Summer Journal

Volume 29, Issue 3


Industry Hot News


How do you handle understanding the enterprise risks in a corporation where all of the risk management functions are dispersed across different line-management groups: General Counsel, Finance, Technology, Facilities? How do you define the participating functions? Yes, the ideal situation is having these groups housed under a Chief Risk Officer or Head of Operational Risk, but in the absence of organizational structural shifts, here are some tips for you.

Be a Leader in bilateral conversations of risk partners
The most successful global security teams that I have been a part of were always leaders in collaboration and outreach to risk partners to pave the way for information sharing. Yes, there was the risk of the information flow being one-way, and this is usually the case at the beginning, but as the interaction continues over time, the information flow gradually becomes two-way. For example, you may start with a monthly global meeting with Facilities and Business Continuity and a quarterly meeting with Information Security and Compliance.


Hands up how many people were surprised to learn that US security authorities have access to the phone records and the server traffic of the biggest telecom and internet companies in the world?

The “revelations” in the Washington Post and Guardian this week that the National Security Agency is trawling data relating to non-US citizens on the systems of giants like Microsoft, Google, YouTube and others may have made for strong headlines.

But in reality, it’s likely that many people would be more surprised to learn that the type of trawling carried out by operation PRISM was not going on. Following 9/11, the rules of engagement of counter-terrorism in the US changed utterly. Law enforcement officials secured significant new formal powers, and it is certainly fair to assume that levels of unofficial monitoring of internet and phone based chatter and records jumped too.


IT managers believe that the fragmentation of corporate data across their IT infrastructure, and an emerging ‘Shadow IT’ network of user devices or consumer cloud services outside their control, are putting their organizations at risk.

New research from Freeform Dynamics shows over 80 percent of respondents believe effective business decision making is hampered by data availability and inconsistency issues. 83 percent are concerned about the security of their corporate data as it is increasingly dispersed across their network and outside. Getting the situation under control is also proving difficult with 93 percent saying that tracking and managing critical corporate data is now a big challenge, with the associated costs highlighted by 84 percent as being a further concern.

The survey report ‘Storage Anywhere and Everywhere – dealing with the challenges of data fragmentation’ is the result of interviews with 300 IT professionals in mid-sized organizations across the US and UK completed in April 2013. The independent report was sponsored by Mimecast. An infographic best practice guide and the full report can be found at


As individuals get better access to the technology that enables their participation in the information age, so privacy has to be considered and regulation applied to raise standards to those that are acceptable across that society. It was interesting, therefore, to note the cultural recoil that occurred in response to the NSA’s recently discovered, and rather widespread, caller record collection (not to mention other 'PRISM' related data!) - it’s clear that this has crossed a boundary of acceptability.

This isn’t however, just a US problem. A news story recently broke in India highlighting that local law enforcement agencies had, over the past six months, compelled mobile phone companies to hand over call detail records for almost 100,000 subscribers. The requisitions originated from different sources and levels within the police force and their targets included many senior police officers and bureaucrats.


Friday, 07 June 2013 14:51

Humans cause data breaches. Fact.

Human errors and system problems caused two-thirds of data breaches during 2012, with employee behaviour one of the most alarming issues facing companies today.

A recent study by Symantec and the Ponemon Institute claims issues included employee mishandling of confidential data, lack of system controls and violations of industry and government regulations.

Heavily regulated fields – including healthcare, finance and pharmaceutical – incurred breach costs 70% higher than other industries according to the report.


The image of someone having their computer hacked is often of a grandmother who has had her identity stolen or a family that has had its bank accounts fraudulently accessed online. However, for criminals who carry out these cyber attacks, businesses are often their preferred targets.

2012 was a banner year for cyber criminals who steal data from businesses. Numerous large corporations suffered high-profile data breaches, but many smaller firms experienced devastating data breaches as well.


Recovering from a flood or fire is hard for a business. But dealing with problems caused by a lack of business continuity plans or inadequate insurance can make it worse.

“The better you can plan for how to deal with an incident, the better off you’ll be,” says Lawrence J. Newell, CISA, CBRM, QSA, CBRM, manager of Risk Advisory Services at Brown Smith Wallace. “I say ‘incident’ because it could be something not always thought about in typical disaster terms, such as a breach of credit card information.”

Smart Business spoke with Newell and William M. Goddard, CPCU, a principal in the firm’s Insurance Advisory Services, about developing business recovery plans and the insurance options available to reduce risk.


Friday, 07 June 2013 14:48

3 Roles For Tape In The Cloud

Questions about the usefulness of tape come up often in conversations with users and vendors. The general theory, especially by cloud storage vendors, is that tape has outlived its usefulness.

The reality is that it has not; in fact, I often make the case that tape is actually more useful than it has ever been, especially in the cloud.

Here are three uses for tape in the cloud today.

1. Cloud Seeding.

Tape is an ideal way to "seed" a cloud. Seeding is getting the initial data to the cloud storage facility. Instead of transferring data across an Internet connection for days or weeks, it can be copied to tape and sent to the cloud provider via an overnight truck. If it will take you longer than 24 hours to seed a cloud via WAN transfer, then tape should be considered.


When the Ontario Volunteer Emergency Response Team (OVERT) was started about 20 years ago, it focused on providing a traditional search-and-rescue team to aid operations in the greater Toronto area. The group of unpaid professionals embraced its mission of providing well trained searchers to assist law enforcement looking for lost or missing persons. But then the severe acute respiratory syndrome (SARS) epidemic hit Canada in 2003 — 800 people were killed worldwide including 44 in Canada — marking the first big community incident that OVERT was involved in.

“Our public health department found themselves without the manpower or resources to deal with a lot of the problems,” said OVERT Coordinator Glen Turpin. “And it was solving basic issues, things such as delivering food to quarantined homes and assisting with triage at hospitals.”


When terrorist suspects Tamerlan and Dzhokhar Tsarnaev set off two bombs near the finish line of the Boston Marathon in April, those immersed in the science of homeland security pondered a handful of obvious questions: What had authorities done to secure the route, and was securing all 26.2 miles of the course even possible? Had local law enforcement picked up any chatter related to a possible attack in advance of the incident? And were the brothers homegrown terrorists or connected with some foreign group?

Those are the kinds of questions that routinely get examined through an extensive intelligence infrastructure in place in the form of nationwide “fusion centers.” They were set up by the Department of Homeland Security (DHS) after the Sept. 11, 2001, terror attacks as a way to improve information gathering and intelligence surveillance among the country’s various law enforcement agencies.


WASHINGTON - Recent twisters in Oklahoma are a reminder that preparation is critical, because bad weather can strike just about anywhere.

Hurricane season also is officially here, and Tropical Storm Andrea has prompted a warning for a swath of the East Coast, all the way to Cape Charles Light in Virginia.

To help you prepare for the possibility of bad weather, WTOP's David Burd recently sat down with Seamus Mooney, director of the Department of Emergency Preparedness for Frederick County, Md.


A business had no excuse for not being prepared for hurricanes a decade ago. After Hurricane Katrina and Hurricane (and then Superstorm) Sandy, there is even less rationale to not take the necessary steps, especially if the business is located in the area most likely to be pounded. Unfortunately, that area seems to be getting bigger.

Last Saturday was the beginning of hurricane season, and May 26 to June 1 was National Hurricane Preparedness Week. Unlike some crises, such as fires and power outages, hurricanes and other weather-related challenges are vaguely predictable. That’s a good thing. The other good news is that a tremendous amount of information is available on hurricane preparedness and, more generally, on business continuity/disaster recovery.


As part of my ongoing research into data privacy laws in Asia Pacific (AP), I spoke with chief information security officers (CISOs), consultants, lawyers, and governance, risk, and compliance (GRC) professionals. This is critical to gauge key decision-makers’ awareness and understanding of the ever-evolving data privacy regulations and policies across 15 different jurisdictions in the region.

Some senior people have admitted to me that their organizations have not traditionally taken data privacy issues terribly seriously within their AP operations. However, in a clear sign that this is beginning to change, GRC practitioners are starting to see increased demand for their compliance-related services from both government and business sectors, particularly since late 2012. Regardless of where you stand on this spectrum, the reality is that the awareness levels of data-related regulations – and the level of compliance required to abide by these regulations – vary widely across the region.


Thursday, 06 June 2013 14:24

5 Disaster Recovery Misconceptions

Do you know how your business technology would fare if a true disaster were to hit? With the rate technology and your applications change and evolve, your DR plan may need a dusting off and updating. If your plan is outdated or relies on older assumptions, you may have gaps in your protection.

Don’t leave your infrastructure vulnerable. Assess your plan for the most common misconceptions of disaster recovery.

Misconception #1: Backup-as-a-Service and Recovery-as-a-Service are the same.

A good DR plan is not about backups, but rather it’s about getting back up and running as quickly and efficiently as possible. The placement of that one space makes a big difference.

Thursday, 06 June 2013 14:22

Determining a Tornado's Path-Width, etc.

The following is from an email sharing how the National Weather Service (NWS) measures a tornado's direction, path, width, etc.

For the most part, tornado path width is determined by the measurable damage observed during the storm survey. Our WFOs will integrate into that assessment any additional evidence they can get (e.g., video, photos, radar data, survivor accounts) to make their best determination. That goes for all the characteristics of the tornado - path length, path width, EF-Scale rating, etc. - that they report. Here is our Norman WFO's El Reno event web page -

Below is the NWS policy guidance for our storm survey teams to utilize with regard to determining tornado path length and width. The full NWS Storm Data policy can be accessed here:


Thursday, 06 June 2013 14:21

Practitioner’s Requirements

Selecting a candidate to protect the organization

The perennial question is once again causing clutter in the ether. The question:

Must a practitioner be an IT expert?

In a word: No.

Perhaps the practitioner should be an MBA to handle the business side? Is a degree even necessary?

Maybe an SPHR to understand the human relations concerns?

How about a CompTIA Security+ certification for security issues?

Is a PMI or Six Sigma black belt necessary to manage the project or program?

Same answer. No, No, No, and No again.

So what qualifications should a practitioner possess?


Most companies would describe responding to e-Discovery requests as time-consuming, expensive and something they would rather avoid altogether if at all possible. But if that’s not enough to make it a leading cause of indigestion among corporate executives, there are potential compliance risks that can result from responding to e-Discovery requests that are potentially as great or greater than the risk of mishandling the e-Discovery obligations themselves.

Executives cannot address the risk without first understanding the key ingredients in this recipe:


Wednesday, 05 June 2013 15:33

IT Basics 5: Business continuity

How to keep your IT systems working when the worst happens, by IT consultant John Dryden


IT is the life blood of any modern charity, linking its head, heart and essential organs. If it stops flowing, things will instantly seize up.

This is especially true for international charities, for whom email is the most practical way to communicate with far-flung colleagues. Where staff are operating in different time zones and remote locations across the developing world, it can sometimes be the only way to communicate regularly.

For example, an international medical charity we work with has 1,400 staff spread across the globe. On an average day its London-based team send and receive more than 11,000 emails – some of them involving life-or-death medical decisions.


Most small and medium-sized enterprises (SMEs) are experiencing difficulties with data backup and recovery, a study has shown.

A poll of 500 SMEs in Europe and the US shows that 85% are experiencing cost-related challenges with backup and recovery, 83% with lack of capabilities and 80% with complexity.

Other problems include high ongoing management costs (51%), expensive licensing models (48%) and backups either requiring or using too much storage (44%).

This means there is a maximum of 15% of SMEs that currently have no issues with data protection, said backup, replication and virtualisation management firm Veeam Software, which commissioned the survey.


