” eliminated

Medical insurance is the biggest risk management expense for most companies, with 63 percent of all companies spending $1 million or more per year on health coverage. The comparable proportion for liability insurance is 49 percent, followed by property insurance (48 percent) and business interruption insurance (32 percent).

The disparity between companies above and below the billion-dollar sales level is especially pronounced for property insurance (76 vs. 16 percent spending $1 million per year or more) and liability insurance (68 vs. 26 percent).

Medical insurance is the biggest insurance cost for most companies

Percentage of companies spending $1 million or more in 2002 on…

                                  All companies   Sales under $1 billion   Sales over $1 billion
Medical insurance                 63.3%           56.3%                    71.4%
Liability insurance               48.8            26.3                     68.2
Property insurance                47.5            15.8                     76.2
Business interruption insurance   31.7            10.5                     50.0
Life insurance                    29.6            13.3                     50.0
Disability insurance              27.6            18.8                     38.5
Travel insurance                  8.3             0                        16.7

Number of respondents             All companies   Sales under $1 billion   Sales over $1 billion
Medical insurance                 30              16                       14
Liability insurance               41              19                       22
Property insurance                40              19                       21
Business interruption insurance   41              19                       22
Life insurance                    27              15                       12
Disability insurance              29              16                       13
Travel insurance                  36              18                       18

Note: “Don’t know” eliminated

A Methodological Note on Risk Management Data

Security directors are much less likely to perceive a dramatic increase in spending on risk management than are the risk managers themselves. While only 36 percent of security directors report an increase in spending on insurance and risk management since 2001, 98 percent of risk managers report an increase. The median increase reported by the risk managers is 33 percent. Although the sample of risk managers is much smaller (52 as opposed to 199 security directors), we believe the risk managers’ estimates are more accurate.

The risk managers work with budget data on insurance and other financial issues on an ongoing basis, while this responsibility is often far removed from the function of the security director. Indeed, 31 percent of the security directors are unable to estimate the change in spending on risk management. Thus, we believe the risk managers’ data should be relied upon for estimates of the rise in spending on this particular aspect of security.

We also believe that the security directors’ estimates of dollar spending on risk management are unrealistically low. For all companies, the security directors’ median estimate of spending on risk management in 2002 is $1.4 million and among companies with $1 billion or more in sales, the median estimate is $5 million. Both of these figures are less than one-third the median estimates from the sample of risk managers ($7.4 million and $19.2 million respectively). Here again, 37 percent of security directors are unable to provide an estimate, and we believe the risk managers’ data are more reliable.

Perhaps most telling is the fact that the median estimates on risk management spending from the risk managers’ survey actually exceed the median estimates for total security spending from the security director’s survey. The median total security spending for all companies in the security director’s survey is $4.4 million, and the median for companies over $1 billion in sales is $6 million. If we accept the risk managers’ data as accurate, then the totals reported by the security directors are clearly too low unless they exclude most or all of the actual spending on risk management.

In sum, many security directors either did not provide data on risk management spending, or appear to have greatly underestimated both the dollar amount and the degree of increase in risk management spending in their companies. It appears likely that the security directors answered the spending questions in the survey with reference primarily to the budgets that they personally control within their companies.

Thus, we believe that the estimates of dollar amounts and increases in total security spending gleaned from the security directors’ questionnaire are best regarded as estimates of total spending on security exclusive of costs for insurance and risk management. We believe that the risk managers’ estimates of spending on insurance and risk management are more accurate, and should be utilized in analyses of that aspect of security-related spending.

The Costs of Terrorism

Concerns about terrorism have clearly influenced the ability of some companies to secure adequate insurance coverage since 9/11. Over half of all risk managers (57 percent) report that it is becoming more difficult to secure adequate insurance coverage for Class A office space in urban locations since 2001. (Note: this percentage excludes “don’t know” responses and companies not having Class A office space in an urban location.)

This problem is most acute for companies with headquarters in the Northeast Metro region, where fully 88 percent report increased difficulty in insuring Class A office space compared to 41 percent in the rest of the country. Companies in critical industries are much more likely to report difficulty (72 percent) than companies in non-critical industries (30 percent).

Larger companies are also more likely to report a problem with office space insurance. Two-thirds of companies with $1 billion or more in sales report that insurance for Class A urban properties is a problem, compared to 46 percent of companies below that sales level. Similarly, 70 percent of companies with 10,000 or more employees report difficulty insuring such space compared to half of companies below that payroll level.

Direct coverage for terrorism is also becoming more difficult to secure. While 27 percent of companies have such coverage, 17 percent have been unable to renew it, while an additional 29 percent did not have it before or after 9/11. There seems to be considerable ambiguity with regard to this type of coverage: 6 percent of companies say it depends on circumstances, and 21 percent are not sure if they are covered.

Class A office space is becoming more difficult to insure

Percentage of companies reporting it is more difficult to secure adequate insurance coverage for Class A office space in prime urban locations since 2001

                          Number of respondents   Percent
All risk managers         28                      57.1%
Critical industries       18                      72.2
Non-critical industries   10                      30.0
Domestic                  17                      52.9
Multinational             10                      60.0
Sales under $1 billion    13                      46.2
Sales over $1 billion     15                      66.7
Under 10,000 FTE’s        18                      50.0
Over 10,000 FTE’s         10                      70.0
Northeast Metro           8                       87.5
Rest of country           17                      41.2

Note: “Don't know” and “not applicable” eliminated

Most companies lack coverage for terrorism

“Does your company’s current insurance coverage include coverage for terrorist events?”

No                 28.8%
Yes                26.9%
Not sure           21.2%
Unable to renew    17.3%
Depends            5.8%

Number of respondents: 52

What Security Executives Worry About

The sheer variety of threats faced by contemporary businesses presents a long list of contingencies for which security executives must be prepared.

All three types of security executives (security directors, risk managers, and IT security officers) were asked an open-ended question to elicit what they are most worried about. Security directors are most concerned about the possibility of workplace violence, a worry voiced by one-third of the sample. Terrorism was the next most frequent mention (by 19 percent), followed by financial crime (15 percent) and computer hacking (15 percent).

Security directors worry most about workplace violence

In thinking about all of the potential security threats that your company faces, what worries you the most?

Workplace violence/disgruntled employees                           33.0%
Terrorism                                                          18.9
Theft/fraud/financial crime                                        14.6
Computer hackers, data loss                                        14.6
Biological/chemical/product contamination                          9.2
Street crime/physical security/facilities protection               8.6
Sabotage/vandalism                                                 7.0
Natural disasters                                                  5.4
Loss of confidential/proprietary information, trade secrets        4.9
Business continuity/disaster recovery                              4.9
Executive security/kidnapping/abduction/hijacking                  4.3
Lack of resources/risk assessment/management focus                 4.3
Overseas threats/foreign instability                               3.8
Arson, fire                                                        1.6
Background checks/negligent hiring                                 1.6
Other worries                                                      7.6

Number of respondents: 185

A different question was posed to gauge the severity of different types of threats. Security directors were asked to rate the severity of threats to their companies on a 7-point scale, with 7 representing the most severe threat. The threats rated most highly on this scale are theft (averaging 5.06 on the 7-point scale) and computer hackers and viruses (5.05). These worries are followed by current and former employees (4.59) and natural disasters (4.24).

The relatively low rating for terrorism (3.31) on the scale question, compared to the open-ended question, suggests that most security directors believe the probability of a terrorist incident affecting their own company is relatively low. At the same time, the damage from such an incident could be quite severe if it were to occur.

Theft and computer hacking are the most direct threats

“On a scale from 1 to 7, where 1 represents a minimal threat and 7 represents a severe threat, how would you rate the threat to your company posed by the following?”

Theft                           5.06
Computer hackers and viruses    5.05
Current and former employees    4.59
Natural disasters               4.24
Sabotage                        3.34
Terrorist attacks               3.31
Industrial accidents            2.97
Radical protest activists       2.79

Number of respondents: 197

Risk managers have a somewhat different set of concerns. Perhaps because they deal with insurance issues, they seem much more attuned to the dangers posed by terrorism and emergency preparedness. In the open-ended question, terrorism is most often cited as the threat that worries risk managers the most (by 22 percent), followed by business interruption and disaster recovery (17 percent) and workplace violence (11 percent).

Risk managers are most worried about terrorism and disaster recovery

In thinking about all of the potential risk management threats that your company faces, what worries you the most?

Terrorism                                                   21.7%
Business interruption/disaster recovery/emergency           17.4
Workplace violence/disgruntled employees                    10.9
Cargo transit security, border closures, delivery problems  8.7
Equity exposure, credit market risk                         8.7
Contamination/toxic release                                 8.7
Natural disasters                                           8.7
Litigation                                                  6.5
International travel/risks overseas                         6.5
Workers compensation losses                                 6.5
Rising medical costs, insurance premiums                    6.5
Fraud                                                       6.5
Unanticipated loss, undiscovered risk                       4.3
IT security, cyber crime                                    4.3
Other comments                                              13.0

Number of respondents: 100

The Desirability of Dispersing Facilities

Risk managers were also asked to estimate the maximum number of employees they consider prudent to locate in a single facility. The median is 425. Only 14 percent of risk managers consider it prudent to situate 1,000 or more employees at a single location. If companies were to act on these perceptions, the recent trend toward consolidation of facilities in downtown office towers and suburban office parks might give way to a desire to disperse employees and operations.

Maximum number of employees considered prudent to locate in a single facility

Less than 100     21.6%
100 to 199        5.4
200 to 499        32.4
500 to 999        27.0
1,000 to 1,999    5.4
2,000 to 4,999    8.1
5,000 or more     0

Median: 425
Number of respondents: 37
Note: “Don’t know” eliminated

However, most companies do not report plans to disperse their facilities. Only 5 percent of security directors indicate that their companies are definitely planning to rent, buy, or construct additional facilities to disperse employees for security reasons, and 8 percent of companies are planning additional facilities to disperse operations. An additional 10 percent of companies are discussing the possibility of dispersing employees for security reasons, and another 15 percent are discussing whether to disperse operations. That leaves over three-quarters of companies that are not currently discussing the idea of dispersing facilities.

Given the lack of interest in additional facilities, it is not surprising that very few companies are planning to spend much money on construction for security reasons during the next five years. Almost two-thirds of security directors (65 percent) expect to spend less than $1 million on security-related construction, and only 7 percent anticipate spending $10 million or more.

Most companies are not planning to disperse facilities for security reasons

Planning to rent, buy, or construct additional facilities in order to disperse employees for security reasons:

Yes, definitely             4.5%
Actively considering        3.5
Preliminary discussion      6.0
No discussion at present    45.2
No, definitely              40.7

Number of respondents: 199

Planning to rent, buy, or construct additional facilities in order to disperse operations for security reasons:

Yes, definitely             7.5%
Actively considering        5.0
Preliminary discussion      10.1
No discussion at present    41.2
No, definitely              36.2

Number of respondents: 199

Estimated spending on construction for security reasons during next five years:

Less than $1 million    65.1%
$1 to 9 million         28.3
$10 to 49 million       5.3
$50 to 99 million       1.3

Number of respondents: 152
Note: “Don’t know” eliminated

Case Study: Crisis Management at Air Products

Although most corporations are not planning major security-related construction, some companies in critical industries are undertaking major capital improvement projects. One of them is the chemical manufacturer Air Products.

Company: Air Products and Chemicals

Located: Lehigh Valley, Pennsylvania

Employees: 17,200

Sales (2002): $5.4 billion

Business: The company is the largest global supplier of electronic materials, hydrogen, helium and select performance chemicals.

