• United States



by Richard Power

A Corporate Security Strategy for Coping with the Climate Crisis

Oct 01, 200816 mins
Business ContinuityData and Information SecurityIT Leadership

Richard Power on how to adapt security and risk management policies - including IT security - to deal with climate change.

US military strategists, CIA analysts, international agency officials and Nobel Prize winning economists concur with the consensus of the world’s scientific community: the Climate Crisis is a planetary security issue, as well as a national security issue for each of the one hundred ninety two countries that belong to the United Nations. But the Climate Crisis is also, by extension, a corporate security issue, as well as, yes, a cyber security issue.

Of course, not every national security issue is a corporate security issue; nuclear weapons proliferation, e.g., is a national security issue that does not demand a direct and meaningful response from all corporations in every sector and at every level, or the security professionals who are responsible for protecting operations, assets and work forces.

The Climate Crisis, however, does demand a direct and meaningful response for corporations. This response is demanded not just by imperatives related to corporate social responsibility, but also on the basis of risk management and security.

Consider some conclusions drawn, not by environmental activists, or even just by scientists, but by military leaders and economists:

According to one Pentagon report revealed in 2004, “climate change over the next 20 years could result in a global catastrophe costing millions of lives in wars and natural disasters. &’Disruption and conflict will be endemic features of life,’ concludes the Pentagon analysis. ” (The Observer, 2-22-04)

In a 2005, Sir Nicholas Stern, former chief economist for the World Bank, warned that global warming could shrink the global economy by 20 percent, and that it would be cheaper to deal with the problem now than to deal with its consequences later.

In a 2007 report from an advisory board of retired generals and admirals said that “the effects of global warming, the study said, could lead to large-scale migrations, increased border tensions, the spread of disease and conflicts over food and water. All could lead to direct involvement by the United States military.” New York Times, 4-15-07

Earlier this year, in the first such statement of its kind, one thousand seven hundred of the USA’s most prominent scientists and economists joined in a call on policymakers to require immediate, deep reductions in heat-trapping emissions that cause global warming. Union of Concerned Scientists, 5-29-08

And a month earlier, the Royal United Services Institute (RUSI) issued its own study, which concluded that “if climate change is not slowed and critical environmental thresholds are exceeded, then it will become a primary driver of conflicts between and within states & if uncontrolled, climate change will have security implications of similar magnitude to the World Wars, but which will last for centuries&’ Reuters, 4-22-08

Seven Dimensions of Risk

This planetary and national security issue has inescapable consequences for the captains of industry and their stockholders; it is a threat that requires proactive and preparatory efforts by business leaders and security professionals.

There are three big questions to answer in regard to what the Climate Crisis means in terms of business risks and corporate security:

  • What do C-Level Executives need to know about the Climate Crisis as a security issue for the businesses they direct?
  • What do security professionals need to know about the Climate Crisis as a security issue for the businesses they protect?
  • What do Board of Directors members need to know about the Climate Crisis as a security issue for the businesses they oversee?

To develop some actionable answers to these tough questions, I brainstormed with some people of vision and depth of experience, including Regina Phelps, CEO of EMS Solutions. Phelps is a world-class business continuity, disaster recovery and crisis management expert, and has traveled from Antarctica to Mongolia (and most major metropolitan areas in between) helping corporate leaders get their minds around this issue.

She cites seven dimensions of corporate risk related to the Climate Crisis.

The obvious one is “Physical Risk,” of course, i.e., extreme weather.

As I write this story, grim news from the Gulf Coast served as a poignant backdrop: “Galveston stopped allowing residents to enter the city ravaged by Hurricane Ike, now layered in mud and debris without power, water or sewers.” (Bloomberg, 9-17-08) It was only three years ago that Hurricane Katrina devastated New Orleans. That’s two US cities in three years, and further evidence of an emerging trend.

