Disruptions can be random, accidental, or intentional. Chapters 2 and 3 dealt with some of the methods for assessing and reducing the likelihood of random and accidental disruptions. Reducing the likelihood of intentional disruptions means increasing security. Efforts to reduce the likelihood of high-impact intentional disruptions involve several principles that, at their core, are as applicable to reducing the likelihood of a damaging theft, or a computer virus, as they are to reducing the likelihood of a successful terrorist attack. The specifics and the intensity may differ, but many of the security principles are universal.
Left unattended for only a few moments, an American Airlines courier van parked at a loading dock outside Heathrow Airport in London was stolen just before lunch on Sunday, January 12, 2003. The van wasn’t holding a typical shipment of overnight parcels. It held a valuable consignment of Intel processors that had just arrived from Miami.
The thieves knew exactly which van to take and exactly which cargo in the van to remove; they took $7.5 million in high-end Pentium IV chips while ignoring the $2.5 million in low-end Pentium III chips also in the van. At several hundreds of dollars per chip,1 Intel’s fastest processors are worth their weight in gold. A 26-pound box of chips can be worth half a million dollars; a pallet can hold $10 million to $60 million, and a truckload holds hundreds of millions of dollars worth of chips at retail prices.2
But to add insult to the injury, many of the stolen chips were not simply sold to anonymous PC makers. Instead, they were first over-clocked and then sold. With chips, speed is money. Like other semiconductor makers, Intel marks each computer chip with its officially rated speed and sells it according to the marked speed. Counterfeiting the rating, by re-marking a few numbers on the back of an Intel processor, can add $100 to $200 to the sale price of the processor. This profit potential has attracted a steady stream of counterfeiters since computers became commonplace with the introduction of the Intel 286 processor in 1982. A string of arrests from Singapore to Europe to Australia to the United States has highlighted the magnitude of the problem.3 The added challenge for Intel is that running the chip at higher-than-rated speeds may cause frequent crashes and shorter chip life spans. Re-marked chips not only cannibalize sales of the higher-margin, high-performance chips, but they also create higher warranty costs because customers turn to Intel when these chips fail, and these failures can damage the brand’s reputation.
Intel’s supply chain stretches around the globe, including almost 300 corporate locations. Motivated by rising theft in the mid-1990s, Intel launched an initiative to reduce and eliminate the problem. It mapped its supply chain to identify all the places where chips could be stolen. To prioritize its security investments, Intel developed a “threat scoring model,” classifying facilities into three risk categories with the highest category getting the most attention.
With facilities secured, Intel turned its attention to its shipments because those shipments move outside of Intel’s control. It developed a process to assess the security of its suppliers’ premises and their security procedures; it began measuring freight carriers’ security and putting those metrics into its negotiated supply contracts; it insisted on background checks on drivers, because drivers are routinely out of reach of Intel’s controls; and it introduced “security through obscurity” by shipping its chips in plain unmarked boxes so that potential thieves don’t know that there is Intel inside.
To defeat counterfeiters, Intel implemented a long list of defensive measures. It replaced removable painted numbers with more permanent laser-etched numbers; developed retail packages with holograms and other hard-to-copy markings; and created software to detect any mismatch between the chip’s internal rating and operating speed. “Re-marking in the next year [2000] is going to be significantly more difficult than a year ago,” said Craig Johnson, a member of an Intel task force working to combat re-marking.4
As an added security measure, Intel changes the routing of its shipments at irregular intervals to make it more difficult to spot its distribution patterns. It has also instituted regular security drills to test the preparedness of its employees. Former Intel CEO Andy Grove named his book Only the Paranoid Survive.5 Grove may have been motivated not only by the need to keep on top of changing technology but also by such attacks on his company. In keeping with that philosophy, he instilled a culture of skepticism and wariness that promotes preparedness.
The overarching principle underlying all security measures is that they must work in concert with the company’s main mission—conducting business and making money. Because companies are run by executives who are charged with this mission, the challenge for security professionals is to “make the business case” for investments in reducing the likelihood of disruptions. The business case is easier to make when the investments are an integral part of the business, supporting and enhancing the main mission. In addition, the processes put in place are more likely to be followed and thus be more effective.
In the short term, a company’s risk profile is determined by the location of its facilities and the nature of its business. For most companies, these location decisions were made well before modern threats were a reality. As companies make such decisions today, many realize that they involve not only long-term cost and service levels but also new risk factors.
Based on its risk profile, a company should identify the possible disruptions and prepare a set of processes to reduce the probability of each one. These processes should be based on the following principles:
• Use layered and balanced methods.
• Separate the threats from the baseline activity.
• Collaborate and build partnerships.
• Build a culture of awareness and sensitivity to security.
• Drill, drill, and drill.
These principles lead to a set of defensive actions that overlap with and complement each other. After first outlining an example of a comprehensive security framework at work, the next section examines each of these principles in turn.
Boston’s Logan International Airport was the departure airport of the two Boeing 767s that struck the World Trade Center on September 11, 2001. Burdened with the responsibility for the weak security processes that allowed these two terrorist teams through, Logan’s managers were determined to turn the airport into a model of security.
To begin with, Massport, the agency that runs Logan, identified the ways in which the airport can be attacked, including attackers entering over a perimeter fence, posing as passengers, or impersonating airport workers. An attack could also include a bomb inside passengers’ luggage or an assault on the airport terminals themselves.
The next step was to prepare a layered defense against each one of these modes of attack. The first one was a possible entry through the airport’s perimeter. Since the airport abuts private homes on one side and the busy waters of Boston Harbor on the other, the standard security approach of setting a “clear zone” beyond the airport perimeter was not feasible. Instead, the airport decided to enlist the people who conduct normal business outside its perimeter as the first layer of the defense team. Massport asked the people who know the environment best—neighboring homeowners and fishermen—to report any suspicious behavior to the airport authorities; they even gave cellphones to clam diggers. As a second layer of defense and detection it installed smart surveillance equipment, consisting of motion detectors and remote monitors, so a perimeter breach can be identified immediately.
But the security needed to be balanced. Protecting against a perimeter breach alone would only mean that perpetrators would try to find another way to enter the airport. To forestall entry to the airport as part of the stream of passengers, the detection procedures start when the passenger books the flight. The passenger’s name (including spelling variations) and billing information are checked against airline databases and FBI information to identify profiles of risky travelers requiring more in-depth checks.
As in other airports, police patrols do not allow any vehicle to park unattended at the terminals’ curbsides. The state police at Logan also routinely alter the traffic flow patterns throughout the airport to make it more difficult to plan an attack. In addition, Logan police officers patrolling the curbsides and terminals were trained in behavior pattern recognition, designed to identify people who may pose a risk. Officers were also trained in the proper approach and questioning of suspicious passengers. A scaled-down version of this training was also given to the 15,000 employees at Logan and to 1,000 Transportation Security Administration (TSA) personnel working at Logan.7
The screening of passengers is augmented by TSA managers working the front of the security queue, looking for suspicious patterns. Additionally, special TSA teams conduct random checks of screened passengers at their gates. These teams not only introduce an element of uncertainty into any potential attack, but they also provide extra manpower deep at the heart of the terminals if a problem arises.
To make sure that their security measures do not interfere with the airport’s main mission, Massport scans all bags after they are checked in, rather than at the front of the airline desks. The reason is that such scanning can be more efficient and takes less time. Massport also invested in special operator training so luggage is not delayed unnecessarily and does not miss the plane. The goal is to support the main mission of the airport, which is moving people and their luggage efficiently from the curbside to the planes. With the same goal in mind, the airport also instituted a comprehensive quick response system, so it will not have to shut down the terminals if security is breached as a result of non-threatening carelessness or a mistake. For example, an arriving passenger may remember belatedly that something was left on a plane and rush back through an exit. In most airports, this would trigger a “total airport shut down” that would require re-screening of all the people in the airport. Such was the case in Atlanta Airport on November 16, 2001, when a football fan rushed past guards and down an “up” escalator to reach a flight to catch the University of Georgia game in Mississippi.8 On April 8, 2002, Cincinnati airport was shut down because of a screener’s mistake. Similarly, security officials ordered the evacuation of United Airlines Terminal 8 and two adjacent terminals in L.A. Airport and re-screened all passengers after a passenger got off a plane and went back into a secure area on September 4, 2004. Similar incidents took place in several other airports.9
Such procedures interrupt the entire airport for several hours, causing delays throughout the U.S. air transportation system. Instead, when such a security breach takes place at Logan, the airport managers come together immediately at the scene, review surveillance, and determine whether a shutdown is required, or if a more limited response will suffice.
More than forty agencies, airlines, and service providers with operations in the airport participate in the daily business at Logan. High-level representatives of all these organizations meet daily for a security briefing. The briefing covers current threats, new procedures, new personnel, and intelligence from outside sources.
In the winter of 2003, to prepare for the worst, the airport conducted a major disaster exercise, involving all the area hospitals, local emergency responders, and city and state officials.
Logan’s layered defenses are modeled after the scheme used in Ben Gurion Airport in Tel Aviv, modified to reflect the lower risk and the lower tolerance of the American public to privacy intrusions. To check arriving passengers, Israeli security starts with a checkpoint well before passengers and their companions enter the airport grounds, continuing with roaming security personnel watching the curbside. When entering the terminal all passengers are interviewed at special security stations before they are even allowed to approach the airline counters. Passengers pass through another checkpoint before getting to the police’s passport control station and then through the usual litany of metal detectors, X-rays, and hand screening checks. El Al, the Israeli airline, adds another layer of security with on-board trained air marshals on every flight, in case a hijacker should ever make it on board.
Following the principles laid out above, one can start thinking methodically about how to apply them in efforts to increase security and reduce the likelihood of high-impact intentional disruptions.
The immediate components of the supply chain for any company include its own sites—plants, warehouses, and offices. As mentioned above, strategic decisions such as where facilities are located determine much of the company’s disruption risk profile. Chapter 3 focused on assessing the likelihood of earthquakes and weather phenomena; such methods can be used to choose sites less likely to be disrupted by such events. Choosing a site that is less likely to be a terrorist target involves geopolitical considerations in the choice of country and region. Within any country, and within the United States, such considerations should include avoiding proximity to likely targets such as national symbols and important infrastructure components. Aon Re, the U.S. reinsurance arm of Aon Corp., demonstrates a potential client’s vulnerability to a terrorist attack by simply placing the company’s existing locations on top of a database of about 5,000 possible terrorist targets across the United States. “Most clients are shocked when they see the analysis,” says Michael Bungert, Aon Re’s chief executive.10
Choosing a location where unions are not dominant may increase the likelihood of harmonious labor-management relationships and reduce the likelihood of labor disruptions, particularly in industries characterized by a history of acrimonious labor-management interactions. Consequently, in 1993, the German automaker Daimler-Benz put its first U.S. factory in Alabama because of the low penetration of labor unions in that state. Alabama is a so-called “Right to Work” state, where unions cannot force workers to pay union dues. By 2004 the state hosted factories for DaimlerChrysler, Honda, and Hyundai, employing nearly 84,000 workers. Good labor-management relationships are important not only for avoiding strikes. In the context discussed here, labor can be the most important asset of a company; it can play a critical role in awareness and prevention. On the other hand, it also represents a crucial vulnerability—representing “the enemy from within.” Thus, security considerations add weight to employee selection and monitoring procedures already used by most companies.
Since a company lives within its supply chain, security and resilience considerations are important in the process of choosing trading partners, suppliers, transportation carriers, and other providers. Adding “external” considerations to suppliers’ choice, it should be noted, is not new. For example, after the technology bubble burst in the early 2000s, many companies required a review of the financial viability of software vendors before purchasing their products, in addition to the usual functionality, quality, pricing, and service considerations.
TAPA, a high-technology industry initiative described in chapter 8, includes a supplier certification program in its Freight Security Requirement document. The program is aimed mainly at certification of logistics suppliers, including trucking and warehousing companies. Insurance companies, such as the Chubb Corporation, help their customers choose “safe” suppliers by tallying the losses on various lanes of commerce and by each logistics provider. Similar processes, whether through industry consortia, insurance companies, or informal networks, can help certify and select all manner of suppliers.
Automobile companies design safety systems to ensure that a driver’s survivability in a head-on collision does not rely on a single defensive measure. Instead, the front of the car is designed to crumple and absorb energy, airbags are designed to inflate and cushion, and the seat belt is designed to stretch just enough to slow the forward momentum of the driver. (In addition, to avoid specific dangers, the engine block is designed to slide under the passenger compartment and the steering wheel shaft is designed to collapse.)
This is the principle of layered defense. It is based on a series of measures, each of which may work, say, only 75 percent of the time. The chance that four such independent layers will fail, however, is less than half of 1 percent.
Most security processes embed the principles of layering. Perimeter fencing, burglar alarms, closed-circuit television monitoring, and access control have become commonplace since 9/11 in many corporate locations. In addition, getting into most large corporate locations requires a pre-arranged appointment and an employee escort while on the premises. Similarly, safety measures for operating a chemical processing tank are based on several layers of safety devices and procedures such as pressure and temperature meters with shutoff valves, cooling mechanisms, overflow tanks, and water sprinklers.
Defensive measures, however, need to be balanced as well as layered. Investing in a highly secure front door to deter house burglars is not effective if the back door or the windows are vulnerable. Thus, a defensive scheme needs to address all disruption possibilities at a level commensurate with the vulnerability of the firm to these disruptions, including all potential random, accidental, and intentional threats.
Few companies need to have the same level of defense as an airport, a nuclear plant, or a food distribution center. But the principle of investing in layered and balanced defensive measures holds for all.
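The layering arithmetic and the front-door/back-door point can be combined in one small model. The following Python sketch is an added example, not part of the original text; the site, its entry paths and the effectiveness figures are constructed, and it assumes independent layers and an intruder who picks the least-defended path.

```python
from math import prod

# Constructed site model: each entry path lists the effectiveness of the
# layers an intruder must get past on that path (0.75 = works 75% of the time).
SITE = {
    "front_door": [0.75, 0.75, 0.75, 0.75],
    "back_door": [0.75],
    "windows": [0.75, 0.75],
}


def path_breach_probability(layers):
    """Chance that every layer on one path fails (layers assumed independent).

    A path with no layers at all yields 1.0: it is always open.
    """
    return prod(1.0 - effectiveness for effectiveness in layers)


def weakest_path(paths):
    """Return (name, breach probability) of the least-defended path."""
    scored = {name: path_breach_probability(layers)
              for name, layers in paths.items()}
    name = max(scored, key=scored.get)
    return name, scored[name]


def add_layers(paths, effectiveness, count, target=None):
    """Return a copy of `paths` with `count` new layers added, plus placements.

    With `target` set, every new layer goes on that one path (unbalanced
    spending). With `target` left as None, each new layer goes on whichever
    path is weakest at that moment (balanced spending).
    """
    updated = {name: list(layers) for name, layers in paths.items()}
    placements = []
    for _ in range(count):
        name = target if target is not None else weakest_path(updated)[0]
        updated[name].append(effectiveness)
        placements.append(name)
    return updated, placements


if __name__ == "__main__":
    print("four 75% layers fail together:",
          path_breach_probability([0.75] * 4))
    print("weakest path today:", weakest_path(SITE))

    unbalanced, _ = add_layers(SITE, 0.75, 3, target="front_door")
    print("3 more layers on the front door:", weakest_path(unbalanced))

    balanced, placed = add_layers(SITE, 0.75, 3)
    print("3 layers placed on", placed, "->", weakest_path(balanced))
```

Three extra layers on the already strong front door leave the site's exposure unchanged, while the same three layers spread over the weakest paths cut it sixteen-fold.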
The vast majority of events faced by companies are benign. To find the few that pose a threat, companies need to develop ways to differentiate between risky and normal patterns. For example, to secure their cyber space, corporate information technology managers use special applications that monitor Internet traffic. These programs single out viruses, hackers, and spy-ware, which move in irrational ways compared to normal traffic (e.g., rather than moving in the most efficient way, their circuitous flow is designed to hide their origin). When an attack is successful, its pattern is added to the library of aberrant patterns and disseminated, so that firewalls and virus-killer applications can identify the pattern and trap it. Similarly, spam detection software uses a “scoring” function to rate each incoming e-mail message and decide whether it should be classified as spam or as a legitimate message, based on such information as the subject line, sender profile, known spam originating servers, and match-up with stored spammer databases.11
Most other security measures (and, more generally, disruption-avoidance measures) are based, in one form or another, on recognizing abnormalities or “outliers” in an otherwise regular pattern. For example, it was the hesitant behavior of Ahmed Ressam when he tried to enter the United States at Port Angeles, Washington, on December 14, 1999, that attracted the attention of Diana Dean, a 19-year veteran U.S. customs inspector. “There was something in his eyes,” she said. When asked for further identification, Ressam tried to flee, only to be caught with more than 150 pounds of explosives12 stashed in the wheel-bed of the trunk of his rented Chrysler 300M and written plans for bombing Los Angeles International Airport.
Clearly, it would be unrealistic to expect every guard in an office building reception desk to be endowed with the intuition of a veteran customs service inspector. Yet normal patterns of behavior do exist for business operations and their surroundings—basically, people need to have a purpose to be in any given location or perform any given activity—and several companies have trained their entire work force to recognize people and activities that do not fit into the normal patterns.
An important use of pattern recognition in the context of supply chain management is in understanding the normal flow of shipments in and out of a company’s facilities. With today’s technology, most companies have some idea where their shipments are at any point in time. GPS-equipped vessels and trucks transmit their locations, and because the company’s databases contain information about which shipment is on which vessel or truck, the shipments can be followed through their predetermined shipping plan. Once a pattern of “normal” deviations from the plan is established and associated, for example, with severe weather or port congestion, outliers can be identified and investigated. In fact, existing supply chain visibility software applications are designed to perform this task automatically. The applications integrate the data from carriers and other logistics service providers into a system that can alert companies if their shipments are going to be late—an important function in the just-in-time world.
Another example of threat segmentation based on pattern recognition is the “profiling” of potential threats at airports. For example, El Al Airlines13 would generally pay little attention to a Hebrew-speaking Israeli passport holder who is a frequent flier traveling with his family. It would vigorously interrogate, however, a young foreigner traveling alone on a one-way ticket.14 The questions touch on trip purpose, history of activity and places of stay just before coming to the airport, names of associates who are traveling together and their relationships to the traveler, employment history, and more. The questioners listen to the answers but monitor the passenger’s behavior at the same time, looking for telltale signs of lying and nervousness.15
More generally, pattern recognition is the bedrock of all process control functions. Deviations from normal behavior in a manufacturing process or a shipping pattern can be detected by using well-developed statistical models of process control (see chapter 9).
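The shipment-tracking idea above, where a baseline of “normal” deviations is established per cause and outliers are then investigated, can be written as a simple control-limit check. This Python sketch is an added example, not part of the original text or of any visibility product; the lanes, cause labels, delay figures and the three-sigma threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, stdev

# Constructed baseline of past deviations from the shipping plan:
# (lane, recorded cause, hours late). All values are made up.
BASELINE = [("LANE-A", "none", h)
            for h in (0.0, 1.0, 2.0, 1.0, 0.0, 2.0, 1.0, 1.0)]
BASELINE += [("LANE-A", "weather", h)
             for h in (10.0, 14.0, 12.0, 12.0, 9.0, 15.0)]
BASELINE += [("LANE-B", "none", h) for h in (3.0, 4.0)]  # too short to trust

# Constructed new observations: (shipment id, lane, recorded cause, hours late).
OBSERVED = [
    ("S-1001", "LANE-A", "none", 1.5),      # ordinary small delay
    ("S-1002", "LANE-A", "weather", 13.0),  # late, but typical for weather
    ("S-1003", "LANE-A", "none", 13.0),     # same delay with no known cause
    ("S-1004", "LANE-A", "weather", 30.0),  # far beyond weather delays seen so far
    ("S-1005", "LANE-B", "none", 3.5),      # lane has too little history
    ("S-1006", "LANE-A", "none", -6.0),     # far ahead of plan is a deviation too
]


def build_limits(baseline, k=3.0, min_points=5):
    """Compute (low, high) control limits per (lane, cause) as mean +/- k*sigma.

    Groups with fewer than `min_points` records get no limits, so that a
    thin history cannot silently define what counts as normal.
    """
    groups = defaultdict(list)
    for lane, cause, hours in baseline:
        groups[(lane, cause)].append(hours)
    limits = {}
    for key, values in groups.items():
        if len(values) < min_points:
            continue
        centre, sigma = mean(values), stdev(values)
        limits[key] = (centre - k * sigma, centre + k * sigma)
    return limits


def classify(observation, limits):
    """Label one observation 'normal', 'outlier' or 'no-baseline'."""
    _shipment_id, lane, cause, hours = observation
    band = limits.get((lane, cause))
    if band is None:
        return "no-baseline"
    low, high = band
    return "normal" if low <= hours <= high else "outlier"


def triage(observations, limits):
    """Map each shipment id to its label."""
    return {obs[0]: classify(obs, limits) for obs in observations}


if __name__ == "__main__":
    limits = build_limits(BASELINE)
    for shipment_id, label in triage(OBSERVED, limits).items():
        print(shipment_id, label)
```

A `no-baseline` result is a prompt for manual review rather than a pass, and the cause label is only as trustworthy as whoever recorded it.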
A very important vulnerability results from complexity. As systems become more complex, they become more difficult to design and build, and it becomes more difficult to ensure that they operate properly without hidden exposures. In addition, outliers are more difficult to discern from the normal pattern of events when the underlying “baseline” events or transactions are complex. One of the most spectacular examples of complexity leading to a dangerous disruption was the September 23, 1998, collapse of Long Term Capital Management (LTCM). The hedge fund invested in derivatives so complicated that even some of the people at LTCM who created them, including economics Nobel Laureates Myron Scholes and Robert Merton, apparently thought they had a “sure system” and did not adequately defend against certain market risks.16
By themselves, most company security professionals cannot deal with intentional threats around the globe. Because the supply chains on which their companies rely span dozens of countries under a variety of regimes, companies need to collaborate with their local suppliers, customers, logistics providers, and other trading partners in order to be effective. Learning from other companies’ experience, and from the experience accumulated in various regulatory and law enforcement agencies, is also crucial for reducing the likelihood of accidents.
Working together with trading partners along the supply chain creates a safe and secure chain of custody for shipments. Working with other companies within the same industry, including competitors, leads to benchmarking and learning from others’ experience. And government agencies bring not only resources to fight terrorism, corruption, sabotage, and other crimes, but also a wealth of knowledge regarding proven processes.
Beyond all that, some firms collaborate with and “deputize” their own work force by creating a “security culture.”
After 9/11, Quaker Foods, a division of PepsiCo, awoke to the new importance of security. Realizing that locks and fences were no longer adequate, Quaker created an antiterrorism task force. “We didn’t know how to protect our plants from professional criminals who weren’t afraid to lose their lives,” said Steve Brunner, a former Quaker Oats executive who was a member of the facilities and distribution center antiterrorism task force. “The threat was different from anything we’d dealt with before.”17
Quaker wanted to do more than provide security against loss at each of its 11 facilities. It also wanted to prevent tampering with the Quaker food products that millions of Americans eat every morning. At first, Quaker implemented standard security measures such as reducing access points, requiring electronic badges, and moving parking lots further from buildings. Even so, the company felt that the new measures were not enough.
“We determined that the only way to make our total security plan successful was to harness the eyes, ears, mind, spirit and support of every employee,” said Dan Wombold, senior manager of HR and community relations for the Iowa plant. Workaday employees make useful extensions of a corporate security net. “They know who belongs and who doesn’t,” said Al Hartl, president of Retail Wholesale Department Store Union (RWDSU) Local 110, whose members make up roughly 875 of the 1,300 workers at Quaker’s Cedar Rapids, Iowa, plant.18
The key was plant-wide employee training that covered safety, identification of threats, and instructions on what to do about suspicious objects or people. Employees were told whom to contact about potential situations. Managers were trained to take seriously any security issues raised by frontline staff. Of particular concern was the etiquette of dealing with strangers. Because managers, engineers, or vendor representatives might have a legitimate right to enter different parts of the company, Quaker needed vigilance without confrontation. Thus, Quaker developed a training program for its employees on how to approach strangers.
A similar concern, rooted in law rather than etiquette, caused Logan Airport to clear its procedures for approaching strangers with the Massachusetts Attorney General’s Office and the American Civil Liberties Union. Logan managers wanted to make sure that they would not be seen as discriminating or encroaching on privacy rights when approaching suspicious travelers.
“The human side of security is the most important element,” Quaker’s Wombold said. “Instead of relying solely on security guards, we will have 1,300 Americans who are committed, observant, alert and will know how to handle any dangerous situation.” Quaker is not the only company to realize that security is everybody’s business. Bob Byrne, IBM’s director of security for product group support stated: “One very important distinction is that security in IBM is the responsibility of the process owners. It’s not IBM security who has a responsibility to execute on all of these security requirements.”19
Building a culture of security and involving employees in the task is something that labor and management can work on together, because their interests clearly coincide; this cooperation can lead to cooperation on other issues. Such improvement in labor-management relationships came about from the efforts undertaken by CSX and its unions to improve safety.
A particularly high accident rate led to a large number of injuries in the rail yards of CSX Railroad in the mid-1980s. The yards are particularly dangerous because they are large facilities in which giant locomotives and lumbering rail cars get assembled and disassembled over a vast maze of tracks. To combat the trends in injuries, the railroad initiated joint management-labor teams to investigate the problem, suggest solutions, implement them, and follow through. The teams came up with a slew of processes, from a “buddy system” where each worker was responsible for the welfare of another, to a campaign of safety and security that involved sending brochures and leaflets about safe workplace practices to employees’ homes, thus enlisting spouses in the campaign. The result was not only a marked reduction in accidents and injuries, but a much better labor climate in the tough union environment of U.S. railroads. In part, that improvement in the labor climate was attributed to employees’ spouses being impressed with the level of care the company exhibited toward its employees.
Better collaboration and trust between management and labor is particularly important for flexibility and resilience because it facilitates fast response. Trust enables either party to contact the right person for help, without needing to build confidence, establish a chain of command or verify authenticity. Creating trusting relationships between labor and management, however, is not always easy. Joint work to develop security and resilience is one mechanism for creating trusting relationships, which can extend to and benefit other areas of business.
One of the dangers of disruption avoidance measures is that they become routine. With the daily challenges of running a business, it is easy to relax and fall into a habitual pattern of security and safety procedures. The twin dangers of this trend are that employees become complacent, and that stable patterns are easy for malicious perpetrators to study and overcome.
The theft of the Intel Pentium IV chips at Heathrow in 2003 was clearly well planned and based on accurate information regarding the shipment routing and content. As mentioned before, some companies change their shipping patterns, using different carriers and different routes, in order to make it more difficult for would-be thieves, saboteurs, and terrorists to perpetrate an attack. Such changes not only keep the “other side” guessing, but they also serve to keep security personnel, and the rest of the company, more alert.
In commercial settings, however, firms need to balance the trade-off between the frequency of changing processes to avoid predictability and maintaining standard processes to achieve efficiency. Because it takes time for employees to learn, debug, and optimize a new process, frequent changes hinder efficiency.
Even when processes are not changed, it is important to reinforce continuously the existence of risks. Exercises, tests, and other events designed to reinforce security processes and a culture of vulnerability awareness should be used routinely. Quaker, for example, follows up its security training with randomized vigilance checks, such as putting a strange object or person in the factory and testing how long it takes for employees to notice. Winners of such checks are celebrated, further encouraging a cultural norm of security. More elaborate versions of testing how long it takes for employees to find an unattended package are the “Red Team” exercises mentioned earlier, in which a team of outside experts tries to penetrate the company’s defenses.
Not all attacks use brute force or technical feats of hacking. Attackers can leverage the system itself for malicious purposes by exploiting natural social tendencies. For example, when a leading UK retailer wanted to test its security system in 1998, it hired an outside expert to try to break into key facilities. A few weeks later, the expert delivered a series of photographs showing himself with his hands on the retailer’s main computer controls. With a flick of a switch, he could have brought down the entire company’s computer system.
To gain entry into these sensitive areas, the expert didn’t use a James Bond-like array of gadgets. Rather, he simply approached locked doors that he wanted to enter wearing workman’s overalls with his arms full of fluorescent lighting boxes and a confident smile on his face. The polite, helpful employees of the retailer opened the locked doors for him one by one, all the way to the heart of the data center.20
Businesses face many risks; the increased danger of terrorism is only the latest one. But antiterrorism security measures have been mandated by the government or added to the list of qualifications for doing business in some sectors. When security measures are added to ongoing business processes after the fact, or in response to a specific incident, they are largely ineffective and are viewed by operating managers as a hindrance. To be effective, security has to be “built in” as an integral part of business processes. Although such a goal may seem an added burden and detrimental to good business practices, two examples of integrating new requirements into business processes with great success may show the way. These examples, which were also viewed as hindrances at one time, are safety and quality.
The toll in lost life and limbs at manufacturing, construction, transportation, mining, and other industries during the first part of the twentieth century was horrific. Workplace accidents were commonplace and calls for safety measures by workers and their unions were met with howls of protest by executives who decried the added costs of such measures. During the twentieth century, however, unions won safer working conditions and many of their achievements were anchored into laws monitored by the U.S. Occupational Safety and Health Administration (OSHA) and the European Agency for Health and Safety at Work. More important, few business leaders today see safety as an added burden on company operations; their employees, the communities they work in, and the public at large have simply come to expect safe working conditions.21
To achieve safety, companies have followed a set of procedures aimed at identifying unsafe conditions: reporting, investigating, and learning from accidents; collaborating with authorities; and, most important, creating a “safety culture.” Such a culture entails the development of an atmosphere in which safety is everybody’s business—not the responsibility of the safety officer, the union, or the insurance company. Workers who report unsafe conditions and unsafe behavior should not be considered whistle-blowers but should rather be acknowledged and rewarded.
There are plenty of examples of companies that instituted a strong safety culture, like the “buddy program” adopted by the CSX Railroad for yard workers. Koch Petroleum Group in Pine Bend, Minnesota, for instance, introduced a behavior-based safety (BBS) system that included a set of tools and procedures designed to promote workers’ responsibility for their own safety, as well as for their peers’ safety. Additionally, the organization’s formal management systems and leaders’ management practices facilitate safety by recognizing and reinforcing appropriate behaviors.22 Ryder Systems Inc., the Miami-based logistics company, is striving to instill safety in everything it does. It starts every company meeting with a safety message, regardless of the participants or the topic of the meeting. ABF, the Arkansas trucking company, awards prizes and publicly recognizes safe driving by inducting safe drivers into its “million miles club” of accident-free driving. Organizations operating in high-risk environments, such as nuclear plants and air traffic control systems, have long worked to introduce safety culture into their operations.23
In the 1950s, Ford executives were famous for not disclosing where they worked to casual acquaintances in order to avoid the inevitable litany of complaints about the quality of Ford’s cars. For a long time, U.S. and European automobile companies were convinced that building quality into their product was simply too expensive. They believed that cars were sold based on looks and performance and that the trade-off between cost and quality indicated that quality was just not worth the investment.
In the 1980s, Toyota Motor Corporation turned this perception on its head using the principles advocated by Edwards Deming.24 Toyota demonstrated that it was feasible to build quality cars at low cost. One of the guiding principles of the Toyota manufacturing system was that doing things right the first time saved the costs of reworking flawed products, reduced the need for testing at every stage of manufacturing, cut the need to compensate unhappy customers, and decreased warranty and after-sales service. Furthermore, the public appreciated the reliability of Toyota cars, leading to meteoric sales growth for Toyota automobiles. This notion was popularized by Bill Crosby’s book Quality Is Free,25 which became the mantra of businesses all over the world.
The quality movement roadmap to security was not lost on several authors after 9/11.26 Focus on security measures can enhance the efficiency of the supply chain in the post-9/11 world just as the focus on quality enhanced efficiency. The quality movement has focused on building quality into the product rather than trying to inspect for defects later; it stressed process integrity so that if there is a problem on the production line, the line stops and the problem is corrected before multiple defective products would roll off the assembly line. Most important, it stressed that to build quality in products or services, the entire organization should be enlisted and be part of the effort. The security lessons are obvious: fighting problems at the source (for example, securing freight origins and departure ports); continuous monitoring for anomalies (for example, in shipping patterns and people’s behavior); and the development of security culture throughout the organization.
The success of the quality and safety movements was not limited to the introduction of new processes and new institutions. More important, these movements also succeeded in changing corporate attitudes and company cultures on a large scale. These changes suggest that such cultural changes are possible and point the way to how security can be enhanced.
Quality efforts, safety programs, and security processes cannot succeed if they are viewed as a one-time “project.” Instead, they require continuous updating and reinforcement. In particular, security against malicious attacks has to account for the fact that the “other side” can learn how to overcome routine measures. Part of such an effort involves making changes to the environment, updating plans, and frequent training, so that security and response plans are well rehearsed. Another part of the security effort involves auditing of the company’s own operations for security, in the same way that quality and safety audits are performed. More and more global companies extend this practice to their suppliers. They carry out supplier training sessions—frequently for multiple suppliers in the same region. To make sure that security standards are developed and maintained, Seagate, IBM, HP, Hasbro, Gillette, Target, and many others conduct pre-engagement security audits as well as ongoing (including unannounced) on-site security audits. The continuous effort against malicious perpetrators also involves updating the security measures themselves in response to new counterfeiting, theft, and sabotage incidents, as demonstrated by the following example.
On May 20, 2002, the FDA found 1,004 bottles of Johnson & Johnson’s blockbuster anemia drug Procrit without the required paperwork certifying the authenticity of the drug. Tests showed that counterfeiters had relabeled inexpensive low-dose vials to look like pricey high-dose vials, with twenty times the active ingredient, in order to re-mark the price from $22 a vial to $475 a vial.
With the health of millions of cancer, kidney disease, and AIDS patients potentially at risk, J&J decided it would not release any of the $1.2 billion of the product in its warehouses until the company had addressed the problem.27
First, J&J alerted distributors, hospitals, and doctors—sending 200,000 letters and repeating the process eight times—to tell customers how to recognize the counterfeits. The letters also provided updates and explained J&J’s new anti-counterfeiting measures. J&J also tightened its distribution chain, warning distributors that they would lose their accounts with the company if they bought the medicine from other sources. The company asked its customers to watch for mailings or faxes that were from unknown companies and forwarded these suspicious offers to the FDA for investigation.
As an anti-counterfeiting measure, Johnson & Johnson adopted technology used by the U.S. Treasury, using the color-shifting ink found on $20 bills, which looks green or silver depending on the angle of the light. About six weeks after the FDA call, J&J was shipping vials in repackaged boxes with the new ink and improved seals. Within 13 weeks, J&J had repackaged the entire six months’ worth of inventory.
Less than nine months after J&J introduced the color-shifting ink and improved box seals, the first crude fakes appeared. But J&J continues to upgrade its anti-counterfeiting features: color-coded wrappers and vials and new seals ensure that no one can confuse the dosage or reuse the vials. “We hope to keep one step ahead of them, to make sure even if they do figure out what we have on this label, in six months we will have something different so they won’t be able to duplicate that,” said Elizabeth Hansen, a J&J package development engineer.28
In November 2001, MIT Institute Professor and Nobel laureate Robert Solow assessed the impact of increased corporate investment in security by surmising that “Last year there were 100 elves working in the North Pole preparing toys for the Christmas season, while this year, 95 of them will be making toys and five will be guarding the perimeter fence.”29 Such a comment embodies the view that increased security outlays are going to be a burden on corporations, leading to lower productivity, increased costs, and lower profits.
Justifying security measures faces the same problem that any other project involving cost avoidance does: “Nobody ever got promoted by avoiding costs.” Since costs avoided do not show up on any financial statement, or in any incentive system, and costs incurred are visible (including security outlays), there is little natural incentive to invest in cost avoidance.
The result is that continuous security efforts can be hampered by their own success. When Sun Microsystems suffered a spate of freight thefts in Europe, it used a multi-pronged effort to stem the losses.30 Sun hired escorts for trailers carrying high-value Sun gear and monitored logistics personnel to reduce inside-job leaks of information about high-value shipments. With these measures, Sun cut its losses to zero.
Later, when managers asked why the company was spending so much money for escorts when they were no longer having hijackings, security managers faced the classic catch-22 of security: how to put a value on avoiding a problem that you don’t have because you spent money to avoid it. Sun’s security managers benchmarked other companies, quantified the likely loss rates if they stopped using escorts, and successfully justified their security measures.
According to Steven Lund, Intel’s director of corporate security, Intel uses statistical models to estimate the amount, frequency, and expected losses for each facility. Intel also commissioned a study by RAND Corporation to understand further the patterns of losses and costs in the high-tech industry.31 The study found that indirect costs resulting from theft (including lost sales, costs to customers, and investigation costs) totaled two to five times the replacement costs of the stolen goods. In analyzing the relationship between security expenditures and losses at a group of 18 firms, RAND also found that, at the level of security expenditure at the time, each 1 percent in added spending on security provided more than a 7 percent reduction in losses.
Cross-industry benchmarking efforts and careful analysis of all the costs involved in a breach of security can help companies make the business case for security investments. They also help direct such investments and size them in accordance with the disruption they are trying to thwart.