by CIO Staff

Six Experts Tell How IT Should Cope Post-9/11

Nov 15, 200115 mins
Disaster Recovery

It has become a clichŽ

The Sept. 11 terrorist attacks on New York City and Washington, D.C., changed everything. But “everything” covers a lot of ground. What, specifically, has changed, and how does it affect the way we do business? Even more specifically, how does this new world look from the CIO’s seat? We asked six experts what CIOs should expect and do in critical areas including security, supply chain and staff management in this putatively altered world.


Importance of IT Just Went Up


President, B2B Analysts, Cambridge, Mass., and CIO WorldView columnist

Before Sept. 11, many people thought we’d have a mild recession. No one believes that anymore. In certain industries?like electronics?people just aren’t buying anything.

CIOs need to provide timely, accurate reports on volatile business situations and do so with limited resources. For global and multinational businesses, this can be complicated. Many such companies have B2B systems with suppliers and partners. But what happens when things break down? For example, transportation across borders is no longer as reliable as it was before Sept. 11. Companies are very high velocity these days. Even having two weeks of demand disappear creates all sorts of surprises. For example, your company may have to build up inventory, but that’s pricey. What if you run out of warehouse space? The integrated supply chains companies have built can tolerate only so many variables.

Companies will have to redesign their supply chains. There will be less belief in the highly integrated, low-lead-time, low-inventory supply chain stitched together with IT. CIOs need to provide the business with the capability to be more responsive, to get advanced warnings from customers, to look at point-of-sale data from retailers and feed that back to manufacturing. In a recessionary environment, IT can make a huge difference because it can give companies early warnings about changing business situations.

Another big change will be in how business gets done. It’s absolutely clear that people aren’t traveling, but multinationals still have to communicate. There’s a demand on IT to use the Internet and telecommunications to accomplish what travel enabled before.

Suddenly there’s this huge demand for technologies such as teleconferencing and videoconferencing that previously few CIOs thought to be important. And it’s not just a question of installing technology. In virtual meetings, many participants don’t pay full attention. They are answering e-mail or surfing the Internet. With such technology-

facilitated meetings replacing personal communications, these contacts should be shorter and occur more frequently. Virtual meetings should also be supported by documents; action items written down at one meeting should be part of the agenda at the next meeting. Essentially, meetings have to be approached with a different discipline, and that will take time to learn.

Intercompany communication on a global scale also has challenges. There are cultural issues as well as practical ones like time-zone differences. Using technology to communicate instead of face-to-face contact has implications for network support, usage policies and firewalls. The good news: For multinationals, connection to the Internet isn’t much of an issue, nor is reliability. The Internet was designed for a nuclear attack.

The cost of business travel will now be spent on technology. CIOs will now be responsible for a large redeployment of resources. As communication technologies replace travel, the technology itself becomes more important, which means that managing the technology is more important.


Plan for People, Not Just Systems


Senior manager in information risk-management practice, KPMG, Washington, D.C.

One of the great lessons of this tragedy, and others in the last decade, has been helping company leaders see the people in their organization as part of the risk-

management equation. Most companies have a business plan for technology failure?things like someone putting bad software on the system or dealing with a security or hacker threat. Now what we’re seeing post-Sept. 11 is the recognition by leadership that there’s an even greater need to understand people processes in the context of risk management and disaster recovery.

Companies need to think about how they will take care of their employees, account for the missing and deal with the families in the event of a fire, a flood or an explosion in the building. How will you take the services and processes handled by those people and transfer that responsibility to another part of the organization so the business can continue dealing with a disaster? You can’t let a major disaster stop the entire organization from doing anything else?you have to look at how you can separate the tragedy from the necessity to keep delivering services. You have to know what the critical functions are and how to continue them in the face of disaster. How will you communicate internally and externally? You must figure out how you will talk to industry peers and associations, and how you will deal with state, local and federal authorities.

Also, think about how you will communicate with customers. How will you talk to them about the status of your business and your employees, particularly if the business?say, a financial institution?has a piece of the customer’s money?