Preliminary results from a joint CII, London School of Economics and University of Plymouth research project on how financial organisations approach risk culture revealed that firms were becoming increasingly conservative and that this could damage their profitability.

The research project was designed to deliver practical guidance for firms to improve the cultures and behaviours associated with risk-taking and control activities.

Interviews were carried out at nine financial institutions with risk management professionals and the study also included the findings from a survey of 2258 CII members.


As the security industry continues to grapple with a shortage of skilled professionals, particularly within very specific niches like application security, the state of security professional development continues to keep the industry locked up in a number of hotly contested debates. Beyond the most obvious argument over the value of security certifications, some security pundits have stepped up to argue about a more fundamental impediment to raising the tide for all boats in the industry: the cost of paid training.

"Mathematically it's easily demonstrable that organizations can't afford to send all of their employees to a class when you're talking classes that typically are around $1,000 a day," says Xeno Kovah, lead infosec engineer at The Mitre Corporation. "It's just not possible to take a group of 50 people out of your company, if you have a large one, and pay the amounts of money that are being asked to sufficiently bootstrap your employees."


Dozens of government agencies have no idea whether their websites or public kiosks are a security risk.

The widespread failing has been revealed in a review of 70 government departments and ministries that was able to identify 12 systems at risk because of insecure passwords, potential access by unauthorised users or being connected to internal networks. However, there was no evidence of privacy breaches.


KPMG investigated 215 publicly accessible computer systems and found 73% lacked formal security standards and had no formal risk management processes.

The offenders included the Ministries of Social Development, Education and Justice, as well as the Earthquake Commission and the MidCentral District Health Board.


Why would you need a Policy once you have Business impact analysis, Business continuity strategy and Business continuity plan? This is probably a question many experienced business continuity/disaster recovery practitioners are asking themselves, so here’s why ISO 22301 (a leading business continuity management standard) says it’s mandatory.

Main purpose

The main purpose of Business continuity policy is that the top management defines what it wants to achieve with business continuity. Now why would that be important? Because in many cases the executives have no idea how business continuity can help their organization, which means they won’t be particularly interested in supporting the business continuity effort in their company.


Wednesday, 05 June 2013 15:19

The Time is Right for an 'IT Petting Zoo'

Computerworld — SAN FRANCISCO - Bringing consumer technology into the enterprise doesn't mean corporate data will be at risk or that money spent on failed projects was wasted. Just ask NASA, which regularly brings shiny toys into its "IT petting zoo" to play with and test, many of which have gone on to be venerated products.

Tom Soderstrom, CTO of IT at NASA's Jet Propulsion Laboratory, regularly brings consumer tech into his shop to see if it will result in an increase in productivity and innovation.

"I'm often called chief toy officer ... and I'm proud of that title," Soderstrom told an audience at the CITE Conference and Expo here. "Ideas come from everywhere. Productize them and dare to fail. The ones that make sense go into pilot mode and then become products and typically last for years."


Federal agencies are grappling with an unprecedented growth in data at the same time that backup solutions are nearing capacity, a situation that could hamper efforts to recover data in the event of an emergency.

Moreover, agency officials are not testing their disaster recovery solutions as often as they should, raising questions about their preparedness for a natural disaster or man-made incident, according to a survey of 150 federal defense and civilian IT managers in a new MeriTalk report.


Reducing data at the source is the smart way to do backup. That is the conclusion I came to in my last post, If files were bricks, you'd change your backup strategy. But I also left off by saying “there are technologically different ways to do this, which have their own smart and dumb aspects.” Let’s take a look at them.

There are two common ways of reducing data at the host (as I mentioned last time, I am only considering traditional backup from servers, not disk-array snapshots). Since terminology can be used in different ways, I’ll define the terms as I use them.


Wednesday, 05 June 2013 15:15

Disaster Recovery: Test, Invest and Educate

Amidst internal and external security threats, natural disasters, hacking attempts and technological changes, banks and service providers today are constantly faced with the possibilities of data loss, security breaches and breaks in business continuity. These institutions are being asked more frequently than ever what plans they have in place for speedy recovery should systems be compromised. Following a number of hard-hitting storms in the United States, including Hurricane Sandy and the devastation wrought on the Midwest following recent tornadoes, attention is focused on preparing for a recovery after natural disasters. Though preparing for natural impact is important, it becomes easy to forget there is just as much, if not more, potential for malicious manmade threats from a security and technology perspective.

All disaster recovery efforts, whether they are for natural disasters or security threats, must ultimately be tested for efficiency and reliability. While banks across the board conduct regular tests, the way in which these tests are conducted is crucial to determining a bank’s true ability to recover in the event of a disaster. In most instances, testing can be considered either static or dynamic. Most disaster recovery tests currently conducted are static in nature, meaning they are crafted to be sterile and built for success, to allow banks to ‘prove’ they have the ability and tools needed to succeed in the event of disruption. In these instances, banks and service providers are able to conduct tests and prove they have a perfect fail-over recovery system in place. The issue here is that these tests are rarely built to actually mimic any real disaster.


I can’t stop thinking about the Oklahoma tornado tragedy and the families who suffered from loss of life and property. The images of the wreckage have been burned into my brain and I feel that I need to do something about it. Which is why I want to talk about safe rooms, and why it is important to have a disaster recovery planning checklist for those people and organizations who are located in tornado zones (or flood zones, or hurricane zones, or earthquake zones, or…).

If you live in an area with extreme weather conditions, I recommend that you look into building a safe room, which could include a properly designed and equipped storm cellar.


An industrial plant explodes in Texas. Bombs shut down the city of Boston. A hurricane floods the east coast with water. A tornado hits Oklahoma.

All those recent disasters caused tremendous human suffering. All of them, too, brought devastation to businesses large and small. From damaged buildings to wrecked inventory to disrupted supply lines, natural and man-made disasters can tear a huge hole through profitability. In many cases businesses close their doors for good.

Plan for recovery

What lessons can we learn from all this? Here’s one: Business owners must design and implement disaster recovery plans designed to mitigate harm when bad things happen. With that in mind, now would be a good time to revisit your own recovery plans with a fresh look. Are you taking the right actions to minimize damage if you are hit with a wind storm, a lightning strike, a flood or a power outage?


Wednesday, 05 June 2013 14:23

Active Shooter and Mass Casualty Incidents

An active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area.

Overview of the FBI’s Role

When an active shooter incident takes place, local and state law enforcement are always the first on the scene. The FBI, however, has played a role in supporting the response to virtually every major incident in recent years and has much to offer in terms of expertise and resources.

Shortly after the tragic shootings at Sandy Hook Elementary School in Newtown, Connecticut in December 2012, the FBI sought ways its personnel could better assist its law enforcement partners. Two actions enhanced these efforts.

First, the Investigative Assistance for Violent Crimes Act of 2012, signed into law by the President in January 2013, permits the U.S. attorney general—at the request of appropriate state or local law enforcement personnel—to provide federal assistance after active shooter incidents and mass killings (defined by the law as three or more people) in public places. The attorney general delegated this responsibility to the FBI.


PC sales continue to decline, mobile sales continue to climb, people work at home, and the notion of strict work/life separation for equipment is on its way out for many information workers. Yet most IT organizations and security vendors insist on applying legacy thinking for information security that simply cannot work in the modern world of heterogeneous, anywhere, and mixed personal/business computing. They keep trying to build mobile prisons, extending perimeter defenses across the digital world or creating satellite fortresses on every device. No one willingly enters a prison, and the gulag and straitjacket approaches favored by IT and security vendors simply will be bypassed by business users, who've been doing so for years on the desktop.

It's time to stop the madness and protect what really matters: the information that moves among all the devices. To do so, the industry needs to stop trying to turn smartphones into fortresses that people can't use and forcing the use of proprietary app containers that can't scale across a heterogeneous, interconnected digital environment or that provide read-only access (what's the point, then, of having the file?). Instead, it's time we focus on protection at the information level, essentially using the notion of digital rights management (DRM) that travels with the data itself. The only way to make that work is through an industry standard.


Tuesday, 04 June 2013 16:15

BYOD: Banks Need to Stay Ahead of Risk

The evolving mobile landscape, including the bring-your-own-device trend, is requiring banking institutions to be mindful of emerging risks, says Jim Pitts, who oversees mobile financial services and vendor management for BITS, the technology policy division of The Financial Services Roundtable. Pitts says financial institutions are more at risk when it comes to mobile services and practices than many other sectors because of the types of transactions and sensitive information they manage.

When it comes to their BYOD policies, banks must address data loss prevention, application security and exposure liability management, he says in an interview with Information Security Media Group [transcript below].


Cybercrime has become a national crisis, said South African Centre for Information Security CEO Beza Belayneh on Tuesday, equating the scale to that of South Africa’s prevalent HIV/Aids pandemic.

Speaking at a Neotel/Mail & Guardian business breakfast, he said that South Africa had ranked the third-most “fished” country in the world, and was open to attack in a well-connected society.

“Cybercrime is no longer a criminality, it is a national crisis,” he said, adding that this was an event that should bring together all the Cabinet Ministers, banks and consultants, besides others.

“Governments are hacked, police websites are hacked, banks are losing millions – the statistics are that South Africa loses R1-billion a year, and it now threatens human life,” he said.


The survey also indicated feds are facing unprecedented data growth and must address backup solutions nearing capacity.

Just 8 percent of federal IT executives are completely confident that their agency could recover 100 percent of its data in the event of a disaster, according to a report from MeriTalk, an online community and go-to resource for government IT. The study also revealed that while agencies might feel prepared, they are not testing their systems as often as they should and face challenges with data growth, mobile devices and on-site backup. Only one in four federal workers give their agency an "A" in data resilience and disaster recovery (DR2) preparedness.


Tuesday, 04 June 2013 16:10


On Monday the Wall Street Journal ran a story on hacking back titled, “Support Grows to Let Cybertheft Victims Hack Back.” The article describes a growing desire to permit the private sector to retaliate against attackers. Being proactive is one thing, but the notion of enterprises retaliating against attackers is ludicrous. I honestly cannot understand why this topic is still in the public discourse. I thought debating this was so 2012. Legality is an issue, but so is the ability of companies to successfully conduct these types of operations without blowback.


Don Schmidt is CEO of risk consulting company Preparedness LLC and a 20-year member and chair of the technical committee that writes the National Fire Protection Association (NFPA) 1600 standard. He also is the editor of the handbook Implementing NFPA 1600 National Preparedness Standards, which was published in 2007. NFPA 1600 was updated this year, and the U.S. Department of Homeland Security adopted it as a voluntary consensus standard for preparedness.

In this Q&A, Schmidt reflects on the evolution of standards in emergency management and business continuity.

Question: What is the background on the creation of the NFPA 1600 standard? How did it become established?


As illustrated by the devastation of Hurricane Sandy in 2012 when countless businesses were without power and data centers went down, it’s becoming increasingly important to have a well-conceived business continuity and disaster recovery (BC/DR) program in place.

Remember, there is a difference between a BC/DR program and a BC/DR plan. A program is a set of policies, practices and responsibilities that provide the structure for management, governance and sustainability to accomplish the goals. A plan is a documented set of action-oriented tasks and procedures to be followed when a disruptive event occurs or is imminent. In this article, we are going to discuss the key success factors of a successful BC/DR program.

There are four key components that stand out. A successful BC/DR program should be:


Computerworld — I recently misinterpreted some CEO cost-speak. The enormous gap between what I thought I was hearing and what the CEOs were actually saying is tremendously illustrative and well worth looking at.

I was involved, albeit tangentially, in a dozen executive searches for new CIOs. All of these searches were being led by CEOs of global, brand-name, Fortune 300 companies. In fact, nine of the companies were in the Fortune 100. In my experience, such leaders are enlightened and appreciative of the value of IT.

