Where Do We Go From Here?

Six experts offer their ideas on the future of the CIO role, the supply chain, just-in-time manufacturing, security, management and other issues affected by the terrorist attacks in the US.

It has become a clichA©: The September 11 terrorist attacks on New York City and Washington DC changed everything. But"everything" covers a lot of ground. What, specifically, has changed, and how does it affect the way companies do business? Even more specifically, how does this new world look from the CIO's seat? CIO asked six experts what CIOs should expect and do in critical areas including security, supply chain and staff management in this putatively altered worldGlobal Business.

Importance of IT Just Went Up

David Dobrin-President, B2B Analysts, and CIO (US) WorldView columnist.

Before September 11, many people thought we'd have a mild recession. No one believes that any more. In certain industries - like electronics - people just aren't buying anything.

CIOs need to provide timely, accurate reports on volatile business situations and do so with limited resources. For global and multinational businesses, this can be complicated. Many such companies have B2B systems with suppliers and partners. But what happens when things break down? For example, transportation across borders is no longer as reliable as it was before September 11. Companies are very high velocity these days. Even having two weeks of demand disappear creates all sorts of surprises. For example, your company may have to build up inventory, but that's expensive. What if you run out of warehouse space? The integrated supply chains companies have built can only tolerate so many variables.

Companies will have to redesign their supply chains. There will be less belief in the highly integrated, low-lead-time, low-inventory supply chain stitched together with IT. CIOs need to provide the business with the capability to be more responsive, to get advanced warnings from customers, to look at point-of-sale data from retailers and feed that back to manufacturing. In a recessionary environment, IT can make a huge difference because it can give companies early warnings about changing business situations.

Another big change will be in how business gets done. It's absolutely clear that people aren't travelling, but multinationals still have to communicate. There's a demand on IT to use the Internet and telecommunications to accomplish what travel enabled before.

Suddenly there's this huge demand for technologies such as teleconferencing and videoconferencing that previously few CIOs thought to be important. And it's not just a question of installing technology. In virtual meetings, many participants don't pay full attention. They are answering e-mail or surfing the Internet. With such technology-facilitated meetings replacing personal communications, these contacts should be shorter and occur more frequently. Virtual meetings should also be supported by documents; action items written down at one meeting should be part of the agenda at the next meeting. Essentially, meetings have to be approached with a different discipline, and that will take time to learn.

Intercompany communication on a global scale also has challenges. There are cultural issues as well as practical ones like time-zone differences. Using technology to communicate instead of face-to-face contact has implications for network support, usage policies and firewalls. The good news: for multinationals, connection to the Internet isn't much of an issue, nor is reliability. The Internet was designed for a nuclear attack.

The cost of business travel will now be spent on technology. CIOs will now be responsible for a large redeployment of resources. As communication technologies replace travel, the technology itself becomes more important. And that means that managing the technology is more important.

Page Break

Plan for People, Not Just Systems

John McCarthy--Senior manager in information risk-management practice, KPMG (US).

One of the great lessons of this tragedy, and others in the last decade, has been helping company leaders to see the people in their organisation as part of the risk-management equation. Most companies have a business plan for technology failure - things like someone putting bad software on the system or dealing with a security or hacker threat. Now what we're seeing post-September 11 is the recognition by leadership that there's an even greater need to understand people processes in the context of risk management and disaster recovery.

Companies need to think about how they will take care of their employees, account for the missing and deal with the families in the event of a fire, a flood or an explosion in the building. How will you take the services and processes handled by those people and transfer that responsibility to another part of the organisation so the business can continue while you're dealing with a disaster? You can't let a major disaster draw the attention of the entire organisation and stop it from doing anything else - you have to look at how you can separate the tragedy from the necessity to keep delivering services. You have to know what the critical functions are and how to continue them in the face of disaster. How will you communicate internally and externally? You must figure out how you will talk to industry peers and associations, and how you will deal with state, local and federal authorities. Also, think about how you will communicate with customers. How will you talk to them about the status of your business and your employees, particularly if the business - say, a financial institution - has a piece of the customer's money?

