It has become a clich\u017d The Sept. 11 terrorist attacks on New York City and Washington, D.C., changed everything. But "everything" covers a lot of ground. What, specifically, has changed, and how does it affect the way we do business? Even more specifically, how does this new world look from the CIO\u2019s seat? We asked six experts what CIOs should expect and do in critical areas including security, supply chain and staff management in this putatively altered world.GLOBAL BUSINESSImportance of IT Just Went Up\nDAVID DOBRIN\nPresident, B2B Analysts, Cambridge, Mass., and CIO WorldView columnistBefore Sept. 11, many people thought we\u2019d have a mild recession. No one believes that anymore. In certain industries?like electronics?people just aren\u2019t buying anything.CIOs need to provide timely, accurate reports on volatile business situations and do so with limited resources. For global and multinational businesses, this can be complicated. Many such companies have B2B systems with suppliers and partners. But what happens when things break down? For example, transportation across borders is no longer as reliable as it was before Sept. 11. Companies are very high velocity these days. Even having two weeks of demand disappear creates all sorts of surprises. For example, your company may have to build up inventory, but that\u2019s pricey. What if you run out of warehouse space? The integrated supply chains companies have built can tolerate only so many variables. Companies will have to redesign their supply chains. There will be less belief in the highly integrated, low-lead-time, low-inventory supply chain stitched together with IT. CIOs need to provide the business with the capability to be more responsive, to get advanced warnings from customers, to look at point-of-sale data from retailers and feed that back to manufacturing. In a recessionary environment, IT can make a huge difference because it can give companies early warnings about changing business situations.Another big change will be in how business gets done. It\u2019s absolutely clear that people aren\u2019t traveling, but multinationals still have to communicate. There\u2019s a demand on IT to use the Internet and telecommunications to accomplish what travel enabled before. Suddenly there\u2019s this huge demand for technologies such as teleconferencing and videoconferencing that previously few CIOs thought to be important. And it\u2019s not just a question of installing technology. In virtual meetings, many participants don\u2019t pay full attention. They are answering e-mail or surfing the Internet. With such technology-facilitated meetings replacing personal communications, these contacts should be shorter and occur more frequently. Virtual meetings should also be supported by documents; action items written down at one meeting should be part of the agenda at the next meeting. Essentially, meetings have to be approached with a different discipline, and that will take time to learn. Intercompany communication on a global scale also has challenges. There are cultural issues as well as practical ones like time-zone differences. Using technology to communicate instead of face-to-face contact has implications for network support, usage policies and firewalls. The good news: For multinationals, connection to the Internet isn\u2019t much of an issue, nor is reliability. The Internet was designed for a nuclear attack.The cost of business travel will now be spent on technology. CIOs will now be responsible for a large redeployment of resources. As communication technologies replace travel, the technology itself becomes more important, which means that managing the technology is more important. RISK MANAGEMENTPlan for People, Not Just Systems\nJOHN MCCARTHY\nSenior manager in information risk-management practice, KPMG, Washington, D.C.One of the great lessons of this tragedy, and others in the last decade, has been helping company leaders see the people in their organization as part of the risk-management equation. Most companies have a business plan for technology failure?things like someone putting bad software on the system or dealing with a security or hacker threat. Now what we\u2019re seeing post-Sept. 11 is the recognition by leadership that there\u2019s an even greater need to understand people processes in the context of risk management and disaster recovery. Companies need to think about how they will take care of their employees, account for the missing and deal with the families in the event of a fire, a flood or an explosion in the building. How will you take the services and processes handled by those people and transfer that responsibility to another part of the organization so the business can continue dealing with a disaster? You can\u2019t let a major disaster stop the entire organization from doing anything else?you have to look at how you can separate the tragedy from the necessity to keep delivering services. You have to know what the critical functions are and how to continue them in the face of disaster. How will you communicate internally and externally? You must figure out how you will talk to industry peers and associations, and how you will deal with state, local and federal authorities. Also, think about how you will communicate with customers. How will you talk to them about the status of your business and your employees, particularly if the business?say, a financial institution?has a piece of the customer\u2019s money? A big lesson for CIOs and other leadership is that continuity management is not a line function. It\u2019s a core function that must be managed from the top of the organization. CIOs are familiar with this, as they have long argued that technology also cuts across the business and needs attention from the executive team. After