That's why I was surprised -- shocked, actually -- to find that every one of these CEOs ranked IT cost management among the top three capabilities they were looking for in their next CIO. I couldn't understand it. How could that be when just about everything one reads in the business press and from subscription research firms claims that growth is the primary focus for top companies' leaders? What was going on?


Threat intelligence is emerging as a topic of both interest and debate within the infosec community. The fact that there's interest probably isn't hard to understand in light of the growing volume of security related information organizations receive.

For the average security practitioner, information about threats arrives in a nearly constant stream via a hodgepodge of formats and channels -- emails from vendors, bulletins from a variety of sources, word of mouth from colleagues, news updates from the industry press and so on. The information supplied via these various updates covers a number of disparate topics, from specific vulnerability information to attacker tools and techniques to information about who's been attacked most recently.


In the good old days, protecting your assets was all about making sure you had a big enough lock or thick enough walls. Today, however, the locks are digital and firewalls have replaced concrete as businesses seek to protect data from the prying eyes of cyber-criminals around the world.

Data is the new gold, as cyber-criminals look to steal everything from your identity to your credit card information. But they are not going after you directly, they are looking to pilfer this information from the companies you deal with online and who hold huge hoards of such information, all of which can potentially be accessed from anywhere in the world, simply by clicking a few buttons.


In seven years the information security industry will see more cloud delivery and no central IT.

According to recent predictions by Forrester on ‘The CIO's World in 2020’, 90 per cent of the 325-strong audience said that central IT would not exist in the future, as IT will be directly embedded in business units such as marketing, product development and customer service.

The audience also said that most technology would be delivered via the public cloud, according to 85 per cent, who agreed that companies will architect and deploy business solutions from a growing pool of external as-a-service resources, with IT playing the role of orchestrator.


Monday, 03 June 2013 17:16

When Big Data Doesn’t Work

With few exceptions, articles about Big Data start off with promises to be smarter, run more efficiently, or make more money. As proof, each article cites standard examples of how data analytics and robotics have transformed warehouse operations, IBM’s Watson’s mastery over Jeopardy, the game show, and how firms will make decisions more effectively.

Examples of success may be far fewer than we realize, given the context of a future state as opposed to the few actual case studies cited above. Real or not, we may learn more from stories of failure to gauge how much progress we have yet to achieve.


Monday, 03 June 2013 17:15

The Demise Of The Player/Manager CISO

The role of the CISO is changing.

For years we have talked about the requirement to make the top security and risk (S&R) role increasingly business-facing, and this is now turning into a reality. Surprisingly, however, we see an increasing number of non-IT security folk stepping up to take the CISO role, often ahead of experienced IT professionals.

These "next-gen" CISOs are commonly savvy business professionals, experienced at implementing change and evolving processes, and adept at dealing with strategies, resource plans and board-level discussions. Their placement into these S&R roles often comes as an unwelcome surprise to those that have been working within the IT security teams; however, we have to recognise that this new breed are simply filling a gap. Unfortunately, although we have talked about the professionalization of the role and the need for greater business engagement, many S&R professionals are still not ready for the leap, and this opens up an opportunity for others to steal their way in.


Monday, 03 June 2013 17:13

Big Data: The future of info security?

According to IBM, 90 percent of the data in the world today has been created in the last two years. From social media, mobile devices and digital sensors to e-mails, images and videos, these vast sources of data create a potential goldmine of valuable information about people and their activities. 

Whilst the promise of actionable insight from data is not new — business intelligence and other analysis capabilities have long been present in many organizations — what is new is the rate at which the data is growing, the way the data is changing and the demands being placed upon it.


The Oklahoma tornado and start of hurricane season are throwing up red flags for business owners.

And while Mother Nature often acts as a reminder for creating business continuity plans, it’s the downtime when businesses should be preparing.

“It’s the time when there’s nothing happening that they should be thinking about this,” said Gail Moraton, business resiliency manager for the Insurance Institute for Business & Home Safety based in Tampa.

The Oklahoma tornado hit Moore, Okla., on May 20 as an EF5 storm causing destruction along a 17-mile path. In addition, the National Oceanic and Atmospheric Administration said there’s a 70 percent likelihood of 13 to 20 named storms this hurricane season — with the possibility of seven to 11 becoming hurricanes.


June 1 is the official beginning of hurricane season in the U.S. There are steps you can take now to protect your business and your employees should a natural disaster hit.

The Atlantic coastline of the U.S. is expected to have an above-average level of hurricane activity in 2013, according to Gerry Bell, the lead scientist of the National Oceanic and Atmospheric Administration long-range hurricane outlook team. Many states in the Northeast are still struggling to recover from Hurricane Sandy, which hit seven months ago. This week, President Obama visited the Jersey Shore, where he assessed the damage and pledged continued support to the region.

“If there’s one thing that we learned last year, it’s that when a storm hits, we’ve got to be ready. Education, preparation -- that's what makes a difference. That's what saves lives,” Obama said Tuesday. “Make a plan. It’s never too early,” he said, encouraging people to visit, a federal web site with instructions and plans on how to prepare for a hurricane.


Recovering from a flood or fire is hard for a business. But dealing with problems caused by a lack of business continuity plans or inadequate insurance can make it worse.

“The better you can plan for how to deal with an incident, the better off you’ll be,” says Lawrence J. Newell, CISA, CBRM, QSA, CBRM, manager of Risk Advisory Services at Brown Smith Wallace. “I say ‘incident’ because it could be something not always thought about in typical disaster terms, such as a breach of credit card information.”

Smart Business spoke with Newell and William M. Goddard, CPCU, a principal in the firm’s Insurance Advisory Services, about developing business recovery plans and the insurance options available to reduce risk.


A quarter of UK small to medium-sized businesses (SMEs) are risking significant data loss by storing data on-site instead of embracing cloud technology.

The findings are revealed in a new survey by Onyx Group which shows that although most businesses understand the cost effectiveness, resilience, scalability and flexibility of cloud, nearly 40 per cent have no plans to adopt cloud as part of their IT management.

The survey, which questioned SME IT managers, also revealed that many businesses are still using and relying on traditional methods of data backup despite research showing that 50 per cent of all tape backups fail to restore.*


MONSON, Mass. — Two years ago Saturday, a tornado wreaked havoc on a 39-mile stretch of western and central Massachusetts — destroying buildings, toppling trees, and causing injury and death. A full 24 months later, recovery efforts are still ongoing.

Driving along the wooded roads into Monson, you would never guess a tornado hit here two years ago. Then you come to the center of town, and the destruction is abundantly clear. On a hill overlooking new houses and a few damaged buildings is a wide swath of treeless land.

Owners of the First Church of Monson -- seen here in 2011 after the tornado hit -- are still working to replace the toppled steeple. (Robin Lubbock/WBUR)

“If you notice driving through downtown that pretty much all the roofs on all the buildings are brand new,” says Dan LaRoche, Monson’s disaster recovery manager.


Monday, 03 June 2013 17:00

DIY Risk Management

I recently saw a report on consultant compensation for business continuity practitioners.

According to a post on LinkedIn’s BC-COOP group, Cheyene Marling, founder of BC Management, reports that

BC Management’s 11th Annual BCM Study assesses not only compensations for those who are permanently employed, but also for those who work as independent contractors.

The attached data graph highlights the average low and high billing rates for independent contractors. The data was collected in BC Management's 11th Annual BCM Study between July - December 2012. All currencies were converted to United States Dollar (USD) for comparison purposes. The study received over 2,200 participants with 100 noting “independent contractor”.


The 2013 National Preparedness Report (NPR), released May 30, outlined areas of “national strength” in the United States’ progress toward delivering the 31 core capabilities outlined in the National Preparedness Goal, part of Presidential Policy Directive 8.

Planning, operational coordination, intelligence and information sharing and operational communications were highlighted as strengths, while infrastructure systems and public-private partnerships were areas tabbed as needing national improvement.


Recognizing the world needs less space for retail and more to store data, Sears (SHLD) plans to turn some of its Sears and Kmart locations into data centers and disaster recovery spaces.

A new Sears subsidiary will be tasked with converting some of the more than 2,500 Sears and Kmart properties to data storage facilities equipped with servers, chillers and backup generators. It also plans to top many of its buildings with telecommunications towers.


No matter how safe, secure, and well-equipped your office and laboratory are, unexpected events can still cause costly setbacks. Major storms, utility work, or problems at your facility can bring your operations to a halt, and as you can imagine, these kinds of events can do real damage to milestones and deadlines. Disasters come in many forms, but one of the most common and consequential ways they affect startup biotech companies is through information technology: a short brownout in your building's power, a small fire that causes damage or sets off the sprinkler systems, a water main break that leaks water into your office and labs, an extended power outage, or a complete building disaster can all cause real problems. Even problems with your IT equipment can cause these issues, even if you have proper support on it. I have seen instances where the hardware vendor could not get you a replacement part on time, causing hours or even days of downtime. When power is lost or internet connections fail, the IT systems that your experiments and business communications rely on can become completely ineffective.

Every biotech startup needs to have a plan in place for when the unexpected happens. Being prepared for any possible contingency is the most reliable way to ensure that you meet all of the goals you have established in your business plan. Developing a backup and disaster recovery (BDR) plan, along with a Recovery Time Objective (RTO), with your expert IT service provider can help you keep your company running at near or full capacity, no matter what is going on around you.


Monday, 03 June 2013 15:19

What We're Watching: 5/31/13

Miami, Fla., May 31, 2013 -- FEMA Administrator Craig Fugate speaks at NOAA's annual Atlantic Hurricane press event discussing the upcoming hurricane season.

Kicking off the Atlantic hurricane season
We are coming to the end of National Hurricane Preparedness Week, which means the official start of the Atlantic hurricane season (June 1) is almost here. All week long we’ve been sharing hurricane safety tips on our website, Facebook and Twitter accounts.  There are lots of ways you can get prepared for hurricane season at – especially important if you live in a coastal area – but I will share two things you can do in the next five minutes to make sure your phone is ready for the start of hurricane season:


Monday, 03 June 2013 15:17

Rethinking business continuity

Business continuity and disaster recovery need to become “Facebook easy”.

So says Steve Kokol, VP of international sales at SunGard Availability Services. “You never had to go to a class or a three-day course to learn how to use Facebook,” says Kokol, adding that businesses need to incorporate this usability into their continuity and disaster recovery strategies.

In an interview with ITWeb, Kokol noted that making the recovery planning process simple is becoming more and more important as business continuity and disaster recovery are extended, encompassing more individuals in an organisation. “What this is highlighting is that business is acknowledging that, at the end of the day, it is the people who sit at the coalface who need to be in charge of business continuity and disaster recovery. In short, the people who are responsible for building these plans need to be in the field themselves.”


Saturday, June 1, marks the beginning of the 2013 Atlantic hurricane season. Forecasters from Colorado State University predict 18 named storms for the 2013 season, with nine of those forecasted to become hurricanes and four expected to be major hurricanes. The National Oceanic and Atmospheric Administration’s Climate Prediction Center warns there could be even more storms to hit the Sunshine State — up to 20, in fact, compared to the average of 12. If these and other predictions are right, Florida will see its share of storms this season.


By Jacque Rupert

One of the most common questions asked by business continuity managers is “How can my organization increase coordination between different groups performing preparedness activities, specifically ‘the business’ and IT?”

In my consulting activities I have seen many organizations’ business and IT teams struggle to come to an agreement on common requirements, such as application recovery time objectives (RTOs) and data loss tolerances (RPOs). The business tends to complain that IT does not listen to their recovery requirements, while IT tends to complain that the business is far too aggressive and unrealistic on recovery requirements.

