
Copyright 2001 John Zipperer. 

From and copyright by Internet World:

Just-in-Time Recovery
IBM's disaster-recovery services put emphasis on continuity

By John Zipperer

(11/01/01) Whether as a result of acts of God or humans, your company is in dire straits, facing potential or even actual catastrophe, and you need someone to set things right again so you can stay in business or get back in business with no disruption visible to your customers. Your needs range from office space to fill-in staff for lost employees and from workstations with laptops to network connections for your up-to-the-minute databases.

Welcome to the business of disaster recovery, which deals with dramatic worst-case scenarios, ranging from hurricanes to fires to terrorist attacks. It is an industry that IBM has tackled as a natural outgrowth of its vision of itself as the essential corporate technology-solution provider. The origins of IBM’s business continuity and recovery services (BCRS) unit, part of its huge global business services efforts, go back to 1989, when the unit had a more-limited focus on backup and recovery for its mainframe and mid-range customers.

“Our focus nowadays is more on creating business-continuity programs for customers,” says Patrick Corcoran, director of development for BCRS at IBM. “We want to focus on the business processes,” not just the technology. In short, that means focusing on whatever is critical to a business, whether it is accounts receivable, payroll, inventory, or anything else that needs support. Corcoran says rapid recovery is increasingly the focus of companies, especially in the financial industries. At issue are how quickly business data can be back up and running, and at what point the data was backed up; you will have lost everything beyond that point.

IBM has 17 facilities in the United States to support its BCRS clients, a group that includes Chase Manhattan, Eli Lilly, and Gillette. Common threats to a company’s uninterrupted operation are power outages and weather disturbances. Uncommon threats require the mobilization of the entire company.

On Sept. 11, Corcoran was in his office in upstate New York at 8:55 a.m. ET when an employee told him a plane had hit one of the World Trade Center towers in New York City. At the same time, a customer called in and declared a disaster. Corcoran says he really knew how big a disaster it was when he watched the live television broadcast of the second plane hitting the other tower. The BCRS team around the country went on alert, making available a pool of skills for a variety of technology and business needs.

The date of the attacks coincided with peak hurricane season, according to IBM spokesman Clint Roswell. With plenty of experience dealing with hurricanes Floyd and Georges in past years, IBM was in fact already tracking a new tropical storm. That meant the IBM disaster-recovery team was prepared for a disaster, just of a different sort.

“This wasn’t your normal hurricane disaster,” Corcoran says. “This was a regional and national disaster.” As a result, a second emergency-operations center was set up. With 1,200 customers located near the World Trade Center, IBM’s BCRS unit had its job cut out for it finding office space for the affected companies. IBM even leased out open space in its New York–area offices, a practice shared by many other companies in the city, including this magazine.

But even IBM customers who weren’t BCRS clients called needing support. These requests were more narrow than the others and focused more on end-user support. (Expensive WTC office space wasn’t an economic location for many data centers.) They needed help with office space, networking, LANs, WANs, dealing with phone companies, and similar matters. Corcoran pulled together thousands of staff members to contribute a broad set of skills.

In the days after the attack, BCRS clients moved from shock and resettlement to face the “what next?” question. Whatever the answer, IBM plans to be with them the whole way.

Global Business Monitor
A Security Giant's Inroads Into Asia

By John Zipperer

(11/01/01) Seth M. Jutan has nine phones. The CEO of TrustAsia, VeriSign’s Southeast Asian affiliate, spends so much time on the road—well, actually in the air, flying from country to country—that he wants to make sure his customers can reach him any time and any place. It’s part of his emphasis on customer relationships, and if the stress of setting up operations across at least 12 Asian countries doesn’t keep him up at night—and he claims it doesn’t—then the late-night phone calls may do the trick.

TrustAsia set up offices last year in Singapore, from which it plans to spread to other Southeast Asian countries. It also has an office in Shanghai that it uses specifically to target the Chinese market in “northern Asia.” With operations that range from Thailand and Laos to Indonesia and many countries in between, TrustAsia is working with governments to build, step by step, the agreements that will allow the company to establish its authentication, security, and other services in each country.