Nirmal Chatterjee is Air Products’ vice president for environment, health and safety (EH&S) and corporate engineering. He admits that prior to 9/11: “Like most US chemical companies we had basic security, ID badges, visitor registration, fences, and gates with cameras and uniformed security at our larger facilities, but we didn’t have enough to pass the ‘red face test.’ Traditionally there have been no industry security standards. Each company was more or less on its own in determining how much was enough when it came to security measures. We have since become our own worst critic and are now implementing our security processes as stringently as we do our safety programs.”

On the morning of 9/11, the company immediately mobilized a crisis management team comprising representatives from manufacturing, energy and materials, and travel, as well as security, EH&S, corporate communications, and human resources. This team was never disbanded since the threat of terrorism remained high in the intervening months. The team’s focus was only sharpened by the onset of war in Iraq.

The next step was to analyze company policies and processes in light of the new threat. Air Products is applying the principles of the American Chemical Council’s Responsible Care security code globally and security vulnerability assessments at all facilities are being completed worldwide. Chatterjee says, “These tools are invaluable in helping us classify potential targets, determine possible threat sources, and evaluate any gaps in our security practices.”

Crisis management programs took on a significant new dimension. Among the additions to the usual emergency response exercises was terrorism scenario planning. A more stringent customer qualification process has been developed for the company’s more sensitive products. If a customer were to order a much larger quantity of one of these products, a flag would go up and the order would shift immediately to another level. As an extension of the company’s product stewardship efforts, current policies also seek to ensure product security even after delivery.

The process has been expensive. Ken Petrini, vice president for taxes, reports that some $10 million has already been appropriated to upgrade security in areas identified through the security vulnerability assessments conducted at the company’s highest risk sites. Another $10 million is expected to be required to further improve security at all sites.

These numbers reflect only capital expenditures for upgrading facilities. They do not include the time and money involved in the crisis management process, the hardening of the company’s transportation infrastructure, or IT security measures.

The only change within the corporate structure, aside from creation of the position of global director of process safety integrity, was to move responsibility for security standards and best practices into the office of environment, health and safety.

Threats to IT Security

IT security officers primarily focus on preserving the integrity of their networks and web sites. When responding to the open-ended question, the most common worry concerns network intrusion and perimeter protection, mentioned by 21 percent. Close behind are viruses and worms (cited by 19 percent), protecting confidential information (18 percent) and web site disruption (13 percent).

When presented with a 7-point scale to rate the severity of various IT threats, the most highly rated threat was viruses and worms (mean of 4.11, or about halfway, on a 7-point scale). This was followed by insider abuse of Internet access (3.59), laptop theft (2.94), theft of proprietary information (2.22), denial-of-service attacks (2.21), and firewall penetration (2.20). Most of the items received ratings near the bottom of the severity scale, suggesting that most IT security officers are fairly sanguine about their ability to protect their companies’ systems.

Network intrusion is the biggest worry for IT security officers

In thinking about all of the potential IT security threats that your company faces, what worries you the most?

Network intrusion/ perimeter protection/ remote access 20.8%

Viruses, worms, malicious code 19.4

Protection of confidential information/ identity theft 18.1

Denial of service attacks, web site disruption, hacking 12.5

Complacency, apathy, lack of management concern/support 11.1

Internal security breaches/ disgruntled employees 11.1

Disaster recovery 8.3

Connections to Internet/telecom/ power grid 4.2

Cyber terrorism 2.8

Physical damage/ vandalism to IT hardware/buildings 2.8

Overreactions, cost of responding to trivial problems 2.8

Other comments 5.6

Number of respondents: 72

Viruses and worms are the most direct threats to IT security

“On a scale from 1 to 7, where 1 represents a minimal problem and 7 represents a severe problem, how severe have the following problems been for your company’s IT security?” (Mean)

Viruses and worms 4.11

Insider abuse of Internet access 3.59

Laptop theft 2.94

Theft of proprietary information 2.22

Denial-of-service attacks 2.21

Firewall penetration 2.20

Fraud 2.13

Embezzlement 1.85

Sabotage of data/ web pages 1.79

Number of respondents: 80

When asked whether insiders or outsiders are the greatest threats to their IT systems, almost half of IT security officers (49 percent) rate both as equal threats, while 30 percent fear their own company’s employees and only 16 percent worry most about outsiders.