This article seeks to address these issues, providing five tips to bridge the business – IT gap.


A combination of replication and erasure coding is the future for data protection in cloud storage and big data systems says Paul Carpentier.

In the course of IT history, many schemes have been devised and deployed to protect data against storage system failure, especially disk drive hardware. These protection mechanisms have nearly always been variants on two themes: duplication of files or objects (backup, archiving, synchronization, remote replication come to mind); or parity-based schemes at disk level (RAID) or at object level (erasure coding, often also referred to as Reed-Solomon coding). Regardless of implementation details, the latter always consists of the computation and storage of parity information over a number of data entities (whether disks, blocks or objects). Many different parity schemes exist, offering a wide range of protection trade-offs between capacity overhead and protection level - hence their interest.


The potential for collaboration took a huge step forwards with the rise of BYOD; but the reality of secure collaboration took a huge step backwards. A new State of the Enterprise Information Landscape report shows a ticking time bomb in the enterprise.

Staff get paid to do their job, and they do that as efficiently as they can. Security is something often seen as a hindrance to efficiency; so it is frequently ignored. A new survey by Huddle shows the extent to which security is often bypassed for simplicity in the name of personal efficiency.


Computerworld - If the question about tornadoes comes up at his Oklahoma City data center, as it sometimes does, Todd Currie, vice president of operations and general manager at Perimeter Technology, has answers. He even has a cutout sample of his roof to show how it is built.

Perimeter's data center was constructed to withstand an EF3 tornado, or winds up to 165 miles per hour on the Enhanced Fujita scale.

To protect against an EF3, Perimeter surrounded the raised floor portion of the data center with 8.5-in. concrete, reinforced walls. The data center is in the middle of the building, and around it are offices protected by another 8.5-in. exterior wall.


Friday, 31 May 2013 14:55

Before the Flood

Batteries, flashlights, bottled water. Now more jumbo-mortgage borrowers will be required to add another item to their storm-preparedness checklist: flood insurance.

The Federal Emergency Management Administration is currently re-evaluating flood maps, requiring more jumbo-mortgage holders with homes in high-hazard areas to buy flood insurance. Also, changes to federal law enacted in July are expected to jack up premiums.


The devastation caused by the multiple global crises over the last three decades has exposed the fragility of modern-day risk management practices. The Wall Street crash of 1987, the Asian financial crisis of 1997 and the banking sector collapse of 2007 left several global companies in a state of disarray.

Similarly, the safety-system failures at Japan's Fukushima Daiichi nuclear plant, the structural compromise of the New Orleans levees and the Mumbai terror attacks led to unprecedented economic losses for many organizations. In retrospect, while each of the above events - referred to as Black Swans by some observers - was possible, none was adequately anticipated. These events highlight the shortcomings of our knowledge, perspectives and risk models.


Friday, 31 May 2013 14:52

Getting outside expertise

No practitioner is an island

Enterprise risk management should be what the name clearly states:

  • Enterprise: Covers the enterprise
  • Risk: Considers all risks/threats to the enterprise
  • Management: Deals with risk avoidance/mitigation and dealing with risks if they occur, both during the crisis stage and the following recovery stages.

Most organizations have some insurance coverage, if only Property and Casualty (P&C). Many have Directors and Officers insurance and some have Business Interruption insurance.

These coverages are only the tip of the proverbial iceberg.

The problem is, insurance also is a risk.


Operator: Welcome. I'd like to thank you all for holding. And inform you that your lines are in listen-only for the conference until the question-and-answer session. After that you will press star-1 on your touch tone phone. I would like to turn to Tom Skinner.

Tom Skinner: Thank you, Ed. Thank you all for joining us today for this update on influenza A H3N2 variant virus. We're having this telebriefing today, because as many of you know, we've had a rise in the number of cases that are -- that have been reported to CDC. These are -- this increase is the result, and a change somewhat in what constitutes a positive case of H3N2 for surveillance purposes. And Dr. Joseph Bresee from the CDC is here to help put this into perspective and context for you. He'll also go over some things we talked about last week in regards to preventive steps people can take to protect themselves, especially those who will be and are attending agricultural fairs. I've got Dr. Bresee to speak for three to five minutes. And then we'll open it up for your questions and answers. So Dr. Bresee.


A 2010 American Red Cross survey found that an alarming 75 percent of 1,058 respondents expected help to arrive within an hour if they posted a request on a social media site. Hold that thought.

The public, and by that I mean the average Joe and Sally, doesn’t know that much about emergency and disaster response, and even less about disaster recovery and what is involved with getting federal assistance. What little they do know often comes from disaster movies.

There was a made-for-TV movie, 10.5, which had the FEMA director being lowered into a hole to personally set off an atomic bomb to stop a devastating series of earthquakes from continuing. I could think of a couple of past FEMA directors who I’d volunteer for the task — and no, not Craig Fugate, the current one.


No one at the Credit Union of New Jersey remembers when local device networking cables were first connected to a telephone junction block in the data center. Nor did anyone know how the tangled mess grew to span two such boxes and eight feet of wall space before finally reaching CUNJ’s core networking switches at its Trenton offices.

Fortunately, thanks to a recent remediation project, the crisscrossing thicket is no more.

Let’s face it: Many data centers could use some form of spring cleanup. Whether it’s cable management, consolidation, virtualization or just making better use of an existing footprint, initiatives that transform cluttered server rooms into efficient spaces can pay big dividends.


We've all seen enough news stories to know what can happen when a business doesn't get compliance right or falls foul of data protection legislation.

No organisation wants the negative exposure that results – exposure that reduces public trust, puts brand and reputation at risk, incurs financial penalties and invites customer churn. However, it's not just the fear of negative exposure and financial loss that is putting organisations under pressure – it is the changing nature of the laws and regulations surrounding data protection.

Critical changes are in the works to certification requirements for the Payment Card Industry Data Security Standard (PCI DSS), to legal compliance with the European Data Protection Regulation and to enforcement of data protection requirements from the UK Information Commissioner's Office (ICO).


A large US supermarket chain has implemented an innovative endpoint security technology to secure point of sales systems running legacy applications to save additional development or patching costs.

Bromium’s vSentry endpoint security software applies virtualisation expertise to isolate and secure every untrusted network task within its own tiny virtual machine or microVM.

According to Bromium, it is impossible to detect all the possible attacks or monitor all the possible forms of suspicious behaviour.

However, the firm maintains it is possible to protect endpoints using highly granular virtualisation in combination with hardware-enforced isolation.


“Why should we have a critical communications business continuity and disaster recovery plan?” It’s one of the most common questions asked in our business. The answer is simple for companies in certain industries. Often a variety of laws and regulations require or imply the need for a recovery plan to protect critical communications. Healthcare, financial, utility and government are just a few.

The answer for others is less defined. Common objections include cost, having a second facility with backup capabilities or outsourcing of print-to-mail operations. But the consequences of not having a proven recovery plan in place can be severe. They can range from loss of revenue and critical cash flow to service level penalties and fines or corporate image issues. Consider these five reasons your company should have a business continuity and disaster recovery plan in place:


Social sign-in has become a powerful force for marketers and consumers, validating the notion of federated identity in consumer-facing contexts. (Ironic that consumerization of IT is successfully tackling even the single sign-on problem that has bedeviled IT, showing how identity for the top line of the business can overcome resistance in ways that business-to-employee scenarios typically can't.)

But not all consumer-facing federated SSO is social. When I was with PayPal, our team worked on the underpinnings of what eventually turned into Log In with PayPal, which is strictly about federated identity flows for commercial purposes. And today Amazon has come out with Login with Amazon, a powerful statement of Amazon-as-identity-provider. They've been testing this with their own web properties Zappos and Woot; now they're enabling third-party merchants and other sites to use Amazon for authentication of people who already have active Amazon accounts, along with learning a few selected user attributes: name, email, and optionally the zip code of the default shipping addresses. No huge social graphs here, just data that partner eCommerce sites need to function (and make money).


CIO — Companies with strong relationships between the CIO and other C-suite executives are four times as likely as less-collaborative teams to achieve business results such as revenue growth and high profit margins, according to PricewaterhouseCoopers' fifth annual Digital IQ study.

PwC polled 1,108 business and technology leaders globally and split their responses into two groups: the 13 percent of respondents who rated themselves as "strong collaborators" in the C-suite, and the rest who didn't.

The study found a big correlation between strong C-suite collaboration and top business performers, which PwC defined as companies reporting revenue growth of 5 percent or more in the previous year and high levels of profitability, revenue and innovation.


Computerworld - Despite the growing threat of state-sponsored cyberattacks launched from China and other countries, U.S. companies should not be allowed to fight back on their own, security experts say.

Such corporate counterstrikes would undermine U.S.-led efforts to develop international cyberspace standards and norms while exposing U.S. companies to retaliatory strikes.

"This is a remarkably bad idea," said James Lewis, senior fellow and director of the technology and public policy program at the Center for Strategic and International Studies in Washington. "It would harm the national interest."


The United Nations cautioned global businesses that economic losses due to natural disasters are at a high level, and the threat of profit loss will rise until risk assessment procedures become a core component of company strategies. 

"We have carried out a thorough review of disaster losses at a national level, and it is clear that direct losses from floods, earthquakes and drought have been underestimated by at least 50 percent," said Ban Ki-moon, secretary general of the UN. "So far this century, direct losses from disasters are in the range of $2.5 trillion." He added that risk management should receive more focus in business schools.


Thursday, 30 May 2013 18:05

Hurricane Sandy: What Have We Learned?

Categories: General, Natural Disasters, Preparedness

By Maggie Silver

Superstorm Sandy

Long Beach is your typical northeastern city nestled on Long Island. A mix of apartments, homes and buildings set on the water with an idyllic boardwalk that draws in plenty of tourists during the summer months. And like many other cities in the tri-state area, it was hit hard by Superstorm Sandy.

As we gear up for the 2013 hurricane season, which starts June 1, we thought it would be practical to speak with some of the people who survived the biggest storm of last year and one of the most devastating to ever hit the area. That’s how we landed in Long Beach, talking to Alex Feygis about his experience and the lessons he learned about preparedness.

Alex and his wife were living in a fourth floor apartment overlooking the water last October when Sandy hit. When the weather reports started predicting the storm that would eventually shatter the east coast, Alex, along with many others, thought it would be nothing more than what Irene had brought the previous summer: a few flooded streets and maybe some scattered, but short-lived, power outages.

So when the police drove down their street Sunday evening ordering a mandatory evacuation, Alex understandably found the situation, “a bit unnerving.”

Time to Evacuate

Alex and his wife moved their cars to what they thought was higher ground, packed a few days’ worth of clothes and headed to his in-laws, who lived nearby in Oceanside. Unfortunately, the in-laws’ one-story ranch was quickly overwhelmed with flood waters once Sandy hit. Relocating for the second time wasn’t that easy, though: power was out across the city and cell service was spotty at best, not to mention that battery life was draining quickly.

“I hadn’t considered communication being a problem; I guess I’m just so used to always having a cell phone.” Alex and Farrah had to stay put for the next 24 hours until they could communicate with his parents who lived farther in-land and the whole clan packed up and moved in…for three weeks! That’s how long it took for things to start to resemble normalcy.

A Slow Recovery

Although Alex’s own apartment on the 4th floor hadn’t flooded, the lobby was under 5 feet of water and the plumbing and electrical systems were totally shot. That was the case for the entire city of Long Beach, which had no clean water for two weeks thanks to the sewage plant flooding. Even after potable water was restored, the apartment building had to replace boilers and electrical systems.

