A Corporate Security Strategy for Coping with the Climate Crisis

Richard Power on how to adapt security and risk management policies - including IT security - to deal with climate change.

US military strategists, CIA analysts, international agency officials and Nobel Prize-winning economists concur with the consensus of the world's scientific community: the Climate Crisis is a planetary security issue, as well as a national security issue for each of the one hundred ninety-two countries that belong to the United Nations. But the Climate Crisis is also, by extension, a corporate security issue, as well as, yes, a cyber security issue.

Of course, not every national security issue is a corporate security issue; nuclear weapons proliferation, e.g., is a national security issue that does not demand a direct and meaningful response from all corporations in every sector and at every level, or from the security professionals who are responsible for protecting operations, assets and work forces.

The Climate Crisis, however, does demand a direct and meaningful response from corporations. This response is demanded not just by imperatives related to corporate social responsibility, but also on the basis of risk management and security.

Consider some conclusions drawn, not by environmental activists, or even just by scientists, but by military leaders and economists:

According to one Pentagon report revealed in 2004, "climate change over the next 20 years could result in a global catastrophe costing millions of lives in wars and natural disasters. ... 'Disruption and conflict will be endemic features of life,' concludes the Pentagon analysis." (The Observer, 2-22-04)

In 2005, Sir Nicholas Stern, former chief economist for the World Bank, warned that global warming could shrink the global economy by 20 percent, and that it would be cheaper to deal with the problem now than to deal with its consequences later.

A 2007 report from an advisory board of retired generals and admirals said that "the effects of global warming, the study said, could lead to large-scale migrations, increased border tensions, the spread of disease and conflicts over food and water. All could lead to direct involvement by the United States military." (New York Times, 4-15-07)

Earlier this year, in the first such statement of its kind, one thousand seven hundred of the USA's most prominent scientists and economists joined in a call on policymakers to require immediate, deep reductions in heat-trapping emissions that cause global warming. (Union of Concerned Scientists, 5-29-08)

And a month earlier, the Royal United Services Institute (RUSI) issued its own study, which concluded that "if climate change is not slowed and critical environmental thresholds are exceeded, then it will become a primary driver of conflicts between and within states ... if uncontrolled, climate change will have security implications of similar magnitude to the World Wars, but which will last for centuries..." (Reuters, 4-22-08)

Seven Dimensions of Risk

This planetary and national security issue has inescapable consequences for the captains of industry and their stockholders; it is a threat that requires proactive and preparatory efforts by business leaders and security professionals.

There are three big questions to answer in regard to what the Climate Crisis means in terms of business risks and corporate security:

  • What do C-Level Executives need to know about the Climate Crisis as a security issue for the businesses they direct?
  • What do security professionals need to know about the Climate Crisis as a security issue for the businesses they protect?
  • What do Board of Directors members need to know about the Climate Crisis as a security issue for the businesses they oversee?

To develop some actionable answers to these tough questions, I brainstormed with some people of vision and depth of experience, including Regina Phelps, CEO of EMS Solutions. Phelps is a world-class business continuity, disaster recovery and crisis management expert, and has traveled from Antarctica to Mongolia (and most major metropolitan areas in between) helping corporate leaders get their minds around this issue.

She cites seven dimensions of corporate risk related to the Climate Crisis.

The obvious one is "Physical Risk," of course, i.e., extreme weather.

As I write this story, grim news from the Gulf Coast serves as a poignant backdrop: "Galveston stopped allowing residents to enter the city ravaged by Hurricane Ike, now layered in mud and debris without power, water or sewers." (Bloomberg, 9-17-08) It was only three years ago that Hurricane Katrina devastated New Orleans. That's two US cities in three years, and further evidence of an emerging trend.

According to Munich Re, "the world's insurance industry faced $75 billion of losses from natural catastrophes" (50% higher than the previous year) and "the number of natural catastrophes tallied 950 this year, up from 850 in 2006 and the highest figure since 1974," when the group began tracking the information. (MarketWatch, 12-27-08)

But the other six are also of great significance, as Phelps explains:

  • Regulatory Risk: Expect regulation for the emissions of products that you make (i.e., car emissions) and/or for the manufacturing process that you use to create products.
  • Supply Chain Risk: "All companies will need to evaluate the vulnerability of their suppliers to potential regulation, the cost of suppliers complying with regulations, the geographical distribution of supplier network, etc."
  • Product and Technology Risk: Some companies will do better than others in coping in a carbon-restrained world. Those who create new climate friendly products or services will benefit.
  • Litigation Risk: Companies that generate significant carbon emissions will likely face litigation over time (like tobacco, asbestos, etc.). Swiss Re notes that there may well be personal liability for directors and officers.
  • Financial Risk: Citibank, JP Morgan Chase and Morgan Stanley, three of the nation's largest investment banks, have developed new environmental standards to help lenders evaluate risks associated with investments in coal-fired power plants.
  • Reputational Risk: Companies that fail to seize the opportunity to demonstrate to key stakeholders that they are "good citizens" of the planet will face the court of public opinion, i.e., consumer and investor backlash.