According to Munich Re, the world’s insurance industry faced $75 billion of losses from natural catastrophes” (50% higher than the previous year) and “the number of natural catastrophes tallied 950 this year, up from 850 in 2006 and the highest figure since 1974,” when the group began tracking the information. (MarketWatch, 12-27-08)

But the other six are also of great significance, as Phelps explains:

  • Regulatory Risk: Expect regulation for the emissions of products that you make (I.e. car emissions) and/or for the manufacturing process that you use to create products.
  • Supply Chain Risk: “All companies will need to evaluate the vulnerability of their suppliers to potential regulation, the cost of suppliers complying with regulations, the geographical distribution of supplier network, etc.
  • Product and Technology Risk: Some companies will do better than others in coping in a carbon-restrained world. Those who create new climate friendly products or services will benefit.
  • Litigation Risk: Companies that generate significant carbon emissions will likely face litigation over time (like tobacco, asbestos, etc.). Swiss Re notes that there may well be personal liability for directors and officers.
  • Financial Risk: Citibank, JP Morgan Chase and Morgan Stanley, three of the nation’s largest investment banks, have developed new environmental standards to help lenders evaluate risks associated with investments in coal-fired power plants.
  • Reputational Risk: Companies that fail to seize the opportunity to demonstrate “good citizens” of the planet to key stakeholders respond will face the court of public opinion, i.e., consumer and investor backlash.

Kicking the Door Open

Another person of vision and depth of experience I brainstormed with was Steven Sams, Vice President of Global Site and Facilities Services for IBM Global Technology Services division. Sams is one of the drivers of IBM’s transformation from Big Blue to Big Green.

The story IBM has to tell is compelling and offers great promise for its clients and partners. For example, IBM itself consolidated 3,900 servers into 33 System z mainframes, migrated servers delivering largest savings first, eliminated assets with lowest utilization first, aggregated customer work portfolio to leverage strong customer buy-in, focused on freeing up raised floor space, and provisioned new applications to the mainframe. As a result, IBM reduced annual energy usage by 80% and total floor space by 85%.

Working with one of its clients, University of Pennsylvania Medical Center (UPMC), IBM helped UPMC maximize service level and mitigate costs by saving $30-40M over three years with Wintel, UNIX and storage virtualization, reducing from forty storage databases to two centralized SAN arrays, and consolidating one thousand physical servers to three hundred IBM servers (multiple platforms) and supporting increased business growth. In China, an $180 million reduction in annual operating expenses from consolidating thirty-eight to two data centers and improving business resilience. In Germany, a $7.2M in annual operational savings by consolidating four centers into one 3,800 square foot data center.

To meet with Sams, I journeyed to an IBM research center in upstate New York. The building designed by legendary architect I.M. Pei is organized around glass and metal pyramids, similar to those Pei designed for the Musée du Louvre in Paris. The specter of these pyramids added a dimension of timelessness to our three hour discussion on the how and why of going green. After all, IBM was one of the companies that was there at the dawn of the IT revolution, it is understandable that it is also one of the companies that is present here at the dawn of the green revolution.

We discussed going green to battle energy costs as a way to kick open the doors of perception in the executive suite and the board room.

IT consumes two percent of the energy produced on the planet. Currently, IT-related energy use is doubling every five years. If this doubling continues, then IT energy use will increase sixteen times over the next twenty years, and consume just over ten percent of the total energy output of the planet by 2030.

We talked about putting this projection in a personal context for executives, i.e., spending billions on energy over the next five years. The numbers are potentially unbelievable when the future is mapped out. If a client spending at a rate of $2.6M per year on energy, doubled energy use every five years, then they will be spending $41.6M a year of energy in 20 years at today’s prices; and at a 10% inflation rate for energy per year the $41.6M becomes about $278M.

“Can you imagine a bill of $2.6M per year escalating to $278M per year by 2030?” Sams remarked. “It is unaffordable; something else will have to change.”

We also talked about the significant impact of switching to water for cooling on server racks. Water requires a lot less energy. “Data Centers typically use air conditioned cool air to flow through technology to cool it down,” Sams explained. “Water is much more efficient for technologies that generate more than 30,000 watts of heat per rack.”