Needless to say, Alex and Farrah’s two day supply of clothes and necessities ran out quickly and they had to make a trip back to their apartment amid all the wreckage to re-up on supplies. When they returned, they realized their cars had been totaled due to the flood waters, which posed a whole new set of problems for them. It wasn’t an option to buy a car so they had to try and rent one to get to and from work (oh yeah, just because Sandy wreaks havoc on your life doesn’t mean you get a free pass from work). So Alex, along with hundreds of other newly car-less residents tried to rent a car. A shortage of vehicles wasn’t the only problem the couple faced though; the gas shortage also compounded things.

“It made returning to normal that much harder,” Alex recalls. “Even the smallest trips made you think, is it worth wasting the gas on?”

On the plus side, Alex and Farrah had a strong family network they could lean on. Alex’s parents lived far enough inland that they had power restored quickly in their temporary home and there was access to grocery stores and other supplies. Although his in-laws sustained significant damage to their house and had to rebuild, they were properly insured and the money to rebuild has been slowly trickling in. 

Did we learn anything?

After talking to Alex though, I began wondering, did we learn anything from this event? Was it so catastrophic that people will go back to their complacency and assume nothing that big will ever happen again? It seems to be a common theme I hear when talking to people who lived through this. But even if another Superstorm doesn’t hit, aren’t there things learned from Sandy we can apply to even the more “mundane” storms?

Take, for instance, the gas shortage. Sure, the chances of a massive run on gasoline that lasts for days aren’t that likely to happen again, but what if you had to evacuate and you had trouble finding gas for just that one day? Wouldn’t you give yourself a pat on the back for having the foresight to have tucked away an extra gallon in the garage, or stopped by the gas station on your way home from work when you heard the weather report?

Same goes for having an evacuation plan. Where would you go if you were told to leave your house and what would you bring with you? This doesn’t cost any money, all you have to do is sit down and think about what your plan would be and what you would take with you (think: important documents like birth certificates, passports, and deeds).

This is not to say that Alex didn’t learn anything from his experience. His first thought was reconsidering his evacuation plan. They’d make his parents’ house or a hotel even further inland their first choice for evacuation instead of the in-laws. They’d also have a few more supplies on hand and keep their phones well charged if a storm was approaching.

New Year Resolutions

As this year’s hurricane season approaches I hope you’ll take a moment to consider what you would do, not just in the extreme situations of Superstorm Sandy, but even in the more common thunderstorm or one of the possible 20 named storms that are predicted for this year. They may not be as extreme as Sandy but they can still bring with them destruction, flooding, evacuations, and any number of interruptions to everyday life.

Thursday, 30 May 2013 18:04

Social Media: Who Are You Dealing With?

Know thy audience, young crisis managers

Social media crisis management can be confusing to navigate, especially if you’re not sure which stakeholder groups you’re dealing with. Although each comment obviously comes from an individual, there are discernible groups that you see emerge again and again to join in online debates and dramatics.

In a post discussing online issues management tactics, social media pro Chris Syme defined four of the most common:


The Business Continuity Institute

Professionals in Shanghai Gain “BCM Awareness” at the BCI China Conference 2013

About 100 professionals in Shanghai and other parts of Asia are now more knowledgeable in Business Continuity Management (BCM) for having participated in the successfully held BCI China Conference 2013 from 16-17 May.

The two-day event, which was most appropriately themed “International Standard and BCM Practice in China,” provided the venue for various industry representatives to gain valuable information on relevant topics such as Risk Management, the new international BCM standard ISO22301 and Social Media Crisis from some of the most accomplished BCM experts today.

Highlights of the event include presentations made by Steve Mellish, Chairman of the Business Continuity Institute (BCI), on the latest industry trend “Horizon Scanning.” Also, BCI Vice Chairman David James-Brown presented on the very interesting “Managing Crisis of a Case Study from Australia, Brisbane Flooding Crisis.” BCI Asia Regional Director Henry Ee provided information on the BCI certification and membership system which served as an “interactive survey” with event participants.

Another important part of the event was the announcement by the Director of the China National Institute of Standardization that China’s “National BCM Standard” will be ready by the fourth quarter of this year.

A very educational “Interactive BCM Simulation” was also conducted during the event, which allowed participants to gain awareness of various BCM principles and concepts. The activity was well received by participants as it was based on realistic scenarios relevant to a pandemic crisis.

The BCI China Conference 2013 was co-organized by BCI and Business Continuity Planning Asia Pte Ltd (BCP Asia).

Based in Caversham, United Kingdom, the Business Continuity Institute (BCI) was established in 1994 to promote the art and science of business continuity worldwide and to assist organizations in preparing for and surviving minor and large-scale man-made and natural disasters.  The Institute enables members to obtain guidance and support from their fellow practitioners and offers professional training and certification programmes to disseminate and validate the highest standards of competence and ethics.  It has circa 8,000 members in more than 100 countries, who are active in an estimated 3,000 organizations in private, public and third sectors.

For more information go to:

Wednesday, 29 May 2013 14:41

PCI Compliance: What You Need to Know

If your business accepts credit cards of any type, then you are automatically responsible for complying with the Payment Card Industry Data Security Standard (PCI DSS). This standard was developed by the five major credit card brands in order to create and maintain a consistent information security standard for all credit card processors. The ultimate goal is to prevent the credit card fraud that occurs when cardholder data is left unsecured.

If your business isn’t PCI compliant, not only are you at risk of incurring fines and penalties from your merchant account provider – you’re also more likely to become a victim of credit card fraud.


CIO — CAMBRIDGE, Mass.—The role of the CIO is constantly in flux, but the rapid emergence of big data, analytics and cloud technology--and the accompanying proliferation of data itself--has further strained IT innovation and added complexity. All this comes at a time when companies expect IT to do more with less and the balance of IT services spending is poised to tilt away from the CIO.

With that at stake, the leading CIOs and CEOs who spoke at last week's MIT Sloan CIO Symposium gave the senior IT and business executives in the audience food for thought about how to use data analytics and cloud technologies to improve business processes without putting additional strain on IT resources.


Considering the critical role of depositories in the functioning of contemporary capital markets, and more so as custodians of public investments, attention to the security and reliability of operations has been an essential area for all such organisations worldwide. Safeguarding data and IT resiliency at CDC has been an integral part of its IT operations since inception.

However, after CDC expanded its role deeper into the industry and diversified its services portfolio, the specific need for business continuity planning became more pressing. Recognising the importance of ensuring its ability to continue its critical business processes even in the worst of situations, CDC, being a key infrastructure company, decided to plan its course on international standards. CDC, in consultation with IBM, embarked on its journey towards a Business Continuity Management System (BCMS) in 2006. CDC had developed and implemented an action plan to deal with changing circumstances that might interrupt its services to clients as early as 1998. However, the plan continued to mature and the understanding kept sinking in across the organisation over time. Over the last year, the organisation decided to give a final touch to its Business Continuity programme following international best practices.


With hurricane season just around the corner, now is the optimal time to put all your ducks in a row when it comes to securing your client’s data, mitigating downtime and keeping their business afloat in the wake or aftermath of a disaster. According to the United States government, one in four businesses do not survive a disaster, which makes your commitment to protecting your client even more important. But times are changing and so too is disaster recovery, thanks in part to the cloud.

Historically, traditional disaster recovery methods have been costly, time-consuming and prone to blunders. In the past, businesses would back up their data on tapes, which have a 40 percent chance of failing when read from different drives and can take weeks to recover. Now, with advances in cloud technology, the face of disaster recovery is changing – which can only mean great things for businesses and managed service providers (MSPs) alike.



Wednesday, 29 May 2013 14:25

When Disaster Strikes

It happened during Super Storm Sandy. It happened during the recent tornadoes in Oklahoma. It happens to someone every day. Disasters happen with alarming regularity, but they don't have to be catastrophic natural disasters to be disasters for your business. A fire, a broken water main, a burglary, or even just a minor power surge can take your branch office off-line in a matter of seconds. We all have disaster recovery plans in place to deal with such unexpected events, but really, if it happens, how much down-time are you willing to live with?

If you've still got local servers and storage in your branch office, you could be looking at significant down-time in the event of a disaster. There's the initial response time, and then there's the rebuilding. The rebuilding of servers, of operating systems, of applications, and the recovery from backup of local branch office data. Even with the best disaster recovery plans in place the downtime can be a few days before all the branch office servers and services are back up and running. 


Last week, an oversized truck traveling on a bridge over the Skagit River north of Seattle in Washington state reportedly hit an overhead girder, causing the bridge to collapse into the rushing waters below. Fortunately, neither the truck driver nor anyone else died in the accident.

But now the locals need to come up with a solution, both temporary and long term, to fix the throughway so that the area can resume commerce and travel as normal. They have a plan for a short-term fix, according to Washington Governor Jay Inslee in a press conference. “We’re going to get this project done as fast as humanly possible,” said Inslee. “There’s no more important issue right now, to the economy, to the state of Washington frankly, than getting this bridge up and running.”

This may not have just been some freak accident, however.


Craig Fugate took over as FEMA’s administrator in May 2009, and has instituted many approaches to emergency management that have taken hold and helped push the U.S. to become better able to respond to and mitigate hazards. We talked with Fugate about those efforts and where improvements need to be made to develop more resilient communities.

Question: What are some of the biggest leaps that FEMA has made since you have been the administrator?

Answer: If anything, when I arrived at FEMA, we were still very much reactive to issues and not being proactive. My approach is that it doesn’t get better with time. I would rather get the bad news out first and let people know where they are and move forward. It was almost as if our culture was that we didn’t want to give people bad news so we oftentimes would delay answers. I would say, “Look, we owe people honest answers, and if the answer is yes, tell them yes. If the answer is no, tell them no, [and] if the answer is maybe, let’s get to the right answer quickly — speed not haste.”


Oceanic and atmospheric conditions in the Atlantic basin are expected to produce more and stronger hurricanes during the 2013 Atlantic hurricane season which starts this Saturday June 1 and lasts until November 30, according to the National Oceanic and Atmospheric Administration (NOAA).

In its 2013 Atlantic hurricane season outlook, NOAA’s Climate Prediction Center is forecasting an active or extremely active season this year.

This means there is a 70 percent chance of 13 to 20 named storms (winds of 39 mph or higher), of which 7 to 11 could become hurricanes (winds of 74 mph or higher), including three to six major hurricanes (Category 3, 4 or 5; winds of 111 mph or higher).


Tuesday, 28 May 2013 19:05

NOAA issues hurricane season forecasts

NOAA has issued its forecasts for the 2013 hurricane season. It is predicting an active or extremely active Atlantic season, with a below-normal season being predicted in other areas. Forecast summaries are below:

Atlantic hurricane season

For the six-month hurricane season, which begins June 1, NOAA’s Atlantic Hurricane Season Outlook says there is a 70 percent likelihood of 13 to 20 named storms (winds of 39 mph or higher), of which 7 to 11 could become hurricanes (winds of 74 mph or higher), including 3 to 6 major hurricanes (Category 3, 4 or 5; winds of 111 mph or higher).

These ranges are well above the seasonal average of 12 named storms, 6 hurricanes and 3 major hurricanes.


Just over one in every ten dollars spent on dealing with disasters is spent on preparing for and preventing them, according to new research from the Overseas Development Institute (ODI) and the Global Facility for Disaster Reduction and Recovery.

Over the past 10 years, disasters and disaster risk have attracted much attention, with the international community experiencing some of the largest impacts ever seen (Haiti Earthquake 2010, Asian-Indian Tsunami of 2004, Cyclone Nargis in 2008). However, global commitment to supporting developing countries in managing their disaster risk has barely increased.