A big lesson for CIOs and other leadership is that continuity management is not a line function. It's a core function that must be managed from the top of the organisation. CIOs are familiar with this, as they have long argued that technology also cuts across the business and needs attention from the executive team. After September 11, CIOs will have a lot more credibility when making arguments for replicating critical systems. The case has been made graphically for CEOs that the kind of discussion that has gone on at the CIO and CFO level in terms of risk management aren't way out there - they need to be addressed ahead of time.

The watchword coming out of this is going to be enterprise risk management - no more point solutions. If you want to survive something this extreme, an enterprise approach is what will make the difference between making the business go or not.

Page Break

Build Safety Stock, Consider a Domestic Supplier Yosef Sheffi-Head of The Centre for Transport Studies, Massachusetts Institute of Technology (MIT).

I think security is a long-term issue, and it may lead to some of the following mitigation strategies. One is deciding which parts are crucial for your production line and which parts can withstand a longer lead-time. Usually these decisions are based on how well you can forecast demand for these items and how good the forecast is. For harder-to-forecast items, companies may want to start building some safety stock, but for the bread-and-butter items that are replenished day in and day out there will not be a big impact. Original equipment manufacturers are not going to increase their safety stock for items across the board - just the ones that are hard to forecast.

The other strategy is to have good suppliers. For example, the majority of your stock may come from overseas at low cost, but now you will have a secondary local supplier to whom you have to give some business right now. You can't just keep them on standby. People always knew that you had to have more than one supplier, but it was OK to have one supplier in Taiwan and one supplier in Singapore because, while one might have political or labour problems, you always had the other. Now, introducing security into the equation, I may want one abroad and one in [my home country].

Just-in-time manufacturing is here to stay. Smart companies may build some safety stock, but it will be independent of just-in-time. They will not give in to the temptation of using the safety stock because there are lots of other benefits of just-in-time besides low inventory - specifically high quality and quick diagnosis of supply chain problems. With just-in-time you don't have inventory to cover up your problems. Now you will have to act as if you don't have inventory even though you do.

Inventory is a security blanket - it allows you to cover up your problems. The key to running just-in-time is to cover yourself from supply chain disruptions with some inventory or a local supplier. It will be a mistake to move to just-in-case.

The decision of when to use your safety stock depends upon the fundamental difference between something you control and something you do not. For example, if you have a disruption because terrorists attack the World Trade Centre and the border is closed, there is nothing you can do to fix it. Then you use your safety stock. However, if your supplier starts shipping defective material, stop the line and fix the problem immediately as if you don't have the extra inventory. With safety stock, the temptation is to say:"We have inventory, don't worry about it."But that's exactly when you need to address the problem.

Page Break

Lead Them Through the Transition

David Foote-Cofounder and managing partner, Foote Partners.

When I talk with executives, one of the first references I use is Charles Darwin, who said:"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change."

Change is the easy part; changes are situational, external. Transition is the response to change. Transitions are psychological, internal, focused on an ending. People don't like endings. A transition is the end of something but also the beginning of something. But in-between is scary. Employees are focusing on what we're losing - that's happening big time right now. They know that life is not going be the same, but they don't know what that's going to be like. It's a transition to an unknown.

What you have to do for employees is create temporary systems to get through it. You need to strengthen connections [between employees]. It's interesting how people are using intranets to get through this. People are on the road or working from home; the workforce isn't all together in many organisations. What has happened is they've been taking these bland corporate intranets and turning them into boards where employees can talk to each other. They post what they're feeling where others can see it and respond. It's a great example of a temporary system.

You want to help people define the transition. You do this by defining what's over and what's not. Not everything is over. Right now a lot of conventions and events are being cancelled. Some travel is curtailed, some projects are cancelled - but a lot of things are just being pushed out. You know, a lot of people measure their careers by their projects. Tell them:"We haven't cancelled that project." Layoffs are still on people's minds. That was happening before September 11. Now, even people who aren't being laid off are saying:"Maybe I should circulate my rA©sumA©." Tell them:"There will be no layoffs; we're not cancelling projects." Or:"Here's who's being laid off: them, but not you." Or:"We're cancelling one thing but nothing else." Don't lose people over this.

