Summer Journal

Volume 29, Issue 3


Industry Hot News


Over the past 2½ years, Christchurch's business environment has challenged many assumptions and contracts. In this six-part series, lawyers from Christchurch legal firm Malley & Co look at some of the lessons all businesses can learn. In this article Michael McKay looks at some of the insurance issues.
Repairs to earthquake-damaged shops on New Regent Street after the Christchurch earthquakes. If a loss in profit was because of damage to a business's property, it was likely to be covered by insurance. If, however, the loss was due to fewer customers visiting the affected area, it may be excluded under an "other circumstances" clause. Photo / File

Insurance is one of the biggest business issues to emerge from the Christchurch earthquakes.

It's led several businesses to consider whether they can claim under their existing policy and whether that policy is still appropriate.

After the earthquakes, it became apparent that many insured and insurers held different views about the scope of their policies. Policy provisions were often untested, and interpretations differed.


Wednesday, 24 July 2013 16:00

Will CSOs Become CROs in the Future?

CSO — Few would deny the chief security officer role has evolved quite a bit in recent years. At many large companies, the heads of both physical and information security now report to the same person, an enterprise CSO. The pace of change for the function is accelerating along with the ever-changing nature of threats.

Today, many believe CSOs will morph, sooner rather than later, into chief risk officers (CROs), monitoring and mitigating enterprise risks, including those relating to information security and facilities (but excluding financial risks, which are covered by the more traditional CRO function in large companies). At a high level, the new responsibilities include understanding your company's risk profile and risk appetite and then mitigating the risks accordingly.


CSO — A recent study that greatly reduces an often-cited estimate on the economic impact of cybercrime and cyberespionage should not give companies a reason to spend less on security, experts say.

The McAfee-sponsored report, released on Monday, found that Internet-based crime and spying cost the U.S. economy as much as $100 billion a year, not the $1 trillion originally estimated by the Intel-owned security vendor. The study was done in conjunction with the nonprofit Center for Strategic and International Studies.


You work in compliance. Now you are on the horns of a dilemma. Are you going to become a whistleblower or not?

Serious Misconduct

You have learned of serious misconduct within your organization that has been overtly or tacitly approved by high-level management. You have alerted those above you (or outside counsel) about the misconduct or have tried your best to put a stop to it. But neither has worked. You are appalled by what you have witnessed and may even be concerned with being held accountable if and when the misconduct gets exposed and turns into a civil or criminal action. You understandably are worried about your reputation, both professionally and personally. You’re near the end of your rope. Perhaps you’ve even spoken out so vehemently that you’ve already lost your job.


On July 22, 2013, a 6.6 magnitude earthquake, followed by hundreds of aftershocks, jolted China’s northwest Gansu Province, one of the country’s most under-developed regions. Ninety-four people were initially reported dead, although that number is likely to rise in coming days. Hundreds were injured and some 227,000 people were displaced by the earthquake, which damaged 127,000 homes. Heavy rain is forecast to hit the affected area—potentially hampering rescue and relief efforts and increasing the chances of landslides or houses collapsing.

The Red Cross Society of China immediately responded to assess needs on the ground and dispatch relief supplies, including tents, family kits, jackets and quilts, and more items are being mobilized from warehouses around the country. A 24-member health Emergency Response Team, including volunteer doctors and psychosocial specialists, has also deployed to the affected area.

China is one of the world’s most disaster-prone countries—approximately 70% of its cities and half of its population are located in disaster-prone areas. Earlier this year, the Red Cross Society of China responded to a 7.0 magnitude earthquake in Sichuan province, which killed 196 people and injured over 13,400.

The International Federation of Red Cross and Red Crescent Societies is closely monitoring the situation together with the Red Cross Society of China.

Wednesday, 24 July 2013 15:51

… addicted to thinking

Every so often I find something that sparks me out of the intellectual wasteland that so much of the debate around risk, BC and resilience seems to have become. One example is the book I recently finished reading - Addicted to Performance by John Bircham and Heather Connolly.

I would recommend this to those interested in risk and resilience thinking.
If your primary approach to risk, BC and resilience is standardised, templated and adhering to conventional wisdom – rather than application of critical thinking – this book is for you. But you may not fully appreciate that.


Company Growth Rate Remains Above 40% as Company Exceeds $43 Million in Annualized Revenue


HOUSTON, TX – Alert Logic, the recognized leader in Security-as-a-Service solutions for the cloud, today announced GAAP revenues for the quarter ending June 30, 2013 of $10.1 million, up 43 percent from the second quarter of 2012, and up 7 percent from the first quarter of 2013. Alert Logic’s annualized revenue under contract in the month of June 2013 exceeded $43 million, and is tracking ahead of the company’s plan to reach a $50 million run-rate by the end of 2013.

Alert Logic realized strong Q2 momentum within the public cloud sector as the company’s release of Threat Manager for Cloud and Log Manager solutions helped secure more than 100 Amazon Web Services customers.

“Our strong growth this quarter keeps us on track to reach our goal of being a $50 million business by the end of 2013,” said Gray Hall, Alert Logic’s president and CEO. “Our new product releases from the second half of 2012 and the first half of 2013 helped fuel our growth this quarter, and we expect a similar boost in the future from the exciting new products and capabilities we plan to launch in the second half of 2013.”

To date, Alert Logic has more than 2,200 customers using its Security-as-a-Service solutions, both via service providers and directly from Alert Logic.

Alert Logic’s notable highlights for Q2 2013 include:

  • Releasing the next generation of Threat Manager, the first fully managed threat management solution deployable in any elastic cloud infrastructure, irrespective of hypervisor and networking architecture.
  • Being named a “Cool Vendor” by Gartner in its 2013 Security Services report, which recognizes Alert Logic for its innovative business model, intrusion detection, vulnerability assessment, log management and web application firewall Security-as-a-Service solutions and cloud-based architecture.

A privately held company, Alert Logic publicly reports its Generally Accepted Accounting Principles (GAAP) revenue results and growth rates quarterly, in addition to its annualized recurring revenue under contract. Alert Logic’s financial statements have been audited in accordance with GAAP since 2005. All Alert Logic revenue is derived through long-term subscription contracts, consistent with the company’s Security-as-a-Service business model. Alert Logic’s solutions are sold directly to enterprise customers and through a diversified channel of resellers and cloud service provider partners.

Alert Logic specializes in providing a portfolio of Security-as-a-Service solutions for customers of hosting and cloud service providers. More than half of the largest managed hosting and cloud service providers use Alert Logic to secure their customer environments, making Alert Logic the de facto standard for securing infrastructure in hosted and cloud environments.

Alert Logic’s Security-as-a-Service solutions provide customers four distinct advantages: market-leading security tools, a fully outsourced and managed SaaS delivery model, integrated 24×7 Security Operations Center (SOC) services to monitor and provide expert guidance, and the ability to deploy wherever a customer has IT infrastructure, including the cloud.



About Alert Logic
Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, provides solutions to secure the application and infrastructure stack. By integrating advanced security tools with 24×7 Security Operations Center expertise, customers can defend against security threats and address compliance mandates. By leveraging an “as-a-Service” delivery model, Alert Logic solutions include day-to-day management of security infrastructure, security experts translating complex data into actionable insight, and flexible deployment options to address customer security needs in any computing environment. Built from the ground up to address the unique challenges of public and private cloud environments, Alert Logic partners with over half of the largest cloud and hosting service providers to provide Security-as-a-Service solutions for business application deployments for over 2,200 enterprises. Alert Logic is based in Houston, Texas, and was founded in 2002. For more information, please visit

A policy debate is raging in Europe over cloud computing and those who want to bind the cloud in over-prescriptive regulation threaten to prevent the benefits of the new technology being felt, argues Thomas Boué.

Thomas Boué is director of government relations for Europe, the Middle East and Africa at the Business Software Alliance, a trade association.

A quiet battle of wills has broken out among European policymakers who are pushing competing visions for how to capitalise on the most significant wave of innovation now underway in information technology: cloud computing.

All agree that by creating a new, more efficient architecture for computing, the cloud offers vast economic benefits. It lets enterprises avoid the cost of buying and maintaining some of the IT hardware and software they need to run their operations. Instead, they can have their computing resources delivered over the internet, as infinitely scalable services. For established companies, this creates cost savings that can be reinvested in the core business. For smaller start-ups, it represents one less obstacle on the path to growth.

But while some rightly see the cloud as an opportunity to accelerate commerce and expand global trade in digital services, others harbour more protectionist urges, focused on creating a European fiefdom in the cloud at the expense of global scale.


"Well, it will never happen!" is an underlying rationale when nonprofits fail to engage in risk management practices.

When "it" does happen, leadership's first question often is "Can we (translated: ‘me’) be sued?"

At this point their question is neither timely nor relevant. The relevant question is whether the party harmed can recover from the nonprofit. The answer often confirms the "ounce of prevention" principle. To prevent harm and to minimize its impact requires an effective risk management strategy.


What if you could look over the shoulder of every one of your customers as they used your mobile apps, web pages, kiosks, and other digital channels? What could you learn? How might you use what you learn to dynamically adjust your digital experiences?

In the days when web applications were king, this type of insight was doable with simple web analytics and similar tools. Today, continual experience optimization is much more difficult because of:


Yesterday Intel had a major press and analyst event in San Francisco to talk about their vision for the future of the data center, anchored on what has become in many eyes the virtuous cycle of future infrastructure demand – mobile devices and “the Internet of things” driving cloud resource consumption, which in turn spews out big data which spawns storage and the requirement for yet more computing to deal with it. As usual with these kinds of events from Intel, it was long on serious vision, and strong on strategic positioning albeit a bit parsimonious on actual future product information with a couple of interesting exceptions.

Content and Core Topics:

Demand side drivers – No major surprises here, but the proliferation of mobile devices, the impending Internet of Things and the mountains of big data that they generate will combine to continue to increase demand for cloud-resident infrastructure, particularly servers and storage, both of which present Intel with an opportunity to sell semiconductors. Needless to say, Intel laced their presentations with frequent reminders about who was the king of semiconductor manufacturing.


Tuesday, 23 July 2013 16:01

All Hail the Data

A report from the National Insurance Crime Bureau (NICB) has revealed that insurance claims resulting from hailstorm damage in the United States increased by a whopping 84 percent from 2010 to 2012.

In 2010, there were 467,602 hail damage claims filed, but by 2012 that number had jumped to 861,597.

All told, over two million hail damage claims were processed from January 1, 2010 to December 31, 2012, the NICB said.

Perhaps not surprisingly the top five states generating hail damage claims during this period were Texas (320,823); Missouri (138,857); Kansas (126,490); Colorado (118,118) and Oklahoma (114,168).


CIO — Software-defined networking is one of the most misunderstood concepts in infrastructure computing. It's a phenomenon that's growing in relevance, but it's still mysterious to many CIOs, particularly those who were not reared in overly technical practice. Many myths still surround SDN. What exactly is the notion behind the technology? How can you apply SDN at your business? And how can your organization benefit from it?

Software-Defined Networking Basics

Essentially, SDN takes the virtualization phenomenon that's been sweeping datacenters around the globe for the past several years and extends it from computing hardware and storage devices to network infrastructure itself. By inserting a layer of intelligent software between network devices (such as switches, routers and network cards) and the operating system that talks to the wire, software defined networking lets an IT professional or administrator configure networks using only software. No longer must he travel to every physical device and configure—or, in many cases, reconfigure—settings.

SDN achieves the same abstraction that hardware virtualization does. With hardware virtualization, the hypervisor inserts itself between the physical components of a computer (the motherboard, main bus, processor, memory and so on) and the operating system. The operating system sees virtualized components and operates with those, and the hypervisor itself translates the instructions coming to these virtualized components into instructions the underlying physical hardware can handle.


TRENTON, N.J. -- From Liberty State Park in North Jersey to Lucy the Elephant at the Shore, the state has a wealth of historic sites along the coast that have weathered the whims of Mother Nature for many years. Some, like Lucy, are more than 100 years old.

These important historic sites require protection both before and after a disaster, when any damage that has occurred needs to be repaired in a historically and environmentally sound way.

FEMA’s Environmental Planning and Historic Preservation Cadre (EHP) plays a critical role in helping municipalities and agencies understand the importance of compliance with environmental and cultural regulations so they may make informed planning decisions when repairing or rebuilding a damaged historic site.

EHP provides expertise and technical assistance to FEMA staff, local, state and federal partners, and applicants who are tasked with the challenge of preserving historic, cultural and natural aspects of our national heritage. They help applicants understand what is required under the law and how best to meet these requirements.

FEMA’s goal is to ensure that when FEMA funding is to be made available for the restoration of historic sites, all applicable federal, environmental and cultural statutes are identified and met.

The EHP program integrates the protection and enhancement of a state’s environmental, historic and cultural resources into FEMA’s mission, programs and activities.

Typical environmental and historic preservation laws and executive orders that may apply to an historic restoration project include the Endangered Species Act, the Clean Air Act, the Clean Water Act, the National Historic Preservation Act, and floodplains, wetlands and federal executive orders such as Environmental Justice. Also included are state historic preservation offices.

In a continuing partnership with local and state governments, FEMA seeks, through funding grants, to help states recover from a presidentially declared disaster and EHP is careful to advise all applicants to recognize environmental concerns in order to avoid project delays and permit denials while preserving and minimizing effects on New Jersey’s environmental and historic resources.

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at,,, and Also, follow Administrator Craig Fugate's activities at

Large companies have the resources and the incentive to implement risk management systems. With the increase in compliance by medium and small-sized companies, chief compliance officers and internal auditors are developing and implementing risk management systems. I have never been a fan of complicating or confusing compliance and risk management. After all, risk management naturally belongs in the compliance program functions. Creating a whole new risk management function separate from compliance makes no sense.

With this caveat on the structure and operation of a risk management system, I believe that companies should conduct risk assessment and management strategies. When I use the terms risk assessment and management systems, I am referring to overall organizational risks, including business and operational risks, not a specific anti-corruption risk assessment.

A basic risk management system can be developed through an annual collaborative process which requires the participation of all senior management, as well as managers in each business unit/product or service line. Essentially, a senior risk management group should be charged with the responsibility of identifying the most significant risks facing the organization.


Pushing compliance responsibilities closer to the front lines of a business can help make the overall process of enterprise risk management more efficient and less painful, but without proper planning it can also create new challenges. When processes are adopted or updated, critical compliance tasks may be inadvertently mitigated or cancelled without anyone understanding the impact on the company.

The challenges and benefits of well-planned compliance program execution are discussed in a new book, Enterprise Compliance: The Risk Intelligent Approach from Deloitte’s Governance, Risk and Compliance Services. The book is organized around three main components of creating a compliance culture—starting with assessing the environment that drives an organization’s compliance risk and requirements and then continuing to the execution and evaluation phases. It also features important questions boards should be discussing with management and discussing among themselves. This article, the second in a series of three, addresses the seven components that comprise the execution aspects of compliance programs. The first article looks at the three facets that shape an organization’s compliance and risk environment: its industry, geography and emerging issues.


Monday, 22 July 2013 13:50

Why the Mob Rules

Computerworld — A Kickstarter project called Tile set out to raise $20,000 to create small, flat, battery-powered stickers that you attach to your stuff, enabling you to find anything with your smartphone.

They've raised more than $1.6 million so far.

But why?

Tracker gadgets have been around for years. They're useful for finding your lost remote control, keys and other objects. But Tile does something incredible that no other tracking product can. Here's how it works.

You attach a tile to your tablet, remote control, dog's collar or you drop it into your purse, backpack or briefcase. Use the smartphone app to register each Tile device -- basically tell the Tile cloud service what object each Tile is associated with.


International travel has many wonderful benefits – one possible risk is the spread of illness into your home, community and workplace. It can happen in the blink of an eye. How do illnesses get discovered and tracked? Good question. There is a Global Surveillance System that does just that.

In 2012, the number of international tourist arrivals worldwide was projected to reach a new high of 1 billion arrivals, a 48% increase from 674 million arrivals in 2000. International travel also is increasing among U.S. residents. In 2009, U.S. residents made approximately 61 million trips outside the country, a 5% increase from 1999. Travel-related morbidity can occur during or after travel. Worldwide, 8% of travelers from industrialized to developing countries report becoming ill enough to seek health care during or after travel. Travelers have contributed to the global spread of infectious diseases, including novel and emerging pathogens. Therefore, surveillance of travel-related morbidity is an essential component of global public health surveillance and will be of greater importance as international travel increases worldwide.


Monday, 22 July 2013 13:47

When Your Commute Becomes Derailed

Just yesterday I remarked to my husband that my train, the Hudson line, has been amazingly stable and almost always on time. Especially when you consider that there have been major derailments of the Connecticut (May 17) and the Long Island (June 17) lines of the Metropolitan Transit Authority (MTA).

I should have known better. Just when you think you can take a breather, something is bound to happen, as it did this morning. Normally I would have been listening to the news and traffic report, but I was spending some time with my puppy before rushing to the ferry station. Once there I waited, but no ferry, and the few people who were there didn’t seem to know why. Annoying.

I called my husband and asked him to drop me off at the train station across the Hudson (parking is impossible there). On the train platform, however, I quickly learned that there was a big problem—the derailment of 10 CSX garbage train cars on a narrow portion of track used by the Hudson line. There were no injuries, but that is a whole lot of cleanup, not to mention the two tracks that need to be replaced, according to the conductor I talked to. He estimated it would take at least the weekend to repair the damage.


Monday, 22 July 2013 13:42

What We’re Watching: 7/19/13

By Lars Anderson, Director, Public Affairs

At the end of each week, we post a "What We’re Watching" blog as we look ahead to the weekend and recap events from the week. We encourage you to share it with your friends and family, and have a safe weekend.

Weather Outlook
For many parts of the U.S. it’s been a scorcher all week long, but it looks as though things are finally going to cool off as slightly lower temperatures are expected next week. In the meantime, here are some extreme heat safety tips to keep in mind until the cool down arrives:

  • Cover windows that receive morning or afternoon sun with drapes, shades, awnings, or louvers. (Outdoor awnings or louvers can reduce the heat that enters a home by up to 80 percent.)
  • Know those in your neighborhood who are elderly, young, sick or overweight. They are more likely to become victims of excessive heat and may need help.
  • Never leave children or pets alone in closed vehicles.
  • Stay indoors as much as possible and limit exposure to the sun.
  • Consider spending the warmest part of the day in public buildings such as libraries, schools, movie theaters, shopping malls, and other community facilities. Circulating air can cool the body by increasing the perspiration rate of evaporation.
  • Eat well-balanced, light, and regular meals. Avoid using salt tablets unless directed to do so by a physician.
  • Drink plenty of water, even if you do not feel thirsty. Avoid drinks with caffeine and limit intake of alcoholic beverages.
  • Dress in loose-fitting, lightweight, and light-colored clothes that cover as much skin as possible. Avoid dark colors because they absorb the sun’s rays. Protect your face and head by wearing a wide-brimmed hat.
  • Avoid strenuous work during the warmest part of the day. Use a buddy system when working in extreme heat, and take frequent breaks.

For more extreme heat safety tips and information, visit
Our friends at the National Weather Service don’t expect any other severe weather over the next couple of days, but as we know weather conditions can rapidly change. We encourage everyone to monitor your local weather conditions at or on your mobile phone at

Photos of Week
Here are a few of my favorite photos from the week. You can find more photos at the FEMA Photo Library.

San Francisco, Calif., July 18, 2013 -- Attendees and participants of the 11th FEMA Think Tank listen and contribute to the discussion facilitated by Deputy Administrator Rich Serino at the San Francisco Tech Shop.

Alakanuk, Alaska, July 16, 2013 -- The Alaska State Coordinating Officer Sam Walton and Federal Coordinating Officer Dolph A. Diemont meet with City Manager James Blowe to discuss the FEMA programs which will assist in the recovery efforts after severe flooding crippled the entire infrastructure. Federal funding in the form of Public Assistance (PA) is available to state, tribal and eligible local governments and certain nonprofit organizations on a cost sharing basis for emergency work and the repair or replacement of facilities damaged by the flooding in the Alaska Gateway Regional Educational Attendance Area (REAA), Copper River REAA, Lower Yukon REAA, Yukon Flats REAA, and the Yukon-Koyukuk REAA.

IDG News Service — Six British citizens were wrongly detained or accused of crimes as a result of mistakes made by authorities when requesting access to Internet data, the U.K. Interception of Communications Commissioner said.

A report detailing law enforcement's errors in the UK was published as interest in surveillance of ordinary citizens' online activities runs high, in the wake of disclosures about the U.S. National Security Agency's secret surveillance programs.

In 2012, U.K. public authorities submitted 570,135 notices and authorizations for communications data, according to the report published on Thursday. The principal users of this communications data are still the intelligence agencies, police forces and other law enforcement agencies, wrote Paul Kennedy who served as the Interception of Communications Commissioner through last year.


It’s mid-July and for many parts of the United States this means persistent hot and dry weather increases the risk of wildfires.

Some 46 percent of the contiguous United States is currently experiencing moderate to exceptional drought conditions, according to Tuesday’s report from the U.S. Drought Monitor.

The first monthly drought outlook from NOAA’s Climate Prediction Center recently warned that drought in the U.S. Southwest is exceptionally intense and unlikely to break completely, despite some relief from the summer thunderstorm season. Most of the already parched West will likely see drought persist or worsen, NOAA said.

Meanwhile, the Wall Street Journal reports that overgrown forest land poses fire risk to a growing number of communities.

It cites U.S. Forest Service statistics that 65 million to 82 million of National Forest lands are at a “high or very high risk of fire” and are in need of restoration.


Wanna know a secret? Here it is. Chances are, the same reason you’re reading this blog is why many folks at CDC do what they do: a fascination with infectious diseases and a desire to help others. Although the work of CDC employees is frequently glamorized in movies like Outbreak and Contagion, we face the same challenges as any other large, complex organization: communication, logistics, funding, and teamwork. These challenges become especially apparent when outbreaks occur, such as during CDC’s recent response to a dengue outbreak in Angola. Based on our experiences in Angola, this blog will dispel 5 myths about outbreak investigation that are often dramatized by Hollywood.


More and more workers around the world are bringing their personal mobile devices to the office daily, and companies appear to be having trouble keeping up with the trend.

About 60 percent of organizations acknowledged they either don't have a policy that specifies how employees may use their own devices in the workplace (41 percent) or are just planning to write such a policy, a study released on Wednesday from Acronis and the Ponemon Institute has found.

"Even though we're still in the early stages of BYOD [Bring Your Own Device], companies are playing catch-up to where their users are," Anders Lofgren, director of Mobility Solutions for Acronis, told CSOonline.

Even as recently as three years ago, IT departments had an iron grip on the endpoints to their networks. "They could secure and provision a fixed device that was procured by the enterprise," said Ben Gibson, chief marketing officer for Aruba Networks.


Friday, 19 July 2013 17:47

Disaster Planning for Magical Rabbits

I have a pet rabbit at home. His name is Boba Fett, named after the popular bounty hunter character in the Star Wars movies, and he’s a pretty laid-back little guy, as far as pets go. He’s not the type of animal that requires a ton of maintenance and he definitely doesn’t need a formal risk management plan. But according to a recent article in the Washington Post, not all rabbits get off so easily. Evidently not only does the U.S. Department of Agriculture require certain rabbits to be licensed, but their owners must also have a written disaster plan for what they will do with their rabbit in case of emergency. It sounds crazy, but bureaucracy often does, I guess.

According to the article, some years back Marty Hahne, otherwise known as Marty the Magician, got a notice from the USDA that based on a law that requires licenses for “animal exhibitors,” the rabbit Marty used in his magic act needed to be licensed. Marty complied. And then, this summer, the USDA informed him of a new rule from the agency’s Animal and Plant Health Inspection Service (APHIS):


There is no question that April 27, 2011 changed the lives of Alabamians. On that one day, our state experienced more than 60 confirmed tornadoes causing widespread devastation. Soon after, we decided to do all we could to make our state safer in the future.

In the days, weeks and months following the tornadoes, Governor Bentley and I toured the state and heard the personal stories of disaster survivors.  Many of them told us how they only had moments to find safety while praying for their lives and the lives of their loved ones.

They were the lucky ones that day.  No matter how much they had lost, they were grateful to still be here, and live through one of the state’s most devastating disasters.  Unfortunately, more than 250 people lost their lives during that 24-hour span of tornadoes.

Once my staff and I grasped the sheer magnitude of what had just happened, we all knew we had to do something to prevent this from happening again.


Thursday, 18 July 2013 15:54

Giving Alabamians A Safe Place To Go

During the April 2011 tornadoes, Prattville, Ala. resident Ty Story took cover in a closet with his wife Becky and their three daughters using a mattress for extra protection.

“We were about a mile from where it hit,” he said of the EF-3 tornado that destroyed and damaged numerous homes in his community. “We knew it was close to us, but we couldn’t see it because our house is next to a tree line. But you could see all the trees going in different directions from the wind.”

Although the Story family and their home were undamaged, the devastation around their home and community made one decision very easy.  They quickly became one of the 4,267 Alabama families to register for and receive an individual safe room grant from the state of Alabama funded through the Federal Emergency Management Agency’s hazard mitigation program.

“The safety of Alabama’s residents was a main priority of Governor Bentley following the April 2011 storms,” said Alabama Emergency Management Agency Director Art Faulkner, whose agency administered the program. “Our directive was to assist every homeowner and municipality who submitted the required application within the deadline to ensure they would soon have a safe place to go.”

Following federally declared disasters, states are given grant money from FEMA, through the Hazard Mitigation Grant Program, to help their residents and communities be more resilient in preparation for future disasters. The April 27, 2011 event in Alabama resulted in 62 tornadoes creating a path of destruction more than 1,711 miles long and causing more than 250 deaths in the state. 

Due to that devastation, the state was eligible for more than $70 million in mitigation funds.

“We knew we never wanted to face this situation again,” Faulkner said. “We wanted to give Alabama families and communities the resources they needed to be prepared.”

Because the state established priorities for mitigation projects early, FEMA was able to provide up-front funding for program management costs, allowing the state to hire and train grant reviewers early in the process. Then, as grant applications came in from communities throughout the state, reviewers were already in place to handle them.

In addition, FEMA committed staff to work in Alabama for nearly two years to help process the mitigation grant applications, said FEMA Region IV Administrator Phil May.

 “A key component in Alabama’s recovery has been the state’s commitment to implement mitigation measures to lessen the impacts of future disasters,” he said. “This allowed FEMA and state staff to work hand-in-hand during the project application and approval process.”

The partnership between the federal and state government, along with the rapid ability to receive funding wasn’t lost on the Story family, whose storm shelter is now installed underground, through their garage.  The family received 75 percent of the cost through the grant program.

“Having the peace of mind we have now? That’s just huge,” he said. “We knew we wanted one after seeing the damage. But when we heard about the program and getting reimbursement to do this, well that was just a no-brainer. With three girls in school, I’m just glad FEMA and Alabama made this decision.”

Another example of the unified effort was the FEMA and AEMA co-sponsored “Safer Alabama Summit” held in June 2011 on the University of Alabama’s campus, which allowed storm survivors and elected officials to learn more about the importance of mitigation activities and how to make informed decisions on their recovery. The summit led to numerous other mitigation-related outreach meetings and events throughout the state.

In addition to safe rooms and storm shelters, state officials also obligated money to fund generators for critical infrastructure, alert notification systems, and a project to harden portions of the Druid City Hospital’s trauma center in Tuscaloosa that also sustained damages.

Alabama Mitigation Priorities:

  • $63 million for 4,267 individual & 282 community safe rooms/storm shelters.
  • $3.6 million for alert notification systems.
  • $5 million for generators to critical infrastructure facilities.
  • $1.3 million to harden Druid City Hospital’s trauma center.

More and more businesses have been allowing employees to use their personal mobile devices as a primary means of communication in the workplace.  The increased usage of employee-owned smartphones, though convenient, can also pose a serious risk to security; questions may also arise concerning the control and ownership of company data.

It is important for your business to establish strict guidelines for the use of personal mobile devices in the workplace. For example, there should be a clause in company policy allowing for the remote wiping of mobile devices upon termination of employment. Further, company data should be kept separate from personal data, and the use of third-party applications should be kept to a minimum.


Computerworld - Manhattan is one of the best locations in the U.S. for data center network connectivity, but in the era of climate change it is also an increasingly risky location. Even so, major data center provider Telx thinks the benefits of NYC outweigh the risks.

Telx said Wednesday that it is opening its third facility in New York, a 72,000 square-foot data center at 32 Avenue of Americas in a former AT&T building rich in network connections.

There are more than 600 network alternatives available in the building, said Chris Downie, president and CFO of Telx. For many customers, "leveraging access to connectivity" and low latency remains a priority, he said. And having data center facilities close to their Manhattan offices is also a consideration.


A security breach can happen to a business of any size, not just the big ones. In fact, 75% of data breaches are targeted at small and medium sized businesses. The cost of a breach can be significant, and not just financially, but for your reputation as well. With an average cost of $214 per compromised customer record, it is no wonder that within half a year of being victimized by cybercrime, 60% of small businesses close. With the correct Cyber Liability Insurance and these 10-Steps to a Safer Business you and your company do not have to be a victim of a breach in security.


CIO — The thought of a CIO turning to spying technology to peek inside a personal iPhone makes people furious. They fret about an employer remotely reading personal emails and text messages, seeing personal photos and videos, and listening to personal voicemail.

But they would be wrong to worry about such things.

At least that's the message from Ojas Rege, vice president of strategy at MobileIron, a mobile device management software developer.

"There's a ton of confusion out there, and so the trust gap has widened," says Rege. "Employees don't really know what their employer can and can't see. They're just guessing."


Wednesday, 17 July 2013 15:53

How to protect your business information

The biggest information security problem for small businesses is coping with the complexity of their systems when they have no-one with the specialist knowledge on how to protect the data, and maybe no IT specialist at all.

Louise Bennett, Chair of the Information Security Specialist Group at the Chartered Institute for IT (BCS), says it's a significant problem. There are sources of information on the web for dealing with most issues, and there's always the option of hiring a consultant, but any firm that wants to keep its sensitive data secure needs a basic level of understanding in-house.

There is evidence that small firms are suffering; in April the Department for Business and Skills (BIS) published the annual Information Security Breaches Survey, showing that 87% of small companies had suffered a breach in the previous year, with the median number rising from 11 to 17.

Bennett says she thinks it's realistic for a small firm to develop the understanding to place itself in the minority that are not affected.


Wednesday, 17 July 2013 15:44

Why risk management can succeed in IT

This is a counterpoint to the Network World article "Why risk management fails in IT" by Richard Stiennon, chief research analyst at IT-Harvest.

Earlier this week Richard Stiennon published an article that questions the value of risk management in IT, and I would argue that, although risk management presents challenges to IT, best practice-driven approaches leveraging aspects of risk management are essential to good security.

Stiennon's perspective reflects the prevailing view in the media -- supported by valid industry statistics -- that IT security is losing the war against the bad guys. Data breaches are front page news and companies are being fined millions of dollars for losing personal information. Given we have been fighting this battle for so long, we must have made some progress, right?


Wednesday, 17 July 2013 15:42

15 Ways to Screw Up an IT Project

CIO — Paul Simon famously sang that there must be 50 ways to leave your lover. Similar could be said (if not sung) regarding projects: There must be 50 ways to screw up your IT projects. Indeed, ask IT executives and project management experts, as did, and they will rattle off dozens of reasons why projects go astray. For the sake of brevity, however, we are starting with the top 15 ways to derail a project--and how to avoid these project management pitfalls.

1. Having a poor or no statement of work. "I've seen many projects encounter troubles due to the lack of a well-defined project scope," says Bryan Fangman, senior project manager at Borland, a Micro Focus Company.


Wednesday, 17 July 2013 15:41

Who Can Pry Into Your Cloud-based Data?

Computerworld — Can anyone access the data that you trust to the safekeeping of a cloud-computing vendor? It's a good question, made all the more relevant by the revelations regarding the National Security Agency's Prism program. So how can you best address these issues in your contract with your cloud vendor?

With cloud computing, data access is inevitably a shared responsibility between the customer and the cloud vendor. Those shared responsibilities need to be addressed in the contract, and most cloud vendors' standard contracts leave something to be desired.

While the cloud vendor is responsible for providing the customer with access to its own data, the cloud vendor should also be contractually obligated to not share the customer's data with others, intentionally or not. This may seem obvious, but there are nuances to be addressed in the following areas:


Wednesday, 17 July 2013 15:22

Making an Agile IT Strategy

An agile enterprise is a flexible, robust organization that is capable of rapid response to unexpected challenges, events, and opportunities. Agile enterprises achieve continuous competitive advantage in serving their customers by following strategies that facilitate speed and change. Enablers of enterprise agility include diffused authority; flat organizational structures; trust-based relationships with customers and suppliers; and, of course, an agile information technology strategy. In this post, I focus on what it takes to have an agile IT strategy.

IT departments that are truly agile, or are at least on the path to becoming so, exhibit several key characteristics. First, the majority of their project teams are taking an agile approach to the full delivery lifecycle. This typically is either a disciplined agile delivery (DAD)-based strategy or a strategy that they formulated themselves that is evolving toward something that looks a lot like DAD. This doesn’t mean that all project teams are agile, but most are and the ones that aren’t are starting to move in that direction. Second, the IT organization natively supports — and more importantly, embraces — agile strategies for cross-solution activities such as portfolio management, operations, enterprise architecture, asset management, enterprise administration, governance, and other activities. Third, the IT organization seeks to optimize all of these activities as a whole, to borrow from lean terminology, instead of suboptimizing around functional silos as they may have in the days of the waterfall/traditional paradigm. Let’s explore each of these characteristics one at a time.


CIO — After more than 4,000 votes were cast, the final Big Data startup rankings are in. Keep in mind that while voting was weighted heavily, it was not the be-all-and-end-all consideration. Other criteria included big-name end users, VC funding, the pedigree of the management team and market positioning.

Here are the final rankings, along with why they finished where they did:


Trend Micro held its first Asia Pacific (AP) Industry Analyst summit on April 9, 2013 in Singapore. The most obvious message for me is that the company is clearly seeking to expand its focus well beyond the “legacy” antivirus market. Throughout the event, Trend Micro emphasized the need for cloud security solutions and the opportunities that exist in the Asia Pacific market. Speakers also highlighted the need to invest in breaking Trend Micro’s image as an antivirus vendor to help capitalize on the market opportunities for enterprise cloud security. 

Below are the two key themes highlighted by Trend Micro during the event and my take on each:

  • Enabling cloud-related security is central to company growth. Security-related concerns remain the most prominent reason that organizations cite for not adopting cloud services. Recently the Cloud Security Alliance (CSA) outlined the “Notorious Nine” threats for 2013, and the top three cloud-related threats include data breaches, data loss and account hijacking (source: CSA). Forrester’s Forrsights IT Budgets and Priorities Survey conducted in Q4 2012 shows that 30% of organizations in the AP region aim to create a comprehensive strategy and implementation plan for public cloud and other as-a-service offerings over the next 12 months. Cloud-related spending therefore represents a big market opportunity. Security will be central to organizations’ cloud strategies, and hence spending. Trend Micro is aiming to meet this nascent demand but must better explain why they’re best positioned.


Intellectual property is an essential part of a company’s bottom line. It encompasses various forms, including patents for useful features that make products more desirable or make manufacturing processes and business methods more efficient and economical; trademarks that protect the names, logos, and symbols used to identify and distinguish a company and its goods and services; trade secrets that protect customer lists, vendor lists, formulations, and the like; copyrights that protect marketing materials, product guides and manuals, audio-visual works, software, information compilations, and artwork; and design patents or trade dress that protect the way products look. Not all forms of intellectual property are important to every company, but some form of intellectual property is important to virtually every company.

Notwithstanding the importance of IP, businesses have overlooked its value until fairly recently. In the 1990s, business strength was focused on tangible assets, with intangible IP being relegated to mention in footnotes. The internet business boom and government regulation changed business thinking. Now companies more typically recognize the importance of IP in business decisions and transactions, and that recognition has increased the demand for IP audits. In a 2011 survey by CPA Global, 77 percent of in-house IP professionals said their companies had a greater understanding of the importance of IP and IP valuation, but 74 percent highlighted the need for more focused IP management strategies. The following discussion describes IP audits, explains why they are essential for good IP management, and provides information about IP audit costs.


I’m at that point in my life where one of the greatest joys I have is playing tennis with my teenage grandson. I’ve always looked at competition through sports as a great bonding opportunity for fathers and sons. My grandson is taking lessons once a week at a local club near us. Over the past couple of years, he’s gotten pretty darn good. To help him practice between lessons, I serve as his “sparring partner”. We find time to play a couple of times a week together.

When I was younger (i.e. high school and college) I played some racquetball, but never tennis.  What I know about tennis has come from my being an easy mark for “the kid”.  But with my competitive nature, I’ve learned and practiced along the way to the point where I can actually give him a run for his money – oh that’s right, it’s my money.

Anyway, I just got in from playing tennis this evening with my grandson and while I was out on the court “getting schooled” again, I began thinking about how playing tennis can be similar to what we do in crisis management.


Tuesday, 16 July 2013 15:52

The 3 Year Itch

I have been involved in the BCM industry for the past few years – knee-deep in our company’s marketing, branding and social media activities. I also wear a CRM hat and track all the sales and marketing efforts.  On average, we receive a few hundred enquiries for our products from our contact widget on our website.  We get a few hundred more qualified leads from our participation in various industry trade shows. All these sales opportunities are followed up diligently by our Sales team.

When analyzing the CRM database, a very interesting pattern emerges:

The 3-year itch

Prospects with whom we’ve dealt before often return with requests for product and pricing information.  Most of them occur on 36-month cycles. These prospects stay engaged for varying periods – from a single conversation to as long as 6 months. If they decide to buy a competitor’s product the conversation ends – temporarily. They often pop up again in 36 months to start the whole process again.


Tuesday, 16 July 2013 15:48

Sleepless in Philadelphia

Here at FEMA we’re committed to the “Whole Community” approach to emergency management which Administrator Fugate initiated when he arrived. For those of you that haven’t heard of the Whole Community concept, it basically says that FEMA can’t manage emergencies by ourselves; we need to make sure that we’re including the private sector, community organizations, faith-based organizations, state, local, and tribal government, the general public, non-profits, schools, our partners in other federal agencies, and almost any other group you can think of. One specific part of the Whole Community idea that we’re really working on is integrating the needs of people with access and functional needs in an inclusive setting and to accomplish this, we’re working collaboratively with our community partners who can bring resources, skills, and expertise to the table. To support this effort Administrator Fugate created the Office of Disability Integration & Coordination and positions like mine, as the Regional Disability Integration Specialist here in the Region III office in Philadelphia.

A large part of my job is making sure that the access and functional needs of people with disabilities are addressed in an inclusive manner, as well as making connections between emergency managers and disability leaders.  So I want to tell you a little bit about an exciting project we are participating in with our community partners.

Philadelphia, Pa., June 28, 2013 -- LesleyAnne Ezelle, Regional Disability Integration Specialist, FEMA Region III visits the Philadelphia Chapter of the American Red Cross office where they held a Shelter Sleepover Exercise.

On June 28th, 2013 I went to the Philadelphia Chapter of the American Red Cross office where they held a Shelter Sleepover Exercise. The point of the exercise was to test their ability to provide services and support to people with access and functional needs in a general shelter. There were volunteers from the local community, many of whom are active with the Functional Needs Subcommittee of the Southeastern Pennsylvania Regional Task Force.

They asked me to give an overview of effective communication, so I gave a demonstration on the equipment that we now have in our Disaster Recovery Centers (DRC). This equipment can also be used in other settings so that people with access and functional needs can get the same information as everyone else and get it in their preferred method of communication.  FEMA now has 175 accessible communication kits that are used to provide effective communication access in every DRC.

While this technology gives us many new options to communicate more effectively, it was pointed out by one of the shelter ‘clients’ that sometimes a skilled person who can interpret and provide information is needed too. We realize that having trained and knowledgeable shelter staff and access to on-site interpreters, scribes, and personal care attendants is just as important to providing effective and accessible services.  FEMA can offer these services to the state, during a Presidentially-declared disaster, if requested.  By having exercises like this one, both the shelter clients and the shelter volunteers get the opportunity to learn what works, what doesn’t, what may be available and we’re able to find solutions, together, to make the shelter experience truly inclusive and accessible.

One of the things that I found very impressive about this exercise is that it was a good example of the saying “nothing about us, without us” that we use a lot in the advocacy movement when we talk about planning services for people with disabilities. Shelter Sleep Over and other activities in Region III are an example of embracing that philosophy and we are looking forward to many more collaborative learning experiences.

CIO — Mobile devices are working their way into every facet of our lives these days. For instance, according to Accenture Interactive, 72 percent of consumers ages 20 to 40 now use mobile devices to comparison shop while in retail stores.

The problem for retailers? The majority of them leave without making a purchase with their smartphone or tablet; they purchase online—often using a different device, such as a desktop PC.

How do you track the success of your marketing under these circumstances and ensure that you are delivering your customers the best possible experience? BloomReach, which specializes in big data marketing applications, believes big data provides the answer.

BloomReach today took the wraps off BloomReach Mobile, a cross-channel-optimized mobile search and discovery solution built on the company's signature Web Relevance Engine technology.


Computerworld - Given the dire warnings about climate change, some business leaders and IT professionals are pondering this question: How should data center managers handle the crop of so-called 100- and even 500-year storms, coastal floods and other ecological disasters that climatologists predict are heading our way?

Some experts suggest that managers of mission-critical data centers simply need to harden their existing facilities, other observers say data centers need to be moved to higher ground, and a third group advises data center managers to pursue both strategies.

One thing is certain, experts say: Few IT organizations -- even those that suffered or narrowly escaped damage during recent major storms -- are thinking long term. Most IT leaders are, if anything, taking the path of least resistance and least expense.


Many of us don’t hear about a crisis until it hits the newswires, either through social media, news websites or through a posting on a social site we might follow. In some cases, we might not know about a crisis until we see first responders racing down the road heading towards an emergency.

Some will automatically see a disaster as a large catastrophe, and one of the BCM/DR industry definitions of a disaster is that it’s a sudden, unplanned event that prevents the organization from performing normal operations. Yet both a crisis and a disaster can start well before the public or media even get wind of the problem.

Sometimes a disaster doesn’t begin until after a period of time in which a lesser level of operational hindrance has been experienced. Then, when the disaster itself occurs, the management of the situation will determine the level of crisis; meaning how well the crisis is handled from the perspective of the public, media, stakeholders (vendors, partners, etc.) and employees.


In 2008, Hurricane Ike devastated the upper Texas coast with many animals lost and many more suffering needlessly.  This storm triggered a request for the Texas A&M College of Veterinary Medicine & Biomedical Sciences to form a deployable veterinary emergency team. 

The Texas A&M Veterinary Emergency Team (TAMU VET) is comprised of veterinary faculty, staff, and senior veterinary medical students. Since its inception, the TAMU VET has been deployed for Hurricanes Rita and Gustav, the 2011 Grimes County Wildfire and Bastrop Complex Wildfire, an Alzheimer’s patient search in Brazos County in 2012, and the 2013 West, Texas fertilizer plant explosion.

TAMU VET was formed in response to an increasing frequency of emergencies and disasters, the pressing need for veterinary support for the canine component of search and rescue efforts, and a societal decision that animals were worthy of care and support during disasters.

When a call to respond to a disaster comes in, an alert is put out to the team via a phone call-down system, and everyone responds with their availability to deploy. The goal is to be out the door within four hours of a request to deploy. Working hand in hand with the first responders, one of the most important benefits of TAMU VET is their ability to be on the front lines of a disaster. Not only are they there to support, treat, and assist canine search teams, but the first responders are often the first groups to find or rescue animals that have been involved in the disaster. TAMU VET is able to coordinate the capture and rescue of found animals, and gives first responders a place to bring injured or ill animals.

This triage point for the field allows first responders to do their job and also begins the process of animal rescue and recovery early on. It has become the expectation that TAMU VET will be on the ground in an emergency because everyone realizes that animal issues are an aspect of any disaster. “First responders have told us repeatedly that it helps them do their job when they know we are there to help take care of their canine search teams, but also to take care of animals that might otherwise be ignored, left behind, or rescue delayed until the human response is completed. This is a truly special partnership and is one that we know works,” says Deb Zoran, Associate Professor and TAMU VET Medical Operations Chief at Texas A&M University College of Veterinary Medicine and Biomedical Sciences.

The diverse range of deployments has allowed the veterinary students to participate in serving the citizens of Texas while simultaneously providing professional development through the complex and rapidly changing disaster environment in which they are providing veterinary medical care. The educational value of emergency response deployments led to the development of a required clinical veterinary medical rotation during the fourth year of the veterinary program – the first of its kind in the United States.

The clinical rotation at TAMU is designed to provide veterinary medical students with the knowledge base and skills to assist their communities with planning to mitigate or respond to animal issues during disasters. The rotation is divided into two major parts: preparedness and response. The preparedness component requires students to make a personal preparedness plan, assigns them the task of working through the process of developing a practice preparedness plan, and introduces the students to the concept of developing a county emergency animal sheltering and veterinary medical operations plan. In the response component, students learn risk communications, medical and field triage concepts, and medical operations in austere conditions. They also have the opportunity to spend a day at Disaster City – a local training site for first responders from around the state and the nation to get to understand some of the medical and environmental conditions the first responders must work in.

As a leader in veterinary emergency preparedness and response, TAMU just marked the first anniversary of their required clinical rotation and continues to act as a strong service for animals in a disaster. For more information, visit the TAMU VET website.

IDG News Service (Miami Bureau) — In another example of the consumerization of IT, people have embraced cloud storage and file sharing services like Dropbox both at home and at work, and CIOs better take notice about this trend, according to a Forrester Research report.

"There is huge business value in these types of services," said Rob Koplowitz, co-author of the study "File Sync and Share Platforms, Q3 2013." "They solve a bunch of business problems."

Dropbox and similar services, with their intuitive and user-friendly interfaces, make it easy and convenient for people to sync files across multiple personal and enterprise devices, including tablets and smartphones, and share these often large files with colleagues, clients and partners, he said.


There's a very old IT problem that's gaining renewed attention lately: The problem of keeping too many copies of data. The analyst firm IDC has quantified the problem and come up with some rather startling statistics:

  • More than 60% of all enterprise disk capacity worldwide is filled with copy data
  • By 2016, spending on storage for copy data will approach $50 billion and copy data capacity will exceed 315 million terabytes
  • In the next 12 months, [IT departments] expect increased use of data copies for app development and testing, regulatory compliance, multi-user access and long-term archival


Risk modeling is a useful tool for business continuity managers, but over-reliance and flawed approaches can create difficulties. By Geary W. Sikich.


Fundamental uncertainties derive from our fragmentary understanding of risk and complex system dynamics and interdependencies. Abundant stochastic variation in risk parameters further exacerbates the ability to clearly assess uncertainties.

Uncertainty is not just a single dimension, but also surrounds the potential impacts of forces such as globalization and decentralization, effects of movements of global markets and trade regimes, and the effectiveness and utility of risk identification and control measures such as buffering, use of incentives, or strict regulatory approaches.

Such uncertainty underpins the arguments both of those exploiting risk, who demand evidence that exploitation causes harm before accepting limitations, and those avoiding risk, who seek to limit risk realization in the absence of clear indications of sustainability.


The wrong words online can come back to haunt you

The case of Justin Carter, the Central Texas teen jailed for over five months as a result of a Facebook comment, is a powerful lesson in just how serious social media has gotten, and why your personal crisis management considerations should include careful censorship of controversial conversation.

Here’s what went down, as described in a HuffPost blog by Ryan Grenoble:

Earlier this year, Carter and a friend got into a Facebook argument with someone regarding “League of Legends,” an online video game with notoriously die-hard fans. Justin’s father, Jack, explained to ABC local affiliate KVUE that at the end of the conversation “[s]omeone had said something to the effect of ‘Oh you’re insane, you’re crazy, you’re messed up in the head,’ to which [Justin] replied ‘Oh yeah, I’m real messed up in the head, I’m going to go shoot up a school full of kids and eat their still, beating hearts,’ and the next two lines were lol and jk [all sic].”


Network World — There are two trends happening in the IT hardware market, each gaining momentum but offering very different ways of outfitting data centers.

On the one hand, companies with enormous data centers such as Facebook, Rackspace, Google and Goldman Sachs are creating their own compute, storage and network devices using cheap, commodity components. The pieces are built to a standard - organized by the Open Compute Project (OCP) - to ensure they interoperate, and they are then assembled to create hardware that is finely tuned to the specific needs of an organization. This "disaggregation" of hardware allows one company to have a system that is optimized for high storage capacity with low CPU, for example, while another company could customize the hardware for intense read performance but low write performance.


Friday, 12 July 2013 16:57

It’s all in your head

Or is it?


According to, Australia’s courts seem to be spending a lot of time considering “psychiatric harm” in the workplace.

While these concerns seem primarily based on conditions “Down Under,” risk management practitioners should be aware that the issue can become global and affect their clients. Similar cases may be coming to a courtroom near you.

In one case, the court ruled that “Employers not necessarily liable for psychiatric harm to employees who are stressed or overworked”. In separate decisions, two employees who sustained psychiatric injuries in the course of their employment in Victoria were denied damages in recent decisions of the Supreme Court of Victoria and the Victorian Court of Appeal.

In another case, “Law firm successfully defends against claim of bullying”, the court found that an employee who experienced an overwhelming workload, professional and personal pressure, conflict and a strained relationship with a colleague had not been bullied.

Interestingly, all cases were heard in the same Australian state, Victoria.


Thursday, 11 July 2013 14:21

Developing a Crisis Management Plan

“Houston, we have a problem.”

Even the most professionally run businesses, including law firms, occasionally run into times of crisis.

In the specific example of a law firm, crises can arise in many forms, like issues that compromise operations, financial dilemmas, and ultimately, problems that threaten or damage the integrity and reputation of a firm.

Entertaining thoughts of potential predicaments can be uncomfortable, not to mention daunting. However, as is the case in any type of disaster scenario, it is best to have an anticipatory plan of action in place before catastrophe occurs. Doing so can be the difference between putting out the fire and fanning the flames in times of crisis.


DSD manifesto clarifies “significant risks” and strategies for secure BYOD

David Braue | July 11, 2013

Strategies for securely implementing bring your own device (BYOD) policies have been formalised in an extensive document recently published by the Defence Signals Directorate (DSD) that outlines business cases, regulatory obligations and legislation relevant to securely implementing BYOD.

The document, entitled Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD), aims to help readers understand and mitigate the "significant risks associated with using devices for work-related purposes that have the potential to expose sensitive data", according to its authors.

DSD has long held primacy in information-security matters, offering technical certification of products for use in secure environments and offering IT-security guidance for government and non-government bodies through publications such as its Information Security Manual (ISM).


By Sunil Cherian

Business continuity planning (BCP) should cover an organization’s ability to avoid major business disruption from a disaster while addressing the principal concerns of business risk mitigation, protecting data and preventing data loss. Business transactions delivered from the data center pose major challenges to business continuity.

Data center infrastructure and the networks that support it play a prominent role in automating business processes and communication across the organization, customers, partners, suppliers and regulators to ensure the organization continues to run during a disaster. Connectivity in data center infrastructure and the networks can be adversely affected by bottlenecks or complete failure due to network outages, hardware failures, human error and natural disasters.

Application delivery controllers (ADCs) protect these vital corporate assets and keep the network up and running. Below are five capabilities to look for to create a reliable application delivery infrastructure for business continuity planning:


The emerging H7N9 avian influenza virus responsible for at least 37 human deaths in China has qualities that could potentially spark a global influenza pandemic, according to a new study published yesterday (July 11th, 2013) in the journal Nature.

An international team led by Yoshihiro Kawaoka of the University of Wisconsin-Madison and the University of Tokyo conducted a comprehensive analysis of two of the first human isolates of the virus from patients in China. Their efforts revealed the H7N9 virus's ability to infect and replicate in several species of mammals, including ferrets and monkeys, and to transmit in ferrets — data that suggests H7N9 viruses have the potential to become a worldwide threat to human health.

"H7N9 viruses have several features typically associated with human influenza viruses and therefore possess pandemic potential and need to be monitored closely," says Kawaoka, one of the world's leading experts on avian flu.

"If H7N9 viruses acquire the ability to transmit efficiently from person to person, a worldwide outbreak is almost certain since humans lack protective immune responses to these types of viruses," says Kawaoka.


Thursday, 11 July 2013 14:18

EMC 'Bringing the Sexy Back' to Data

CIO — Backup isn't exactly the sexiest area within an IT organization. In many cases, it's perennially understaffed and under-resourced. But as data becomes an increasingly valuable commodity in the enterprise, and the volumes of data generated by the enterprise expand exponentially, backup is buckling under the strain. A new way of thinking about protection storage architecture may be required.

"Imagine a dam with a single, small sluice gate near the bottom, and there's water just gushing over the top," says Guy Churchward, president of Backup and Recovery Systems at EMC. That sluice gate represents your backup platform and the water represents your data. "Backup can't handle the load."

And worse is coming, Churchward says. If you were to pan the camera back from your little dam with water spilling over the top, you'd see 15 other raging rivers rushing toward you.


The title of this article is a question that comes up often in Business Continuity Management industry LinkedIn Group Discussions.  Many planners and practitioners struggle with where BCM is situated in their organizational hierarchy – resulting in a hopeful search for a better solution.

Business Continuity Management is often the homely foster child in many organizations.  (For those not familiar with the US foster-care system, a foster child is removed from his/her natural parents and sent to live with a volunteer ‘foster family’ who receives government funds to provide their care).  Few C-level executives want responsibility for BCM.  There’s little ‘up’ side; it doesn’t make any money, and failure – in either a compliance audit or a real-life disruption – may win a one-way ticket to unemployment.

So the winner of the Business Continuity Management sweepstakes is decided by fiat or by default, depending upon the organization’s culture.


Techworld — Many organizations are still dependent on archaic data centre infrastructures despite the knock-on effect they can have on the end-user experience and levels of productivity, according to research released today.

Brocade, which commissioned the survey, said the results showed that many organisations were using the same data centre technology that has been in place for the last 20 years.

The study, carried out by Vanson Bourne on behalf of the networking company, found that 91 percent of 1,750 IT decision-makers needed to carry out substantial infrastructure upgrades on their networks if they wanted to meet the demands presented by virtualisation and cloud computing.


Wednesday, 10 July 2013 21:22

BYOD Breeds Distrust Between Workers and IT

CSO — The Bring Your Own Device (BYOD) movement is supposed to boost worker productivity but a study released on Monday said it can also breed distrust between employees and IT departments.

Nearly half of American workers (45 percent) said they're worried about IT accessing personal data on devices they use for work and home, a report by Aruba Networks revealed.

Similar sentiments were expressed by European workers (25 percent) and those in the Middle East (31 percent), said the survey of 3,000 workers worldwide.

In addition, nearly one out of five European workers (18 percent) and more than a quarter of Middle Eastern respondents (26 percent) feared their IT departments would interfere with their private data if they got their hands on the worker's devices.


Wednesday, 10 July 2013 21:20

A Technological Edge on Wildfires

When the winds change, a ferocious forest inferno can make a sharp turn, and the fire crews battling it may need to depend on their eyes and instincts to tell them whether they are in danger.

Sometimes, as appears to be the case in the deaths of 19 elite firefighters in Arizona, it is already too late.

Of course, the best way to fight catastrophic fires is to keep them from growing to catastrophic scale. But that is becoming more and more difficult as global warming raises the likelihood of fires, especially in Western forests. By 2050, the annual extent of forests burned is predicted to rise by 50 percent or more.

So officials and experts are increasingly relying on technology both high and low to counteract the trickery of raging wildfires.

In computer simulations, the United States Forest Service sets tens of thousands of virtual fires — factoring in different weather patterns, topography, vegetation and historical weather patterns. “You would sort of get a map that depicts a likelihood of fire occurrence,” said Elizabeth Reinhardt, an assistant director of fire ecology and fuels for the Forest Service.


Wednesday, 10 July 2013 21:17

Defining The Mobile Security Market

Understanding the terms and technologies in the mobile security market can be a daunting and difficult task. The mobile ecosystem is changing at a very rapid pace, causing vendors to pivot their product direction to meet the needs of the enterprise. These changes in direction are creating a merging and twisting of technology descriptions being used by sales and marketing of the vendor offerings. What we considered “Mobile Device Management” yesterday has taken on shades of containerization and virtualization today.
Mobile antivirus used to be a standalone vision but has rapidly become a piece of the mobile endpoint security market. Where do we draw the lines, and how do we clearly define the market and products that the enterprise requires to secure their mobile environment?

There is a young lady carousing in the Caribbean with designs on south Florida.

Turn on the tv and you hear the name “Chantal.” Once named, the tv news readers tell us we are advised to get our hurricane preparations underway.

Turn on the radio and you hear the same thing.

Pick up a newspaper – yes, there still are newspapers in south Florida – and you not only are encouraged with hurricane preparations but you also get a hurricane tracking map.


CSO — Today's security threats span a broad spectrum of social engineering schemes, international hackers, and insider threats like the recent NSA breach. It's easy to get overwhelmed by all of the potential threats and where money should be spent to keep up, let alone stay ahead of the curve.

"Security functions are getting only 70 percent of the resources that they need to do an adequate job" of securing the business, including hardware, software, services and staff, said Michael Versace, insights director of worldwide risk at IDC. "The hard stuff is in the next 30 percent."

Meanwhile, worldwide spending on security infrastructure, including software, services and network security appliances used to secure the enterprise, rose to $60 billion in 2012, up 8.4 percent from $55 billion in 2011, according to Gartner Inc. That number is expected to hit $86 billion by 2016.


CIO — Recently, BPR-Rico Manufacturing decided it was time for a change in its human resource systems.

The Medina, Ohio-based engineering outfit, which builds lift trucks and other material-handling equipment, had been using Sage North America's Abra HR solution. The on-premises deployment was more than a decade old and had acquired some eccentricities. The system would randomly change employee dental insurance deductions to the two-year prior rate. An employee who generally worked a 32-hour week would occasionally flex to 40 hours, but the system would still pay for only 32 hours.

As it happened, Rico Manufacturing already was replacing its paper-based time card system with cloud-based time and attendance software from Kronos. The company decided to tap Kronos to replace its human resources and payroll system as well—and move it to the cloud.


Prolexic has shared information on a popular cyber attack technique, SYN reflection attacks, which can leverage the defense mechanisms of DDoS mitigation devices to increase the strength of the attacks.

SYN reflection attacks are one of the more sophisticated DDoS attack methods and typically require some skill to execute. However, they have recently grown in popularity as they’ve become available on a DDoS-as-a-Service basis via the criminal underground.

“SYN reflection attacks have been around for a long time, but new attack apps make them extremely easy to launch. Even a novice can do it,” said Stuart Scholly, President of Prolexic. “Malicious actors wrap web-based graphical user interfaces around sophisticated scripts and offer them as convenient DDoS-as-a-Service apps that you can launch from your phone.”

SYN reflection attacks are used against targets that support TCP – a core communication protocol that enables computers to transmit data over the Internet, such as web pages and email.


Certifications of one sort or another have been around seemingly forever.  If you are old enough you may remember (some 30 years ago) when there were very few non-institutional IT certifications available.  The certification boom started in the mid 80’s when some of the network operating system providers were trying to establish a base of knowledge competency (or a new revenue stream – depending on your perspective).  At the time, passing some of these certification exams was a joke.  They didn’t prove the competency or skill that they were created to achieve.

Of course most of those certification programs have matured.  They’ve become more challenging – including theoretical as well as practical testing to ensure competency of the individual.  Typically, the rate of change in technology has driven the recertification processes; as new products and technological advancements are revealed, certification qualifications have changed with them.


Monday, 08 July 2013 14:18

Always wear clean underwear

If a risk management practitioner needs a motto over his or her office door to observe on the practitioner’s way out, it should be:

Always wear clean underwear

Now at first blush you may think this scrivener has lost it. While that is generally debatable, I assure you in this instance I am fully in charge of all my faculties.

What is it we – risk management practitioners – do? Bottom line?

We anticipate and plan for the unexpected.

No, I’m not talking about swans of any hue; I don’t believe in black swans as an event that could not be predicted.


Monday, 08 July 2013 14:16

No plan for planes

Catching up on the news Sunday morning I learn that a plane crash at San Francisco’s airport (SFO) caused cancelled flights across the country.

I live close to two major airports: Hollywood/Fort Lauderdale (FLL) and Miami (MIA).

The local tv stations sent people to interview stranded travelers, asking what they were going to do until flights to SFO resumed.

Not one traveler – not one – planned to do anything other than “hunker down” either at the south Florida airport or at a nearby lodging.

If I had been booked on an SFO-bound flight I would be talking to the airline’s representatives to get a flight to LA or Seattle.

Ahh, but that’s not San Francisco.


By Ray Abide

In the past, I have mostly referred to the activity in which participants are assembled to work through a simulated business continuity event in order to determine their familiarity with the plan, its completeness, and perform their individual roles to recover from a given scenario as a business continuity plan test. Sometimes I have interchangeably used the term ‘exercise’ or ‘simulation’ instead of ‘test’.


By Barry Shteiman.

Recently a very interesting article on the Armed Forces Communications and Electronics Association website caught my eye: ‘DISA Eliminating Firewalls.’

Although the title seemed provocative at first, the article itself just made me smile.

DISA gets it, it really gets it.

One of the advantages of working with the father of the modern firewall (Shlomo Kramer) is that I have an insider’s perspective on how security has evolved over the years: from the early days of Stateful Inspection firewalls, when perimeter and interdepartmental separation was the focus, to the realization that data (a company’s lifeblood) is the single most important asset to protect. Not this or that network, but the data.

In the AFCEA article, Lt. Gen. Ronnie Hawkins Jr. explains that network separation, while widely accepted, does not encourage business collaboration, such as easily accessing and sharing content.


Tripwire, Inc., has announced the first instalment of results from an extensive survey on the state of risk-based security management conducted by the Ponemon Institute. The survey covers risk-based security management program governance and maturity and includes 571 UK and 749 US respondents from the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.

“The findings from this report strongly indicate that risk-based security management is still viewed as an IT or security task instead of a business task,” noted Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Unfortunately, the full value of a risk-based approach to security can only be realized when senior business leaders fully participate in the process.”


Those of us who spend our business lives immersed in the Business Continuity industry swim through a sea of acronyms.  Meanwhile, we are constantly seeking the support and cooperation of colleagues who are often confused by those same acronyms.

We can make understanding easier simply by using real terms instead of acronyms.  But unless we can clearly define those fundamental Business Continuity terms, we still risk confusing our potential supporters and partners.

There are two common terms that are too often used (or confused) interchangeably:  Incident Management and Crisis Management.  They are not the same.  They are related – but have differences in purpose and objectives that ought to make their definitions clear:



By Georgina Peacock

When Hurricane Katrina hit, Julie thought she was ready.  She always had an emergency kit prepared because her son Zac needs medical supplies and equipment to keep him happy and healthy. Zac has spina bifida, a major birth defect of the spine; hydrocephalus, which means he has extra fluid in and around the brain; and, a number of food and drug allergies. He has sensitivities to changes in temperature and barometric pressure. Therefore, she always made sure they had a week’s worth of supplies and medicine ready when it was time to evacuate. “There is a very delicate medical balance,” she said.  “When he has an issue, the dominos tend to fall quickly.”

As communities around the Gulf braced for Katrina, Julie’s family left New Orleans for Baton Rouge with their one week reserve of Zac’s medical supplies including catheters, feeding tubes, and special medications. But like most families facing the devastation of this hurricane, they ended up being gone for much longer.  “It was a very challenging time for so many people, but especially for families of children with special health care needs, like ours,” said Julie. “Zac is a unique guy who needs a lot of support.” 

“Now, we always keep a one month supply of Zac’s supplies in our emergency kit,” she said. “It’s critical. It’s life and death for us.” Her insurance pays for this stockpile of emergency supplies. She also keeps a document of Zac’s daily needs and medical history in print and electronic format.  This vital document includes:

  • Daily plan of care
  • How to use his medical equipment
  • Recipe for formula
  • Catheterization schedule
  • Allergy information: food and medication allergies, type of reaction, and what to do if he has a reaction
  • Surgeries
  • Diagnoses by body system
  • List of his doctors with contact information
  • Equipment providers
  • Pharmacist
  • Medications and supplies including stock numbers and basic descriptions of products for comparable substitutions
  • Allergy information
  • Insurance information
  • Case manager for his Medicaid waiver
  • Since he is over 18 – legal documentation of  “continuing tutorship” which allows parents to make medical decisions for him.
  • Biographical sketch including his likes/dislikes; hobbies/interests; and triggers-things that will disturb him.

Julie urges families with children who have special needs to know what emergencies are likely in their area. For Julie’s family, they know the areas that flood and prepare for hurricanes and tornados. Also they live in an area that is home to many chemical factories and a nuclear plant, so they prepare for plant explosions, nuclear reactor accidents, and fires.  “Preparing and planning can give you peace of mind,” she said. “Get a kit. Make a plan. Be informed. It applies to everyone, especially to those of us who care for children with special needs.”

Children with Special Healthcare Needs in Emergencies

Children with special healthcare needs may be more vulnerable during an emergency.  They may have difficulty moving from one location to another, urgent or persistent medical needs, difficulty communicating or have trouble with transitioning to different situations. A disaster can present all these difficulties at once. Knowing what to do can help maintain calm in your family and keep them safe.

Please visit the following sites for more resources:


Does someone in your family have unique needs? How do you prepare? How have you addressed these needs during an emergency? Share your experiences and tips below.

Georgina Peacock, MD, MPH is a medical officer and developmental-behavioral pediatrician with the Prevention Research Branch in the Centers for Disease Control and Prevention’s National Center on Birth Defects and Developmental Disabilities.  Follow her on Twitter @DrPeacockCDC

Further illustrating how important reputation can be to a business enterprise, Paula Deen’s rapidly crumbling empire took another hit this week when Ballantine Books announced that it was cancelling the publication of the celebrity chef’s latest cookbook, Paula Deen’s New Testament: 250 Favorite Recipes, All Lightened Up, which was scheduled to be released in October as the first in a five-book deal signed last year. Even more surprising was that, based on pre-orders alone, the book was already Amazon’s number-one best seller. (Interestingly enough, the book was replaced at the top spot by another Paula Deen cookbook, Paula Deen’s Southern Cooking Bible.)

The book cancellation brought the total of business deals killed by Deen’s admission that she had used racial slurs in the past to 12. According to the Consumerist, the tally includes:


Business Continuity Management (BCM), like most corporate programs, is often plagued by common mistakes; these common mistakes also apply to the Business Impact Analysis (BIA). The following are some common mistakes that need to be addressed to ensure that the BIA is effective:

1. Minimal Management Support – Senior management must buy in to the need for continued maintenance of the BCP program. The program requires on-going resources to ensure that the program is funded and there are dedicated resources assigned across the organization. The people who head up the BCP program must have the requisite training, as well as the skills to provide leadership, prioritize tasks, communicate with stakeholders, and manage the program.


CHICAGO--When Hurricane Katrina struck the states near the Gulf of Mexico in August 2005, human resources at Target Brands Inc. was right in the middle of handling the crisis for the well-known retailer.

The company managed to get the cash registers up and running in a very short time, but it was left with the question of who would run them, Terri Howard, who worked for Target then and is now senior director of FEI Behavioral Health in Milwaukee, recalled.

In a crisis, “HR's role is strategic. It is to make sure that your folks are taken care of,” Howard said June 19 at the Society for Human Resource Management's Annual Conference & Exposition.

That has numerous ramifications, she said. In the aftermath of Hurricane Katrina, banks were closed and ATMs weren't working due to power failures, so “we had to fly in cash to pay people, which had implications for compensation,” Howard said. There also were questions about employees with health insurance going to health care providers who were out of network temporarily, she said, and whether the employees would be charged copays.


Tuesday, 02 July 2013 11:44

Data outside the data centre

The data centre gets the spotlight when organisations look to improve their management and storage of data, but a growing proportion of the information in the average enterprise is found at its branch offices and on end-user devices.

Security vendor Symantec, for example, estimates that around 46% of the data in most enterprises is found outside their data centres. The volume of data outside the safe perimeter of the data centre is growing at a rapid rate, thanks to the rise of mobility and cloud computing.

In addition, many companies still maintain Windows file servers and low-end storage arrays in branch offices, so users can access applications and data without having network bottlenecks slow them down. This exposes companies to both data storage risks and inefficiencies.


Mobile devices such as smartphones, laptops and thumb drives are becoming increasingly vital to productivity, but your organization’s data could be at risk if one of these devices is lost or stolen. The amount of protected health information (PHI) that is transported through mobile environments is staggering and healthcare organizations have a responsibility to investigate security incidents and report PHI exposures. To protect the organization and its patients, it is crucial that IT staffs and privacy and security officers know what to do if a breach is suspected.

Having even a simple incident response plan in place that focuses on rapid identification and a coordinated response gives healthcare organizations important advantages in the fight against cyber crime. First, a plan allows IT to greatly reduce the time between the discovery of a possible exposure and the identification of any data that was compromised. Reduced response time can keep the data loss to a minimum and assists the organization in providing mandatory notification within the time frame allowed. In addition, a formal process gives IT the ability to quickly limit unauthorized access to the network and sensitive data, thus limiting the amount of information that may be exposed.


Disaster can strike in an instant. Whether it is weather-related, man-made or due to some other cause, disasters often occur with little or no warning. That's why creating and implementing an emergency-preparedness plan could mean the difference between saving your business and losing it all.

At the heart of every successful plan is clear communication. Mobile devices such as smartphones and tablets can help ag retailers and their employees connect with each other and authorities, spreading critical information in a time of crisis. Helping to keep the lines of communication open are dozens of mobile apps specifically designed for emergency preparedness. I’ve researched the most commonly used ones and compiled them in this handy list (in no particular order):


The year 2013 will be a turning point in how governments around the world view the threat of floods in a new age of extreme weather events.

India, Nepal, Canada and many countries in Europe have experienced huge losses over the last two months due to intense precipitation that has triggered extreme flooding affecting millions of people’s well-being and livelihoods.

The shocking loss of life in India underlines how vitally important it is that we start planning for future scenarios far removed from anything that we may have experienced in the past.

When we look at the worldwide escalation in economic losses from disasters over the last five years, it is clear that our exposure to extreme events is growing and this trend needs to be addressed through better land use and more resilient infrastructure as we seek to cope with population growth and rapid urbanisation.


Kylie Fowler got controversial when she spoke last month to an audience of asset management and configuration management professionals at the BCS CMSG Conference in London about the five constants she always encounters in her 10-plus years of working as an IT asset management consultant.

While these constants may always hold true, her advice on how to deal with them held some surprises.

She counselled the audience always to listen to their data - “your data has a huge amount to tell you if you use it correctly,” she said.


Monday, 01 July 2013 14:45

HP Secures Data Migration To The Cloud

With the explosion of data in the enterprise and the ability to use as-a-service storage models, important security-level practices are undermined and organisations lose sight of potential threats. In the absence of these standards, IT teams are struggling to identify and assess potential risks, opening their organisations to catastrophic security breaches.

The new HP Cloud Security Risk and Controls Advisory Services, part of the HP Converged Cloud Professional Services Suite, deliver choice, confidence and consistency to customers by combining expertise from across HP, supporting the management of data risk, identification of vulnerabilities and maintenance of compliance with IT governance. This provides clients with solutions that protect their information before it migrates to or from the cloud, whether it is a public cloud, private cloud or hybrid deployment. As a result, organisations can reassign IT resources from spending time on manual tasks to focusing on innovation.


No business today is immune from the ravages of storms and power outages – not to mention earthquakes, fires or other unforeseen disasters that can strike in a minute.

Although all companies need a disaster recovery plan, insurance agents have an even greater obligation to put one in place to enable them to operate after a catastrophe to handle the claims of hard-hit clients.

Here are five tips to keep in mind when developing a plan for confronting disaster and for keeping your agency operating through tough times.


Disaster Recovery as a Service (DRaaS) backs up the whole environment, not just the data.

"Most of the providers I spoke with also offer a cloud-based environment to spin up the applications and data to when you declare a disaster," says Karyn Price, Industry Analyst, Cloud Computing Services, Frost & Sullivan. This enables enterprises to keep applications available.

Vendors offer DRaaS to increase their market share and revenues. Enterprises, especially small businesses, are interested in the inexpensive yet comprehensive DR solution DRaaS offers. There are cautionary notes and considerations too that demand the smart business's attention before and after buying into DRaaS.


Yesterday I was interviewed by NPR for a program airing this weekend about PR and reputation problems caused by racism. It’s always good for someone who helps others prepare for media interviews to do a real one themselves to bring some lessons home. I wasn’t too happy with the interview despite having prepared by thinking through key messages.

In case you catch the story, and some of what I said is included, here is how I intended to answer the question.

1. It’s always about credibility.

While there isn’t a denial, or he said/she said in this case, people are still looking at Paula closely to see if she is to be believed. No doubt trust and respect for at least some has been shaken by revelation of her past attitudes and behavior. Now they are looking to see if she is telling the truth and can rebuild trust. Sincerity is everything. Sadly, I think Paula is very much lacking in this right now with a bungled apology, standing up the Today Show, a rocky performance there, and as far as I know, no real action taken – just words. Sincerity and credibility, like all things trust related, are judged more by actions than words.


Federal chief information security officers (CISOs) know that it isn’t a matter of whether their agency will be subject to a cyber-attack; it is a question of how frequently the attacks will occur. 

But, the real concern that keeps CISOs awake at night is wondering when one of the attacks succeeds -- and they know one eventually will -- whether it will successfully compromise the network and disrupt operations, or even worse, result in stolen sensitive, classified or personally identifiable information (PII). 

The traditional approach to addressing common system and network vulnerabilities, which includes placing the problem in silos based on the particular type of attack or its target, is no longer enough to meet the challenges posed by today’s hackers and cyber criminals. Instead, the federal cyber-security landscape requires that agencies take an enterprise approach to cyber risk management, and to do so, CISOs must be able to understand and visualize the human and technology interactions that impact the agency in cyberspace. That’s where analytics can help.


With the operational complexities and regulations businesses face today, basic computer services and support may not be enough to allow them to keep pace with their competition. Myriad regulations and a multitude of other activities make it difficult for any contemporary organization to survive (let alone thrive) without people who can design and implement increasingly specialized systems…and keep them up and running. Of course, before the first piece of that IT infrastructure has even been identified, someone has to determine the company’s goals and build the guidelines that will help achieve those objectives.

Those are several of the roles solution providers should be involved in. Businesses need someone to be their architect; not just for system design but also to develop the policies and programs that must be in place to automate their processes. For example, before customer-related information and business-critical data can be safely and securely stored using a cloud backup solution, someone has to determine which files, records and other details need to be saved.


Any cyber attack can bring unprecedented damage to a company, but can these damages be quantified in financial terms? This year, experts at B2B International calculated the damages stemming from cyber-attacks based on the results of a survey of companies around the world.

The survey, titled 2013 Global Corporate IT Security Risks survey, found that the average cost incurred by large companies in the wake of a cyber attack is a whopping $649,000. To arrive at the most accurate picture of costs, B2B included only incidents that had occurred in the previous 12 months. Additionally, the assessment was based on information about losses sustained as a direct result of security incidents.


From the smallest business decisions to the largest ones, risk influences all that we do. But taking a risk is not exactly like spinning a roulette wheel, where luck is the primary ingredient for success. With use of the right tools, risks can carefully be calculated, controlled and managed, greatly reducing the variable of bad luck.

Many successful CFOs today are accounting for the impact of outside forces – from regulatory changes, interest rates, supply chain and other operational events to natural disasters and even consumer sentiment – to inform, shape and govern their corporate strategies.

While the nature of the finance function has historically been to analyze past performance, risk is inherently forward-looking. CFOs must move beyond their traditional domain and use performance indicators and risk to predict the future. By discovering hidden patterns of risk rooted within their ledgers and spreadsheets – and integrating risk with financial management – CFOs can provide critical linkages between strategy and execution and stay ahead of the curve.


A quarter of European insurers say it’s hard to find knowledgeable, qualified risk management staff, compared to 16% of their US counterparts.


European insurers are becoming increasingly troubled by the lack of knowledgeable, qualified risk managers in the talent pool, according to research from State Street.

According to its survey, carried out by the Economist Intelligence Unit in April, 25% of European insurers said they found it difficult to find the right sort of risk manager, compared to 16% of US insurers.

The dearth of suitable talent is concerning, given 89% of insurance executives said improving the assessment and pricing of risk was a challenge.

In addition, 80% of respondents globally viewed balancing liquidity and reserve adequacy as a challenge, and almost a third (29%) said their companies have divested lines of business since the start of the financial crisis due to new capital requirements or risk management considerations.


CSO — Securing important corporate or personal information has never been more challenging. Every day, new vulnerabilities are discovered, more breaches are reported and we all become less secure. Just look at the headlines: whether it is Anonymous' latest attack, state-sponsored cyber espionage or warfare, criminal activity or just someone being exploited by five-year-old malicious code that still finds victims, the picture is of a snowball rolling downhill and getting bigger and bigger as it rolls.

Currently, we have a broken model and the state of security continues to spiral downwards. The main root of the issue is that the economics aren't aligned correctly to ensure accountability and responsibility. As a result, we have less security, higher costs, and greater pressure to opt for convenience over security and a fundamental failure to provide proper alignment and transparency to either company or government information security. Without making fundamental changes we are destined to have an ongoing erosion of our security which also translates into an erosion of our privacy and national security.


CALGARY — The flood crisis is a wake-up call for Calgary companies to adopt flexible work arrangements.

With the city in disarray this past week and the downtown closed for business, many companies may find this a spark to put in place telework programs that can prove invaluable not only during crises, but on a more regular basis, said Dr. Laura Hambley, Calgary-based industrial/organizational psychologist with The Leadership Store.

“Having employees well practiced and equipped to work from home, or telework, is an excellent business continuity strategy. In fact, it should be a key component of such plans whenever possible,” she said.

Companies that already have a flexible work policy in place seamlessly work through natural disasters without losing productivity while keeping safe in their homes, she said.


A series of violent storms put Aaron Titus, disaster coordinator for the New Jersey branch of Mormon Helping Hands, through his paces last summer. He coordinated the dispatching of several hundred volunteers to about 300 locations to help remove damaged trees. The effort was so taxing that he doubted one person would be able to successfully coordinate large-scale disaster mitigation smoothly in all cases.

“I realized, if you try to do it as a single individual, you’re never going to be able to,” Titus said.

In response, he developed an early version of Crisis Cleanup, a free open source mapping tool that allows disaster relief organizations to coordinate cleanup and rebuilding efforts after catastrophes. The system has undergone successive modifications since, and today members of volunteer disaster relief organizations log on to the tool and input data into an assessment form about a resident who needs help. This data includes the resident’s address and the type of incident, like flooding, tree removal or food delivery. That information then generates icons on a dynamic map alongside the assessment form.


In the May issue of Risk Management, Emily Holbrook reported on the prevalence of food fraud in restaurants and supermarkets around the world. Characterized by counterfeit or purposely mislabeled foods used by unscrupulous producers looking to make a quick buck, food fraud manifests itself in many ways. Sometimes it’s as unsettling as pig rectum in place of calamari or horse meat for hamburger, while other times it’s farm-raised fish sold as “fresh-caught.” Regardless of the nature of the deception, customers are put at risk. Not only are they conned into buying more expensive items, but they can also be exposed to pathogens or toxins that they would have no reason to expect in their food.

The New York Times recently reported about instances of fake vodka laced with bleach to lighten its color or olive oil contaminated with engine oil to extend the supply and increase profits. It turns out that food fraud is more widespread than most people realize.


Granted, the drop hed is bad grammar, but it works for the military and it could – most likely would – work for any organization.

The military is very big on roll calls and knowing who is present and who is absent – in the latter case, also why the person is absent.

The military roll call is done in reverse pyramid fashion.

On the bottom is the squad. This can be maybe 4 to 10 people.

Next is the platoon. A platoon is composed of several squads.

Moving on up there are companies, each having several platoons; then – well, the graphic shows it all.


Friday, 28 June 2013 16:41

Tips For Surviving A Mega-Disaster

The U.S. is ready for tornadoes, but not tsunamis.

That's the conclusion of a panel of scientists who spoke this week on "mega-disasters" at the American Geophysical Union's science policy meeting in Washington, D.C.

The nation has done a good job preparing for natural disasters like hurricanes and tornadoes, which occur frequently but usually produce limited damage and relatively few casualties, the panelists said. But government officials are just beginning to develop plans for events like a major tsunami or a large asteroid hurtling toward a populated area.

The difference between a disaster and a mega-disaster is scope, the scientists say. For example, Hurricane Sandy was defined as a disaster because it caused significant flooding in New York and New Jersey last year, says Jones of the U.S. Geological Survey. But the flooding was nothing like what happened to California in the winter of 1861 and 1862, she says.

"It rained for 45 days straight," Jones says, creating a lake in the state's central valleys that stretched for 300 miles. The flooding "bankrupted the state, destroyed the ranching industry, drowned 200,000 head of cattle [and] changed California from a ranching economy to a farming economy," she says.


Enterprises need to assess the risks of cloud computing and have clarity on data protection and security responsibilities when contracting cloud services to avoid another “2e2 disaster”, a cloud lawyer has said.

Cloud is not a magical solution that will fix all of IT’s problems and customers must understand that the service they get depends on what they pay for, Frank Jennings, cloud lawyer at DMH Stallard told Computer Weekly at the annual Cloud World Forum 2013 event.

“If you are a big blue chip company paying more for the cloud service, you may get a higher level of protection, but if you are a small enterprise, your contract doesn’t provide enough value to the cloud service provider,” Jennings said.


Thursday, 27 June 2013 15:07

The three key stages to managing risk

Risk arises because of uncertainty about the future. It could involve the possibility of economic or social loss, or incur damage or delay. Risk management provides a structured way of assessing and dealing with future uncertainty. This leads to more efficient and effective decisions, greater certainty about the future and reduced risk exposure.

In every procurement transaction a degree of risk is involved, although most of the time it is not recognised and expressed as such. This is true for simple purchases, for example, ordering a meal or a bottle of wine in a restaurant. It is especially true when ordering complex goods or services, where the specification is not pre-determined, the outcomes are unsure, and the provider unknown.


Thursday, 27 June 2013 15:06

Hurricane watch? There's an app for that

Emergency preparedness applications are a growing trend in smart phone technology.

It’s hurricane season in Louisiana, and that means people will keep a watchful eye on the Gulf of Mexico. Preparing should go farther than that, however. Local, state and national disaster relief organizations flood their websites with emergency information. Smart phones allow the information to be more accessible with the development of emergency-related mobile apps.

The American Red Cross last year launched six mobile apps — Tornado, Hurricane, Shelter Finder, First Aid, Earthquake and Wildfire.

The Red Cross of Central Louisiana used the hurricane app for the first time when Hurricane Isaac threatened Central Louisiana. The app monitors local conditions, and aids in storm preparations. One feature allows users to find help or let others know they are safe.


Thursday, 27 June 2013 15:04

Eight Tips for Implementing a DR Program

Unlike Dorothy in The Wizard of Oz, IT doesn’t have to worry about “lions and tigers and bears, oh my!” Tornados, however, are a shared problem, not to mention hurricanes, earthquakes, blackouts and blizzards. When disaster strikes, it may be tempting to close your eyes and repeat “there’s no place like home,” but unless you have a pair of ruby slippers, the following are better tips to get you safely back to Kansas.

#1 – Distance Matters

Select a disaster recovery location that is far enough away that it won’t be affected by whatever brings your own systems offline.

Florida Hospital, a member of the Adventist Health System, is the nation’s largest privately-owned hospital with 17,600 employees and 2,230 physicians working at 22 campuses. The hospital has its own disaster recovery (DR) site just a few miles from its primary data center in Orlando, but since its primary concern is hurricanes, it also selected a managed SunGard DR site that is 1000 miles up the coast in a location that won’t likely be hit by the same storms.


A seemingly innocuous phrase that sounds as if it could be the name given to a downtown district of a sprawling metropolis or a local sports team, “Five Nines” actually refers to a desired level of system availability.

Ever since man began to create and use more complex machines and tools he has been locked in an eternal battle to keep them working and to improve their performance. But the emergence of cloud computing has freed many companies from the daily tussle between hardware, software, random events and erratic connectivity.

The idea of Five Nines is a classic case of an essentially contested concept, and the debates that whirl across the internet over its validity as a concern of modern businesses demonstrate that it cuts to the very heart of the direction that cloud services are heading in.

But can such a contentious subject be of any use to you and your business?


Thursday, 27 June 2013 15:01

Benefits of cloud-based disaster recovery

An effective business disaster recovery plan is like building or travel insurance - you don't realise how important it is until adversity strikes.

Unexpected events that disrupt normal business activity can have a major impact on operations, staff and customers. Having in place a comprehensive plan to deal with such events is a vital part of effective management.

When it comes to their IT systems, many large companies tackle disaster recovery (DR) by establishing an offsite facility that can support business systems should a catastrophe strike. Critical applications and data are replicated in this facility and kept in a state of readiness at all times.

Smaller companies, however, often find they cannot readily afford such an approach. The overheads associated with purchasing and maintaining duplicate hardware and applications that may never be used make it a very expensive option. Add the extra IT management requirements and this approach to DR moves even further out of reach.


Often the employees at a small to mid-size business feel they already have their hands full just running day to day operations. But what if a worst case scenario were to strike?

It’s not pleasant to think about, but necessary to do so. Consider the small businesses that have seen their offices washed away in the recent Alberta floods, or seen their employees stranded and displaced – or worse. How will the business pull together and survive the disaster, while communicating a plan of action to its employees?

When it comes to disaster planning there are few organizations in the world that have as much experience as the U.S. Federal Emergency Management Association (FEMA), an agency under the Department of Homeland Security. So we’re looking to Robert Jensen, the principal deputy assistant secretary for public affairs at Homeland Security, for some strategies for disaster recovery communications planning.


I think that small and mid-size businesses are the most underserved in the information security market today. These companies have not paid the necessary attention to information security, and the data indicates they will pay a steep price for not doing more.

Robert Plant, writing for the Harvard Business Review on June 4, 2013, spoke very plainly and clearly on the need for the CSO in companies today. Mr. Plant in his blog writes:

“First off, if the company doesn't have a CSO and the chief executive thinks the "S" has something to do with sustainability, just fire him. If it does have a CSO and the CEO chooses to eliminate that position, do the same thing, because it's the wrong answer. While you're firing him, inform the CEO that data security is the number one critical need for U.S. corporations today, and that the CSO is kind of like the chairman of the Joint Chiefs of Staff. You wouldn't get rid of the chairman of the joint chiefs in wartime.”[1]


Business leaders and IT professionals don't often like to think about contingency plans. It seems like the more a company plans for a disaster, the more it expects one to occur. This attitude doesn't necessarily cause arrogance or ignorance, but what it can result in is too little attention paid to business continuity plans, of which disaster recovery is a significant component. Denying the problem doesn't make it any less likely to occur, but it can mean taking a harder hit to business-critical functionality if it does. These businesses, in addition to those that do seek out extensive disaster recovery plans, should be aware of the strengths of enterprise cloud computing.

Part of what will drive security and business continuity improvement in enterprise clouds is the oversight inherent in the cloud computing model, according to the Jacksonville Business Journal. Cloud service providers and adopters enter into agreements in which CSPs are responsible for protecting another business' resources, be it data, infrastructure or IT. Further developments in cloud partner programs will only increase the number of businesses that are directly responsible for upholding the integrity of another's networked resources.


Techworld — Dutch water experts have teamed up with IBM to launch a new initiative called Digital Delta, which will investigate how to use Big Data to prevent flooding.

The Netherlands is a very flat country with almost a quarter of its land at or below sea level, and 55 percent of the Dutch population is located in areas prone to flooding. The government already spends over 7 billion on water management every year, and this is expected to increase by 1-2 billion by 2020 unless urgent action is taken.

While large amounts of data are already collected, relevant data can be difficult to find, data quality can be uncertain and with data in many different formats, this creates costly integration issues for water managing authorities, according to IBM.


Wednesday, 26 June 2013 18:03

DDoS: A 'Perfect Weapon' for Attackers

Distributed-denial-of-service attacks are the perfect weapons for cybercriminals and political adversaries. And Prolexic CEO Scott Hammack says any organization with an online presence should brace itself for attacks.

"As the world becomes more chaotic - which I do believe it will be - there will be more and more disenfranchised countries or people," Hammack says during an interview with Information Security Media Group [transcript below]. "This is a perfect weapon," he says.

And as the attacks get more sophisticated, defending against them gets more challenging, Hammack says. Today's attacks are increasingly using standard Internet security mechanisms, such as secure sockets layer protocol, to defeat online-outage defenses, he says.


Wednesday, 26 June 2013 18:02

An Executive's Guide To Security Risks

The following guest post is by Dwayne Melancon, CISA, chief technology officer, Tripwire, an IT security software company.

The SEC is getting pretty explicit about information security risk. You have to identify it, you have to declare it, and you have to manage it.  The problem is, a lot of the CEOs I talk with have no clue what they are accepting when they sign off on information security risk.

Sometimes, they blindly accept the cryptic recommendations from their chief information security officers (a.k.a., CISO).  Sometimes, their guts tell them there may be a problem, but they don’t know which questions to ask to figure out what’s really going on.  In both cases, I think it’s a problem that senior business managers are accepting risks they don’t fully understand.  How can this represent the best interests of your stakeholders?


Wednesday, 26 June 2013 17:58

Resilience Lessons from Hurricane Sandy

Yesterday I spent the day with a number of people from across the nation looking at what lessons can be learned from the Hurricane Sandy Experience. The key person putting this event together was Steven Flynn. Because he was able to get grant funding to support the work he could sponsor the travel for a variety of people to attend. Generally he drew on people from other major metropolitan areas that have been doing catastrophic planning and also have significant risks. I liked the mix of attendees. Due to the significant business interruptions to the NY/NJ ports there were a number of other port authority representatives in attendance.

The first panel of the day was a federal one that spoke to what they learned from the Hurricane Sandy Experience. See my notes below. Please note that this is what I could capture, certainly not a verbatim record of what was said.


When it comes to compliance risk, board members know the drill all too well. Every six months or so, they receive a new report indicating that everything is mostly under control.  So it’s no wonder they’re surprised when a compliance issue blows up – and it’s no wonder they’re asking tougher questions of compliance executives with every passing quarter.

As regulatory oversight continues to grow, the challenge of dealing with compliance risk will only become more pressing.  It’s not just an item on the agenda – compliance is its own agenda these days.  Given the pace and scale of change, both compliance executives and boards are increasingly concerned that old, reactive ways of managing compliance may cause them to fall behind the competition — or leave them exposed to new regulatory and reputational risks.

If your organization is looking to increase its Risk Intelligence quotient through full-spectrum compliance, three broad areas will command your attention:  Environment, execution, and evaluation.


Wednesday, 26 June 2013 16:50

Wading through a PR crisis

So, what do you do when the sky caves in, as it has in the last week for Savannah culinary personality Paula Deen? What do you do when the past comes knocking in a most unfavorable way? What are the steps for digging out from under a public relations disaster?

Without speaking directly to the still-unfolding Deen contretemps, Jennifer Abshire, of the Savannah public relations firm that bears her name, said there are three basic rules for dealing your way out of any PR crisis.

“If you’re looking at a crisis, I think dealing with it directly is extremely important,” Abshire said Monday. “I do, however, believe that a simple statement is sufficient. And I think the most important thing for anyone who has dealt in crisis PR is to immediately get as much good news out as possible of the wonderful things the client or person has done to help the community.”


This was only an exercise.

Police, firefighters and medical technicians swarmed onto the grounds of Canopy Oaks Elementary on a cloudy Friday morning.

They lined up stretchers and plastic kiddie pools in the parking lot behind the school. They set up washing stations to rinse hazardous chemicals off the 15 high school students who spilled into the breezeway in the middle of the school grounds, and doused the students with fire hoses.

Sheriff's deputies interviewed the students one at a time, and one of them admitted there was a bomb in a car parked out front.

The Big Bend Regional Bomb Squad arrived and deployed remote-control robots with mechanical arms that shattered windows and ripped doors off a beat-up Dodge Stratus parked out front.

Friday’s “chemical chaos” drill involved 10 agencies — from Leon County Schools to the Florida Department of Law Enforcement and the hazardous materials unit of the Tallahassee Fire Department. Evaluators followed them every step of the way, taking notes and film that will help them analyze their performance and look for ways they could respond better in the event of a real disaster.


LAFAYETTE — Sussex County amateur radio operators recently concluded a 24-hour emergency preparedness drill that saw them contact more than 2,600 other operators throughout North America and overseas.

The annual exercise, conducted this past weekend in Lafayette, afforded members of the Sussex County Amateur Radio Club an opportunity to showcase their craft to the public and, just as importantly, contributed to the group's ongoing partnership with the Sussex County Office of Emergency Management.

"We want the community to know that in the event of an emergency, we will be ready to assist in any way we can," said John Santillo, the group's president. "While people often think that cell phones or other communications technologies have replaced ham radio, we can provide vital communications in an emergency that others can't."


The day you need business continuity planning isn’t the day to start thinking about implementing a program.

In the wake of devastating flood waters that hit Calgary and parts of southern Alberta, many organizations in Wild Rose Country have had to flip the switch on their continuity plans to ensure operations continue on as close to normal as possible.

That’s not easy, given the scope of the damage. How bad is the flooding? One need look no further than the city’s iconic Saddledome, home of the Calgary Flames, which filled with water like a giant bathtub up to row 10.

According to estimates from the Calgary Chamber of Commerce, somewhere between 150,000 and 180,000 people work in the city’s downtown core, and the city has a $120-million a day economy. That’s a huge number of displaced employees with a giant price tag, and Calgary Mayor Naheed Nenshi says it will likely be mid-week before most employees can return downtown. It’s hard to imagine the city returning to business as usual this week at all.



In my career as an asset manager, and as a manager of financial risk, I have learned that all good risk management is done upfront, before the first purchase is made or product is sold. Secondarily, good risk management relies on the concept of feedback, i.e., are the results expected at inception happening? If not, are they happening in a way that makes us doubt the margin of safety that we thought we had?


Technology problems at the state level last Thursday prevented effective town participation in the 2013 Statewide Severe Weather Exercise, which was executed over two days last week.

The Department of Emergency Services & Public Protection (DESPP) simulated a severe ice storm affecting the west and northwest portion of the state, Region 5 of the Division of Emergency Management and Homeland Security (DEMHS). This was the second year for the drill, which was enacted as part of Governor Dannel P. Malloy’s emergency preparedness and planning initiatives after the severe storms that impacted the region during the previous year.

Towns could elect to participate either Thursday, June 20 or Saturday, June 22.

According to a notice provided to the towns by DESPP, the simulation was supposed to give the region, “an opportunity to exercise DEMHS Region 5’s Regional Emergency Support Plan with the other 4 DEMHS Regions participating in support roles.”


To control costs and optimize insurance availability, an overwhelming majority of risk managers feel their organization must conduct deeper research into its risks to reap the full benefits of analytics, according to an online survey by insurance broker Marsh.

Nearly 80 percent of risk managers attending a Marsh webinar, "Using Data and Analytics for Optimal Risk Management," say their companies need to take a closer look at risk-related data.

Of companies employing a risk manager, close to 44 percent say they do not have a set dollar threshold for unexpected losses, and 29 percent do not know whether their company is aware of how much risk it can take on, about the same proportion that do quantify risk and share that information with their insurance managers.


When I left off last time, I mentioned that the 60/40 principle is an effective one for business continuity and disaster recovery planning. First, I set out an ambitious goal of a comprehensive, organization-wide program built around industry standards and best practices, leveraging the right automation tools and the right vendors and suppliers…and that would also be able to kill any audit. And then I took 40% off the top and made that our end-goal. Then, a funny thing happened…


Aligning to strategic objectives and assessment of BCMS performance

London - June 19, 2013 - Attenda Limited, the Business Critical IT company, today announced that it has been accredited with the new ISO 22301 International Standard for Business Continuity Management.

Published in 2012, the new ISO 22301 standard replaces the equivalent British Standard, BS 25999; introducing important changes including the role of top management in Business Continuity, the alignment to the strategic objectives of the organisation and the assessment of performance of the Business Continuity Management System (BCMS).

Attenda has been working for the past twelve months to align its business to the ISO 22301 standard, carrying out detailed assessments of the organisation and technology elements and processes, including a number of scenario based exercises with the Crisis Management Team.

As Matt Gordon-Smith, Director of Security, Attenda says, "We have a well-developed and mature approach to crisis management; the intention being to reduce the risk of an incident affecting our ability to do business and to allow faster recovery in the event that something does happen."

The ISO 22301 accreditation is an important component in Attenda's managed services and cloud delivery, further endorsing its business critical IT capability. All Attenda Clients will benefit from the assurance provided by this certification; and additionally, they will be able to access a range of Business Continuity and Disaster Recovery Consulting Services from Attenda, based upon this standard.

Dave Austin, Director, Operational Resilience (Oprel), who has led the international team developing the new standard and has acted as an advisor to Attenda, comments "Attenda has not only ensured that it has stringent measures in place for disaster recovery, but it has also given detailed consideration to the key information that could prevent access to the primary information sources during and after a crisis, to ensure that it can recover faster and more effectively."

In addition to ISO 22301, Attenda has been working closely with BSI on an on-going basis, to attain re-accreditation of all of its other ISO certifications including ISO 9001, ISO 27001 and ISO 20000.

Matt Gordon-Smith adds, "As an integral part of our Business Critical IT approach, we understand that Business Continuity reaches into all parts of the organisation, and must be embedded into our culture. The addition of this new ISO standard to our portfolio of accreditations reinforces our commitment to delivering Peace of Mind for our clients."


Sgt. Jesus M. Villahermosa Jr. has been a deputy sheriff with the Pierce County, Wash., Sheriff’s Department since 1981. Villahermosa served 15 months as the director of campus safety at Pacific Lutheran University in a contract partnership where he worked on all security aspects related to staff and student safety. He has been on the Pierce County Sheriff’s SWAT Team since 1983, and he currently serves as the point man on the entry team.

In 1986, Villahermosa began his own consulting business, Crisis Reality Training. He has primarily focused on the issues of school and workplace violence.

In this Q&A, Villahermosa addresses how schools can be better prepared and secure for an active shooter emergency.


IDG News Service - The French government's accounts payable system, Chorus, is back online after a four-day outage, the French State Financial Computing Agency (AIFE) said Monday.

An accident at a data center operated by French servers and services company Bull on Wednesday affected Chorus's storage systems hosted there. That incident took the core of Chorus, an SAP system with 25,000 users, offline, although another application, Chorus forms, continued to serve its 30,000 users.

The server room's fire extinguishing system was accidentally triggered following an error by one of Bull's subcontractors, resulting in simultaneous damage to several major components of a storage bay holding Chorus data, the agency said.

Bull had little to say about the accident.


The Editor interviews Troy Dahlberg, Douglas Farrow and Ginger Menown, Advisory Services Forensic Partners with KPMG LLP.

Mr. Dahlberg is a Partner in New York with the firm’s Forensic Practice. Troy has more than 30 years of experience providing accounting, auditing and consulting services to companies in many industries. 

Mr. Farrow is a Partner in the firm’s Forensic Practice and has over 25 years of experience assisting corporations, attorneys and their clients with a wide spectrum of financial, economic and accounting matters.

Ms. Menown is a Partner in Houston with the firm’s Forensic Practice. She has over 20 years of experience providing services in dispute resolution, investigations, mergers and acquisitions, valuation, financial advisory and auditing.

Editor: Please give us an overview of disaster situations that you have helped clients manage.

Dahlberg: We have assisted clients affected by the 9/11 terrorist attack, Oklahoma bombing, Japanese earthquake, Hurricane Irene and more recently Superstorm Sandy. Our work primarily involves economic accounting or other financial assistance to the companies that have been impacted by the disaster.

Farrow: For instance, we are currently assisting organizations of a wide range of sizes and industries that have suffered losses and/or incurred extra costs as a result of Superstorm Sandy. We are coordinating claim programs with management’s recovery plan, compiling cost data and assisting with quantifying economic and financial losses that companies have sustained as a result of the storm. In the past, we have worked on insurance claims in the tens and hundreds of millions of dollars for companies in diversified industries as a result of natural disasters such as earthquakes, floods and hurricanes.


The European Commission is seeking leading lights in the arena of cloud services to help sketch out a contract framework so that customers don't get tied into murky deals.

At least, this is the principle that Steelie Neelie Kroes, vice president of the EC outlined in a blog today, ahead of the European Cloud Partnership Steering board in Estonia next month.

"One of the big barriers to using cloud computing is a lack of trust," she said. "People don't always understand what they're paying for, and what they can expect."

"I think you should be able to know what you're getting and what it means - and it should be easy to ensure that the terms in your contract are reasonable: open, transparent, safe and fair."


Here we look at business interruption insurance and why every business should be prepared for the unexpected.

Business interruption insurance should be a crucial part of any business owner's strategy. It acts as a support mechanism for your organization when it is shut down by unforeseen events such as damage to the premises, accidents or any other unexpected setback.

Business interruption insurance provides cover while your business is not operating and helps you meet ongoing costs. That way, you gain time to get the business back on its feet. Smaller businesses that do not buy this insurance may face closure soon after a disruption, because the cost of rebuilding is beyond their financial capacity.


Monday, 24 June 2013 16:05

The Supply Chain After the Disaster

When disaster planning for the supply chain, people rarely talk about what happens when parts and devices are damaged but not ruined. However, in the aftermath of the Japanese earthquake and tsunami, the Thailand floods, and the hurricanes and tornadoes in the US, it's high time for this conversation to start happening in a big way.

Reverse logistics and repair are crucial parts of disaster recovery efforts. Fortune 500 electronics manufacturers will have to rebuild production equipment. Individual consumers will want their under-warranty cars, laptops, and phones replaced. Third-party vendors will be salvaging and reselling scrapped parts.

Let's take Hurricane Sandy, just because it's still fresh in many people's minds. In February, the National Insurance Crime Bureau raised its estimate for the number of vehicles damaged by the storm to 250,500. That number is still based on preliminary figures and could change as more insurance claims are processed. Many of those cars have been cleaned up and may be back on the market under the "good but previously damaged" label. Many others have turned up without such a label.


The result is included in a recent survey of more than 3,000 employers by Zywave, a provider of software as a service technology solutions for the insurance and financial services industry. It was conducted during the first quarter of 2013.

The survey showed 53 percent of employers are very or somewhat concerned about post-accident cost control while 50 percent are concerned about risk control in the form of accident prevention. However, when asked for the most effective measure they take to control workers' comp costs, having a safety-minded culture was mentioned by 69 percent of respondents, although only 26 percent rank safety incentives as effective or highly effective. Also, 34 percent say they do not have a written safety manual.


Monday, 24 June 2013 16:00

Keeping in step with regulation

The arrival of outcomes-focused regulation in October 2011 was greeted with howls of concern by the solicitors’ profession as a whole. A new and uncertain regulatory landscape lay ahead of a profession that has a strong desire for certainty and clarity at the very heart of its culture, training and service offerings. Commentators at the time noted that the new regime offered plenty of negatives and few positives. Eighteen months on, though, the landscape feels very different. Those that have embraced the changes can feel empowered by them and are able to drive risk management into their business as a key part of the business process, rather than simply a compliance burden.

There are things that firms need to be aware of, principally that the change in regulatory structure has moved responsibility away from the regulator to the regulated, with a consequent need to apply sufficient resource to risk-management activities. But there are also opportunities to be exploited. Not opportunities to play fast and loose in the face of broader, less prescriptive, regulatory rules, but instead opportunities to focus on making regulatory, compliance and risk management a more central part of any business and to construct it in a way that fits with your business needs rather than regulatory strictures.


So you need to do some Business Continuity/Disaster Recovery (BC/DR) Planning, but aren’t sure how to start? Depending on the size of the task and the level of prior focus on BC/DR planning within your organization, this could involve anything from simply sprucing up your existing BC/DR plans to the overwhelming feat of creating new plan designs and implementations. If the latter is your situation, don’t feel alone. There are many data center managers, IT executives, and application owners that feel like they’re behind the 8-ball on their business continuity and disaster planning efforts. Rest easy and know that with the right steps, you can get things moving forward in the right direction.

Business Continuity and Disaster Recovery Planning: The 60/40 Rule

One of my best mentors was an extremely successful leader in risk and resilience programming in both the federal government and commercial industry sector. He taught me early on (much to my initial chagrin) that the best programs start out with the 60/40 rule, meaning that you should start out and “sell” goals and objectives that are only 60% of where you would ideally wish to see the end-state. The “60/40 rule”??? As a devoted and overly ambitious “Business Continuity Professional,” I could conceivably accept the classic 80/20 Pareto Principle, but 60/40 was difficult to swallow. But he was “the Boss,” so I figured I might as well go with the flow, accept his guidance, and ensure that all my programs targeted getting “60% there.” So how would this work?


The word “disaster” can be used to describe a broad range of events, such as violent weather, a catastrophic accident, or a natural event that causes great damage or loss of life. Disaster recovery is an equally broad term that encompasses both the planning and preparation prior to a catastrophic event, as well as the recovery and recuperation of those affected.


A seminal moment in disaster recovery occurred in 1988 when a fire destroyed a central office operated by Illinois Bell in the suburbs of Chicago. The Hinsdale Central Office handled 40,000 local phone lines, which supported the O’Hare International Airport and numerous businesses. Service wasn’t restored for weeks and, one by one, thriving businesses failed and were liquidated. Network planners and architects came to realize that there are a multitude of things that can negatively impact network operations in addition to natural disasters.

While disaster recovery and business continuity are similar in many ways and share many overlapping concerns, they are different subjects. Disaster recovery deals with the aftermath of a catastrophic event that affects an area or region. Business continuity involves the safeguarding of critical business functions.


Monday, 24 June 2013 15:54

3 Business Safety Tips for Summertime

Whether you operate a seasonal business or sales pick up during the summer months, summertime can be full of risks for small business owners.

From on the job injuries to extreme weather, there’s a host of things that can go wrong to hurt sales or worse yet derail the entire operation.

“Summer is a busy time for certain businesses, particularly those along the coasts,” says Judy Coblentz, vice president and chief underwriting officer at Travelers. “In certain parts of the country the summer season brings more business and pretty big exposures for small businesses.”

To prevent your business from taking a hit this summer, Travelers put together a list of the biggest seasonal risks and ways to avoid them.


Monday, 24 June 2013 15:53

Big Data and GRC

The following is CCI Publisher Maurice Gilbert’s interview with John Verver, VP, Strategy at ACL. Mr. Verver is a Chartered Accountant, Certified Management Consultant, and Certified Information System Auditor, as well as a member of the Center for Continuous Auditing’s advisory board.

Big Data is a hot topic right now – how does it relate to GRC and the practical issues of risk management and compliance?

The term Big Data is used in a wide range of contexts, but it generally refers to the gathering and integration of data from various sources, both traditional and non-traditional, in order to obtain better insights into customers, prospects, market opportunities, and corporate performance. Although it is not often used in reference to risk management, controls, and compliance, it’s interesting to note that analysis of very large volumes of data from disparate sources has played a significant role in GRC for at least the past 10 years.


CSO — Richard Ramirez is remembered all across southern California for the terror he inspired during the early 80's. The serial killer, who died in prison earlier this month, was nicknamed the 'Night Stalker' and was known for the ease with which he entered his victims' homes. He did not break and enter, he didn't shatter windows or climb down the chimneys. For the most part, Richard 'walked' into homes either through screen doors left unlocked or windows left open. Many of his crimes, I've been told, were committed close to freeway ramps to facilitate a fast getaway.

What is very interesting to note about Ramirez's victims is that even though the city was aware of a serial killer on the loose, people still left their windows or screen doors open. I know I would batten down the hatches and take extra precautions until I heard the killer had been caught. So what makes people lax and laissez-faire in the face of a known and omnipresent danger?


2012 was the second-worst year on record for extreme weather events, both in number and in cost, according to a tally released this morning by the National Oceanic and Atmospheric Administration. Eleven major events—including tornadoes, wildfires, droughts, and hurricanes—racked up a collective bill of over $110 billion, with cropland damage from drought in the Midwest ($17.36 billion in crop insurance payments alone) and Hurricane Sandy, with a $60 billion price tag, as the most expensive items.


More than half of mid-sized businesses across Europe would refuse to do business with an organisation which has suffered a data breach, despite the fact many see data loss as just another part of everyday business.

That is according to the second annual pan-European Information Risk Maturity Index by global information management firm Iron Mountain and professional services provider PwC, which examined how companies expect to respond to information risk.

It found that companies are experiencing up to a 50 per cent increase in data breaches per year. The report suggests European firms' approach to data management is marred by confusion, inconsistency and double standards.

The study reveals that despite the risks to business revenue and credibility associated with data loss, more than 60 per cent of organisations surveyed believe cutting costs is more important than investing in proper protection against the loss of data. Many of the businesses told Iron Mountain and PwC that they do not have a proper risk information strategy in place.



While knowing the latest IT security measures or top marketing strategies are important, they aren't the skills that are going to pay off in the long run for today's college graduates, new research shows.

A study by Kaplan University's College of Business and Technology discovered that critical thinking and written communications are the most important skills college graduates majoring in business or information technology programs will need to succeed in the work force.

"Technology becomes obsolete quite rapidly," said Kaplan University professor Lynne Williams. "Good communication skills remain with you throughout your working life."


Friday, 21 June 2013 15:36

Improving Security for USB Drives

A new inspector general report criticizing a government contractor's USB drive security practices is an important reminder of why all healthcare organizations need to control the use of mobile storage media and ports.

"Because USB devices connect directly into computers and can store large amounts of data, they can potentially cause serious harm to computers and networks or compromise sensitive data if their use is not properly controlled," says the report from the Department of Health and Human Services' Office of Inspector General.

Among the risks posed by USBs are the spread of malware and the inappropriate download, storage and removal of data by users, resulting in breaches or possible fraud.

Security weaknesses such as those identified by the OIG are common throughout healthcare and need to be addressed to help protect patient privacy, says independent IT security consultant Tom Walsh.
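One concrete way to enforce the control the OIG describes is to watch what the kernel reports when a device is plugged in and to flag any mass-storage device that is not on an approved list. The script below is an added example, not code from the OIG report or from the article: it parses constructed Linux kernel log lines in the format the `usb` and `usb-storage` drivers emit, correlates each port's vendor/product IDs and serial number with a later mass-storage detection on the same port, and reports devices missing from a hypothetical allowlist. The log lines, the allowlist and the device IDs are all invented for illustration.

```python
"""Flag USB mass-storage attachments that are not on an approved-device list.

Added example (not from the OIG report or the article). Parses constructed
kernel log lines, joins the vendor/product/serial of each USB port with the
usb-storage detection on that port, and reports unapproved storage devices.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample log lines in kernel ring-buffer style. Timestamps, ports,
# IDs and serial numbers are invented for illustration.
SAMPLE_LOG = """\
[  120.101] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  120.250] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  120.251] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  120.252] usb 1-1: SerialNumber: 4C530001234567891234
[  120.300] usb-storage 1-1:1.0: USB Mass Storage device detected
[  300.010] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
[  300.011] usb 1-2: Product: USB Receiver
[  450.500] usb 2-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  450.501] usb 2-3: SerialNumber: 0000000000ABCD
[  450.700] usb-storage 2-3:1.0: USB Mass Storage device detected
"""

# Hypothetical corporate allowlist keyed by (vendor id, product id, serial).
ALLOWLIST: Set[Tuple[str, str, str]] = {
    ("0781", "5583", "4C530001234567891234"),
}

NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    port: str
    vendor: str
    product: str
    serial: str = ""
    mass_storage: bool = False


def parse_usb_log(text: str) -> Dict[str, UsbDevice]:
    """Build one UsbDevice per port from the enumeration messages."""
    devices: Dict[str, UsbDevice] = {}
    for line in text.splitlines():
        if m := NEW_DEVICE.search(line):
            # A new enumeration on a port replaces whatever was there before.
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
        elif m := SERIAL.search(line):
            if m["port"] in devices:
                devices[m["port"]].serial = m["serial"]
        elif m := MASS_STORAGE.search(line):
            # usb-storage reports the interface (port:config.interface); the
            # port part ties it back to the enumeration record above.
            if m["port"] in devices:
                devices[m["port"]].mass_storage = True
    return devices


def unapproved_storage(devices: Dict[str, UsbDevice]) -> List[UsbDevice]:
    """Mass-storage devices whose (vendor, product, serial) is not allowlisted."""
    return [
        d for d in devices.values()
        if d.mass_storage and (d.vendor, d.product, d.serial) not in ALLOWLIST
    ]


if __name__ == "__main__":
    for dev in unapproved_storage(parse_usb_log(SAMPLE_LOG)):
        print(f"ALERT: unapproved USB storage on port {dev.port}: "
              f"{dev.vendor}:{dev.product} serial={dev.serial or '?'}")
```

Keying the allowlist on the serial number as well as the vendor/product pair matters: vendor and product IDs identify a model, so a policy that checks only those would admit any drive of an approved make. A keyboard or receiver (port 1-2 in the sample) never triggers usb-storage and is left alone.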


Friday, 21 June 2013 15:35

Powering backup and DR with cloud

Cloud came as a blessing in disguise for backup and disaster recovery services. Traditionally, both depended on tapes and data centres, which required huge investments. The paradigm shift brought by the cloud has made it possible for the SMB sector to explore these services.

"It won't happen to me" is a self-assuring myth that most people feel comfortable with. I was going through a document from Texas University which says that only six per cent of smaller businesses survive catastrophic data losses.

University of Minnesota found that "93 percent of business that lost their data centre for 10 days or more filed bankruptcy". If these figures are true, DR and backups act as a lifeline for our business, since bad times cannot be completely avoided. Disasters just don't happen; they are a chain of critical events. Not having a robust DR could be one of them.


Friday, 21 June 2013 15:31

Risk Management, Military Style

Risk cannot be eliminated, in military operations or anywhere else, but it can be minimized. Many of the military's risk-management techniques can apply to your flying.

No matter what we do in an aircraft, we cannot eliminate risk entirely. Instead, we can manage that risk and take positive steps to mitigate or reduce it; in rare cases, we may even be able to eliminate it. An example of the latter might be canceling a trip for poor weather, or because of a mechanical issue. But we should be mostly concerned with mitigating and reducing the risks our flying poses.

Of course, there are many ways to accomplish these goals. I believe most of us in general aviation have sat through a presentation or seminar discussing risk management. While serving in the U.S. Marine Corps, I sat through those classes as well as taught them, and I always came away with the same question, "How will this reduce the mishap rate?" Given the resources available, along with the missions, the military's way of managing risk can't be implemented by the average GA pilot. But it's worthwhile to examine the military's risk-management process. Using it as a template, then taking some simple steps and applying its techniques over time, on our own, can help reduce the GA mishap rate, before someone does it for us.


Good news for managed services providers (MSPs) offering backup and disaster recovery (BDR) solutions. Storage software revenue increased in the first quarter this year led by strength in data protection and recovery software, according to a report from International Data Corp. (IDC). Here are the details.

The worldwide storage software market grew by 3.2 percent during the first quarter of 2013 compared to the same quarter of 2012. Revenue during the quarter climbed to $3.6 billion.

Eric Sheppard, research director for storage software at IDC pulled out the key areas of strength in the market. "Demand was strongest for data protection and recovery software as well as storage and device management software. This was driven by a broad need for data resiliency, improvements to operational efficiencies, and better insights into installed data center infrastructure."


The overall purpose of business continuity planning is to ensure the continuity of essential functions during an event that causes damage or loss to critical infrastructure. A continually changing threat environment, including severe weather, accidents, fires, technological emergencies, and terrorist-related incidents, coupled with a tightly intertwined supply chain, have increased the need for business continuity efforts.

To ensure long-term viability, companies should develop, maintain, conduct, and document a business continuity testing, training, and exercise (TT&E) program. The business continuity plan should document these training components, processes, and requirements to support the continued performance of critical business functions. Training documentation should include dates, type of event(s), and name(s) of participants. Documentation also includes test results, feedback forms, participant questionnaires, and other documents resulting from the event.


Although each business disruption is unique and many decisions will have to be made as situations unfold, a business continuity plan provides a framework and preparation to guide these decisions, as well as a clear indication of who will make them. A successful business continuity plan includes the following elements.

Define a team structure

  • Develop a clear decision-making hierarchy, so that in an emergency, people don’t wonder who has the responsibility or authority to make a given decision
  • Create a core business continuity team with personnel from throughout the organization, including executive leaders, IT, facilities and real estate, as well as physical security, communications, human resources, finance and other service departments
  • Create supporting teams devoted to related functions such as emergency response, communications, campus response and business readiness


The effectiveness of data classification and retention policies can have strong ripple effects across an organization's entire IT risk management framework. After all, how data is classified can determine what risk management priorities are placed on it and the less data that is retained long-term, the less volume the organization has to sift through to determine appropriate protection levels.

"Risk management practices should be based on data or system classification. System classification is simply the 'high water mark' of data stored, processed or transmitted on the system," says Doug Landoll, CEO of Assero Security. "The required security controls for a system are based on the system classification. Risk management, as one of those controls, would be based on this as well."
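The "high water mark" rule and the retention point above can be made mechanical. The script below is an added example, not code from Assero Security or from the article. It assumes a FIPS 199 style three-level impact scale (low, moderate, high) applied separately to confidentiality, integrity and availability, and a hypothetical retention policy under which data sets past their retention period are dropped before the system is rated. The data sets, dates and retention periods are constructed for illustration; the point the run makes is that purging an expired high-impact archive lowers the system classification, and with it the control baseline the system must carry.

```python
"""System classification as the high-water mark of the data it holds.

Added example (not from Assero Security or the article). Assumes a FIPS 199
style low < moderate < high scale per security objective and a hypothetical
retention policy that removes expired data sets before rating the system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

LEVELS = ["low", "moderate", "high"]   # ordered; list index is the rank
OBJECTIVES = ("C", "I", "A")           # confidentiality, integrity, availability


@dataclass(frozen=True)
class DataSet:
    name: str
    impact: Dict[str, str]   # {"C": level, "I": level, "A": level}
    last_used: date
    retention_days: int


# Constructed sample inventory for one hypothetical system.
SAMPLE_DATASETS: List[DataSet] = [
    DataSet("payroll_archive_2018", {"C": "high", "I": "moderate", "A": "low"},
            last_used=date(2019, 1, 1), retention_days=1095),
    DataSet("current_transactions", {"C": "moderate", "I": "moderate", "A": "moderate"},
            last_used=date(2023, 6, 20), retention_days=30),
    DataSet("marketing_copy", {"C": "low", "I": "low", "A": "moderate"},
            last_used=date(2023, 5, 1), retention_days=365),
]
TODAY = date(2023, 6, 21)   # fixed "today" so the run is reproducible


def _rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def expired(ds: DataSet, today: date) -> bool:
    """True once the data set has sat unused for longer than its retention period."""
    return today - ds.last_used > timedelta(days=ds.retention_days)


def high_water_mark(datasets: List[DataSet]) -> Dict[str, str]:
    """Per-objective maximum across the data sets, plus the overall system level."""
    result: Dict[str, str] = {}
    for obj in OBJECTIVES:
        ranks = [_rank(ds.impact[obj]) for ds in datasets]
        result[obj] = LEVELS[max(ranks)] if ranks else "low"
    result["system"] = max((result[o] for o in OBJECTIVES), key=_rank)
    return result


def classify_system(datasets: List[DataSet], today: date,
                    prune_expired: bool = True) -> Tuple[Dict[str, str], List[str]]:
    """Rate the system, optionally after dropping data the retention policy no longer keeps.

    Returns (levels, names of data sets that were pruned).
    """
    active = [ds for ds in datasets if not (prune_expired and expired(ds, today))]
    pruned = [ds.name for ds in datasets if ds not in active]
    return high_water_mark(active), pruned


if __name__ == "__main__":
    for prune in (False, True):
        levels, pruned = classify_system(SAMPLE_DATASETS, TODAY, prune_expired=prune)
        print(f"prune_expired={prune}: system={levels['system']} "
              f"(C={levels['C']}, I={levels['I']}, A={levels['A']}); pruned={pruned}")
```

With the sample inventory the system rates "high" only because of a payroll archive nobody has touched since 2019; once retention is enforced the archive is pruned and the same system rates "moderate". The mapping from level to required controls is the organisation's own (a FIPS 199 rating picks a NIST SP 800-53 baseline in the federal model), which is why the example stops at the rating.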


How can you prioritize various backup and disaster recovery (BDR) issues? Smart managed services providers (MSPs) focus on four potential scenarios. The idea is to understand each scenario and its correlation with time to recovery.

Strata Information Technology Inc. President Pete Robbins, a BDR specialist, uses these four scenarios to properly assess each situation:


Friday, 21 June 2013 15:22

Risks within risk

For want of a nail

The Atlantic hurricane season arrived June 1. The Pacific typhoon season arrived a little earlier and promptly sent a typhoon across Mexico.

Many organizations have “hurricane” plans. To my mind, that’s foolish. Any “threat specific” plan is, in my opinion, foolish.

The problem with a “hurricane” plan is that it can overlook a risk within a risk.

Consider a hurricane’s main components.

Storm surge (flood).

Wind is, for the most part, harmless. True, it can blow the roof off a building and that can lead to other damages to a property. And true, it can bring down power lines.

Wind’s main threat is the missiles it carries: anything it can pick up and hurl along at high velocity.


The constant parade of new hardware and software that necessarily comes into a data center makes for a lot of moving parts that can be extremely difficult for IT managers to integrate into a business continuity plan.

It's a big, diverse IT world out there.  In any given data center, you can walk down the aisles and see racks of servers or storage from literally dozens of different companies, all doing their jobs—but not necessarily always in exact harmony. The coordination of proprietary, open-source and open-standards software that can clash is often a sore point for IT managers—and those are often found within the same data center environment. This all affects business continuity big time, because all those diverse components have to work together in order for a system to recover after being hit by an outage.


LONDON (Reuters) - For European insurers frustrated that "cyber crime" policies have so far failed to find a ready market among skeptical companies, hope may be at hand.

Not only has a huge data loss by Sony Corp dramatically illustrated the risks of hacking raids on corporate data, but the European Union is working on regulatory requirements which threaten heftier fines on unprepared companies.

The net effect for the insurance sector is that its efforts to establish cyber cover as a lucrative business line alongside risks such as weather catastrophes may be about to bear fruit.

In the United States, cyber cover has grown to be a market worth more than $1 billion in annual premiums, but Europe has not yet followed suit, perhaps surprising given a run of high profile, and costly, hacking incidents.


Thursday, 20 June 2013 15:27

Pound Foolish

Seven months after the second most costly hurricane in history, Mayor Bloomberg proposed investing $19.5 billion to make his city much more resilient to future extreme weather events. More than one-quarter of these resources will come from federal funds included in the Disaster Relief Appropriations Act, which provides aid to New York, New Jersey, and other affected states to help them recover from Superstorm Sandy. New Jersey is also investing significant portions of its Superstorm Sandy federal aid in resilience efforts, particularly along the Jersey Shore. These investments will make New York and New Jersey homes, businesses, infrastructure, and coastal areas more resistant to damage from future storms, sea-level rise, and other climate-change impacts.

Unlike New York City and New Jersey, many communities lack the financial resources to become more resilient to future extreme weather events, and the federal government woefully underfunds such resilience needs. This CAP analysis estimates that the federal government spent a total of only $22 billion on general resilience efforts from fiscal year 2011 to fiscal year 2013. The Obama administration requested an additional $13 billion for mitigation efforts in Connecticut, New Jersey, and New York after Superstorm Sandy, but it is difficult to determine the actual mitigation spending from this sum. The federal government does not have a comprehensive tally of its spending for community resilience and other pre-disaster mitigation programs.


Thursday, 20 June 2013 15:27

#2: Tropical Storm Barry

As Tropical Storm Barry, the second named storm of the 2013 Atlantic hurricane season, formed yesterday in the southern Gulf of Mexico, ahead of landfall early today near the city of Veracruz, Mexico, we can’t help but wonder: isn’t it a bit early?

Fortunately, one of our favorite blogs has some interesting facts and stats on early season tropical storms.

Dr. Jeff Masters’ Wunderblog tells us that Barry’s formation date of June 19 is a full six weeks earlier than the usual August 1 date of formation of the season’s second storm.


“The Europeans won’t let this go. They want to know clearly what has really been going on.”

Sitting in one of the State apartments in Dublin Castle, the EU vice president and commissioner for justice, fundamental rights and citizenship, Viviane Reding, is polite, but clearly, deeply frustrated. At a joint press conference with US attorney general Eric Holder held earlier in the day last Friday, Reding had stated that the fundamental privacy and data protection rights of Europeans were “non-negotiable”.

Waiting media were eager to hear what her response would be to recent revelations by former Booz Allen Hamilton contractor Edward Snowden, on the existence of two secret schemes run by the US National Security Agency (NSA) for gathering vast amounts of personal phone and online data. One took in millions of phone call records over many years from operator Verizon; the other, named Prism, involved as yet unclear arrangements whereby nine large US technology companies, such as Skype, Apple, Facebook and Google, supplied data on request.


NORMAN — Barely a month since their occurrence, the tornadic events of May have joined the ranks of high-profile school emergencies as a source of heightened scrutiny on schools’ emergency preparedness.

Events like the Columbine High School and Sandy Hook Elementary shootings, or the more local April 2012 tornado in Norman, have dramatically altered priorities in school design and district procedures, with May making certified storm shelters in schools a new concern.

“What gets put in school facilities is reflective of priorities at the time,” Superintendent Joe Siano said. “In 1990, I was the principal of a brand new school and it didn’t have a secured vestibule entry or storm shelters — it just wasn’t a priority to communities at that time. For a new school now, that would be unthinkable.”


The daily process of treating patients has been compared more than once to a military operation—and with good reason. After all, everything of real importance takes place on the front lines, at the point of patient contact. All else is purely support.

That analogy extends to the flow of data. Information has to make it to the front lines in order to be effective. Trouble is, that imperative also makes data—especially patient data—vulnerable to attack from multiple sources.

Since September 2009, the US Department of Health and Human Services has maintained a database of breaches in unsecured, protected health information affecting 500 or more individuals. Of these, more than 60 percent have involved some kind of endpoint computing device—desktop PCs and laptops as well as USB drives, tablets, smartphones and other portable electronic devices. Millions of individual records have been compromised from these endpoints due to unauthorized access or disclosure, theft, loss, hacking or other incident.


Google filed a request with the U.S. Foreign Intelligence Surveillance Court on Tuesday to remove the gag order that prohibited it — and other technology companies — from disclosing information about data requests from the U.S. National Security Agency. Google defended its request citing the First Amendment.

When whistleblower Edward Snowden leaked classified information about the NSA’s practice (in place since 2008) of collecting information about the phone calls of all U.S. citizens and emails and electronic communications of foreign nationals, Google denied that it had even given the NSA unfiltered access to its data. Google said it only provided a subset of data whenever a request was made, and wrote a public letter to head of the Federal Bureau of Investigation Robert Mueller and Attorney General Eric Holder on June 11, asking permission to publish numbers about the frequency and scope of those requests. Facebook, Apple and Microsoft followed, asking the government to allow them to do the same. A week later, Google filed a formal request with FISC.


Thursday, 20 June 2013 15:19

Fears of Vanishing Terror Insurance Grow

With the Terrorism Risk Insurance Act (TRIA) set to expire at the end of 2014, corporate risk managers are worrying aloud about what would happen if there’s no property, casualty or workers’ compensation coverage available in connection with a terrorist act.

The anxieties include the possible unraveling of funding for future construction projects, as financiers get cold feet contemplating the total loss that could transpire in the event of an attack. For existing multi-year projects, the risk managers fear that loan covenants could break apart if their companies can’t provide proof of coverage.

Such occurrences are more likely in the real estate industry and in densely populated urban areas. In the wake of the Boston Marathon bombings, however, the sports and entertainment industries are now seen to be at risk. The transportation and petrochemical industries have long been considered vulnerable to attack.


While the bombings at the Boston Marathon reminded responders and emergency managers of the importance of continuing to train and plan for natural and man-made disasters, Cleveland and Cuyahoga County, Ohio, had already been planning a full-scale exercise with the city’s Major League Baseball team. Approached by representatives from the Cleveland Indians about testing their ability to respond to a terrorist attack during a major game at Progressive Field, such as a playoff game, the city reached out to Cuyahoga County to help develop the full-scale exercise.

"The Department of Homeland Security recommends preparation as the No. 1 priority in dealing with emergency situations,” said Bob DiBiasio, the Indians’ senior vice president of public affairs, in a statement. “While our safety and security policies and procedures always have maintained the highest standards, we know it is very important to be well prepared in the event of any major emergency situation."


A recent study conducted by Ipsos Reid on behalf of Toronto-based information security company Shred-it revealed that small businesses do not fully comprehend the impact of a data security breach and, as a result, are not safeguarding sensitive information thoroughly.

The independent survey, conducted by Ipsos Reid and commissioned by Shred-it, was carried out April 16-23, 2013, with two distinct sample groups: small business owners in the United States (1,008), whose businesses have fewer than 100 employees, and C-suite executives in the United States (100), who work for companies with a minimum of 500 employees in the United States.

The 2013 Shred-it Information Security Tracker indicates that an alarming number of small businesses (69 percent) are not aware of, or don’t believe, that lost or stolen data would result in financial impact and harm to their business's credibility.

Protecting a company's critical information is a value proposition. Trade secrets, confidential business plans, and operational security depend on it. Losing that kind of information can mean a plunge in stock price and market share. So who's responsible for information security in your company?

To find out, I like to ask questions. But when I put the question to top management, well, they're busy — not their problem, that's for sure — and they refer me to the chief information officer or the chief technology officer. So I knock on their doors and put the same question to them. Our job, they say, is making stuff work. If the stuff doesn't work, that's our fault. But security? They refer me to the chief information security officer, but she works for the CIO, who doesn't much like to hear what's wrong with the system he built. Besides, she says, I have nothing to do with who gets access to the system. I don't write the rules. And (she looks around nervously: you won't quote me on this, will you?) my budget is a joke.


Wednesday, 19 June 2013 20:19

Security ROI: 5 Practices Analyzed

Traditionally, enterprise data security has relied on a "fortress defense" approach: keep all assets within a corporate castle and build towering walls to keep out the enemy. However, with an evolving threat landscape that includes targeted attacks, social engineering and spear phishing, the model leaves plenty of vulnerable attack points.

With increasing employee mobility, IT professionals are challenged to expand their security practices to "armor" employees individually in addition to the fortress. As a result, IT budgets are stretched thinner, resulting in the need to examine the return on investment of popular security practices. In the battle against data breaches, which practices – "fortress defense" or "armored defense" – provide the greatest ROI?


The federal government spends six times more on disaster recovery than helping communities become resilient to extreme weather that’s predicted to become more intense and frequent in a warming world, a new study shows.

The analysis by the Center for American Progress (CAP), a prominent liberal think tank, labels the approach “pound foolish” and calls for a dedicated fund for “community resilience” fed by higher levies on fossil fuel production.

“We must help communities enhance their ability to withstand the high winds, flood waters, scorching heat, searing wild fires, and parched earth from extreme weather,” states the CAP analysis released Wednesday, which alleges the federal government “woefully underfunds” such efforts.

Wednesday, 19 June 2013 20:16

Is Your Business Prepared For Disaster?

Most organizations understand the importance of keeping critical data safe from both manual and natural disasters. It is surprising, however, to hear just how many companies are not prepared for the day their system goes down and data is lost. And yes, the day will come that data is lost, usually due to a manual user error. Beyond the compromised data, the loss of productivity can immobilize an entire business for hours or even days. Even with the best-laid plans, disaster can strike. Those who are prepared suffer the least.

The current backup and disaster recovery environment is leaning toward solutions that offer integrated and simplified next-generation approaches. These include faster recovery times, easier rebuilds, hardware-independent recovery, bootable backups and bare-metal restore. Successful solutions will require integration with legacy and current data, scale to handle big data, span virtualized and cloud environments, and implement automation while integrating the functions of backup protection and disaster recovery. As priority grows for these solutions, so should IT budgets.


Wednesday, 19 June 2013 20:15

Warning – Not all data is created equal

IT organizations can drive up the cost of storage unnecessarily by treating all data the same and storing it all on the same media. Let’s face the fact: my resume is not as important as the payroll database or even the email database. So, why are you using the same storage policy for both?

Stop using one policy to rule all of your data. It might be simple, but it is killing your bottom line. When looking for a data protection solution, find one that allows you to use policies to treat data differently.

Important data should be prioritized as tier one data that gets backed up most often and most quickly. Perhaps that data can stay on disk for fast restore.


Wednesday, 19 June 2013 20:14

15 great crisis management songs

When you're in the midst of the next crisis, imagine a movie soundtrack playing while you deal with the incident.

What songs would play?

Members of the Crisis Communications LinkedIn group came up with a clever list of more than 30 songs. Below are the top 15 songs from that list.

Play some of these songs in your crisis command center and you might elicit much-needed smiles in the midst of a serious situation:


CIO — Despite the challenges of the budget sequestration that went into effect on March 1, federal agencies are pressing forward with big data initiatives, hoping to squeeze big savings out of more efficient use of their data.

In fact, based on the federal government's FY12 budget actual expenditures of $3.538 trillion, federal IT managers could potentially recognize nearly $500 billion in savings across the federal government via big data initiatives, according to a new study by MeriTalk. MeriTalk is a community network for government IT developed as a partnership by the Federal Business Council, Federal Employee Defense Services, Federal Managers Association, GovLoop, National Treasury Employees Union, USO and WTOP/WFED radio.

MeriTalk surveyed 150 federal IT executives for the report, Smarter Uncle Sam: The Big Data Forecast. Forty-eight percent of the respondents were from the U.S. Department of Defense. The remaining 52 percent were from civilian agencies.


Sacramento, Calif., Mayor Kevin Johnson helped launch the Resilient Communities for America campaign this week offering a pledge, along with 44 other mayors, to create a movement to develop communities resilient to extreme weather, faltering infrastructure and other hazards.

Johnson, on the steps of Sacramento’s City Hall, said a goal is to get 200 mayors to sign a pledge by the end of this year and then a thousand by 2015. He said it’s critical for mayors to leverage their numbers to secure federal and state funding to support local initiatives for infrastructure and energy security and economic uncertainty.


I reconnected with Mark Challender, a former employee back in my business magazine publishing days, and discovered his passion for amateur radio, particularly in supporting emergency management. I confessed to him I didn't see that much of a role for it given all the other options. He soundly corrected me and I asked him to inform the rest of you as he did me. Thanks Mark! Here is his guest post:

Is Use of Amateur Radio in an Emergency Still Valid?

The answer is YES, amateur radio can make your communications better during a crisis when “normal” modes of communication have failed.


Wednesday, 19 June 2013 20:08

Coping with Disasters

Storm Damage - tree down in the road

Whether you live in tornado alley or in a hurricane-prone coastal region, it’s important to include emotional wellness activities in your disaster plan. Severe weather and evacuations can cause emotional distress such as anxiety, worry, and fear in both adults and children. Although no one can plan for a disaster, you can practice healthy coping skills by following these tips.

Practice Preparedness!
By developing an emergency plan ahead of time you are more likely to feel calm and in control during a storm. Visit for a variety of plans to fit your specific needs. Preparedness is a year-round activity that everyone in the family can participate in, including kids. Involving children and teens in preparedness activities may help them feel less anxious during an emergency and provide reassurance.

Limit Exposure to Media
It’s important to be aware of weather forecasts and local news, but tuning in around-the-clock can trigger additional panic and anxiety. Limit your media exposure, whether that’s watching television, listening to the radio, reading newspapers, or using social media. It’s especially important to limit news coverage when you have children at home because distressing images and sensationalized headlines can cause more confusion, fear and stress. Find a healthy balance that works for you and your family.

Be a Positive Role Model
Children look up to parents and caregivers for guidance during emergencies and stressful situations. Encourage your kids to ask questions about things they see or hear on the news. Answering their questions honestly can help minimize additional confusion and decrease their anxiety. During severe weather forecasts or after a disaster, younger children might need extra attention and may have trouble processing certain emotions. If your child or teen is acting out or seems withdrawn after a disaster, this may be a sign that you need to reach out to a licensed mental health professional for additional assistance. 

Help Others Prepare
A great way to help neighbors, family and friends cope with severe weather is to help them create an emergency plan. Show an older adult or family member how to text their emergency contact or use social media to check in with loved ones. A simple “I’m OK” message can go a long way in easing additional anxiety and stress. Adults with special needs may be particularly vulnerable to feelings of isolation, anxiety and other depression during severe weather. Try to check in on people who may be vulnerable after a disaster or major storm.

Maintain Normal Routines and Practice Self-Care
Even during chaotic or stressful times, it’s important to try to maintain your normal routine. In the face of severe weather, you may need to stay indoors. Avoid “cabin fever” by cooking a favorite meal, playing a board game with the family, or watching a funny movie. This is also an opportunity to do some self-care activities you might not normally have time for, such as meditation, yoga, relaxation techniques, or breathing exercises. Maintaining normal routines is especially important if you have children. It can help ease any anxiety that they may have about the unpredictable nature of severe weather.

Know When to Reach Out for Help

Even after you’ve tried these tips for coping, you may still find yourself struggling with difficult emotions, and that’s common; you’re not alone. After experiencing a severe weather event or a disaster, it may take time to bounce back. With time and support you can continue to move forward and resume everyday routines. Learn more about common distress symptoms and what signs to look for so you can help yourself and loved ones better cope. If you need immediate emotional support or want to talk to a caring counselor about what you’re feeling, you can always call the Disaster Distress Helpline at 1-800-985-5990 (TTY 1-800-846-8517) or SMS (text “TalkWithUs” to 66746) anytime, day or night.

The Disaster Distress Helpline is a program of SAMHSA administered by Link2Health Solutions, Inc. and is the first national hotline dedicated to providing year-round crisis counseling for anyone in distress before, during or after natural or human-caused disasters. This toll-free, multilingual, crisis support service is available 24/7 via telephone (1-800-985-5990) and SMS (text ‘TalkWithUs’ to 66746; Spanish-speakers text ‘Hablanos’ to 66746) to residents in the U.S. and territories. Calls and texts are answered by trained, caring counselors from a network of crisis call centers across the country.

John F. Kennedy once said, "There are risks and costs to a programme of action, but they are far less than the long-range risks and costs of comfortable inaction".

When making any business decision, there are risks that must be measured. Risk management is a key element for any successful business. It starts with identifying, assessing and quantifying business risks, then taking measures to control or reduce them. The risks are then reassessed and business decisions are made based on the remaining risk vs. reward. Having a clear understanding of all risks allows an organisation to measure and prioritise them, then take the appropriate actions to reduce losses. The same also stands true for government departments, small businesses and individuals.


There are more viable offshore outsourcing destinations than ever before -- a great boon for IT leaders seeking new sources of talent, language capabilities, nearshore support, and risk diversification. But IT organizations can no longer afford to take a traditional view of outsourcing location assessment.

"The maturity of global delivery models also continues to increase, and given the demands of increasingly global businesses, this trend will only continue," says Charles Green, an analyst in the sourcing and vendor management practice of Forrester Research. "However, while a geographically diverse portfolio of suppliers brings benefits, it also requires clients to diligently manage the increased risk of such a portfolio."


It's 2am on Christmas Day. You are woken by a phone call informing you that a police raid in central London has uncovered documentation suggesting that your company has been targeted by a group with links to terrorist and state organisations. These groups are renowned for attacking commercial organisations. What would you do?

Sadly, in my experience this is when most companies realise they are ill-prepared to deal with a cyber-attack. I have seen companies struggle to come to terms with the loss of intellectual property (IP), funds, a fall in share value, and their reputation damaged by information that now finds itself on the web.

So how prepared are you to deal with a cyber-attack? Let's start by simplifying this subject. The risk around cyber is simply an issue of information security: the way a company values and protects the precious data it is entrusted with. Too often, information security is viewed as an impediment to a company's operations, and if it is too prohibitive, it can indeed damage its effectiveness. It has to be proportionate. We can't remove risk, but we can manage it.


Today, many government agencies – civilian and defense – find themselves in a technology quandary: the volume of data that must be stored is growing rapidly, while shrinking budgets are limiting the capital expenditures (i.e. servers, storage devices, etc.) required to store all of this data.

Government agencies are not only eyeing existing storage demands, but anticipated storage requirements as well. Gartner estimates the external controller based (ECB) disk storage market will grow from $22.2 billion in 2012 to $31.1 billion in 2016 (a compound annual growth rate of 7.9 percent).

As a result, storage optimization becomes critical for agencies seeking to boost IT performance while improving utilization and infrastructure efficiency. For agency decision makers seeking to improve storage efficiency as a way to address growing data volumes and shrinking budgets, there are a handful of key strategies to consider.


In 2012, according to the Symantec Internet Security Threat Report 2013, there was a 42 percent increase in targeted attacks on the internet, and 31 percent of those attacks were aimed at businesses with fewer than 250 employees. In short, security risks are continuing to grow at incredible rates, and the standard MSP customer is certainly not immune to the threat. For many small businesses, the initial cost and complexity of acquiring the necessary tools to provide security services can seem daunting. As such, selling security services can be a key part of the managed service provider’s portfolio. So, it’s important to take a look at some of the strategies and opportunities for MSPs to boost revenue and build lasting client relationships through security offerings.



A new report named ‘Disaster Unpreparedness’ has been published by MeriTalk which is an online community and go-to resource for government IT. The report which was underwritten by NetApp and SwishData details how confident IT professionals working for federal agencies are with their current data backup and disaster recovery solutions.

In December 2012, MeriTalk surveyed 150 Federal Department of Defence and civilian IT professionals to see how confident they are with their current disaster recovery strategy, how resilient they deem their strategy to be and how often they test their strategy.

The federal IT professionals who participated in the survey scored themselves very highly for their data backup and disaster recovery preparedness with 70% giving their agency a grade of ‘A’ or ‘B’. Despite the IT professionals awarding their agency such high marks for their data backup and disaster recovery preparedness, only 8% believed that they would be able to recover all the data in the event of a natural or man-made incident.


Tuesday, 18 June 2013 15:59

A new approach to risk management

The role of risk management changes at each level of an organisation in the mining industry. The criteria used to evaluate results will therefore be extremely varied. Corporate management will be interested in risks that are vastly different to those that keep general managers at minesites awake at night. But what effective corporate and minesite risk management has in common is that it should primarily be concerned about removing surprises.

Everyone in the business should be focused on the following simple questions:

  • What are the real, material risks?
  • What are we doing about them?
  • Is it actually working?


The Centers for Disease Control and Prevention’s free app, Solve the Outbreak, may help public health officials educate Americans about massive sickness and treatment.

The app is an interactive, question-and-answer game that educates players about how medical professionals identify mysterious illnesses that strike large populations. Though Solve the Outbreak doesn’t have much replay value, it’s still an informative experience.

People play as disease detectives in three missions and investigate clues to discover what’s happened to make people sick in each scenario. Each clue offers information about the outbreak and asks players what to do next.


Tuesday, 18 June 2013 15:57

Creating a workable plan before a crisis

This article is the first in a four-part series addressing the four fundamental principles of crisis management: creating a workable plan, preparing for a crisis, managing the occurrence of a crisis and how to successfully regain business continuity and traction after a crisis strikes.

The tragic events that have taken place over the last few months, including natural disasters and terrorist attacks, should serve as a reminder that we can never be sure when or where a crisis may next occur. As business leaders, it is our responsibility to ensure our people and properties are protected as much as possible.

The first principle in crisis management is to establish a plan. If you already have one, now is a great time to dust it off and re-evaluate it. A well-designed crisis-management plan will be the end result of three steps. First, you will want to identify probable risks. Second, you must determine procedures and protocols to follow in the event of each scenario. Lastly, you must assemble the plan in an organized fashion and make it accessible to all of your associates.


Each calendar year can be easily associated with a “tech meme.” 2011’s Cloud gave way to 2012’s Big Data. 2013 is nearly halfway over and it’s clear that this year’s meme is “Software-Defined”—specifically in my line of work, the “Software-Defined” Data Center.

I’m not suggesting that these secular trends aren’t / weren’t valid. Nor am I saying that these are not transformational forces that will radically alter the way we conceive, design, build, and run IT for the next several decades. They’ve already started to have a significant impact in companies large and small.


Crisis management required after predictably polarizing article published

We never seem to run dry of examples of easily preventable crises. Last week, an article on Home and Garden TV’s website discussing Fourth of July table settings suggested that an American flag be used as a “bright and festive table runner.” Whoops…

As you probably guessed, flocks of military vets and their families, along with citizens from just about every walk of life, descended on HGTV’s social media sites to rip the network a new one for its misuse of the flag.

To HGTV’s credit, it quickly deleted the article and posted an apology, but to its detriment the apology was a weak one.


Go ahead and ask CSOs from the nation's largest banks about the myriad distributed denial-of-service (DDoS) attacks they've experienced in recent months. They're not going to tell you anything.

Security execs have never been comfortable talking about these attacks because they don't want to draw more attention to their companies. They worry that offering even the basic details of their defensive strategy will inspire attackers to find the holes.


Monday, 17 June 2013 15:49

Cyber crime: Is it on your radar?

According to the government's 2013 Information Security Breaches Survey, an unprecedented number of cyber attacks are experienced by UK businesses. A staggering 93% of large organisations (employing 250 or more), and 87% of small businesses (under 50 staff) have fallen victim to cyber crime over the past year.

While the proportion of large organisations reporting security breaches remains consistent with 2012, 11% more small businesses appear to have suffered third-party hacking. The increasing number of businesses failing to protect their data is a concern, as is the spiralling number of breaches each will experience.

The survey reports that, on average, 50% more breaches have occurred. For large businesses, the median figure is 113; for their smaller counterparts it's 17; up from 71 and 11 a year ago. The associated costs are rising too: large companies can expect to pay between £450,000 and £850,000 for their security lapses, while smaller companies face a £35,000 to £60,000 bill.


Cloud, cloud, cloud. If you’re in enterprise you probably hear the word ‘cloud’ multiple times every day. Most of the time, it doesn’t really mean much other than a datacenter that isn’t yours, but it does make you feel safe knowing that someone has your data in hand.

Unfortunately, even in the cloud, disaster recovery is still a necessary evil. Cloud companies that host your data still have outages. Things still break. Disasters do happen. Many companies think that the cloud provider will have their data covered, but they don’t stop to think that perhaps it’s better to consider a world where the cloud provider isn’t able to provide a service after a disaster. Not only that, but how does your business keep going when your local data and premises are gone? That’s often not even factored into the disaster recovery plan.


Monday, 17 June 2013 15:47

Updating Emergency Response Procedures

Question: We have employees working in an area of the country that has experienced a lot of natural disasters over the last couple of years, from earthquakes to flooding to snow storms. As a result, we are updating our company's emergency response procedures. We have some employees who are visibly disabled and others who we believe may have some medical disabilities they have not disclosed to the company. Are we legally permitted to ask our employees to disclose their medical information in order for us to assess what, if any, special emergency response accommodations we need to have at the ready for disabled employees (both those with visible disabilities and those without)?


South Africans have been hard at work for six years and are now putting the finishing touches on the first comprehensive data protection laws, aligned closely with those currently under debate in Europe.

The proposed European laws give online consumers the right to withhold personal information while using websites – which presents a challenge to the businesses who have based their revenue model on garnering exactly this kind of data.

These laws, if introduced in South Africa, could have far reaching implications for both individuals and businesses.

JJ Milner, founder and chief cloud architect at Global Micro, shares his answers to the burning questions about the implications for South Africa.


Computerworld — Internet pioneer Vinton Cerf is concerned that we're at risk of losing much of the data we've been creating in the digital age he helped usher in.

Speaking at the Computerworld Honors awards program earlier this month, the co-designer of the Internet's TCP/IP protocol said he's concerned that digital items we use today -- spreadsheets, documents and scientific data -- will one day be lost, perhaps one day soon.

To support his point, Cerf noted that the Microsoft Office 2011 software on his Macintosh computer can't read a 1997 PowerPoint file. "It doesn't know what it is," he said.


It is essential that all professional firms - however large or small - develop a disaster recovery plan. A disaster such as a flood, fire or computer virus attack can cripple your operations, meaning that your business’ resources could be limited for a significant period of time. During this time, projects can be delayed and the quality of work may suffer, which can lead to strained client relationships.

Without an effective disaster recovery plan in place, a short-term problem can rapidly evolve into a long-term financial disaster for your firm.

In spite of this, few companies take the time to put together an all-encompassing disaster recovery plan. The key is to have a tried and tested plan in place that will stop the disaster causing further issues for your firm. Here are five tips to develop a disaster recovery plan.


For the early history of computing, data tended to be kept locked down within isolated, local systems for security reasons. With the advent of the cloud however, the idea of accessing data from anywhere, using cost-effective on-demand services is now thoroughly mainstream. Indeed, the future of IT is the cloud.

As cloud computing continues its triumphant spread, one issue that has continued to get undeservedly little attention, though, is the geographical location of data. The ongoing NSA scandal is finally bringing to light just one aspect of how critically important the physical location of digital data has become.


Monday, 17 June 2013 15:41

Taking cover to protect your business

It is the stuff of nightmares for every small business owner: wake up one morning and the enterprise has been destroyed by fire. Or watch, powerless, as flood ruins a lifetime of work.

But there is a way to protect your business from disaster - business interruption insurance. With so many natural catastrophes happening in Australia in recent years, it's essential for small businesses to consider business interruption insurance, whether this means checking levels of cover or acquiring cover where none exists.

Mark Searles, chief executive of insurance broking business Austbrokers, says any business interruption could be a major setback that threatens the very survival of a business, particularly when margins are already tight, as is often the case these days.

''Research has shown that one in four small businesses would not recover if forced to close the doors for three months,'' he says.


Leadership in Resilience was the theme of this year's well-attended Executive Forum, and the whole programme was set up to ensure a lively debate around resilience and how BC professionals can take the initiative and lead on this hot issue. These two days in Brussels made real progress in clearing the fog and providing some specific examples of where BC professionals can make a difference. For me the five key learning points were:

1. The growth of the term Resilience in job titles is much more widespread than I had expected. In some cases BC Manager has been changed to Head of Business Resilience without any change of responsibilities. This change is not universally popular among those with the new title because "business continuity" is a strong, meaningful "internal brand" whereas "business resilience" is non-specific and aspirational.


What is disaster recovery?

In simple terms, ‘disaster recovery’ is the process by which you resume business after a disruptive event; this can range from power failures and IT system crashes to theft, fire or flood. Protecting your business systems plays a large part in your ‘Disaster Recovery Plan’.

The implications of not having a ‘Disaster recovery plan’

Many businesses I see are unaware of the importance of a tried and tested plan because they see a potential disaster as an unlikely event but the implications are huge. Just imagine losing all your data for 24 hours, how would you manage to recreate your data to cover the work lost and how much revenue would you lose?


Monday, 17 June 2013 15:37

Natural disasters prove costly

The latest annual risk survey by global insurance brokerage Aon has shown a sharp rise in concerns over business grinding to a halt due to a natural disaster.

Indeed, the concern over business interruption has climbed two places to be the fourth most significant risk ranked by businesses this year.

Aon Australia says the change can be attributed to the floods and fires of recent years, with many businesses still feeling the effects of the disaster.

Events such as Queensland and NSW floods ''have left many organisations contemplating business interruption exposure from a vertical or supply chain perspective, due to the consequent impact on their customer base,'' Aon said in its latest Australasian Risk Survey.

The World Health Organization has published new interim guidance to replace the 2009 Pandemic Influenza Preparedness and Response advice. 'Pandemic Influenza Risk Management' includes the following:

  • Focus upon risk assessment at national level to guide national level actions
  • Revised approach to global phases
  • Flexibility through uncoupling of national actions from global phases
  • Inclusion of principles of emergency risk management for health
  • New and updated annexes on planning assumptions, ethical considerations, whole-of-society approach, business continuity planning, representative parameters for core severity indicators, and containment measures.

Business continuity annex

Pandemic Influenza Risk Management includes a checklist of action items that should be contained in a business continuity plan in order to cover pandemic risks. These items are:

  • Identify the critical functions that need to be sustained.
  • Identify the personnel, supplies and equipment vital to maintain critical functions.
  • Consider how to deal with staff absenteeism to minimize its impact on critical functions.
  • Provide clear command structures, delegations of authority and orders of succession.
  • Assess the need to stockpile strategic reserves of supplies, material and equipment.
  • Identify units, departments or services that could be downsized or closed.
  • Assign and train alternative staff for critical posts.
  • Establish guidelines for priority of access to essential services.
  • Train staff in workplace infection prevention and control and communicate essential safety messages.
  • Consider and test ways of reducing social mixing (e.g. telecommuting or working from home and reducing the number of physical meetings and travel).
  • Consider the need for family and childcare support for essential workers.
  • Consider the need for psychosocial support services to help workers to remain effective.
  • Consider and plan for the recovery phase.

Read the document (PDF)

Last month, powerful tornadoes ripped through Oklahoma over a 12-day period, leveling buildings and killing more than 40 people in the process. Among the victims were 10 children, seven of whom were killed when a twister struck an elementary school in the Oklahoma City suburb of Moore. Last fall, Superstorm Sandy struck the northeastern U.S., destroying numerous homes and businesses. The storm also knocked out power and communications for thousands of residents in the region.

The damage left behind in the aftermath of these acts of nature reinforces the need for organizations to incorporate comprehensive natural disaster management policies and procedures in their business continuity plans. Oftentimes, however, security managers become so bogged down in the minutiae of everyday operations that their enterprise risk management plans are neglected, rarely ever being updated or practiced.


New York City is currently on pace to meet all of the long-term climate change and sustainability goals set by the mayor’s office back in 2007, Mayor Michael Bloomberg announced Tuesday. The city is simultaneously launching a $20 billion effort to prepare for the adverse effects of climate change.

The new plan incorporates more than 250 recommendations to improve the city's readiness for another storm like Hurricane Sandy, which caused $19 billion in damages and economic loss. New projections from city scientists also anticipate faster rising seas, hotter summers and more heavy rains, making it imperative that the city take action now, Bloomberg said in a speech announcing the new initiatives.


IT executives are growing more concerned with the potential of data outages from natural disasters. More companies are taking a proactive approach to data security as part of their disaster recovery planning, according to AT&T's annual Business Continuity Study. 

Recent natural disasters such as Superstorm Sandy and the tornado in Oklahoma have highlighted the risk of data security breaches. Eighty-eight percent of the IT executives surveyed understood the growing importance of data security, and most included wireless network capabilities in their disaster preparedness business solutions.


Despite the devastation caused by Superstorm Sandy and other recent natural disasters, small businesses aren’t getting the message. A new survey finds 70 percent don’t expect to experience a similar disaster and nearly half have no plan to ensure business continuity.

The survey of 200 small businesses, sponsored by FedEx and the American Red Cross, found that Superstorm Sandy inspired only 10 percent of respondents to take new steps to prepare for disasters, according to a press release on

“Developing an emergency preparedness plan is one of the most important strategic decisions a small business owner will make,” says Tom Heneghan, manager of preparedness for the Red Cross. And yet SMBs are more likely to rely on the bare minimum of disaster planning, hoping they’ll never have to use it. “People know they should do it, but it’s not always at the top of the list,” Heneghan says.


Thursday, 13 June 2013 13:06

10 Hot Big Data Startups to Watch

CIO — The Big Data market is heating up, and unlike some overhyped trends (social media), it's pretty easy to pinpoint ROI with these tools.

When we put out calls for nominees through the Story Source Newsletter, HARO, Twitter, and other channels, we received more than 100 recommendations. Usually, when we get that many, a good chunk of them can be dismissed out of hand. Some are clearly science projects; others have zero funding, no management pedigree and a dubious value proposition, while a few are clearly the product of malarial hallucinations.

Not so this time. Very few of the startups we looked at were whacky long shots. Most were decent ideas, backed by real VC money and seasoned management teams.


Thursday, 13 June 2013 13:05

Email Morphs into Corporate Espionage

An email just dropped into my electronic in-box with the subject “Should You Archive Email to the Cloud?”

I suppose it’s a good question and I can think of many reasons to keep my emails “closer to home.”

But the query did trigger an off-the-wall thought, my forte it seems.

What about vendor security – all vendors, not just in the cloud.

When a person or organization signs up with a vendor, the vendor asks for, usually justifiably, a great deal of information. Granted, most of the information can be acquired from public resources, public records. But maybe not all, and some of the “not all” should be, at a minimum, “confidential.”


We regularly ask heads of Enterprise Risk Management (ERM) what stops them from having an impact on strategic decisions in their organization. The most common response we get is “we do not have a seat at the table.” In our recently conducted State of ERM survey, we asked heads of ERM about their team’s involvement and effectiveness in the strategic planning process. While 50% of ERM teams were involved in some capacity, only 20% thought they were highly effective. So, if it’s not about a seat at the table, what is at the root of the problem? Why are ERM teams not able to effectively partner in the planning process? Moreover, are you completely sure how your ERM team can add value if you had a seat at the table?


Wednesday, 12 June 2013 14:01

Lessons in Disaster Recovery

The EF-5 tornado that ripped through Moore, Oklahoma, left 24 fatalities, nine of them children. An estimated 12,000 homes and many businesses were destroyed or damaged along the estimated 17-mile-long, 1.3-mile-wide tornado path. It’s hard to get your head around that kind of devastation.

While the immediate concern is response and recovery, the residents of Moore will soon have to turn to the task of rebuilding. But among the first steps toward emotionally healing from the storm is removing the debris—that is, the physical vestiges of the storm. And that step needs to be taken quickly. 

The longer it takes to rebuild and reopen businesses, the less likely it is that communities will fully recover. Social scientists have been studying what has helped or hindered community recovery in the hopes that future communities—like Moore—can recover more rapidly and comprehensively.

Wednesday, 12 June 2013 13:59

Big Data: The future of info security?

According to IBM, 90 percent of the data in the world today has been created in the last two years. From social media, mobile devices and digital sensors to e-mails, images and videos, these vast sources of data create a potential goldmine of valuable information about people and their activities. 

Whilst the promise of actionable insight from data is not new — business intelligence and other analysis capabilities have long been present in many organizations — what is new is the rate at which the data is growing, the way the data is changing and the demands being placed upon it.


After 10 years of managing an IT audit function for an international energy company, I had the opportunity to head up their IT Strategy group that was charged with creating Organizational IT Security and Risk profiles and plans.

The charge of this function was to annually evaluate organization-wide internal and external risk as it relates to IT, and to communicate this information back to the CISO, CIO and CFO. To carry out the evaluation of organizational IT risk required not just working with IT personnel, but also business personnel all the way up the C-level business unit leaders.

The information gleaned from these annual assessments drove plans to improve and bolster our overall security posture based upon where we were at a point in time and where we anticipated being in the next several years. Ultimately this was a dynamic view of risk versus a point in time tactical view.


Wednesday, 12 June 2013 13:53

Supply Chain Complexity Expands Risk

Everyone talks about risk in the supply chain, but the increasing complexity of it makes identifying and mitigating risks difficult.

In fact, almost half of executives are afraid that their supply chain risk management is only somewhat effective or has no impact at all, according to a recent survey from Deloitte. Said Kelly Marchese, principal at Deloitte Consulting LLP, in a press release:

Supply chains are increasingly complex and their interlinked, global nature makes them vulnerable to a range of risks. This increased complexity, coupled with a greater frequency of disruptive events such as geopolitical events and natural disasters, presents a precarious situation for companies without solid risk management programs in place.

Decisions around risk mitigation in the supply chain can make the difference between success and failure, and organizations know it. In counting the costs of risk events, 71 percent of those surveyed for Deloitte's research said that supply chain is an important part of strategic decisions. Poor decisions are likely to erode already thin margins or make suppliers unable to address sudden changes in demand.


The power was out for 2 million electric customers in New York. Hospitals and nursing homes were evacuating patients and shutting down. Thousands of people were stranded in high-rise buildings, needing food and water. In Queens, houses were burning to the ground. Water rescues were taking place in New York City and on Long Island.

These events didn’t take place on different days. They all happened simultaneously when Hurricane Sandy struck New York on Oct. 29, 2012. They illustrate three key distinguishing aspects of a Type 1 disaster: scope and scale, velocity and ambiguity of information. Emergency managers responding to Hurricane Sandy in New York experienced all of these challenges.


Implementation of cloud services and mobile applications would assist in preparation for potential disasters.

The majority of organisations are adopting a proactive approach to security by improving their business continuity and disaster recovery plans, incorporating the adoption of wireless network capabilities, cloud services and mobile applications, a new report has found.

AT&T's Business Continuity Study revealed that 63% of executives surveyed believed the looming threat of security breaches was the main security concern for 2013.


Wednesday, 12 June 2013 13:35

Social Media Crisis Management Musts

Like it or not, social media is all but guaranteed to play a role in your next crisis.

Sure, you could bury your head in the sand and pretend it doesn’t exist, but not having a Twitter or Facebook account won’t prevent your stakeholders from venting about, or attempting to reach you via those services. At best you’re missing out on the most popular communications platforms, hosting the largest communities, currently in existence, and at worst you’re creating further ill-will by not having a presence because people can’t get in touch, a troll is hard at work trashing your name, or any number of other potential ugly situations.

To make things easier, here’s a list of social media crisis management “musts” to get you started on the right track:

Tuesday, 11 June 2013 14:15

How businesses prepare for disasters

With fears of potential security breaches and natural disasters like Superstorm Sandy and the recent Oklahoma tornado weighing heavily on IT executives, businesses nationwide have continued to grow and advance their business continuity and disaster recovery plans to incorporate the adoption of wireless network capabilities, cloud services and mobile applications.

The annual AT&T Business Continuity Study found that:

  • More than half of executives surveyed (63%) cite the looming threat of security breaches as their most important security concern for 2013.
  • 84 percent of executives are concerned about the use of mobile networks and devices and its impact on security threats.
  • 88 percent of those surveyed understand the increasing importance of security and indicate that their companies have a proactive strategy in place.
  • Nearly two-thirds (64%) of companies include their wireless network capabilities as part of their business continuity plan.
  • 87 percent of executives indicate their organizations have a business continuity plan in place in case of a disaster or threat – a slight uptick from last year (86%).


The scandal surrounding the National Security Agency's Prism data-gathering programme will impact all businesses that rely heavily on the processing and analysis of customer information, according to experts.

Technology giants including Apple, Facebook and Google have denied that they have participated in Prism and have said that they have not enabled the US government to access their systems through a "backdoor".