Despite increased rhetoric about disaster risk over recent years, financing for disaster prevention and preparedness remains low.


This week, we’re kicking off National Hurricane Preparedness Week! Once again, we’ve teamed up with our partners at the National Oceanic and Atmospheric Administration (NOAA) to encourage all Americans to prepare for the upcoming hurricane season, which officially starts this Saturday, June 1 and lasts until November 30. Above all, hurricanes are powerful forces of nature that not only cause damage to coastlines, but also hundreds of miles inland as well because of flooding.


CIO — The phrase "all roads lead to Rome" describes the importance of a city at the heart of an empire. When it comes to modern litigation, all roads lead to the CIO's desk, because information is the lifeblood of litigation.

Just as CIOs should have contingency plans for a network crash, they need a litigation-readiness plan for responding to legal requests for electronically stored information, a process called ediscovery.

Timeliness is critical. Responding inefficiently after notice of a triggering event often results in the loss of data, which can lead to legal sanctions against the company and avoidable costs.


With 24x7 connectivity and business demanding constant availability of data wherever and whenever needed, today the banking sector faces new challenges, even as customers have come to expect that their information and money are accessible at the click of a button. Going forward, these demands for instant access are only going to intensify. Meeting these ever-growing requirements can become impossible in the event of a disaster, unless a well-considered disaster recovery (DR) plan, based on flexible and highly-responsive infrastructure, is put in place.

The primary objective of a disaster recovery plan for a bank is to recover from disruptions and to return to a normal operating state as quickly as possible. A sound DR plan will minimize the length of a disruption and its impact on business operations. In most organizations, not all data is created equal, so the prioritization of data restoration and service availability is a key component of a successful DR plan.


Tuesday, 28 May 2013 18:56

Avoiding the Next Disaster

As we pick up the pieces after the Moore, Oklahoma, tornado -- and honor the deceased -- we're getting figures now that this tornado, while not the most powerful recorded, may possibly be the most expensive in U.S. history. We at Architecture for Humanity, like many, pause and wonder at how much damage could have been prevented -- a consideration that is becoming more relevant to more cities as our climate continues to change.

There's nothing we can do to stop tornadoes, hurricanes and earthquakes from happening. They are natural events. What makes them natural "disasters" is the effect they have on our homes, lives and communities. That's something we can affect -- and work is already underway.


"The rapidly changing healthcare landscape demands a disciplined approach to risk assessment," said Matt Weekley, leader of the national healthcare industry practice at Plante Moran, during a May 23 webinar hosted by the accounting and consulting firm.

During the webinar, panelists Mr. Weekley and Plante Moran Partner Anthony V. Colarossi, along with moderator and Plante Moran Partner Betsy Rust, explained that hospitals need quantitative risk assessment to prepare for coming changes in the industry, such as the move to value-based purchasing and the impending insurance exchanges.

The panelists agreed that having a risk assessment plan in place aids in the development of a strategic plan, is effective in creating mitigation or contingency plans, encourages outside-of-the-box thinking and, most importantly, turns risk management into a proactive rather than reactive activity.


When companies perform qualitative risk assessments, they often fail to consider the potential disruption from a sophisticated cyberattack. The frequency and complexity of cyberattacks are increasing, and hackers are more able to breach a company's security detection systems, according to a recent study from Frost & Sullivan. Next-generation intrusion prevention systems (NGIPS) are becoming more widely adopted to mitigate the risk of a cyberattack.

Organizations have experienced a rise in long-term, targeted advanced persistent threats, which indicates hackers are better organized and more skilled. Many enterprises continue to install intrusion prevention systems to detect traditional malware, but some are upgrading protection measures as the threats to data security increase. However, the high cost of software upgrades can deter some businesses from investing in new systems.


CISOs today need to manage risks instead of locking things down, said Bharti Airtel's Senior Vice President and Chief Information Security Officer, Felix Mohan, while delivering a keynote at the recently held India Computer Security Officer at Kovalum, Kerala.

During the keynote Felix highlighted that CISOs need to evolve from the traditional role they have been entrusted with to date, because today the Nexus of Forces is pushing CISOs to step up as business enablers who are accountable for the company’s profitability. Elaborating on this he said, “For the enterprises to obtain competitive advantage from these disruptive forces, businesses today need their CISOs to upgrade their mental attitude from locking down things to managing risks. Business wants the CISOs to say yes to the Nexus of Forces and facilitate the adoption of these by solving the security puzzle, so that the business can benefit from it.”


TULSA, Oklahoma – The video of two Moore elementary schools ravaged by Monday's tornadoes brings a powerful reaction from parents: What if that were my child's school? How would rescuers know where to find my child? Would they have the resources to get to them quickly when every second counts?

It turns out lawmakers acted on those fears after the 2003 tornado that hit Moore and Southeast Oklahoma City, with the Oklahoma Emergency Management Act of 2003.

Part of that law requires all schools to write up a disaster and emergency preparedness plan and keep it on file with their local emergency management office, and update it each year.


It’s great to have many continuity plans and strategies to prepare for and respond to disasters. However, if they aren’t validated they don’t carry any weight, and there’s no way of knowing whether they would be any good – useful – when a real situation occurs.

BCM practitioners may make the case for exercising plans, but sometimes management may not want to make the resources – physical and financial – available to validate the plans. There are a few questions that can be posed to executive management to help secure the right kind of commitment and support to validate continuity strategies and plans.


Friday, 24 May 2013 13:35

Stress Testing and Data Collection

In the wake of the most recent financial crisis, considerable emphasis has been placed on financial institutions performing reasonable stress testing procedures as part of their risk management and capital planning processes. While the focus primarily has been on the largest financial institutions with measures like the introduction of the Supervisory Capital Assessment Program, or SCAP, in early 2009, additional and more recent guidance seems to indicate that this will be something that all financial institutions, regardless of size, will be asked to do.

Sourcing and updating adequate data is one of the most crucial aspects of developing and maintaining a reliable stress testing process. The ability to incorporate updated and relevant data for the stress tests will provide financial institutions, regardless of size, with significant benefits as they strive to identify and mitigate potential risks in their loan portfolio over time.


Friday, 24 May 2013 13:33

Give job to best person

I’m a fan of the comics.

Dilbert for May 23, 2013 triggered the thought that a risk management practitioner needs to try to match personnel to processes as an organization (a) tries to maintain a minimum level of service and (b) restore the operation to “business as usual.”

Politics and egos can make this a difficult task, but when it can be accomplished, the results are worthwhile.

There are those people, including practitioners, who are excellent workers under normal conditions. These same people may fall apart under event and post-event demands. On the other side of the coin, there are those who “get by” when everything is proceeding normally but shine when the pressure is greatest.


Even for an epidemiologist who works in public health preparedness and response, being asked to explain to the public what we do at CDC can be difficult.  

That said, sometimes opportunities to talk about public health drop into your lap. A few months ago I was catching up with my friend Austin, an engineer for a large corporation. It turned out that while on long-term assignments he and his team had recently taken to playing the board game “Pandemic.” One might think that an infectious disease would make for a strange game premise, but to my surprise it’s been gaining a loyal fan base. Of note, the game was recently profiled by Wil Wheaton on his “Geeks and Sundry” tabletop videocast, seen by more than 350,000 viewers, and positively reviewed on many board game sites.


Even if some of your business solutions are ‘cloud based’ such as or Hubspot, you still likely have other servers in your office(s) that are used for other business critical functions like email, accounting, manufacturing, collaboration, file storage and the like.

Because of this, virtually all (sane) businesses have some type of backup solution, whether it be tapes, hard drives, or even a cloud service like Carbonite or Mozy. However, what many people don’t realize is that backup solutions are designed to allow you to retrieve your data in the event of a data loss, not to actually minimize your downtime in any way.

There are two types of backup models: file based and image based.


Housing associations are braced for reform. Legislation, from housing benefit direct to tenants to the bedroom tax, is being driven through but scant consideration has been given to data security. Changing how and where data is held, accessed and transmitted can have profound implications and could see some housing associations breach regulations.

Securing personal data on the wide range of tenants which housing associations provide for is vitally important to protect their identities and to protect them from harm. Current data management is often out of date and incoming legislation threatens to disrupt processes further.

Housing associations can avoid falling foul of legislation and take the necessary steps to ensure future compliance by following a five-point action plan:


“Tone at the top” is an often-used term to describe how an organization’s leadership creates an environment that fosters ethical and responsible business behavior. While tone at the top is important and a vital foundation, is it enough?

The reality is that when leaders communicate the organization’s vision, mission, core values and commitment to appropriate ethical behavior, what really drives the culture and resonates with the organization’s employees is what they see and hear every day from the managers to whom they report. If the behavior of middle managers contradicts the messaging and values conveyed from the top, it won’t take long for lower-level employees to notice. Because the top-down emphasis on ethical and responsible business behavior in an organization is only as strong as its weakest link, it is vital that the organization’s tone at the top be translated into an effective tone in the middle before it can reach the rest of the organization.



Wealth management firms process, consume, and produce massive amounts of digital data on a daily basis. Many types of wealth management firms are looking at Big Data solutions, including banks, full service and self-directed brokers, and RIAs. Celent believes banks and full service brokers are more likely to use Big Data solutions in the near term as they work to establish better consolidated or 360° views of their customers.

Celent defines Big Data on three dimensions (volume, velocity, and variety), and the process includes capturing and gathering data, analytics, and visualization. This has caught the attention of financial service firms because Big Data can help firms capture and combine diverse sets of internal and external data to improve their analytics. New Big Data analytics help firms process analyst queries and experiments faster, which improves analyst productivity and provides a competitive advantage. Improved visualization tools help in the exploration and presentation of data and analytics.


Thursday, 23 May 2013 14:46

Measuring Community Resilience

"Community resilience" is one of those things that we all agree is important but can't agree on just what it means, a situation not uncommon in emergency management. In very broad terms it is the ability of a community to survive and recover from a significant event. But how do we measure resilience?

Jorn Birkmann's book Measuring Vulnerability to Natural Hazards: Towards Disaster Resilient Societies offers a number of perspectives on the difficulty in such measurements and the complexity involved. It also demonstrates that much of the data needed by current assessment models are either hard to obtain or non-existent, requiring the use of proxy data. This makes many of these research tools of limited utility to the emergency manager.


The storm that destroyed large swaths of Oklahoma was unfathomably destructive. Its vast size was frightening, its energy enormous, its tragedy permanently unforgettable. Even with all the tornadoes to ravage the U.S. landscape in recent years, this one is uniquely disturbing. The images of flattened neighborhoods full of shattered-toothpick homes and mangled cars look like make-believe.

With at least 24 dead and more than 200 injured, the human toll has been massive.

In this video, Moore, Oklahoma, Mayor Glenn Lewis discusses the devastation.


The pricing of a backup and disaster recovery (BDR) offering can make or break the solution's profitability for managed services providers (MSP). To avoid beginner mistakes with BDR pricing, we did a little research and discovered five pricing tips that can help MSPs keep their head above water. Take a look at what we uncovered in this MSPmentor exclusive.

BlackPoint IT Services Managed Services Vice President Chris Butler told MSPmentor that his pricing practices have worked well for his company. His pricing strategy has been "developed over the past three years by listening to client feedback and what would be their ideal backup as a service solution."


The growing threat of cyber attacks has moved disaster recovery planning up the agenda for many law firms determined to protect their client’s data. But why pay every year for something you are never likely to use?

