Corporate Security Management Organization and Spending Since 9/11
Total Page:16
File Type:pdf, Size:1020Kb
research report Corporate Security Management Organization and Spending Since 9/11 Today, security is more than just locking the door behind you. Many expected a movement toward strategically aligning functions like physical protection, risk management, and IT security under a Chief Security Officer. But senior security executives report that we are seeing an evolution - not a revolution - in how companies manage corporate security. R-1333-03-RR The Conference Board creates and disseminates knowledge about management and the marketplace to help businesses strengthen their performance and better serve society. Working as a global, independent membership organization in the public interest, we conduct research, convene conferences, make forecasts, assess trends, publish information and analysis, and bring executives together to learn from one another. The Conference Board is a not-for-profit organization and holds 501 (c) (3) tax-exempt status in the United States. About the authors About this report Thomas E. Cavanagh is a Senior Research Associate in Global The study was sponsored by ASIS International. Senior security Corporate Citizenship at The Conference Board. Since September executives were interviewed online from October 2002 through 2000, he has been directing TCB e-Surveys, The Conference February 2003. Separate questionnaires were developed for Board’s newly formed unit offering online survey research security directors, risk managers, and IT security officers, and services to commercial and non-profit clients. While at The were targeted at the senior executive responsible for each of Conference Board, he has authored Community Connections: those functions in a given company. The samples comprise 199 Strategic Partnerships in the Digital Industries, a study of security directors, 52 risk managers, and 80 IT security officers. corporate partnerships to overcome the “digital divide,” and Over 50 percent of each sample was derived from companies Corporate Community Development: Meeting the Measurement with $1 billion or more in annual sales. This information was Challenge, a study of the returns on corporate investments in supplemented by in-depth case study interviews conducted community economic development projects. He was the lead with senior security executives at four major corporations. author of After September 11th: The Challenge Facing American For a complete breakdown of the survey sample see Appendix: Business and of The Conference Board’s series of Executive About the Sample. Action Reports on Corporate Security in a Time of Crisis. Meredith Armstrong Whiting has served as The Conference Board’s senior research fellow, government affairs, since 1987. About ASIS International She authors research on topics relating to public policy, ASIS International is the preeminent organization for security environmental issues, and corporate citizenship, and organized professionals, with more than 33,000 members worldwide. ASIS the Board’s first council for chief environmental, health, and is dedicated to increasing the effectiveness and productivity of safety executives. security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s number one magazine - Security Management - ASIS leads the way for advanced and improved Chuck Mitchell editor Peter Drubin design security performance. To learn more about ASIS go to Pam Seenaraine production www.asisonline.org Corporate Security Management Organization and Spending Since 9/11 by Thomas E. Cavanagh with the assistance of Meredith Whiting contents 4 Key Findings 5 Organization and Spending 6 Patterns of Organization 6 Security Directors 8 Risk Managers and IT Security Officers 10 Accountability is Widely Dispersed 11 Salary Levels 12 Staffing Levels 15 The Chief Security Officer Position 16 Authority and Financial Resources 17 Changes in Accountability 18 Case Study: Emergency Response at Duke Energy 19 Creating the CSO Position 23 Spending on Corporate Security 24 A Permanent Increase in Spending 25 A Modest Increase Overall 27 Case Study: Consolidating Security at Avaya 28 Security Spending in the Northeast 28 Smaller Companies Bear a Larger Burden 30 The Cost of IT Security 33 Case Study: IT Security at Unisys 34 The Soaring Cost of Risk Management 35 Changes in Insurance Coverage 36 Risk Management as a Line Item 38 A Methodological Note on Risk Management Data 39 The Costs of Terrorism 40 What Security Executives Worry About 42 The Desirability of Dispersing Facilities 44 Case Study: Crisis Management at Air Products 45 Threats to IT Security 47 Lessons Learned 50 Appendix: About the Sample Corporate Security Management: Organization and Spending Since 9/11 The Conference Board 3 Key Findings Corporate security has become a high-profile issue since the events of September 11, 2001 exposed America’s vulnerability to terrorist attack. Because roughly 80 percent of America’s critical infrastructure is managed by the private sector, corporate security managers have an essential role to play in the protection of key industries and the people who work in them. In the wake of September 11, many companies reviewed their security operations. The events of that day made clear that security was not merely a matter of protecting employees and facilities from physical harm. A terrorist attack on a major business district could disrupt operations, inhibit travel, snarl supply chains, and pose major strategic issues for the conduct and even the survival of a multinational business. CEO’s were often dismayed to discover that the security function was highly decen- tralized and widely dispersed through their companies’ management structures, mak- ing accountability and coordination difficult. Some observers expected that there would be a widespread move in corporate America toward centralizing the security function under the control of a Chief Security Officer reporting directly to the CEO. This has not been the case. While there has been some movement toward greater coordination of the security function since 9/11, it remains decentralized in most companies. In general, we are seeing an evolution, not a revolution, in the manage- ment of corporate security. 4 Corporate Security Management: Organization and Spending Since 9/11 The Conference Board Organization and Spending Key findings from the survey show: Organization of the Function Spending Patterns • The process of security management is only • Corporate security spending has clearly beginning to evolve into a strategic business increased since 9/11, but the increases function in corporate America. At present, have been unevenly distributed. About half of security issues are generally divided into three companies report a permanent increase in the separate silos (physical protection, risk level of security spending, with companies management, and IT security) with distinct in the critical industries leading the way. accountability and reporting relationships. • The median increase in total security • Despite having strategic implications for spending is only 4 percent, but this figure business management, security is still being disguises a wide range, with 7 percent of treated as an operational concern by most companies stepping up their security spending companies in the United States. The traditional by 50 percent or more. Larger, multinational emphasis on physical protection is reflected in companies report larger increases than smaller, the recruitment of security directors from law domestic companies. However, smaller enforcement and the military. companies pay a larger share of their sales volume for security. • High-level reporting and accountability are still the exception rather than the rule in • Insurance and risk management is the area corporate security management. It remains to be showing the most dramatic increase in spending, seen if the usual ways of doing business will with a median increase of 33 percent. Fully one- prove adequate to the challenge of managing fifth of companies report that their spending on corporate security in an increasingly threatening insurance has at least doubled since 2001. The international environment. increase in insurance costs has been concentrated among companies in the critical industries. • Centralization, coordination, and strategic management of the corporate security function • In terms of salary and executive level, are still relatively unusual. While one-quarter of IT security is the most prestigious security companies have a Chief Security Officer, most portfolio, although it is often simply an of the remainder do not appear to have much extension of the IT operation. Risk management interest in creating the position. is generally part of the financial management of the company. The position of security director is the lowest-ranking and tends to be focused on issues of physical protection. Most security Defining critical industries executives serve below the vice presidential level and earn less than $150,000 per year. Following the usage of the U.S. Department of Homeland Security, critical industries are defined • Companies in the Northeast Metro region are reporting