Kicking the Door Open

Another person of vision and depth of experience I brainstormed with was Steven Sams, Vice President of Global Site and Facilities Services for IBM's Global Technology Services division. Sams is one of the drivers of IBM's transformation from Big Blue to Big Green.

The story IBM has to tell is compelling and offers great promise for its clients and partners. For example, IBM itself consolidated 3,900 servers into 33 System z mainframes, migrated servers delivering largest savings first, eliminated assets with lowest utilization first, aggregated customer work portfolio to leverage strong customer buy-in, focused on freeing up raised floor space, and provisioned new applications to the mainframe. As a result, IBM reduced annual energy usage by 80% and total floor space by 85%.

Working with one of its clients, University of Pennsylvania Medical Center (UPMC), IBM helped UPMC maximize service levels and mitigate costs: saving $30-40M over three years with Wintel, UNIX and storage virtualization, reducing from forty storage databases to two centralized SAN arrays, and consolidating one thousand physical servers to three hundred IBM servers (multiple platforms) while supporting increased business growth. In China, consolidating thirty-eight data centers into two yielded a $180 million reduction in annual operating expenses and improved business resilience. In Germany, consolidating four centers into one 3,800 square foot data center yielded $7.2M in annual operational savings.

To meet with Sams, I journeyed to an IBM research center in upstate New York. The building, designed by legendary architect I.M. Pei, is organized around glass and metal pyramids, similar to those Pei designed for the Musée du Louvre in Paris. The specter of these pyramids added a dimension of timelessness to our three-hour discussion on the how and why of going green. After all, IBM was one of the companies that was there at the dawn of the IT revolution; it is understandable that it is also one of the companies that is present here at the dawn of the green revolution.

We discussed going green to battle energy costs as a way to kick open the doors of perception in the executive suite and the board room.

IT consumes two percent of the energy produced on the planet. Currently, IT-related energy use is doubling every five years. If this doubling continues, then IT energy use will increase sixteen times over the next twenty years, and consume just over ten percent of the total energy output of the planet by 2030.

We talked about putting this projection in a personal context for executives, i.e., spending billions on energy over the next five years. The numbers are potentially unbelievable when the future is mapped out. If a client spending $2.6M per year on energy doubled its energy use every five years, it would be spending $41.6M a year on energy in 20 years at today's prices; and at a 10% inflation rate for energy per year, the $41.6M becomes about $278M.

"Can you imagine a bill of $2.6M per year escalating to $278M per year by 2030?" Sams remarked. "It is unaffordable; something else will have to change."

We also talked about the significant impact of switching to water for cooling on server racks. Water requires a lot less energy. "Data centers typically use air-conditioned cool air to flow through technology to cool it down," Sams explained. "Water is much more efficient for technologies that generate more than 30,000 watts of heat per rack."

We talked about how to reach different C-level executives in different ways: e.g., with the CIO, Sams suggested emphasizing IT flexibility, i.e., being able to have current data centers support new low-cost and highly scalable technologies like blade servers; with the CFO, Sams suggested emphasizing the cutting of costs, both for the growing energy bill (typically 40-50% savings) and for the capital cost of building a new data center if they run out of power and cooling capacity; with the CEO, Sams suggested emphasizing the image of the environmentally supportive company, e.g., $1 million in energy savings a year is equivalent to one thousand cars off the road or 2.7 million pounds of coal not burned in a coal-fired energy generation plant.

Elements of a Corporate Climate Crisis Security Strategy

Here is a seven-point corporate Climate Crisis strategy for CSOs and CISOs to promote within their organizations.

1. Intelligence: Monitor the business risks on the global, national and regional scales as well as in your industry sector. Organizations should be closely tracking climate change in their region, in the regions that they rely on for resources and markets, and on a planetary level, and regularly re-evaluating the impact and implications for business operations, personnel safety, etc. Organizations should be pondering how climate change in their regions and at a planetary level impacts other types of risks and threats (e.g., collapse of governments, displacement of populations, organized crime, violent conflict, pandemic and other health issues, travel security issues, natural disasters, etc.), and how they attempt to mitigate and cope with them.

Phelps agrees. "Operative word is should. Globally most international companies will look at traditional risks such as physical security, natural disasters (e.g., flooding, cyclones, tsunami, etc.) or counterfeiting, brand infringement and sabotage. Since Climate Change will likely cause increases in natural disasters, human disasters (famine, migration, border tensions, diseases, etc.) and national security issues (just to name a few), it should be on the recognized list of 'known risks' for all companies to plan for."

But does she see it getting done anywhere?

"No. There is more discussion about it outside the US, but here in the US I know of no global company adding climate change to their risk assessments."

2. Understand your business's carbon footprint. Actually looking at the numbers is going to blow your mind. Such an assessment will produce plenty of surprises, both in terms of how much greenhouse gas your organization is turning out, and in terms of how much your current level of emissions can be reduced. You need to know where you are in order to get to where you are going.

3. Green Power: Go green, particularly in your IT environment. Imagine the impact on your carbon footprint if you couple the kind of cost-cutting and energy-saving designs IBM and other technology giants are working on with the many building sector schemes to construct all-green facilities or retrofit existing facilities to turn them green. Imagine virtualization on the inside and solar panels and windmills on the outside. This is not a Utopian dream; this is a business imperative.