Singapore was chosen as an initial base of operations because of what Jutan characterizes as its superior infrastructure. The company obtained a multistory building that it reinforced with a metal shell. The legal infrastructure was also attractive. Jutan calls Singapore “one of the most progressive countries in the world for technology.” Government grants, technology incubators, and other projects are used to promote technology aggressively. Singapore also boasts an electronic transaction law that serves as a model for other Southeast Asian governments: Thailand, Indonesia, and the Philippines are said to be basing their own e-commerce legislation on it.

But TrustAsia’s biggest market is China, where Jutan spends a lot of time responding to government concerns about information security. For a company like TrustAsia, that’s not a problem. In turn, the company has access to a wealth of native encryption and security talent. “I would argue that today in China you can get the highest level of security skill sets of anywhere in the world,” Jutan says. He hopes to leverage those skills.

“China’s our largest market,” Jutan says. “In Singapore, we’ll meet our goals; it’s very much a financial services hub. China is a very large developing market. We’ll make our projections.” In the rest of Southeast Asia, Jutan is already working to build up an infrastructure of certificates, domain assistance, and the other meat-and-potato offerings. TrustAsia has also been involved in advising the e-ASEAN initiative of the Association of Southeast Asian Nations (ASEAN) on developing e-commerce information security guidelines, which should assist the company’s entry into other nations. Jutan is already planning his company’s move into Thailand.

“One of the things I learned in Asia is that you don’t just arrive,” says the South African-born Jutan. Offices must be set up well ahead of the time when you expect to start work, and the local government must be consulted. And dealing with local businesses may be very different from doing business in the United States, where companies may generate deals worth $100,000 or more over the phone. In Asia, Jutan says, face-to-face meetings are more important, even if it’s only to meet the CEO at the start of negotiations to set the tone of the relationship. It’s that need for face time with customers that keeps Jutan busy juggling those nine phones.

Security Matters Newsletter
Private and Public Partnership Opportunities Becoming Clearer

By John Zipperer

(11/08/01) Two things are becoming clearer about information security in these early months after the September 11 attacks: first, there will be expanded government attention paid to info security; second, the government is looking toward the private sector to provide ideas, products, services, and other participation. Those messages came through loud and clear in a Web-based press conference last week that brought together representatives of business and the federal government to discuss cyber security.

Congressman Sherwood L. Boehlert, who hosted the conference, told participants that "What the recent anthrax attacks and the attacks of September 11 have in common is that they turn our own basic systems of daily connections against us -- in those cases, our postal system and our transportation system. Turning our computer systems against us would seem to be a logical extension of that mode of operation."

He explained the government's view of the situation, noting that Congress' Science Committee had recently issued a report that made four points: first, the United States has made a "woefully inadequate investment" in computer security; second, we're not drawing enough top research talent to the computer security field; third, the federal government lacks an agency dedicated to research and implementation of improved computer security; and fourth, market forces have failed to give private industry enough incentive to invest in computer security.

It was that last point, in particular, that stood out in the conference, and the private industry representatives rushed to offer ways of meeting the need -- and by so doing, they demonstrated that those market forces may be getting a heavy boost from government and private concerns over security in the post-Sept. 11 era. Also at the conference was Paul Kurtz, President Bush's director of critical infrastructure protection, who announced that there is a movement to centralize the federal government's authority over its own cyber security. As part of that movement, Bush is interested in forming a board that would coordinate critical infrastructure issues among all government agencies. Kurtz assured industry representatives that one of the board's goals "is to offer a conduit through which the ideas, products, and resources available in the private sector can be passed to the whole range of government agencies."

Stressing that "all boards work -- we must work -- in partnership with the private sector," Kurtz said the government needed to draw on the resources of the private sector, and as part of that effort would create an advisory council of CEO-level corporate executives. The reaction from the conference participants was positive.

"I find it heartening that in this process, the government is understanding of the creativity of the marketplace and is looking for answers as well as solutions," said John Conlin, COO of Vericept. "This is a great idea."

It now means the private sector needs to deliver. Connected Corp. CEO Bob Brennan said, "The onus is upon private technology providers to present solutions in addition to providing security [to] lower the total cost of doing business, and in many cases that is true today."