We talked about how to reach different C-level executives in different ways: e.g., with the CIO, Sams suggested emphasizing IT flexibility, i.e., being able to have current data centers support new low-cost and highly scalable technologies like blade servers; with the CFO, Sams suggested emphasizing the cutting of costs both for the growing energy bill (typically 40-50% savings) and capital cost of building a new Data Center if they run out of power and cooling capacity; with the CEO, Sams suggested emphasizing the image of the environmentally supportive company, e.g., $1 million dollars in energy savings a year is equivalent to one thousand cars off the road or 2.7 million pounds of coal not burned in a coal-fired energy generation plant.

Elements of a Corporate Climate Crisis Security Strategy

Here is a seven-point corporate Climate Crisis strategy for CSOs and CISOs to promote within their organizations.

1. Intelligence: Monitor the business risks on the global, national and regional scales as well as in your industry sector. Organizations should be closely tracking climate change in their region, and in the regions that they rely on for resources and our markets, and on a planetary level, and regularly re-evaluating the impact and implications on business operations, personnel safety, etc. Organizations should be pondering how climate change in their regions and at a planetary level impacts other types of risks and threats, and how they attempt to mitigate and cope, e.g., collapse of governments, displacement of populations, organized crime, violent conflict, pandemic and other health issues, travel security issues, natural disasters, etc.

Phelps agrees. “Operative word is should. Globally most international companies will look at traditional risks such as physical security, natural disasters (e.g., flooding, cyclones, tsunami, etc.) or counterfeiting, brand infringement and sabotage. Since Climate Change will likely cause increases in natural disasters, human disasters (famine, migration, border tensions, diseases, etc.) and national security issues (just to name a few), it should be on the recognized list of “known risks” for all companies to plan for.”

But does she see it getting done anywhere?

“No. There is more discussion about it outside the US, but here in the US I know of no global company adding climate change to their risk assessments.”

2. Understand your business’s carbon footprint. Actually looking at the numbers is going to blow your mind. Such an assessment will produce plenty of surprises. Both in terms of how much greenhouse gas your organization is turning out, and in terms of how much your current level of emissions can be reduced. You need to know where you are in order to get to where you are going.

3. Green Power: Go green, particularly in your IT environment. Imagine the impact on your carbon footprint if you couple the kind of cost-cutting and energy-saving designs IBM and other technology giants are working on with the many building sector schemes to construct all-green facilities or retrofit existing facilities to turn them green. Imagine virtualization on the inside and solar panels and wind mills on the outside. This is not a Utopian dream, this is a business imperative.

4. Business Continuity: Re-evaluate and revise business continuity, disaster recovery and crisis management plans and capabilities. Plans and capabilities should be re-evaluated and revised to cope with events of greater intensity, greater frequency and greater duration. Plans and capabilities should be re-evaluated and revised to cope with the increased likelihood of multiple crises and/or disasters simultaneously. Plans and capabilities should be re-evaluated and revised to cope with different kinds of events than previously thought likely for region, e.g. tornadoes in downtown Atlanta.

Again, Phelps agrees. “Without a doubt&.this will also provide fuel to the current fire for voluntary certification for crisis management in the private sector being driven by Title IX of “The Implementing the 9/11 Commission Recommendations Act of 2007″ (Public Law 110-53) which addresses a variety of other national security issues as well. It was signed into law. Risk and hazard analysis will have to evolve to meet the changing environment. Insurance companies will drive a lot of this change&mdashlikely to require more extensive research on the risks and appropriate planning for coverage to kick in.”

But, again, does she see it getting done anywhere?

“The planning I see is not under the umbrella of Climate Change but of the symptom& flooding, severe winter weather, etc. My Midwestern clients have had more activations in the past few years than in all of my 26 years&. they have been rather risk-free’ for years but I believe that is all changing. To borrow George Lakoff terminology&mdashthis is a framing issue. You could literally rephrase an entire risk assessment/hazard analysis and at the top list Climate Change’ and then as a subset below it list all of the impacts&mdashdrought, flooding, severe winter weather, more hurricanes, etc.”