Sept. 11, CIOs will have a lot more credibility when making arguments for replicating critical systems. The case has been made graphically for CEOs that the kind of discussion that has gone on at the CIO and CFO level in terms of risk management aren\u2019t way out there?they need to be addressed ahead of time. The watchword coming out of this is going to be enterprise risk management?no more point solutions. If you want to survive something this extreme, an enterprise approach is what will make the difference between making the business go or not.SUPPLY CHAINBuild Safety Stock, Then Forget You Have It\nYOSEF SHEFFI\nHead of the center for transport studies, MIT, Cambridge, Mass.I think security is a long-term issue, and it may lead to some of the following mitigation strategies. One is deciding which parts are crucial for your production line and which parts can withstand a longer lead time. Usually these decisions are based on how well you can forecast demand for these items and how good the forecast is. For hard-to-forecast items, companies may want to start building some safety stock, but for the bread-and-butter items that are replenished day in and day out there will not be a big impact. Original equipment manufacturers are not going to increase their safety stock for items across the board?just the ones that are hard to forecast. The other strategy is to have good suppliers. For example, the majority of your stock may come from overseas at low cost, but now you will have a secondary local supplier to whom you have to give some business right now. You can\u2019t just keep them on standby. People always knew that you had to have more than one supplier, but it was OK to have one supplier in Taiwan and one supplier in Singapore because while one might have political or labor problems you always had the other. Now, introducing security into the equation, I may want one abroad and one in America. Just-in-time manufacturing is here to stay. Smart companies may build some safety stock, but it will be independent of just-in-time. They will not give in to the temptation of using the safety stock, because there are lots of other benefits of just-in-time besides low inventory?specifically high quality and quick diagnosis of supply chain problems. With just-in-time you don\u2019t have inventory to cover up your problems. Now you will have to act as if you don\u2019t have inventory even though you do.Inventory is a security blanket?it allows you to cover up your problems. The key to running just-in-time is to cover yourself from supply chain disruptions with some inventory or a local supplier. It will be a mistake to move to just-in-case. The decision of when to use your safety stock depends upon the fundamental difference between something you control and something you do not. For example, if you have a disruption because terrorists attack the World Trade Center and the border is closed, there is nothing you can do to fix it. Then you use your safety stock. However, if your supplier starts shipping defective material, stop the line and fix the problem immediately as if you don\u2019t have the extra inventory. With safety stock, the temptation is to say, "We have inventory, don\u2019t worry about it." But that\u2019s exactly when you need to address the problem.LEADERSHIPBalance Change with Routine\nJOSEPH BADARACCO\nHarvard Business School professor focusing on leadership and ethics, Cambridge, Mass.The first thing for managers to consider is the importance of preparation. It\u2019s true that preparation for Y2K helped many CIOs on Sept. 11 because they had redundant systems. So contingency planning is important. But the kind of contingency planning most people do is "best case plus 20 percent," "worst case minus 20 percent." Sept. 11 presents us with a much more dramatic situation. But there\u2019s only so much you can do. There will always be things you can\u2019t foresee. What you can do as a manager is keep all lines of communication open so you can communicate quickly when something unexpected happens, even something drastic. You\u2019ve got to be ready to scramble?and not just as an individual but as a team. The team will always be more resourceful than a single person. Scrambling means learning about what\u2019s happened quickly and formulating a response.Another thing to consider is that it\u2019s going to be very hard for people to differentiate between long-term and short-term changes after the Sept. 11 attacks. One scenario is that we really stamp down terrorism. Another comparably probable scenario is that there are more attacks, and we move into an Israel-like state, with permanent insecurity. Those are radically different worlds. It\u2019s going to be hard to know for a while how things will turn out.That said, people have a strong need for routines. Their old routines will assert themselves. From time to time, people will be pulled back, reminded. Maybe when they go into a tall building, for instance. This catastrophe reached people at a very deep level. For the next couple of months, managers need to do two things?and these things are a bit contradictory. The first is to get back to work, because things need to be done and because people need routines. At the same time, managers have to find a way to give people space and let them work through this. You have to be sensitive to the way people are feeling. People respond to crises differently and at different speeds.If flying is an inescapable part of someone\u2019s job and they refuse to fly, at some point you\u2019re going to have to find somebody else to do the job. At some point, the work has to go on. But somebody who says, "I can\u2019t deal with flying now" might be willing to fly in a month.Try to think creatively about other ways to get business done. My