Ask Tom Ridge, the two-term governor of Pennsylvania and first U.S. secretary of homeland security, about preparing for disaster and his answer won\u2019t surprise you: Collaboration is paramount, whether it be between public and private sectors, CEO and CSO or IT and security. Ridge recently launched Ridge Global, an advisory firm based in Washington, D.C., with practice areas such as technology innovation and integration, global trade security, risk assessment and contingency planning, and crisis management and communications. Ridge spoke to CSO Associate Staff Writer Katherine Walsh about his challenges at the Department of Homeland Security, the importance of disaster preparedness and how to battle complacency.CSO: One frustration with security has to do with complacency. Why do you think that is, and how does our current level of preparedness as a nation compare to pre-9\/11? Tom Ridge: Complacency is what keeps me awake at night. It\u2019s predictable in human terms, but unacceptable as well. It\u2019s predictable in the sense that it\u2019s been six years. And in spite of global communication, when we see risk and tragedy and disasters and terrorist attacks, we just don\u2019t seem to have that same sense of urgency that we did in the first couple years after 9\/11. The professionals have it: the police, firemen, emergency service personnel and the military. But in the corporate world\u2014and even to a certain extent, the political world\u2014there isn\u2019t quite that same sense of urgency.One of your themes is the importance of collaboration. Why is that so necessary to disaster preparedness at an organization? To give an example from the public sector, homeland security is much bigger and more important than one cabinet agency, although the agency does have to be the catalyst for change, the catalyst for communication and the catalyst for collaboration. But at the end of the day, the country cannot maximize its ability to protect itself or maximize its ability to become as secure as possible without involving all levels of government, as well as the private sector. Homeland security goes far beyond distributing billions of dollars to state and local governments to build infrastructure. It\u2019s actually building a network of, and building and sustaining relationships with, the private sector. Frankly if [the federal government] had built a better mechanism for disaster recovery and allowed the private sector to assist, Hurricane Katrina wouldn\u2019t have been such a mess. But right now it\u2019s very difficult for the private sector to contribute to and collaborate with the government. As such, we are missing enormous opportunities to make ourselves safer. So that\u2019s why at the end of the day collaboration is critically important. The federal government, as big as it is, needs to work with the private sector. We can\u2019t secure the country from inside Washington, D.C.What are some specific ideas for how the government should work with the private sector? I firmly believe that as the country responds to HSPD 7 (related to critical infrastructure) we should look to the private sector for best practices and to help us build residual capacity to respond to disaster. We should look to them to get more loaned executives in the government to deal not only with security and safety but to make the government more efficient and effective. That will take a major upheaval, but I strongly believe in it. We\u2019ve got the talent and interest and commitment in the private sector, but because of some of the rules here in Washington, we can\u2019t tap into them as aggressively as we would like. When I was casting a net to pull in some members of the Homeland Security Advisory Council, I had some friends of mine reject my solicitation because they had to fill out massive documents disclosing everything they\u2019d ever done throughout their whole life. Keep in mind, this is an advisory council: It\u2019s not as if they\u2019d have access to any top secret intelligence; it\u2019s not as if they know anything in great detail about operations. I wanted smart people thinking differently about different things. There are so many things the private sector could help us do more effectively here in the U.S., but we\u2019d have to change some ethics rules in Washington.Along those same lines, what was it like to head up a new agency? How did you bring order and foster collaboration among other government agencies when you became secretary of DHS? Well, the management team that we assembled\u2014many of whom were volunteers coming out of the private sector\u2014were top-notch subject matter experts who were committed to making their country safer and building a strong foundation within the department. There was a sense of mission that made it a little easier [to foster collaboration] than most people might think. The integration of people and technology will continue to take years to achieve, but if you have a good team around you and confidence in their ability to address anything that comes down the path, then you get up in the morning and feel good about what you\u2019re doing.What were your major challenges and accomplishments at DHS? The biggest challenge that continues in DHS wasn\u2019t as much on the security side, it was on the business side. I like to tell my friends in the private sector that DHS was really a big holding company. It still is. Under the umbrella of the holding company there were mergers, acquisitions, divestitures, startups and other things that couldn\u2019t be anticipated. Under that incredible litany of activity, it was difficult trying to rationalize the business line function and bring economic and fiscal rationality to this merger of units of government. It\u2019s a hurdle that continues today, and I think even my successor\u2019s successor will have similar challenges. Also, from the policy and security point of view, we knew there were a lot of things we needed to do: build in multiple-layered defense and security measures around commercial shipping and aviation at the border. We needed innovation; we needed change.One struggle of CIOs and CSOs right now is convincing upper management of the ROI of security: It\u2019s the challenge of selling security. How do you go about doing that? I have a lot of empathy for CIOs and the CSOs because when they would like to beef up their IT systems and want to embed preparedness and recovery plans into their networks, they have to go to the CFO and CEO and say, \u201cI need X number of dollars to do this,\u201d and the first response they\u2019re going to get is, \u201cWhat\u2019s the risk? What\u2019s the threat? That\u2019s a big expense, where\u2019s the ROI?