5. Develop climate change awareness and education program for your workforce, offering guidance for going green in both professional and personal lives. A few years ago, I proposed utilizing the existing delivery system for security awareness and education programs, e-mail newsletters, intranet web site, annual events, training days, wall posters, etc. to provide Climate Crisis guidance to the work force, i.e., both what they need to know to adapt at work, but also what they need to know to adapt in their personal lives. “Why would we want to do this,” was the push-back, “it isn’t our responsibility?” “No,” I responded, “it isn’t your responsibility, it is your opportunity.”

6. Mobility, Travel Security and Virtual Reality: The Climate Crisis area will demand thinking outside the box on the culture of the road warrior. It is not as simply as decreeing that there should be less travel to reduce the size of the carbon footprint&mdashalthough that will certainly be a vital aspect of your overall approach. It will also require, ironically, a new commitment to greater, more powerful and more sophisticated mobility technology. In a world where extreme weather events and population displacement can occur anywhere anytime, the 21st Century workforce will have to be equipped to re-establish their work environment anywhere anytime. Furthermore, greater attention will have to be invested in travel security. You will want to know where people are going, and be able to weigh the risks against the advantages, you will want to be able to track their itineraries and contact them at a moment’s notice, you will want to pay more attention to equipping and training them. In short, we will have to expand virtual meeting capabilities to reduce physical travel, increase mobility technology to ensure that business can continue in challenging new circumstances, and evolve travel security program to adapt to deteriorating conditions in areas of the world hit early and hard.

7. Cyber Security: Two important points to stress. Remember the old adage of Confidentiality, Integrity and Availability being the pillars of information security? Well, the Climate Crisis touches on all three. Just as with the seven areas of related risk, the most obvious, is the one that relates to physical reality, i.e., in the era of Climate Crisis, the pursuit of availability becomes ever more vital and ever more elusive. And not just because of disruption due to hurricanes, tornadoes, floods, wild fires, etc. but also because of spiraling demand for more and more energy drawn from overloaded and deteriorating infrastructures to combat ever colder winters and ever hotter summers In regard to confidentiality and integrity, there will also be emerging issues that have yet to be properly addressed. New technology brings new vulnerabilities. In the rush to go green, many new technologies will be designed fast and deployed in haste. To the extent possible, security concerns should be factored into this accelerated R&D curve. But just as with the IT revolution, it is likely that security will be at best an afterthought. So those organizations adapting these new technologies must factor security assessment into their evaluation, testing and deployment processes.

Whether I am speaking about these issues with C-level executives, corporate Board members or security professionals, I encounter the same mix of responses: some people’s eyes glaze over, they cannot make the connection, some people’s eyes hardened, they refuse to make the connection, but there are other’s whose eyes light up, they have already made the connection and they are looking for affirmation and support.

Remember, in the 21st Century, as physical space and cyber reality become increasingly integrated and inter-dependent, physical security issues significantly impact cyber security, and cyber security issues significantly impact physical security

If you prioritize 21st Century risks, the Climate Crisis not only ranks at the highest level of concern (along with nuclear proliferation and pandemic), it also impacts every other risk, either directly or indirectly.

The orderly threat matrixes of the 20th Century are breaking down into a toxic soup, in which risks will interact on each other in new and dangerous ways:

  • Organized crime in Eastern Europe, East Asia, etc.
  • Failed States
  • Terrorism
  • Cyber Crime and Cyber War
  • Infrastructure Failures
  • Natural Disasters
  • Pandemics
  • Nuclear Proliferation
  • Food Security
  • Water Scarcity
  • Extreme Poverty
  • Economic Insecurity
  • Etc., etc., etc.

You can choose to hang back and stay in the pack, you can choose to get out ahead and lead, or you can deny that there is a race at all, but which ever strategy you choose, in a few years from now, there will be no place to hide. ##

Richard Power is a Distinguished Fellow at Carnegie Mellon CyLab. He writes, speaks and consults on security, risk and intelligence issues. He has conducted executive briefings and led professional training in over thirty countries. Power is the author of five books. Prior to joining Carnegie Mellon, Power served as Director of Security Management and Security Intelligence for the Global Security Office (GSO) of Deloitte Touche Tomatsu and Editorial Director of the Computer Security Institute.