A big lesson for CIOs and other leadership is that continuity management is not a line function. It’s a core function that must be managed from the top of the organization. CIOs are familiar with this, as they have long argued that technology also cuts across the business and needs attention from the executive team. After Sept. 11, CIOs will have a lot more credibility when making arguments for replicating critical systems. The case has been made graphically for CEOs that the kind of discussion that has gone on at the CIO and CFO level in terms of risk management aren’t way out there?they need to be addressed ahead of time. The watchword coming out of this is going to be enterprise risk management?no more point solutions. If you want to survive something this extreme, an enterprise approach is what will make the difference between making the business go or not.


Build Safety Stock, Then Forget You Have It


Head of the center for transport studies, MIT, Cambridge, Mass.

I think security is a long-term issue, and it may lead to some of the following mitigation strategies. One is deciding which parts are crucial for your production line and which parts can withstand a longer lead time. Usually these decisions are based on how well you can forecast demand for these items and how good the forecast is. For hard-to-forecast items, companies may want to start building some safety stock, but for the bread-and-butter items that are replenished day in and day out there will not be a big impact. Original equipment manufacturers are not going to increase their safety stock for items across the board?just the ones that are hard to forecast.

The other strategy is to have good suppliers. For example, the majority of your stock may come from overseas at low cost, but now you will have a secondary local supplier to whom you have to give some business right now. You can’t just keep them on standby. People always knew that you had to have more than one supplier, but it was OK to have one supplier in Taiwan and one supplier in Singapore because while one might have political or labor problems you always had the other. Now, introducing security into the equation, I may want one abroad and one in America.

Just-in-time manufacturing is here to stay. Smart companies may build some safety stock, but it will be independent of just-in-time. They will not give in to the temptation of using the safety stock, because there are lots of other benefits of just-in-time besides low inventory?specifically high quality and quick diagnosis of supply chain problems. With just-in-time you don’t have inventory to cover up your problems. Now you will have to act as if you don’t have inventory even though you do.

Inventory is a security blanket?it allows you to cover up your problems. The key to running just-in-time is to cover yourself from supply chain disruptions with some inventory or a local supplier. It will be a mistake to move to just-in-case.

The decision of when to use your safety stock depends upon the fundamental difference between something you control and something you do not. For example, if you have a disruption because terrorists attack the World Trade Center and the border is closed, there is nothing you can do to fix it. Then you use your safety stock. However, if your supplier starts shipping defective material, stop the line and fix the problem immediately as if you don’t have the extra inventory. With safety stock, the temptation is to say, “We have inventory, don’t worry about it.” But that’s exactly when you need to address the problem.


Balance Change with Routine


Harvard Business School professor focusing on leadership and ethics, Cambridge, Mass.

The first thing for managers to consider is the importance of preparation. It’s true that preparation for Y2K helped many CIOs on Sept. 11 because they had redundant systems.

So contingency planning is important. But the kind of contingency planning most people do is “best case plus 20 percent,” “worst case minus 20 percent.” Sept. 11 presents us with a much more dramatic situation.

But there’s only so much you can do. There will always be things you can’t foresee. What you can do as a manager is keep all lines of communication open so you can communicate quickly when something unexpected happens, even something drastic. You’ve got to be ready to scramble?and not just as an individual but as a team. The team will always be more resourceful than a single person. Scrambling means learning about what’s happened quickly and formulating a response.

Another thing to consider is that it’s going to be very hard for people to differentiate between long-term and short-term changes after the Sept. 11 attacks. One scenario is that we really stamp down terrorism. Another comparably probable scenario is that there are more attacks, and we move into an Israel-like state, with permanent insecurity. Those are radically different worlds. It’s going to be hard to know for a while how things will turn out.

That said, people have a strong need for routines. Their old routines will assert themselves. From time to time, people will be pulled back, reminded. Maybe when they go into a tall building, for instance. This catastrophe reached people at a very deep level.

For the next couple of months, managers need to do two things?and these things are a bit contradictory. The first is to get back to work, because things need to be done and because people need routines. At the same time, managers have to find a way to give people space and let them work through this. You have to be sensitive to the way people are feeling. People respond to crises differently and at different speeds.

If flying is an inescapable part of someone’s job and they refuse to fly, at some point you’re going to have to find somebody else to do the job. At some point, the work has to go on. But somebody who says, “I can’t deal with flying now” might be willing to fly in a month.

Try to think creatively about other ways to get business done. My sense is that people relied on airplanes vastly more than they needed to. The cost and inconvenience of flying is very high. We’re getting streaming video from Afghanistan right now; I don’t understand why everyone’s got to fly to Des Moines.