Insiders and outsiders are equally threatening to IT security

Most important risk to IT security posed by…

Outsider penetration 16.2

Company’s own employees 30.0

Both equal 48.8

Not sure 5.0

Number of respondents: 80

Just under half of companies (49 percent) report that they could restore their IT system within 24 hours of a disaster. Another 40 percent could restore their system within one week, leaving 10 percent who would need a full month to restore their IT system.

About half of companies could restore their IT system within 24 hours of a disaster

Time needed to restore main IT system if it was destroyed

Instant switchover to backup system 1.3%

Within 6 hours 10.4

Within 24 hours 37.7

Within one week 40.3

Within one month 10.4

Number of respondents: 77

Most companies (63 percent) have tested their disaster recovery programs, and 45 percent have tested their business continuity programs. Five percent of companies report that they have actually used their disaster recovery program in an emergency, and 6 percent have used their business continuity program in an emergency. Only 15 percent of companies report that they do not have a disaster recovery program, and one-quarter do not have a business continuity program.

Most companies have tested their disaster recovery and business continuity programs

(Disaster recovery program / Business continuity program)

Tested 62.5% / 45.0%

Used in emergency 5.0 / 6.3

Program not tested or used 21.3 / 23.8

Company doesn’t have program 15.0 / 25.0

Number of respondents: 80

Lessons Learned

The four corporate case studies in this report (Duke Energy, Unisys, Avaya, and Air Products) illustrate some common trends in the ways that major companies are organizing their emergency response operations.

Concerns about terrorism have prompted major corporations to review their security policies and practices to reorganize, consolidate, and upgrade their security programs.

In industries producing volatile materials, security processes for the manufacture and delivery of potentially hazardous products had been in place for decades. In these critical industries, the challenge after 9/11 was to extend the security mindset to include people, facilities, products, and delivery systems globally. In other industries, the terrorism wake-up call meant looking seriously at security as a pervasive issue for the first time.

People First on 9/11

In the immediate aftermath of the terrorist attacks on 9/11, the first priority was to identify the whereabouts of employees, communicate their circumstances to their families and to management, and get those who were traveling home.

Crisis Management Teams

Formation of a security oversight and emergency-response team was one of the first actions taken by all of the companies interviewed. Including executives representing the security, EH&S, business continuity, communications, human resources, legal, insurance, and other relevant functions, these groups were generally charged with:

• reviewing existing security measures
• analyzing security risks
• aligning security policies and processes for all operations
• evaluating physical and IT security needs for the short and long term
• recommending changes in the corporate structure to strengthen emergency response capabilities
• recommending capital improvements to cope with the increased threat

These groups continue to function actively, driving integration of security throughout the corporation.

The following steps were generally taken to enhance physical security:

• strengthening facility perimeters
• increasing uniformed security protection
• installing or upgrading identification and surveillance systems
• limiting facility access
• increasing security training and drills
• hardening physical security.

Two of the four companies have established crisis operations centers to be activated during severe emergencies or potential crises and to serve as a clearinghouse for all aspects of emergency response.

Consolidation of Security Management

Security oversight was scattered prior to 9/11, so security issues had never been addressed holistically. Some companies have chosen to totally consolidate responsibility for security management, creating a new position of chief security officer who reports to top management and works closely with the corporate risk manager and IT director to align all aspects of security. Other companies vested the EH&S or risk management office with responsibility for security, or effected some combination of the two strategies. Security management has clearly gained stature and recognition as a vital business function.

