Rethinking Supply Chain Security

Aside from improving the security practices of your partners, this helps "socialize" security with your partners so that, in due time, this will be commonly recognized as an important central business function-rather than a secluded auxiliary compliance or cost-reduction subgroup. In practice, this upstream and downstream collaboration should include contractual requirements for secure systems, with a logistics "standards of care" defining security conditions for shipment movements. Ideally, these "standards of care" are developed together by shippers and carriers to take best advantage of their relative expertise and interests. For example, specific low-theft routes may be defined for specific product movements, with stops limited to previously-approved high-security locations for limited periods of time. As the saying goes, freight at rest is freight at risk; so these standards often call for limiting stops and downtime on freight hauls.

Collaboration in securing the supply network should also extend to include law enforcement officials in security planning, simulation training and drilling, and incident investigation. Groups such as the Los Angeles County Sheriff's Cargo Criminal Apprehension Team (popularly known as the Cargo CATS) work with the various parties handling and responsible for cargo-including insurers-to reduce theft, recover stolen cargo, and develop critical information to increase conviction rates and inform the public about the risks. Additionally, U.S. Customs and Border Protection (CBP) runs several programs and initiatives, which are mentioned in the next section, to increase cargo security in conjunction with industry, offering faster customs clearance rates for those participating in the programs.

In the course of studying security practices of the most progressive industrial firms, we have observed four different levels of response that outline a progressive pathway towards a high-functioning, secure, and resilient security system.

Our studies also indicate that there are several different paths to the same end objective. While there is no one path that is optimal for all, firms may find this useful as a stepping stone to compare progress against and to guide future system development. While these observations will not guarantee results, they appear to be the practices that leaders adopt and therefore warrant study and potential reapplication to those interested in learning from leaders.

Basic Initiatives: This first level of security response showed firms engaging in multiple efforts that are important but focused. These firms have mainly beefed up existing security initiatives. Basic initiatives include:

- Physical security measures. Added access control, badges, guards, camera systems.

- Personnel security. Conducted criminal, credit, and background checks on potential employees.

- Standard risk assessment. Put added consideration of risks such as fire, flood, vandalism, utility disruptions.

- Basic cyber security. Added anti-virus software, firewalls, passwords.

- Continuity plan. Produced for internal purposes and small-scale incidents as well as how to recover within one's own operations.

- Freight protection. Conducted employee background checks, added cargo seals, tracking technologies, and sensors.

Reactive Initiatives: This second level showed firms that went beyond Basic Initiatives and illustrated a deeper understanding of their vulnerabilities as evidenced by their actions. These firms added supply chain security initiatives since September 11. Reactive initiatives include:

- Larger security, risk, or business continuity organizations. Firm increased commitment either through reallocation of human or capital resources.

- C-TPAT compliance. Firm filed an application for compliance, perhaps as a result of internal leadership or government pressure.

- Analysis of supply base. Firm better understood supplier capabilities in the event of disruption.

- Supply continuity plan. Consequences of September 11 and the threat of a new disruption in supply lead to the development of dedicated continuity plans.

- Limited training. Firm selected employees to receive training or education on what our research group has termed Level 1 and Level 2 initiatives.

Proactive Initiatives: This third level went beyond Reactive Initiatives and added new initiatives that expanded beyond the firm to include suppliers, customers, and law enforcement officials on improving supply network security. Proactive initiatives include: