Security takes center stage

Doors that were usually left open before Sept. 11 at Precise Software in Dallas are now locked. Workers are quick to report anything suspicious - either in the building itself or online. And when something is reported, the company is a lot quicker to respond.

Precise Software may not have doubled its security budget or locked down its network since terrorist attacks ripped into the World Trade Center, but employees are on a heightened state of alert.

"I guess we have added to the security staff," says Kurt Ziegler, executive vice president of the $50 million performance software company. "Now, everyone is on the security staff. Now everyone is involved, and that's good."

Corporate users and industry watchers say IT executives are well aware of the threat from conventional and cyber terrorism. The Sept. 11 attacks, and the devastation that so many companies faced, sent IT staffs across the country running to double-check their back-up tapes and put in nervous calls to their hot-swap sites.

What Sept. 11 fears haven't done, at least yet, is cause CEOs and executive committees to recalculate and expand their security budgets. In this time of economic belt-tightening, even the fear of a corporate attack hasn't made extra monies flow.

On the other hand, security budgets are being kept intact while other areas are being cut.

In many cases, enhanced security already was in the works. And users interviewed say there's no plans to curtail those expenditures.

"What we're seeing is that security accountability has shifted from the IS staff to the CEO," says Elad Yoran, executive vice president of RipTech, a network security firm in Alexandria, Va.

"Security now is a strategic issue rather than a tactical issue. Woe is the CEO who hasn't taken the measures to protect the company," he adds.

Yoran says client calls dropped to nearly nothing in the two weeks after Sept. 11 and then immediately spiked back up early in October to rates much higher than before the attacks.

Dave Jarrell, computer security officer at the Federal Communications Commission in Washington, D.C., says the terrorist attacks forced the agency to be more vigilant, both in monitoring its network and in keeping upper management informed about their efforts.

"We've always been very aggressive about system monitoring and having a proactive approach to computer security," says Jarrell, who monitors the perimeter of the network and traffic on the inside. "We're just a little bit more aware of what's going on. . . . The entire population that focuses on security, whether cyber or physical, is more concerned about their programs."

And Jarrell says he used to report on security issues to his bosses as they occurred but now he makes weekly reports regardless of what is happening on the system.

"They have the assurance that on the cyber side of the house, everything is more attended to," Jarrell says. "There's more communication. It's more fluid now. . . . If nothing has happened, I let them know that so they have peace of mind."

That peace of mind - or lack of it, actually - is most of the problem, according to some analysts and users.

Most major companies have been aware for years of the potential of a large-scale, coordinated attack on corporate America. But now those concerns, which were in the back of people's minds, are in the forefront of their security thoughts . . . and those fears come with visuals, thanks to the images of the attacks that were played repeatedly on 24-hour news stations.

"There's more of an awareness of what could happen," says David Smith, network manager of C&S Wholesale Grocers, a $9 billion company in Brattleboro, Vt. "It's that knowledge of one's mortality. . . . It makes it all seem more critical."

That feeling of vulnerability - both at home and in the workplace - has users testing the security measures they've already had in place, according to Daniel Woolley, COO of NetSec, a security company in Herndon, Va. Woolley says NetSec has seen a three- to fourfold increase in customers asking for vulnerability assessments. And he says for the first time, nearly every client calling in wants to know if NetSec's people have gone through security checks.

At First American Bank in Illinois, a $1.6 billion financial institution with 32 branches, checking

its own security strategy in light of the Sept. 11 attacks means creating a plan to split up the company's IT team.

"Since Sept. 11, the issue of the geographical dispersion of our staff really heightened," says Noel Levasseur, executive vice president of IT at First American Bank. "All of our IT department is in one location. If we had something catastrophic . . . we might have systems running but no one to run them."

Levasseur says he now needs to figure out how to split up his IT team, whose members are used to working together. "I don't think it makes it more difficult to work but it makes the management challenging and the teamwork challenging," he says. "You can't always leave someone at a remote location. You need to rotate it."

Ziegler of Precise Software says it's important to make sure that changes in security strategy are changes with which workers can live - and work.

"People are much more amenable to security," Ziegler says.

"Before, it was a bother. Now they see the need. When someone puts rules in place, they're not complaining about it. . . . This is a good thing. It hasn't affected business. It's not intrusive and offensive," he adds.

Disaster recovery: then and now
Lehman Brothers' network survives
How ready are the nation's networks?
The terrorist network
Planning for the worst: Bring in the best
Spending shifts

How to start the disaster-recovery processes

Disaster-recovery planning advice

The latest disaster-recovery news