Dr. Daniel Ostergaard

    In the previous edition of this publication, our security article considered the importance of South Carolina firms developing comprehensive corporate security programs.  Within the context of security and preparedness, understanding and managing risk is paramount. In the context of security risk, we then outlined three elements that business professionals must consider: threats, vulnerabilities, and consequences. Whereas the previous article focused on threats, this article focuses on vulnerabilities and consequences as part of a planning process resulting in resource allocation decisions and which side of the balance sheet we need to apply those decisions.

Since the tragic events of 9/11, a great deal of the burden for implementing national security strategies have fallen on the private sector.  The first Secretary of Homeland Security, Tom Ridge, used to say, “The homeland is not secure until the hometown is secure.” Never have truer words been said.  But as public sector assets were repurposed for other missions and/or new security protocols have been implemented over time, the expanding role of the private sector in security enforcement has raised serious issues about where on the balance sheet security investment should go. Firms have asked for years: Is security an investment? Is security an asset or a liability?

While conducting interviews for research on the long-term impact of 9/11 on business, one of the interviewees made the following statement: “Security is an expense in the sense that tightening security makes it harder for the bad guys and businesses pass on that cost to their customers…. But it is also an investment as we are hardening our vulnerabilities. So it is probably a little of both… What is it that we want? As a society, what is it that we want? We want our flights to be more secure but we don’t want to take our shoes off… we want to be safe in movie theater but you don’t want to see a policeman at the ticket booth…What is it that the public wants?”

What exactly does the public want versus what the firm is prepared to secure? Questions have also begun to surface about the sustainable competitiveness for firms investing in security versus those that do not. On the one hand, if a security incident were to happen, those firms that had prepared might fare better than those that did not. On the other hand, if Firm X did not prepare and nothing happened, it stands to reason that Firm X could have better utilized the fungible nature of unspent security dollars and invested them in other types of investment (e.g., R&D, marketing, and so on).  Does this give the firm that did prepare and spent the money on security a disadvantage if nothing ever happens?

Some of these questions get at the very nature of the role of the firm versus the role of government. We will explore this relationship in next month’s article. But for now, we will focus on asset allocation.

Once we have a thorough (and if not thorough, at least insomuch as is possible) understanding of the myriad threats facing us at any given time, we must then assess our firm’s vulnerabilities.  After all, no one will know our firm’s specific vulnerabilities better than the firm itself. This requires us to be honest with ourselves in terms of vulnerabilities and to better understand which of these vulnerabilities might become serious liabilities farther down the road.

Any time we develop something akin to a list of vulnerabilities we must be cautious in how we store the list and who has access to the list. Obviously, actual vulnerabilities represent potential exposure both from those who might do us ill or for commercial exploitation from competitors.  Decide in advance how you plan to store this type of information if at all. Again we have witnessed “impenetrable” databases hacked and data stolen and having your firm’s specific list of vulnerabilities in the public sphere would be undesirable to say the least. Do you store a list of vulnerabilities in the cloud or do you keep hardcopies of files?  Regardless, if you use computers to create and transmit the information to be printed as hardcopy, electronic files still exist (or at least did exist). Deleting files from your computer is likely not as easy as simply clicking delete. Be sure to understand your firm’s policy on permanent deletion of electronic files.

When considering vulnerabilities, do not limit yourself to only your own firm’s assets.  Consider the broader world around you as well. Critical infrastructure, limited ingress and egress routes, or proximity to other more vulnerable targets may severely impact our own operations as well.  It is often said that 85 percent of the critical infrastructure in the United States is owned or operated by the private sector. Critical infrastructure, defined by Presidential Policy Directive (PPD-21), “…provides the essential services that underpin American society,” according to the U.S. Department of Homeland Security. Thus, when considering your firm’s vulnerabilities, we must bear in mind those services and partners that we rely on in order for our firm to function. Catastrophic incidents with water or electricity may have a cascading effect on us. Hence, the need to consider and think about your firm’s vulnerabilities. Where might your firm be vulnerable?

Understanding the threats and the vulnerabilities that we face, we then consider the consequences. In a perfect world with limitless resources, we might be able to ensure our firm’s security with some degree of assurance. However, due to limited resources and, perhaps, limited knowledge available, we generally need to prioritize allocation of security assets. As we begin to consider resource allocation, we must weigh the marginal benefits versus the age-old security dilemma:  how much is enough? Are the consequences so high and so likely for any given/vulnerability combination that we need to consider redundancy or even change how we do business? As in any business enterprise, constant adaptation and evolution is necessary to maintain sustainable competitive advantage. This is no less true when it comes to security. It is quite possible that the security plan your firm created in October 2001 is no longer valid. Do you face the same threats today? Have your firm’s vulnerabilities changed or has reliance on changing critical infrastructures exposed you to new vulnerabilities that you might not have had a decade ago? All of this points to a dynamic and living process requiring constant evaluation, planning, allocation, and exercising.