[iwar] RE: NYTimes.com Article: Trying to Plan for the Unthinkable

From: Leo, Ross (Ross.Leo@csoconline.com)
Date: 2001-09-24 14:43:41



This article was sent to me by a very dear friend, and I read it with great
interest.  It can be found at
http://www.nytimes.com/2001/09/17/technology/17DISA.html?ex=1002229804&ei=1&en=6d3fc68688a64e92.

My thoughts:

The sad fact is that the reason all the large recovery firms fail to achieve
the real goal of disaster recovery is because they always overlook the human
capital issue when advising their clients.  They focus on the technology, the
operation, and the information - all of which is vital to take care of, but
in the end it is the human factor that makes it all work.  I have been
through several projects led by these so-called "leaders" (in profits only,
I suspect), and never once has this issue been given more than a passing
mention by any of them.

In my humble opinion (IMHO) - no disaster recovery or operational
contingency planning effort is complete without planning for the human
assets as well as the technology and information assets.  If absolutely
necessary, the information can be recreated (at a cost), and the hardware
and software can be purchased (again, at a cost).  In the end, it is the human
component that is irreplaceable at any cost, because of the knowledge,
experience, and judgement that always disappears when they do, no matter
what the reason.

In the short-sighted nature of American Business, the Disaster
Recovery/Operational Contingency Plan and its cost to produce and implement
is a draw-down on the bottom-line, without the visibility of any immediate
ROI.  That is why less than 5% of American businesses have DR plans that are
fully tested and implemented, and only 35% even have one at all.

Such plans are viewed like insurance: it's a cost, and you're glad you have
it, but only when the time comes that you need it.  BUT, if that time comes,
and you don't have any insurance, you can't get it even if you could afford
to (which you couldn't).

Most of the firms, regardless of their particular business, that vanished
when the WTC in NYC two weeks ago, are gone for good.  Maybe some had a
disaster recovery plan, most did not.  Those for whom the WTC was their only
location, it won't matter.  But for those that had other locations, there is
no excuse.  They at least have the opportunity to recover.  For those that
vanished, tragically they will not.

Too often American Business management plays a game of "corporate craps"
with costly, scarce, sometimes irreplaceable assets, information, and
people.  The worst of it is these managers are betting assets that are only
theirs to manage - they don't own them.  Many don't even own a piece of
them.  The assets at risk of loss belong to shareholders, who at worst are
blind or at best are simply uninformed.  

The managers often think they are exercising sound business decision-making
when they don't spend money on projects of this sort because "they are a
cost with no ROI", and there is no telling whether or not the plan will ever
even be used.  What these managers don't grasp is just how irresponsible
such a decision is in legal or fiduciary terms.  They don't grasp the
magnitude of the corporate liability they assume on behalf of the
shareholders, whose assets are being placed at risk, and who did not give
their permission to do so.  Nor would they if asked.

It is becoming increasingly obvious that the managers who play this game
(and it is most of them, at all levels) place at risk many billions of
shareholder dollars.  It is becoming equally obvious that it is not only the
shareholders who will bear the cost of a loss.  The shareholders paid their
packets up front, the rest of us will cover the cost of cleanup and
re-construction.

And all it took to bring this quickly, and painfully to their aggregate
awareness was the unthinkable loss of the New York World Trade Centre, and
the 6000+ lives lost when it vanished.

Ross A. Leo, CISSP, CBCP
Chief Information Security Officer
Security Programs & Engineering




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:49 PDT