The needs for private industry to meet include improved detection, maintenance, and reaction systems. Companies need to do a better job of keeping their own systems secure -- both to protect their information and systems, and to prevent their systems from being used as a launching base by third parties to attack other systems. The Center for Digital Government recently issued a paper calling for technology companies to "examine their products and services to see if they can be utilized in Defense of the Homeland efforts. If they have solution sets that can be deployed for these purposes, they should quickly bring them to the attention of the appropriate government customers. Good solutions may be overlooked because vendors fail to explain their applicability."

If that last sentence is true, it would truly be a historical failure of vendor public relations. As anyone who has been reading their inbox knows, companies are already stepping up to promote computer and information security products that were either already on the market or that are being launched now to meet the new demand. For example, Document Technologies launched RemoteMAIL at the end of October. The product addresses the concern over contaminated postal mail; it converts hard-copy mail into PDF attachments that are then mailed to the original recipient.

Other products and services are being rolled out or are being reintroduced. That part of the challenge seems to be a straightforward one for private industry to meet. The part that is less clear and that will develop over many months and years is the issue of whether enough investment in research and development for future products will now be put into the pipeline.

Security Matters Newsletter Commentary
The Years After: Businesses Need to Prove that One Wake-Up Call Is Enough

By John Zipperer

(11/08/01) The cartoon image we've probably all seen many times has the character getting into a car crash, getting out of the car, and then doing a body check -- touching his legs, feet, arms, chest, head -- to make sure he's all there. Andersen's Risk Consulting Group has issued a report that suggests companies essentially do a body check, as well as reconsider their car and driving habits. It's good advice.

In the recently issued "The New Reality: Report on Key Risk Considerations for Business Post-September 11, 2001," Andersen deals with many aspects of steering your business during wartime, but for us here, the focus is on the way it addresses business continuity management and information security.

And in those areas, the report is right on target. It urges companies not only to have a business continuity plan (we all do have one these days, don't we?), but also to make them living documents that are regularly checked and updated, as well as being communicated to all members of the organization. All of that is easier said than done, but corporate security chiefs probably have more room to maneuver today than they would normally have in times of tight purses. Companies have recently realized just how vulnerable their connected businesses are, and how the losses in information, people, money, customers, and public goodwill from a catastrophic failure -- along with the international situation -- have increased attention on vulnerable systems (and have shined the light of concern on many of them for the first time).

But besides urging companies to update and enforce their business continuity preparedness plans, the report makes a suggestion that may be more controversial in addition to being unnecessary. "Recent events have demonstrated the need to assess the company's dependence on third parties (e.g., key supply vendors, customers, outsource service providers) to support or provide services and resources that are critical to operations, and evaluate alternatives to mitigate risk."

We would argue that it is necessary to reassess those arrangements, but it should be done more with a goal of making them work than of striking out all on your own. We may be too far down the road of outsourcing and business chains anyway to have them undone, but don't assume anything. (Remember that the last great wave of globalization was undone by a world war and a depression. We have, in a manner, been here before, and American business and government took the wrong path of self-sufficiency then.) You may not be able to afford to scrap such arrangements in this day of tight budgets anyway. What you need to do is still heed Andersen's advice to a degree by working with your third parties, and if they refuse to meet your higher standards, then you may have to replace them with someone who will. And trust us, there will be a market for companies that do, so there will definitely be someone to replace any laggards.

Work with your third parties to make sure they understand your security needs and the need for their systems to be no threat to yours. Service-level agreements will certainly come into play here, but probably you'll primarily be relying on your sense of perception to decide whether the companies with which you're dealing really get it and are capable of meeting your needs or if they are nodding along to keep you mollified.

If you are the third party, then now's the time to be proactive and go to companies with a best-of-breed security program and solid, attainable promises of compliance. Think like NATO; an attack on any of your connected suppliers or partners is an attack on you. It's do-or-die time.

In short, the Andersen report urges company leaders to take the time to do a serious review of all of their company needs, making sure they meet the requirements of customers, partners, employees, and shareholders. Each company should do that, keeping in mind its multiple roles as both supplier and buyer, customer and seller, and partner to many. Interconnectedness in the business world -- this wired, hyper-efficient world we've all been building for years -- can win out in the end.