sense is that people relied on airplanes vastly more than they needed to. The cost and inconvenience of flying is very high. We\u2019re getting streaming video from Afghanistan right now; I don\u2019t understand why everyone\u2019s got to fly to Des Moines.I.T. STAFFLead Them Through the Transition\nDAVID FOOTE\nCofounder and managing partner, Foote Partners, New Canaan, Conn.When I talk with executives, one of the first references I use is Charles Darwin, who said, "It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change." That\u2019s true for companies and for our country as a whole right now. We\u2019re certainly strong, but can we make a transition?Change is the easy part; changes are situational, external. Transition is the response to change. Transitions are psychological, internal, focused on an ending. People don\u2019t like endings.A transition is the end of something but also the beginning of something. But the in-between is scary. Employees are focusing on what we\u2019re losing?that\u2019s happening big time right now. They know that life is not going to be the same, but they don\u2019t know what that\u2019s going to be like. It\u2019s a transition to an unknown.What you have to do for employees is create temporary systems to get through it. First off, you\u2019ve got to get people talking about this. Bring in a psychologist or therapist. You have to acknowledge losses openly and sympathetically.You need to strengthen connections [between employees]. It\u2019s interesting how people are using intranets to get through this. People are on the road or working from home; the workforce isn\u2019t all together in many organizations. What has happened is they\u2019ve been taking these bland corporate intranets and turning them into boards where employees can talk to each other. They post what they\u2019re feeling where others can see it and respond. It\u2019s a great example of a temporary system.You want to help people define the transition. You do this by defining what\u2019s over and what\u2019s not. Not everything is over. Right now a lot of conventions and events are being canceled. Some travel is curtailed, some projects are canceled?but a lot of things are just being pushed out. You know, a lot of people measure their careers by their projects. Tell them, "We haven\u2019t canceled that project."Layoffs are still on people\u2019s minds. That was happening before Sept. 11. Now, even people who aren\u2019t being laid off are saying, "Maybe I should circulate my r\u017dsum\u017d." Tell them, "There will be no layoffs; we\u2019re not canceling projects." Or, "Here\u2019s who\u2019s being laid off: them, but not you." Or, "We\u2019re canceling one thing but nothing else." Don\u2019t lose people over this.Executives need to change the metaphors to lead employees into the next phase. Leading by metaphor is about redefining things. Look at our president: He\u2019s leading by wrapping everything around the flag?and people are eating it up! Executives need to talk about what their companies stand for instead of just what they do.This is where real leadership comes in. A lot of executives who are dealing with this really aren\u2019t leaders?they\u2019re managers. The companies with strong leaders are the ones that were talking with employees and customers right away.SECURITYThe World Hasn\u2019t Changed. We Have. \nBRUCE SCHNEIER\nAuthor of Secrets & Lies: Digital Security in a Networked World, founder and CTO, Counterpane Internet Security, Cupertino, Calif.People think everything has changed. Is air travel more dangerous than it was a month ago? No. Are there more terrorists? Actually, there are fewer terrorists. Is the world more dangerous? No. Is jet fuel somehow more lethal? No. America is very much a bright-shiny-object sort of culture. We\u2019ll talk about whatever the bright shiny object is, and if the bright shiny object changes next month we\u2019ll talk about that. Right now, security is important. But will anything change? Who knows? Ask me in six months.Wake-up calls are a dime a dozen. Why wasn\u2019t the Code Red worm a wake-up call? Why weren\u2019t the denial-of-service attacks on sites like Yahoo and eBay in February 2000 a wake-up call? So here we are. We\u2019ve got the largest loss of life in our country, and now this is a wake-up call. Is it really? You\u2019ve got to hope so. We need something that will convince people that security is important. This might be it. If, indeed, this physical attack changed people\u2019s perception of electronic security, then this talk about an electronic Pearl Harbor, a massive, high-profile cybersecurity breach, was wrong. It took a real-world attack to convince companies that there was a cyberrisk. I would not have expected that. The question is, Is it permanent or just the thing I\u2019m worried about today? I\u2019d like to think it\u2019s permanent, because the threats are real.Cyberterrorism is something that can be done. It takes a lot of expertise, but you can be safely at home in your own country and launch your attacks. You don\u2019t need a lot of logistical support. You do need expertise that your average terrorist doesn\u2019t have, even a terrorist who can fly an airplane. I have a feeling cyberterrorism is going to happen, just like we see cyberorganized crime. You go where the money is; you go where the bang for your buck is. And as more of our critical systems go online, that\u2019ll be where terrorists launch their attacks. The Internet is really a target-rich environment, but most of the targets hackers select are dorky targets. So you knock down a CNN webpage, big deal. If you could knock down the power grid.... But flying planes into buildings is a completely different league. If you\u2019re willing to do that, cyberterrorism is kid\u2019s stuff.