Lead Them Through the Transition


Cofounder and managing partner, Foote Partners, New Canaan, Conn.

When I talk with executives, one of the first references I use is Charles Darwin, who said, “It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.” That’s true for companies and for our country as a whole right now. We’re certainly strong, but can we make a transition?

Change is the easy part; changes are situational, external. Transition is the response to change. Transitions are psychological, internal, focused on an ending. People don’t like endings.

A transition is the end of something but also the beginning of something. But the in-between is scary. Employees are focusing on what we’re losing?that’s happening big time right now. They know that life is not going to be the same, but they don’t know what that’s going to be like. It’s a transition to an unknown.

What you have to do for employees is create temporary systems to get through it. First off, you’ve got to get people talking about this. Bring in a psychologist or therapist. You have to acknowledge losses openly and sympathetically.

You need to strengthen connections [between employees]. It’s interesting how people are using intranets to get through this. People are on the road or working from home; the workforce isn’t all together in many organizations. What has happened is they’ve been taking these bland corporate intranets and turning them into boards where employees can talk to each other. They post what they’re feeling where others can see it and respond. It’s a great example of a temporary system.

You want to help people define the transition. You do this by defining what’s over and what’s not. Not everything is over. Right now a lot of conventions and events are being canceled. Some travel is curtailed, some projects are canceled?but a lot of things are just being pushed out. You know, a lot of people measure their careers by their projects. Tell them, “We haven’t canceled that project.”

Layoffs are still on people’s minds. That was happening before Sept. 11. Now, even people who aren’t being laid off are saying, “Maybe I should circulate my rŽsumŽ.” Tell them, “There will be no layoffs; we’re not canceling projects.” Or, “Here’s who’s being laid off: them, but not you.” Or, “We’re canceling one thing but nothing else.” Don’t lose people over this.

Executives need to change the metaphors to lead employees into the next phase. Leading by metaphor is about redefining things. Look at our president: He’s leading by wrapping everything around the flag?and people are eating it up! Executives need to talk about what their companies stand for instead of just what they do.

This is where real leadership comes in. A lot of executives who are dealing with this really aren’t leaders?they’re managers. The companies with strong leaders are the ones that were talking with employees and customers right away.


The World Hasn’t Changed. We Have.


Author of Secrets & Lies: Digital Security in a Networked World, founder and CTO, Counterpane Internet Security, Cupertino, Calif.

People think everything has changed. Is air travel more dangerous than it was a month ago? No. Are there more terrorists? Actually, there are fewer terrorists. Is the world more dangerous? No. Is jet fuel somehow more lethal? No. America is very much a bright-shiny-object sort of culture. We’ll talk about whatever the bright shiny object is, and if the bright shiny object changes next month we’ll talk about that. Right now, security is important. But will anything change? Who knows? Ask me in six months.

Wake-up calls are a dime a dozen. Why wasn’t the Code Red worm a wake-up call? Why weren’t the denial-of-service attacks on sites like Yahoo and eBay in February 2000 a wake-up call?

So here we are. We’ve got the largest loss of life in our country, and now this is a wake-up call. Is it really? You’ve got to hope so. We need something that will convince people that security is important. This might be it.

If, indeed, this physical attack changed people’s perception of electronic security, then this talk about an electronic Pearl Harbor, a massive, high-profile cybersecurity breach, was wrong. It took a real-world attack to convince companies that there was a cyberrisk. I would not have expected that. The question is, Is it permanent or just the thing I’m worried about today? I’d like to think it’s permanent, because the threats are real.

Cyberterrorism is something that can be done. It takes a lot of expertise, but you can be safely at home in your own country and launch your attacks. You don’t need a lot of logistical support. You do need expertise that your average terrorist doesn’t have, even a terrorist who can fly an airplane.

I have a feeling cyberterrorism is going to happen, just like we see cyberorganized crime. You go where the money is; you go where the bang for your buck is. And as more of our critical systems go online, that’ll be where terrorists launch their attacks. The Internet is really a target-rich environment, but most of the targets hackers select are dorky targets. So you knock down a CNN webpage, big deal. If you could knock down the power grid…. But flying planes into buildings is a completely different league. If you’re willing to do that, cyberterrorism is kid’s stuff.