Corporate Security - A Retrospective from 9/11
By
James L. Fowler, Director of Security, Unilever, New York, USA

The past year has had a significant impact on all aspects of the security profession. Indeed, it is only necessary to scan the book review section of your local newspaper to become aware of the plethora of publications which point at providing a meaningful and insightful perspective on the calamitous events of last September. My particular city has the New York Times and while I do not wish to be parochial, the tabloid of the primary target provides an extensive reading list if one cares to examine the new offerings on terrorism and the 9/11 attack.

As you might expect, the increase of new publications has brought with it a wealth of previously unidentified experts. In addition virtually all organizations of any stature, be they governmental, quasi-governmental or private sector associations, have felt compelled to develop a list of maxims for their constituency. Further, there has been a change in the national psyche with respect to security which may fairly be attributed to the 9/11 attacks. The corporate opinion climate with respect to security augmentation has changed dramatically following September. Indeed, with the passage of a year, there is concern that the appropriate level of awareness might wane - absent further manifest demonstrations of the new reality of terrorism.

All across the U.S. there has been a concern over the balance between adequate security and individual liberty. The goddess who holds the scales of justice (Justitia) is by legend and tradition blindfolded. The question has arisen whether she will have to improve her vision and thus decrease her impartiality if our national liberty is to be maintained.

This paper wishes to examine steps taken by corporate security during the past twelve months to enhance security posture in the private sector while the federal government was preparing to undertake the largest reorganization in its history - in the name of homeland security.

The National Scene

The Department of Homeland Security, a Cabinet-level superagency that will combine twenty-two separate federal agencies, was signed into law on November 25, 2002. The new entity will have 170,000 employees and bring together such agencies as the Immigration and Naturalization Service, the Secret Service, The Customs Service, the Federal Emergency Management Agency (FEMA); the Transportation Security Administration and the Border Patrol*. The President initially resisted calls to establish a homeland security department but changed his mind during the summer as criticism mounted on the performance of US intelligence agencies before the September 11, 2001 attacks.

The function of this new department will be to analyze intelligence on terrorist factions and match it against the nation's vulnerabilities, develop new technologies to detect threats, coordinate the training and funding of state and local police and fire departments, while at the same time scrutinizing US borders and ports of entry. This is the largest reorganization of the US Government since the passage of the National Security Act of 1947 under the administration of President Harry Truman which brought into being the Department of Defense, The Central Intelligence Agency and the National Security Council. This legislation further delineated the CIA's role in foreign intelligence gathering and the FBI's role in domestic law enforcement. It should be noted that these two organizations are not included within the Department of Homeland Security.

Governor Tom Ridge (formerly the chief executive of the Commonwealth of Pennsylvania) will take office on January 24, 2003. By March 1, a number of component agencies will be transferred to the new Department and according to plan, all the agencies will be merged by September 2003. It is fair to point out that this is a mammoth task which necessitates the melding together of federal organizations with unique and at times conflicting mandates, traditions and cultures. Whether or not this ambitious schedule of implementation will become a reality is best left to Washington governmental columnists, all of whom offer various prognostications to their readers. My personal view is that despite the fine efforts and good intentions of the planners and those charged with the plan's execution, the time constraints are not realistic. The organization will thus experience both a cost and time overrun.

*The Washington Post 26 November 2002, p.18 

The Corporate Scene

Events of September 11 not only put in motion major governmental reorganizations set forth above, but also affected the practice of security in general and within corporations in particular. Prior to the attack, most security functions played a consultative role by advising the line managers on risk evaluation and the appropriate steps to mitigate security vulnerabilities. Depending on the political clout of the security function, the nature of the risks faced by the corporation itself, these recommendations were acted upon in part or not at all. Since security or audit reports seldom made it to the executive level or board of directors, line personnel generally accepted observations based on what they determined they would endure from a cost or operational standpoint.

What then has changed? The simple answer might well be "everything" but from a business planning and implementation perspective the specific factors include:

• Domestic security in the territorial US can no longer be assumed
• War is being waged by, and against, "non-state" actors
• The potential scale of disaster has expanded from single buildings to entire business districts
• Biological weapons are now a reality
• Major disruptions in transportation systems and supply chains have occurred
• Major disruptions in telecommunications and mail systems have occurred
• Information management systems and the Internet are potentially vulnerable
• Employees, customers and communities have become extraordinarily sensitive to security issues*

*"Corporate Security in a Time of Crisis"
Cavanaugh and Bennett, Nov. 2001

What implications can be drawn from these changes? One view suggests that the old adage "security is everybody's business" is now the new business reality. Today's risks are not only greater than before but are also much more difficult to anticipate, quantify and plan for. The tragedy of September 11 underscores the need to integrate security management throughout business operations. Security is no longer the province of a discrete functional unit that is called upon to deal with temporary emergencies and otherwise left alone. Security must be regarded as essential to the management process and to the continued viability of corporate operations.

Security Directors must ensure that:

• Current security operations are adequate to protect their business
• Existing capabilities can accommodate the increased level of potential risk
• Security assignments and contingency plans are fully understood
• Those accountable for results have the tools, resources and authority they need to execute their security responsibilities*.

As with all business considerations, there remains the question of cost. September 11 brought with it a new climate of understanding with respect to the mandate for adequate and effective security. It is necessary however to identify expenditure which is required as distinct from that which is superfluous. Those charged with this responsibility must draw the line. A fair guide can be found by examining whether the cost of foregoing security is greater than the cost of providing it. This, however, is easier to articulate than to estimate. But irrespective of the difficulty, the challenge is real and must be met.

* "Corporate Security in a time of Crisis," 
Cavanaugh and Bennett, Nov. 2001