A Priority on Risk Analysis

The terrorism threat focused business’ attention on areas of vulnerability not always considered prior to September 11. All four companies invested heavily in risk analysis reviews, addressing every aspect of their operations from product security in manufacture and delivery to the location of IT operations to terrorism scenario planning and travel policies. For companies with hundreds and even thousands of installations, going beyond the immediate hardening processes to identify specific vulnerabilities at every facility is an enormous undertaking.

Whether or not new risk management programs were considered necessary appears to depend largely on the company’s type of business. After looking closely at its existing risk management programs, one firm felt that no new systems were necessary. Others have spent tens of millions of dollars to upgrade their risk management programs. Some had begun to plan for terrorism attacks long before 9/11. For example, several chemical companies were working as early as 1999 with the American Chemical Council and its Center for Chemical Process to develop what has become a highly respected vulnerability assessment technology for the industry.

Coordination with Government Agencies

The September 11 experience has highlighted a dilemma for companies attempting to establish effective emergency response programs. One company identified more than 40 agencies charged with advising its business units about potential threats, sometimes asking for conflicting or inconsistent information. There is general agreement, especially among companies operating critical infrastructure or manufacturing volatile products, that coordination among the agencies themselves is crucial.

Appendix: About the Sample

Senior security executives were interviewed online from October 2002 through February 2003. Separate questionnaires were developed for security directors, risk managers, and IT security officers, and were targeted at the senior executive responsible for each of those functions in a given company. The samples comprise 199 security directors, 52 risk managers, and 80 IT security officers.

Over 50 percent of each sample was derived from companies with $1 billion or more in annual sales, roughly the cutoff for inclusion in the Fortune 1000. In the sample of security directors, there are 110 companies above $1 billion in sales and 88 below. In the sample of risk managers, there are 28 companies above $1 billion in sales and 24 below. In the sample of IT security officers, there are 53 companies above $1 billion in sales and 27 below.

Following the usage of the U.S. Department of Homeland Security, critical industries are defined as the following: transportation; energy and utilities; financial services; media and telecommunications; information technology; and healthcare. Remaining industries are classified as non-critical. There are 96 companies from critical industries and 103 from non-critical industries in the sample of security directors. There are 24 companies from critical industries and 28 from non-critical industries in the sample of risk managers. There are 38 companies from critical industries in the sample of IT security officers, and 42 from non-critical industries.

Multinational companies are defined as companies that derive 10 percent or more of their sales from overseas. All other companies are defined as domestic. There are 77 multinational companies and 97 domestic companies in the sample of security directors. There are 25 multinational and 25 domestic companies in the sample of risk managers. There are 42 multinational and 34 domestic companies in the sample of IT security officers.

Respondent companies were classified into regions according to the ZIP code of their headquarters location. Companies in the Boston, New York, Philadelphia, and Washington metropolitan areas were classified as Northeast Metro; companies headquartered in the United States outside these areas are classified as “Rest of United States.” Companies headquartered outside the United States were omitted from this particular classification. There are 57 Northeast Metro respondents in the sample of security directors, and 130 from the rest of the country. There are 12 Northeast Metro respondents in the sample of risk managers, and 35 in the rest of the country. There are 16 Northeast Metro respondents in the sample of IT security officers, and 62 in the rest of the country.

The Conference Board, Inc. 845 Third Avenue New York, NY 10022-6679 United States Tel 212 759 0900 Fax 212 980 7014 www.conference-board.org

The Conference Board Europe Chaussée de La Hulpe 130, box 11 B-1000 Brussels Belgium Tel 32 2 675 5405 Fax 32 2 675 0395 www.conference-board.org/europe.htm

The Conference Board of Canada 255 Smyth Road Ottawa, Ontario K1H-8M7 Canada Tel 613 526 3280 Fax 613 526 4857 www.conferenceboard.ca

© 2003 by The Conference Board, Inc. All rights reserved. Printed in the U.S.A. ISBN No. 0-8237-0799-7 The Conference Board and the torch logo are registered trademarks of The Conference Board, Inc.

This document is printed on recycled paper.