Ben Gianni Discusses Homeland Security
The following article is from the September 2002 edition of Smart Business: Strategic Insight from CSC.
The events of September 11, 2001 sent shockwaves through the United States and beyond, and pushed security to the top of the boardroom agenda. In an interview with Smart Business editor Jo Reeves, Ben Gianni, vice president of Homeland Security at CSC, discusses the impact on risk management one year on.
Smart Business: In which areas were companies least prepared in the wake of September 11?
Ben Gianni: Many companies and government agencies had inadequate disaster planning and recovery planning. Some had disaster recovery sites for systems but had no means of getting the personnel identified in the plans to staff them. Telecommunications had broken down, and there was no way of getting hold of the staff. This highlighted the fact that the availability of information and the ability to communicate during the first few minutes and hours of an event is critical to effective response. The enormity of the crisis was also something that many companies had not, or could not have, anticipated.
While they may have had disaster plans that meant they could continue to function, the same may not have been true for their customers’ or suppliers’ operations. This ripple effect adversely impacted a lot of companies.
Smart Business: How did existing crisis management plans stack up?
Ben Gianni: A lot of companies and government agencies used Y2K or other disaster plans. In many cases, plans stacked up better when routine testing and exercises had been carried out, and the plans continuously improved as a consequence. But prevention is still a better option.
Smart Business: What were the lessons learned?
Ben Gianni: September 11 was a monumental example of a new type of threat facing companies. Asymmetric threats (threats posed by independent groups based in multiple locations which are not state-sponsored) are evolutionary and difficult to anticipate or predict. It is important to understand the particular nature of the asymmetric threat - who is behind it, what their tactics are, the kind of weapons they use, and the impact of any disruptions, whether economic or physical. Coupled with that, we need to look at the opportunities presented to these groups in terms of existing vulnerabilities.
September 11 highlighted the need for a new approach to analyzing information to deal with weapons of mass destruction or threats to critical infrastructure or people. It proved that vulnerabilities must be systematically identified and resolved as an ongoing process - regardless of the probability of them occurring - if the impact to the organization will be high. We also need new methods for analyzing threats and vulnerabilities, especially in areas of shared responsibilities between partners, suppliers and interoperating organizations.
Judicious sharing of information is absolutely vital. The private sector has to learn to be more comfortable with sharing information with the government and vice versa. Such co-operation is crucial because the private sector owns and operates 95 percent of the US’s critical infrastructure. Some progress has already been made on this front. We’ve become more active in finding ways, be it through new legislation or just more familiarity with each other, to be able to share even more information even faster. Finally, many architectural lessons were learned regarding making buildings and escape routes and procedures more effective. But there is still more to be done.
Smart Business: Having watched events in the US, what should be on the minds and on the agendas of CEOs in the UK and Europe?
Ben Gianni: Companies must treat security as rigorously as any other business undertaking. They must continuously evaluate risk, loss, liability and disruption analytically to make sure that proper attention is effectively placed.
Smart Business: September 11 was clearly an exceptional incident. How exposed are companies really?
Ben Gianni: No single measurement exists to support an answer to this kind of question. By the nature of their lines of business, some organizations are obviously more exposed than others, for example, public utilities that own or operate parts of the national critical infrastructure, which are difficult to hide or difficult to protect. These companies have to work with government agencies to produce strategies for threat alerts and incident response activities.
The other point is that exceptional incidents have direct and indirect effects on companies by virtue of their consumers’ reactions to the incident over time. This makes it even harder to measure.
Smart Business: Do the greatest threats come from within or outside an organization?
Ben Gianni: The way that people use technology within an organization still creates the greatest vulnerabilities to the technology infrastructure, and yet this is the area that companies overlook the most. Employees who don’t use hard-to-crack passwords, and who treat that responsibility casually, become a threat without meaning to do harm. All companies should have proper procedures and policies with reporting programs to define allowable and unallowable processes and activities. Yet a survey conducted by CSC just before September 11 revealed that IT executives from around the world saw "eliminating systems vulnerabilities to minimize risk" as only their fifth highest priority.
Smart Business: What are the kinds of threats they face? Does it all come down to secure information and IT?
Ben Gianni: The protection of people, information, and infrastructure is an ideal way to view the subject of risk management. IT can’t function without personnel, and neither IT nor personnel can be effective without some minimum level of working physical and logical infrastructure. The three do not operate in a vacuum. There is a greater level of interdependency between companies today, and an extended assessment of risk externally as well as internally would be wise.
Smart Business: Prevention is clearly better than cure. What can companies do?
Ben Gianni: There are a number of steps to take, but the most important point is to treat risk management as a business issue, not simply a cost. Beyond that, there are four key points. Identify a model for information risk management within the enterprise. Once identified, value and prioritize assets, operating capabilities and processes in an analytical way, according to that model. How much protection is enough is a very difficult question to answer, but quantitative security service measurements do exist, and should be used to help assess whether existing risk management procedures are adequate. Have specific activities geared to personnel, information, and infrastructure protection and assign to each one specific deliverables, metrics and benefits. Include incident responses to all vulnerabilities and practice the responses periodically. And don’t sit back at that stage. Analyze the results and implement the necessary changes to ensure that improvements are made.
Companies should take a thorough and systematic approach to the above. Quick fixes and checklist approaches will leave an organization vulnerable. A determined criminal or terrorist will be patient, flexible and creative in finding the opportunity to pose a threat.
Smart Business: CSC’s Homeland Security has worked for both the government and commercial sectors. Do the same principles apply to both?
Ben Gianni: We do business with virtually every department and agency of the federal government as well as many Fortune 500 companies. Yes, both have commitments and obligations to sustained performance of critical services. Many of the lessons learned are the same. We have implemented enterprise risk management programs, physical assessments, analyses of threats, analytical assessment of vulnerabilities, and trained personnel in both public and private organizations. Although people are taking the message seriously, the problem remains the same - getting sufficient funding for security work. There is never enough money to do the work we all agree needs to be done. Companies and governments must view information and physical security as a strategic business issue, not an add-on cost factor. But at least the issue has risen up the agenda.
Smart Business: The nature of threats companies face is constantly evolving. How can they keep up?
Ben Gianni: We tell our customers to examine their organizations from the perspective of a determined, patient and flexible threat. Their identities and motives are not necessarily important. CSC’s holistic approach to protecting our clients’ people, information and infrastructure prepares our customers to deal with the unexpected. There are also analytical tools and subject matter experts for analyzing asymmetric threats. The application of these tools sometimes produces very cost-effective strategies for how to transfer the burden of operations onto the threat and make it more difficult to act. This is an extremely effective strategy to help create deterrence and increase preparedness and more effective response.
Smart Business: What new technologies are available?
Ben Gianni: It is not so much a question of creation of new technologies as effective enterprise solutions that allow the creative integration of existing technologies. Organizations also have to adapt and change to allow the technology to be effective. An example is biometrics. Various forms have existed for some time, but the effective application of biometrics in real world environments - such as security, privacy and commerce in multi-organizational settings - is still a complex issue.