Secure data
Every business should have an IT disaster recovery plan, with step-by-step procedures for recovering disrupted systems. The plan identifies critical IT systems and networks, assesses the required recovery time, and establishes the steps for restarting, reconfiguring and recovering them.
Certain businesses are required by law or regulation to have such plans in place, with some required to keep all data secure and retrievable regardless of what happens to the business.
Instead of outsourcing the entire responsibility for disaster recovery to external service providers, it’s possible for smaller firms to plan for the worst, protect their business and only pay if disaster strikes.


Making sure that people have access to the Internet in the wake of disasters has become crucially important since it gives disaster victims the ability to communicate and learn important information that could help save lives. But what happens if an ISP’s basic infrastructure in a given area gets completely wiped out by a hurricane without any hope of being rebuilt for months? In AT&T’s case, that’s when it’s time to start rolling out its fleet of network equipment trailers that are capable of replicating the functions of a 10-story office building in the space of a small parking lot.

BGR travelled to Hartford, Connecticut last week to get a first-hand look at how AT&T prepares its Network Disaster Recovery trailer fleet for situations where the carrier’s entire central infrastructure has been completely demolished. What makes the entire exercise so impressive is the fact that AT&T goes into an area assuming it will have no ability to connect to the Internet. At first the company will often roll in a satellite truck that will give its makeshift trailer park access to the Internet, albeit with limited bandwidth. From there, the carrier’s team of engineers works to replicate a fiber core capable of ideally providing service to an affected area within a day or two of arriving.


Forrester research has always identified security as a major impediment to broad-scale cloud implementation; regardless of the model – SaaS, PaaS or IaaS – the adoption rate has been slowed by security concerns. Cloud providers recognize this is an impediment to selling cloud services and in response are strengthening their security controls. In Forrester’s Forrsights® research program we interview over 2000 security decision makers on a variety of security issues and topics. Cloud security tops the list of concerns regarding cloud deployments.

The appetite on the buy-side is very real for secure IT cloud infrastructures. Our research shows a lot of very strong interest in the deployment of private cloud platforms because of the elasticity, reduced cost and cycle times required to deploy solutions in these environments.

This week Amazon Web Services (AWS) announced that AWS GovCloud (U.S.) and all U.S. AWS Regions have received an Agency Authority to Operate (ATO) from the U.S. Department of Health and Human Services (HHS) under the Federal Risk and Authorization Management Program (FedRAMP) requirements.


Albert Ashwood, Oklahoma’s director of emergency management, was surveying last weekend’s tornado damage with Gov. Mary Fallin on Monday morning, when he told her they had to leave immediately. The weather, he said, was getting worse, and the two of them needed to get to the command center.

Two hours later, a tornado with winds reaching 190 mph cut a 17-mile swath through the metropolitan Oklahoma City area, leveling hundreds of homes and leaving dozens dead.


By Carol Laufer, ACE Excess Casualty, and Lori Brassell-Cicchini, ESIS Catastrophe Services

Business continuity is not just about protecting the supply chain. When a disaster strikes, how a company responds, and how the public perceives that response, can have a significant and lasting impact on its business. A poorly handled response can seriously damage a company’s reputation, lead to lost customers and sales and even spur new regulations. An effective response will help mitigate those very real threats to revenue and reputation. Planning makes all the difference.

A company that develops and tests a robust catastrophe management plan ahead of time can focus on executing the plan, helping the public and its customers through the crisis, while managing the media and government scrutiny. A disaster poses a serious challenge for any business while it is taking place, but an effective response can enhance the company’s reputation for the long term.


Thursday, 23 May 2013 14:37

When IT & Security Worlds Collide

No one involved in security today has failed to notice the rise of the term "converged security." There have been a number of articles published on this very forum about the worlds of physical security and IT coming together.

Typically, converged security marries physical, logical, and information security with risk management, business continuity, and disaster recovery on a common network enabled by IT on the IP network. As security professionals, whether we like it or not, this trend is not only here to stay but destined to grow -- and rightly so, if we are honest.

Cisco's Guido Jouret wrote in September 2012: "Analysts estimate that by 2013, more than 50 percent of all video surveillance deployments will be managed by IT on the IP network." There's no doubt this growth is being aided by society's adoption of the Internet, which has been faster than the adoption of any previous technology. A clear example easily associated with our industry is telecommunications, which has undergone a revolution since the emergence of the first VoIP solutions in 1992.


Engineering students at Oklahoma State University designed drones that may someday collect new data about tornadoes, helping public safety agencies more accurately predict and plan for disaster. A giant tornado, at least one mile wide, wiped out neighborhoods as it moved through Oklahoma on Monday, May 20. While the student designs are only in the preliminary planning stage, with no firm schedule to move forward, the university’s Department of Mechanical and Aerospace Engineering is negotiating with its partners to settle on a possible multi-year project that could change tornado science and ultimately save lives.

The project, whose partners include the University of Colorado at Boulder, the University of Kentucky, Virginia Tech and the University of Oklahoma, now has several active drone projects in addition to the tornado project. A lot of their drone research is funded by the Department of Defense, said Oklahoma State University Professor Jamey Jacob, but there are a lot of applications for the use of drones in civilian airspace, too.


When the main US federal emergency agency arrives at the scene of a disaster-hit area, one of the first places it turns to is the local Waffle House – and not just for its officials to grab a quick bite.

Craig Fugate, the head of the Federal Emergency Management Agency, came up with the idea of the "Waffle House index" as an informal way of measuring the impact of a disaster. The chain, which has a large number of branches in tornado-prone areas, has a robust emergency management plan.

The index has three levels. If the local Waffle House is up and running, serving a full menu, a disaster is classed as green. If it is running with an emergency generator and serving only a limited menu, it is a yellow. If it is closed, badly damaged or totally destroyed, as during hurricane Katrina, it is a red.



The American Red Cross is urging residents in Nebraska and Iowa to make sure households, schools and businesses are prepared for possible severe weather including rain, strong winds and possible tornadoes.

"Listen to weather alerts and designate a safe space where people can gather for the duration of the storm," said Tina Labellarte, Region CEO. "The area should be a basement, storm cellar or an interior room on the lowest floor away from windows."

The American Red Cross Tornado App is available in English or Spanish and gives iPhone, iPad and Android smart phone and tablet users instant access to local and real-time information, so they know what to do before, during and after a tornado.


It’s a little ironic that in the weeks preceding the devastating May 20, 2013 Moore, Oklahoma tornado, there were numerous reports of how 2013 tornado activity was at a record low.

Unfortunately, these headlines may give the mistaken impression that the United States is in a period of lower risk for tornadoes, and/or that the costs from such events are declining.

Yet as we have seen repeatedly during hurricane, tornado and wildfire seasons, it only takes one storm, or event, to remind us of the dangers and ongoing risks.


How much do you know about cloud-based disaster recovery?

Recovery-as-a-Service, commonly referred to as RaaS, enables organizations to recover critical IT resources with increased efficiency and complete effectiveness when an adverse situation strikes. Cloud-based RaaS is nothing like the traditional disaster recovery (DR) solutions of the past. Cloud-based RaaS users are able to install one piece of software (not an agent), which includes a control VM as well as an appliance on all participating VMware hosts. This increases self-service, testing and reliability of complete application protection.

Even with all the changes in technology that have happened lately, there are still a lot of myths circulating that may have you confused about disaster recovery. Test your knowledge of what is fact and what is fiction with this short quiz, below.


Wednesday, 22 May 2013 16:54

Finding the time for cyber security

Possibly the most disturbing feature to emerge from the Federation of Small Businesses' (FSB) new cyber security report is that making computer systems secure can be a complex and time consuming process that a lot of small firms can't manage.

Cyber Security and Fraud: the impact on small business makes it clear that too many companies are falling foul of online crime, with about three in 10 of its 2,667 survey respondents suffering from attacks over the past year, and the average annual cost coming in at just below £4,000.

But there's an acknowledgement that despite a growing awareness of the threats, small firms are not always taking preventative action if it's a complex process.


It is easy to think that your startup is too small or too new to face threats to your data security. But the simple fact is that in the current competitive climate of the biotech industry, when many companies of all sizes are rushing to develop innovations, the security of your data is more important than ever.

The best way to ensure that your data is secure from threats that come from both inside and outside your company is to partner with an IT provider with expertise in both security and the unique needs of biotech startups. Such a partner can assist you in putting together the right mix of solutions now while thinking of where your company is going in the future, so these solutions can be built on and used as your company grows. It is much simpler and more cost-effective to start with the right mentality around information security than to try to change these systems and procedures while your company is in growth mode. When developing the IT infrastructure for your biotech startup business, be sure that you keep the following security concerns in mind.


To rebuild or not to rebuild?

As recovery slowly begins after deadly tornadoes flattened subdivisions in Moore, Okla., and tore through nearby areas, the complex question has come up again for the disaster-prone region that sits within Tornado Alley.

Moore, a 55,000-resident city south of Oklahoma City, is no stranger to destruction. A 1999 tornado that wreaked havoc upon Moore had winds topping 300 miles per hour, and it was slammed by smaller tornadoes in 1998, 2003 and 2010. But each time, like dozens of other American communities prone to natural disaster, it has rebuilt.

Disaster recovery and urban planning experts say the tendency to rebuild American cities that have experienced tornadoes, hurricanes, earthquakes and flooding -- and are likely to see such trauma again -- can be attributed to a mixture of economics, politics, nationalism and spiritual views that often sets the U.S. apart from other nations.


Many of the small businesses battered by Hurricane Sandy are still waiting for U.S. government assistance, raising concerns among some about Midwest businesses hit by devastating tornadoes.

The U.S. Small Business Administration has approved loans to one out of every four business owners who applied for assistance after Sandy hammered the East Coast in October, according to analysis of data the agency submitted to Congress.

In addition to the low approval rate, which included employers who submitted but eventually withdrew their applications, the agency has been slower to process applications and disburse funds than in the aftermath of hurricanes Ike in 2008 and Irene in 2011. Rep. Nydia M. Velázquez (D-N.Y.) noted the comparison in a letter sent to the U.S. Government Accountability Office asking for further examination of the disaster loan program.


With the growing movement of enterprises to the cloud, it’s more important than ever that service providers demonstrate and prove good security practices to their customers, in good times and in bad. During an incident, how a cloud provider communicates to its customers says a lot about its commitment to security.

Sounds obvious, right? Well, three different times during the past seven months – and once while I was on a panel at the 2012 CSA Congress in Orlando – I’ve learned that it isn’t clear after all. As CSO at Okta, I work closely with our customers and they always ask, “What will you guys do if a breach occurs?”


In a large country with myriad natural threats, some responders are more experienced than others in handling certain types of disasters. Certain phenomena, such as earthquakes and hurricanes, typically don’t happen in some areas of the country.

But with a surge in the number of incidents declared as disasters by FEMA over the last 20 years, it’s become paramount for regions to plan for the unexpected, particularly when it comes to Mother Nature.

In 2011, tornado activity was observed in places that rarely see it, from Northern California to the East Coast and in between, leaving some residents in disbelief that the weather phenomena actually occurred there.


Wednesday, 22 May 2013 16:15

Risk Management’s Gender Pay Gap

Next month marks the 50th anniversary of the Equal Pay Act, which was signed into law by President John F. Kennedy on June 10, 1963. At the time, women earned about 59 cents for every dollar paid to their male counterparts. To correct this disparity, the law made it illegal for employers to pay women lower wages than men for doing the same job.

Today, the gender pay gap has narrowed, but as we reported in the May issue of Risk Management, it still exists. According to the Bureau of Labor Statistics, in 2011, women were paid 82 cents for every dollar paid to men. While a 23% gain is certainly progress, there is still significant ground to be made up before full equality can be achieved.


There’s plenty of talk about security threats from internal employees—but what about the threats associated with outsourcing?

