Although the Cold War was a time of terrible threat, it also marked an era of stability and prosperity. Security was the province of the military, and companies concentrated on the growth that led the West to decisive economic victory in the Cold War.
Today, industry is the target, and the enemy lives among us. As much as 75 to 80 percent of the cyber-security crimes for business today are internal, not external.
The terrorist attacks of September 11th have clearly pointed out the fine line between the benefits of greater openness and networking among individuals, institutions and nations, and the corresponding heightened exposure to risk.
In particular, the attacks demonstrated a vulnerability to "interdependence risk" -- a new kind of discontinuity that is of special importance to the high-tech industry. Interdependence risk is the potential for ostensibly small events -- a rogue computer hacker, a trader improperly covering derivatives trades, a fire in a supplier's factory -- to spiral rapidly into company-threatening crisis.
Protecting against interdependence risk takes more than installing appropriate technologies, buying the right insurance policies, protecting data networks, and guarding critical infrastructure. It requires the integration of organisational security and corporate strategy. This not only lessens risk exposure, but also secures opportunity, thus maintaining business resiliency (the combination of continuity and conditions for growth).
To create business resiliency, a security regimen must be framed around three primary goals:
- Securing people Reducing the vulnerability of individuals in the company and the fear that vulnerability generates.
- Securing the core business Protecting critical operations and facilities, to accommodate and adapt to traditional events as well as new kinds of discontinuities.
- Securing the networks Preserving the open information systems, supplier links, alliances, customer relationships and knowledge that are necessary to the functioning and growth of the modern corporation and the economies it comprises.
The third point is especially critical for the high-tech industry, where no organisation is an island. Each is exposed to the vulnerabilities of the participants in its network, whether those participants are a company's own employees -- or even the employees of a supplier's supplier.
Securing against discontinuities in the extended network is no longer a foreign concept. About six years ago, IBM created a Missions Relocations process, which facilitates the shift of manufacturing operations around the globe within 90 days. Among other benefits, this capability allowed IBM to move production of chips used by the defense industry rapidly from Germany to the United States following the September 11th attacks.
However, understanding the need for resilience within the extended network is still not routine at most companies. The peril for the unprepared can be profound -- as can the opportunity for ready competitors.
Consider the differing responses of the Nokia Corporation of Finland and Telefon AB L.M. Ericsson of Sweden when a fire at a Koninklijke Philips Electronics NV semiconductor plant in New Mexico disrupted chip supplies. Nokia officials noticed a hiccup in the product flow even before Philips informed the company of the problem, and had its chief supply troubleshooter on the case immediately. Within two weeks, the company patched together a solution. They redesigned chips, accelerated a project to boost production, and used the company's clout to get more chips from other suppliers. Ericsson, with fewer safeguards built into its supply network, moved more slowly and came up short of the supply needed. Nokia gained three share points. Ericsson lost the same, and ultimately exited the handset market.
What can high-tech companies do to better protect the enterprise? In summary:
- Recognise your interdependence Interdependence risk may be the single greatest threat to the enterprise.
- Integrate security and strategy While risk is stove-piped by nature, security cuts across operational, financial, as well as information issues. When achieving this integration, firms not only lessen their exposure, but can also obtain lasting competitive advantage.
- Put security on the CEO agenda Tightening up operating procedures is not enough to adapt to future threats -- security has to be internalised at the CEO level. The CEO is in the best position to understand the interdependence of direct risks -- to personnel, physical properties and equipment and information, and indirect risks -- to business markets and channels, supply chains, or external infrastructure.
The payoff for taking a strategic approach to security transcends protecting against cyber-attacks. By recognising and dealing with interdependence risks, companies not only reduce risk exposure, but also secure opportunity through enhanced business resiliency.
Retired Vice Admiral Mike McConnell is a vice president at Booz Allen Hamilton, and former director of the National Security Agency. He can be reached at mcconnell_oped@bah.com.
