Interview with Tom Ridge

Ask Tom Ridge, the two-term governor of Pennsylvania and first U.S. secretary of homeland security, about preparing for disaster and his answer won’t surprise you: Collaboration is paramount, whether it be between public and private sectors, CEO and CSO or IT and security.

Ridge recently launched Ridge Global, an advisory firm based in Washington, D.C., with practice areas such as technology innovation and integration, global trade security, risk assessment and contingency planning, and crisis management and communications. Ridge spoke to CSO Associate Staff Writer Katherine Walsh about his challenges at the Department of Homeland Security, the importance of disaster preparedness and how to battle complacency.

CSO: One frustration with security has to do with complacency. Why do you think that is, and how does our current level of preparedness as a nation compare to pre-9/11?

Tom Ridge: Complacency is what keeps me awake at night. It’s predictable in human terms, but unacceptable as well. It’s predictable in the sense that it’s been six years. And in spite of global communication, when we see risk and tragedy and disasters and terrorist attacks, we just don’t seem to have that same sense of urgency that we did in the first couple years after 9/11. The professionals have it: the police, firemen, emergency service personnel and the military. But in the corporate world—and even to a certain extent, the political world—there isn’t quite that same sense of urgency.

One of your themes is the importance of collaboration. Why is that so necessary to disaster preparedness at an organization?

To give an example from the public sector, homeland security is much bigger and more important than one cabinet agency, although the agency does have to be the catalyst for change, the catalyst for communication and the catalyst for collaboration. But at the end of the day, the country cannot maximize its ability to protect itself or maximize its ability to become as secure as possible without involving all levels of government, as well as the private sector. Homeland security goes far beyond distributing billions of dollars to state and local governments to build infrastructure. It’s actually building a network of, and building and sustaining relationships with, the private sector. Frankly if [the federal government] had built a better mechanism for disaster recovery and allowed the private sector to assist, Hurricane Katrina wouldn’t have been such a mess. But right now it’s very difficult for the private sector to contribute to and collaborate with the government. As such, we are missing enormous opportunities to make ourselves safer. So that’s why at the end of the day collaboration is critically important. The federal government, as big as it is, needs to work with the private sector. We can’t secure the country from inside Washington, D.C.

What are some specific ideas for how the government should work with the private sector?

I firmly believe that as the country responds to HSPD 7 (related to critical infrastructure) we should look to the private sector for best practices and to help us build residual capacity to respond to disaster. We should look to them to get more loaned executives in the government to deal not only with security and safety but to make the government more efficient and effective. That will take a major upheaval, but I strongly believe in it. We’ve got the talent and interest and commitment in the private sector, but because of some of the rules here in Washington, we can’t tap into them as aggressively as we would like. When I was casting a net to pull in some members of the Homeland Security Advisory Council, I had some friends of mine reject my solicitation because they had to fill out massive documents disclosing everything they’d ever done throughout their whole life. Keep in mind, this is an advisory council: It’s not as if they’d have access to any top secret intelligence; it’s not as if they know anything in great detail about operations. I wanted smart people thinking differently about different things. There are so many things the private sector could help us do more effectively here in the U.S., but we’d have to change some ethics rules in Washington.

Along those same lines, what was it like to head up a new agency? How did you bring order and foster collaboration among other government agencies when you became secretary of DHS?

Well, the management team that we assembled—many of whom were volunteers coming out of the private sector—were top-notch subject matter experts who were committed to making their country safer and building a strong foundation within the department. There was a sense of mission that made it a little easier [to foster collaboration] than most people might think. The integration of people and technology will continue to take years to achieve, but if you have a good team around you and confidence in their ability to address anything that comes down the path, then you get up in the morning and feel good about what you’re doing.

What were your major challenges and accomplishments at DHS?

The biggest challenge that continues in DHS wasn’t as much on the security side, it was on the business side. I like to tell my friends in the private sector that DHS was really a big holding company. It still is. Under the umbrella of the holding company there were mergers, acquisitions, divestitures, startups and other things that couldn’t be anticipated. Under that incredible litany of activity, it was difficult trying to rationalize the business line function and bring economic and fiscal rationality to this merger of units of government. It’s a hurdle that continues today, and I think even my successor’s successor will have similar challenges. Also, from the policy and security point of view, we knew there were a lot of things we needed to do: build in multiple-layered defense and security measures around commercial shipping and aviation at the border. We needed innovation; we needed change.

One struggle of CIOs and CSOs right now is convincing upper management of the ROI of security: It’s the challenge of selling security. How do you go about doing that?