\u201d But I think in a more globally competitive marketplace, a more interdependent marketplace\u2014a post-9\/11, Sarbanes-Oxley world\u2014there are far greater vulnerabilities to a commercial enterprise today than ever before. It\u2019s not just about profitability, it\u2019s about the intangible asset\u2014your brand\u2014that\u2019s at risk. I would hope CFOs and CEOs and boards of directors would pay a little more attention to the risk assessment rendered by security officers or information officers when parceling out annual budgets. You have to manage the risks, and there are certain ones that need to be managed regardless of ROI. People buy insurance and hope they never have to use it. At the end of the day, that\u2019s an enormous expense. But it\u2019s an expense that we use to safeguard [against] the possible undermining of our brand or profitability. There are all kinds of pressures\u2014quarterly returns and market expectations\u2014but given the nature of the competitive world and the interdependency of the marketplace, 9\/11 and Sarbox, we better start paying a little more attention to CIOs and CSOs.What is the most important thing these executives can do in their organizations in terms of business continuity and disaster recovery? There are occasions in which the CSO or CIO can make a case for an additional security investment that has economic benefits. Perhaps it makes the commercial enterprise more productive or more efficient. You have to go on a case-by-case basis. The best way to convince the business you need to spend more money is to show it will yield a security benefit and a productivity benefit. But you can\u2019t ignore the reality that even if you can\u2019t show a strict ROI, these are expenses that buy you some extra protection in a world of greater vulnerabilities. And that expense, compared to the cost if something goes wrong\u2014if your supply chain is disrupted, if there is criminal activity or a disaster or a terrorist strikes\u2014is minimal.Did you view technology as central to preparedness before 9\/11? Or did that event change your view of the intersection of IT and security? I can\u2019t think of a company that doesn\u2019t use technology as its backbone for operations. So just like anything else, the first thing you do is protect the most critical thing to your operations, and that\u2019s IT. But the business enterprise today has a nervous system in IT which is basically the sine qua non of the entire operation. Security and risk assessment of IT systems includes looking for points of access in the event of disruption, safeguarding proprietary information and protecting consumer and customer information\u2014they are all related. I don\u2019t pretend to be a technology expert, but I\u2019ve known intuitively and instinctively that whenever you have an opportunity to embed technology with well-trained people around a very specific mission, you need to do it. You can\u2019t operate any entity, large or small, this day and age without a good IT system.How did technology affect the events on 9\/11? On 9\/11 we learned that the traditional means of communications within the first responder community was inadequate. We had different communication systems that were not interoperable. One of my great frustrations six years after the event is that there has been much discussion about interoperability but very little has been done about it. The FCC has indicated they are prepared to dedicate a certain spectrum on the broadband for a nationwide public safety network. They are to be commended for their vision and foresight.... I just wonder where Congress has been for the last five or six years. One can imagine the enormous benefit of data, voice and video being available to the first responder community, not just in the event of a terrorist attack, but so many other occasions. This goes back to the sense of complacency. One of the most glaring examples has been the failure to build a national system, and it\u2019s going to take years to get it to where it needs to be. Clearly, technology failed a lot of people on 9\/11. On the flip side, the people on United 93 were able to communicate with others and learn the fate of the other three planes. Armed with that information and more courage than most people can muster, they understood their fate had been sealed; they decided this was one commercial airliner that was not going to be turned into a missile. So there was good and bad. It was good enough to inform the passengers of United 93 but not good enough for the firemen and policemen on the ground surrounding the twin towers.Do you think our lack of progress in this area is a result of complacency, a lack of funding or a combination of both? I think funding is an issue. While local and state governments have some responsibility, a national system should be built by the federal government. We spend millions annually on communications, so there is plenty of opportunity to invest those dollars into supporting a new infrastructure. Over the last few years we\u2019ve expended billions on equipment and had we had a commitment to a broadband infrastructure, the money would have been more effectively used. Once the FCC gets this through, other jurisdictions will know where their dollars need to be spent in order to be compatible. It will revolutionize the intersection of public safety and security.You served in Vietnam. How can you apply preparing for disaster in a war to your work today? There are certain maxims that combat soldiers understand better than others. You need to train and exercise in a certain way. And if you fail to plan, train and exercise against certain potential challenges, and they appear, you are probably going to fail. Even within that environment you can\u2019t prepare for everything, so you have to be prepared for the unpredictable. There is a certain element of surprise associated with every crisis and challenge you face. But most people in the military will tell you that you reduce losses and enhance odds for success by having the right equipment, training and the right people. And it applies to the corporate world too. Have you empowered your CIO or CSO to look critically at your entire infrastructure and make specific requests? Do you have a business continuity plan and do you exercise it? Have you tried it out? There are basic lessons in regard to planning and training that are helpful because sometimes you don\u2019t have time to think, you just have time to react. But if you\u2019ve trained a certain way and planned a certain way, the chances are pretty good you will react the right way.