Executives need to change the metaphors to lead employees into the next phase. Leading by metaphor is about redefining things. Executives need to talk about what their companies stand for instead of just what they do.

This is where real leadership comes in. A lot of executives who are dealing with this really aren't leaders - they're managers. Strong leaders are showing their stuff right now. Their companies are the ones that were talking with employees and customers right away.

Page Break

Balance Change with Routine

Joseph Badaracco-Harvard Business School professor, leadership and ethics.

The first thing for managers to consider is the importance of preparation. It's true that preparation for Y2K helped many CIOs on Septem-ber 11 because they had redundant systems.

So contingency planning is important. But the kind of contingency planning most people do is"best case plus 20 per cent","worst case minus 20 per cent". September 11 presents us with a much more dramatic situation.

But there's only so much you can do. There will always be things you can't foresee. What you can do as a manager is keep all lines of communication open so you can communicate quickly when something unexpected happens, even something drastic. You've got to be ready to scramble - and not just as an individual but as a team. The team will always be more resourceful than a single person. Scrambling means learning about what's happened quickly and formulating a response.

Another thing to consider is that it's going to be very hard for people to differentiate between long-term and short-term changes after the September 11 attacks. One scenario is that we really stamp down terrorism. Another comparably probable scenario is that there are more attacks, and [the US moves] to an Israel-like state, with permanent insecurity. Those are radically different worlds. It's going to be hard to know for a while how things will turn out.

If flying is an inescapable part of someone's job and they refuse to fly, at some point you're going to have to find somebody else to do the job. At some point, the work has to go on. But somebody who says:"I can't deal with flying now" might be willing to fly in a month.

Try to think creatively about other ways to get business done. My sense is that people relied on planes vastly more than they needed to. The cost and inconvenience of flying is very high. We're getting streaming video from Afghanistan right now; I don't understand why everyone's got to fly to [conduct business].

Page Break

The World Hasn't Changed. We Have

Bruce Schneier-Author of Secrets & Lies: Digital Security in a Networked World, founder and CTO, Counterpane Internet Security.

People think everything has changed. Is air travel more dangerous than it was a month ago? No. Are there more terrorists? Actually, there are fewer terrorists. Is the world more dangerous? No. Is jet fuel somehow more lethal? No. [The US] is very much a bright-shiny-object sort of culture. We'll talk about whatever the bright shiny object is, and if the bright shiny object changes next month we'll talk about that. Right now, security is important. But will anything change? Who knows? Ask me in six months.

Wake-up calls are dime a dozen. Why wasn't the Code Red worm a wake-up call? Why weren't the denial-of-service attacks on sites like Yahoo and eBay in February 2000 a wake-up call? So here we are. We've got the largest loss of life in [the US] , and now this is a wake-up call. Is it really? You've got to hope so. We need something that will convince people that security is important. This might be it.

If, indeed, this physical attack changed people's perception of electronic security, then this talk about an electronic Pearl Harbour, a massive, high-profile cybersecurity breach, was wrong. It took a real-world attack to convince companies that there was a cyber risk. I would not have expected that. The question is: Is it permanent or just the thing I'm worried about today? I'd like to think it's permanent, because the threats are real.

Cyberterrorism is something that can be done. It takes a lot of expertise, but you can be safely at home in your own country and launch your attacks. You don't need a lot of logistical support. You do need expertise that your average terrorist doesn't have, even a terrorist who can fly a plane. I have a feeling cyberterrorism is going to happen, just like we see cyberorganised crime. You go where the money is; you go where the bang for your buck is. And as more of our critical systems go online, that'll be where terrorists launch their attacks. The Internet is really a target-rich environment, but most of the targets hackers select are dorky targets. So you knock down a CNN Web page, big deal. If you could knock down the power grid . . . But flying planes into buildings is a completely different league. If you're willing to do that, cyberterrorism is kid's stuff.

CIO staffers Simone Kaplan, Susannah Patton, Edward Prewitt, Megan Santosus, Sarah D Scalet and Ben Worthen interviewed the experts