I have a lot of empathy for CIOs and the CSOs because when they would like to beef up their IT systems and want to embed preparedness and recovery plans into their networks, they have to go to the CFO and CEO and say, “I need X number of dollars to do this,” and the first response they’re going to get is, “What’s the risk? What’s the threat? That’s a big expense, where’s the ROI?” But I think in a more globally competitive marketplace, a more interdependent marketplace—a post-9/11, Sarbanes-Oxley world—there are far greater vulnerabilities to a commercial enterprise today than ever before. It’s not just about profitability, it’s about the intangible asset—your brand—that’s at risk. I would hope CFOs and CEOs and boards of directors would pay a little more attention to the risk assessment rendered by security officers or information officers when parceling out annual budgets. You have to manage the risks, and there are certain ones that need to be managed regardless of ROI. People buy insurance and hope they never have to use it. At the end of the day, that’s an enormous expense. But it’s an expense that we use to safeguard [against] the possible undermining of our brand or profitability. There are all kinds of pressures—quarterly returns and market expectations—but given the nature of the competitive world and the interdependency of the marketplace, 9/11 and Sarbox, we better start paying a little more attention to CIOs and CSOs.

What is the most important thing these executives can do in their organizations in terms of business continuity and disaster recovery?

There are occasions in which the CSO or CIO can make a case for an additional security investment that has economic benefits. Perhaps it makes the commercial enterprise more productive or more efficient. You have to go on a case-by-case basis. The best way to convince the business you need to spend more money is to show it will yield a security benefit and a productivity benefit. But you can’t ignore the reality that even if you can’t show a strict ROI, these are expenses that buy you some extra protection in a world of greater vulnerabilities. And that expense, compared to the cost if something goes wrong—if your supply chain is disrupted, if there is criminal activity or a disaster or a terrorist strikes—is minimal.

Did you view technology as central to preparedness before 9/11? Or did that event change your view of the intersection of IT and security?

I can’t think of a company that doesn’t use technology as its backbone for operations. So just like anything else, the first thing you do is protect the most critical thing to your operations, and that’s IT. But the business enterprise today has a nervous system in IT which is basically the sine qua non of the entire operation. Security and risk assessment of IT systems includes looking for points of access in the event of disruption, safeguarding proprietary information and protecting consumer and customer information—they are all related. I don’t pretend to be a technology expert, but I’ve known intuitively and instinctively that whenever you have an opportunity to embed technology with well-trained people around a very specific mission, you need to do it. You can’t operate any entity, large or small, this day and age without a good IT system.

How did technology affect the events on 9/11?

On 9/11 we learned that the traditional means of communications within the first responder community was inadequate. We had different communication systems that were not interoperable. One of my great frustrations six years after the event is that there has been much discussion about interoperability but very little has been done about it. The FCC has indicated they are prepared to dedicate a certain spectrum on the broadband for a nationwide public safety network. They are to be commended for their vision and foresight…. I just wonder where Congress has been for the last five or six years. One can imagine the enormous benefit of data, voice and video being available to the first responder community, not just in the event of a terrorist attack, but so many other occasions. This goes back to the sense of complacency. One of the most glaring examples has been the failure to build a national system, and it’s going to take years to get it to where it needs to be. Clearly, technology failed a lot of people on 9/11. On the flip side, the people on United 93 were able to communicate with others and learn the fate of the other three planes. Armed with that information and more courage than most people can muster, they understood their fate had been sealed; they decided this was one commercial airliner that was not going to be turned into a missile. So there was good and bad. It was good enough to inform the passengers of United 93 but not good enough for the firemen and policemen on the ground surrounding the twin towers.

Do you think our lack of progress in this area is a result of complacency, a lack of funding or a combination of both?

I think funding is an issue. While local and state governments have some responsibility, a national system should be built by the federal government. We spend millions annually on communications, so there is plenty of opportunity to invest those dollars into supporting a new infrastructure. Over the last few years we’ve expended billions on equipment and had we had a commitment to a broadband infrastructure, the money would have been more effectively used. Once the FCC gets this through, other jurisdictions will know where their dollars need to be spent in order to be compatible. It will revolutionize the intersection of public safety and security.

You served in Vietnam. How can you apply preparing for disaster in a war to your work today?

There are certain maxims that combat soldiers understand better than others. You need to train and exercise in a certain way. And if you fail to plan, train and exercise against certain potential challenges, and they appear, you are probably going to fail. Even within that environment you can’t prepare for everything, so you have to be prepared for the unpredictable. There is a certain element of surprise associated with every crisis and challenge you face. But most people in the military will tell you that you reduce losses and enhance odds for success by having the right equipment, training and the right people. And it applies to the corporate world too. Have you empowered your CIO or CSO to look critically at your entire infrastructure and make specific requests? Do you have a business continuity plan and do you exercise it? Have you tried it out? There are basic lessons in regard to planning and training that are helpful because sometimes you don’t have time to think, you just have time to react. But if you’ve trained a certain way and planned a certain way, the chances are pretty good you will react the right way.