The stats may (or may not) surprise you. Forty-six percent of organizations do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information, according to a recent study conducted by the Ponemon Institute. The survey polled nearly 750 individuals in organizations that transfer consumer data to third-party vendors.

“Many companies have higher standards for their in-house data security practices than they have for vendors that they enlist to hold customer information,” says Michael Bruemmer, vice president at Experian Data Breach Resolution. “The standards should be consistent, because not adhering to the same policies leaves companies vulnerable.”


Very few business owners would dispute the wisdom behind having a Disaster Recovery plan. This doesn’t stop many (if not most) businesses from having an outdated, ineffective, incomplete or untested plan.

One reason for this is that, like insurance, people like the peace of mind of knowing they have a Disaster Recovery plan, but they never really expect to use it. As a result the plans are frequently slipshod in design and execution. A Disaster Recovery plan should have these elements, at a minimum:


Tuesday, 21 May 2013 15:58

Creating a disaster recovery plan

As a financial advisor, you are aware of the importance of being properly insured. But are you prepared for the disruption your business would suffer in the event of a disaster — such as a flood, a hurricane or a tornado?

"I am often struck by how few [organizations] have actually gone through the exercise of developing a proper disaster recovery plan," says Dean Tremblay, manager of professional services in Ottawa with Toronto-based Blackiron Data. "In the wake of events such as Hurricane Sandy and others, it is something that every practitioner should have."

Tremblay offers the following advice on how you can begin to ensure your business is prepared for the unexpected:


CIO — IT executives continually evaluate the technology trends that will impact their business in 2013 and beyond. Some simply deploy technology to advance the goals spelled out in business plans. Others take on the role of chief innovation officer and introduce different models of using existing data to generate new revenue and gain insight into who clients are and what they want.

Buzz has certainly surrounded big data for some time, but many IT executives still wonder how they can begin to leverage the three "V's" of big data—volume, variety and velocity, or the frequency at which data is generated and captured—and augment the value of data for their organization.


If you're a managed services provider (MSP) looking to dive into the backup and disaster recovery (BDR) pool this summer, we've compiled a few swimming lessons for you to keep your head above the water. We've connected with CCNS Consulting owner Karl Bickmore to discover how three simple BDR lessons would have relieved a lot of tension in the beginning for him. So slip on your sandals and swim trunks, and head down to the pool for three swimming lessons that will make you better than your competition in this MSPmentor exclusive.

Bickmore promoted three initial areas of focus for those MSPs starting with BDR: vendor selection, the value of standardization of backup, and the cost of initial seeding.


MOORE, Okla. — A giant tornado, a mile wide or more, killed at least 91 people, 20 of them children, as it tore across parts of Oklahoma City and its suburbs Monday afternoon, flattening homes, flinging cars through the air and crushing at least two schools.

The injured flooded into hospitals, and the authorities said many people remained trapped, even as rescue workers struggled to make their way through debris-clogged streets to the devastated suburb of Moore, where much of the damage occurred.

Amy Elliott, the spokeswoman for the Oklahoma City medical examiner, said at least 91 people had died, including the children, and officials said that toll was likely to climb. Hospitals reported at least 145 people injured, 70 of them children.


In a previous post on making suggestions for updating NIMS, I suggested that social media monitoring should go into the ICS structure rather than be considered a part of the JIC or PIO responsibilities. This prompted some thoughtful responses from readers of this blog--I encourage you to read them at the bottom of that post.

I wanted to respond in particular to the comments of Ed McDonough who raises some very important objections to my suggestion. Here is the crux of his concerns:

If we move social media monitoring to planning, then should we also move traditional media monitoring to plans? How about the monitoring of public query lines? Furthermore, what sense would it make to move the monitoring of social media away from the same group of people that are pushing out the social media messaging?


Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Disaster recovery plans and the usual mix of uninterrupted power supplies (UPSs), co-location services, data mirroring and hot-standby technologies theoretically make it possible to weather any storm. But are backup systems, replication rules and fast failover solutions enough?

Any data center manager that has implemented a DR solution understands there are always compromises. To save costs, for example, the generators and co-lo facilities are typically designed to support only a subset of the services being provided during times of normal operation. Here are some considerations meant to ensure the compromises are based on the right facts, and that the DR plan stays aligned with the dynamic requirements of the business it protects.


Tuesday, 21 May 2013 15:51

Business continuity fundamentals

Business continuity management has evolved into a specialized discipline, but you don’t need a team of specialists to create and manage your BCM program. With a little help, and an understanding of these 14 fundamentals, you can build and manage your BCM program easier than you thought, and at a much lower cost.

1. BCM is risk management, not insurance: BCM ensures that business processes are appropriately resilient to disruptions, or are recoverable at an appropriate time. Insurance is a grudge purchase. You buy as little as you need and accept as many risks as tolerable. If nothing goes wrong, you feel like you wasted your money. Don’t “sell” your BCM program as insurance. Nobody wants to buy that. Sell the ancillary benefits of BCM, i.e., service delivery, compliance. Seek strategic partners and leverage their resources.


While Bloomberg’s data terminals, which serve up volumes of intricately detailed financial information to Wall Street pros on a daily basis, have enjoyed a reputation as must-have tools, a privacy breach scandal has landed the company in a threatening crisis.

Last week, it was revealed that Bloomberg reporters have had special access to data on how customers used their terminals for DECADES, and actively sought to use it in order to break stories first. Customers ranging from JPMorgan and Goldman Sachs to the U.S. Federal Reserve have all expressed extreme dismay, and the legal letters demanding further information are already starting to pour in.


A United Nations group and consultancy PwC warned businesses that they are exposed more than ever to billions of dollars worth of economic losses linked to natural disaster risks.

A report by the UN International Strategy for Disaster Reduction (UNISDR) and PwC warns that large multinationals' dependencies on international supply chains, infrastructure and markets pose a systemic risk to 'business as usual.'


On May 13, California government officials and private-sector leaders met behind closed doors to discuss a comprehensive cybersecurity plan for the state -- it was the beginning of the California Cybersecurity Task Force, the first state-led collaboration of its kind.

Because of the interconnectedness of government and private-sector IT assets, collaboration has become crucial, said Michele Robinson, acting director for the Office of Information Security.

“Those working relationships need to be strong in order to really affect this area,” she said. “We all own a piece of that infrastructure, so it’s a shared responsibility."


VARs and MSPs assume a number of responsibilities when they take on a new client, or sign a long-term contract with a current customer. In addition to providing disaster recovery and other IT services, this relationship offers the opportunity to become the go-to consultant for a number of issues that their customers experience, including those that appear unrelated to IT systems.

While consultants or service providers in other industries may consider questions outside their “sphere of influence” as nuisances, most IT professionals understand that those queries present a real business opportunity. When clients are willing to seek their VARs’ advice on a business-related subject not directly associated with their computer or network systems, it should be considered a sign of respect and an opening for forging a closer relationship.


Tuesday, 21 May 2013 15:26

IT's New Concern: The Personal Cloud

Computerworld — Bring your own device is so 2012. The next big push in the consumerization of IT is bring your own cloud. And just as when consumer devices poured into the enterprise, many IT organizations have already responded with a list of do's and don'ts.

The standard approach has been to forbid the use of personal cloud applications for business use, by offering official alternatives -- the "use this, not that" approach -- and to carve out separate cloud storage workspaces for business documents that can be walled off, managed and audited. But personal cloud services are difficult to control, and users are adept at going around IT if the productivity tools in their personal cloud can do the job easier, faster and better. IT wants a bifurcated approach to consumer and professional cloud apps and storage. But users don't work that way anymore.


Monday, 20 May 2013 15:17

What is a Disaster?

Many commercial contracts include specific definitions of what a 'disaster' is. Generally speaking, however, in a contractual context a 'disaster' refers to an unplanned interruption of, or inaccessibility to, a service, product or system. For example, the most frequent disasters are component failure, human errors and longer term data centre electrical failures.

Organisations should analyse and manage the risk applicable to their business in the event of a disaster. A commonly used preventative and reactive management technique is the inclusion of a business continuity disaster recovery (BCDR) plan as part of the organisation's risk strategy and within its key commercial contracts.


In many periods of downtime, service outages cause only minor disturbances for businesses. But in the wake of natural disasters, such as Hurricane Sandy, the impact of extended downtime can be far more consequential.

Fewer than a quarter of East Coast companies had comprehensive disaster recovery and business continuity plans in place when Sandy struck in late October, according to a release from On Hold Company.

"Many businesses treat their disaster plans like casual readers treat a copy of War and Peace: They like having it on the shelf, but aren't interested in reading it," said Bryant Wilson, CEO of On Hold Company.


This cloud is definitely getting cloudy and has been for the last few weeks. I can't help it, as the conversation I'm having with customers is all about the cloud.

Many organizations are exporting certain workloads -- like messaging and collaboration -- to the cloud. You can throw disaster recovery in with them. Many of my clients tell me that they cannot justify paying a hefty price for a secondary DR site to protect against disasters that may never happen. For those clients, DR is a workload that is well suited for the cloud.

As with any other "as a service" offering, there are tons of providers out there offering these services. So, this week I offer a few considerations when choosing the best provider to meet your company's expectations:


Monday, 20 May 2013 15:12

ERM: 5 Steps to Success

Most agree that working from the top down, meaning first identifying corporate objectives and then focusing on the details of how to achieve them, is what most managers wish they could be doing more of. However, the reality is that most managers are so busy with day-to-day activities that little time is left over to work on the big picture. Everyone agrees that the role of ERM is for risk management to be involved in the "key business decisions"; however, some misinterpret this as interviewing only the senior executives in "big picture" assessments. In reality, aligning the day-to-day activities of all managers to the strategic objectives set by senior leadership, and then aggregating and analyzing this information, is the winning approach.

So how is this accomplished?


Monday, 20 May 2013 15:11

How to Prevent IT Department Overload

Computerworld — Not long ago, IT consultant Mark A. Gilmore was called in to help an IT department that was struggling with project overload. "They'd gotten this kind of attitude -- the executive vice president calls it 'Burger King Syndrome,'" he recalls. "Their approach was, 'You can have it your way.'"

The business executives believed IT could supply whatever they wanted, whenever they wanted it. Salespeople had gotten into the habit of asking the development team to create applications within a week to fulfill promises they'd made to customers. As a result, IT employees were spending about 80% of their time reacting to crises or struggling to meet impossible deadlines rather than calmly planning their workloads, says Gilmore, president of Wired Integrations in San Jose.


Network World — When the moderator of a panel discussion at the recent RSA conference asked the audience how many thought their risk management programs were successful, only a handful raised their hands. So Network World Editor in Chief John Dix asked two of the experts on that panel to hash out in an email exchange why these programs don't tend to work.

Alexander Hutton is director of operations risk and governance at a financial services firm (that he can't name) in the Greater Salt Lake City area, and Jack Jones is principal and Co-Founder of CXOWARE, Inc., a SaaS company that specializes in risk analysis and risk management.


CLUSTERS of corporate techies hunched over their laptops one recent evening in Mountain View, California, feverishly trying to figure out how RK Industries hacked into and stole critical information from its rival, EntraDyn.

It’s a common occurrence, but in this case the firms were fictitious, and the event—a simulated exercise put on by security firm Symantec—featured rock music, a buffet and an open bar for the participants. Even so, it had a serious purpose: Increasingly under Internet attack, more and more businesses are using “cyberwar games” to learn how to spot and counter the tricky tactics used by hackers.


John Bartlett CBCI, DBCI

BC shares common goals and objectives with other management activities. When implemented correctly and with maturity, BC can provide significant benefit through the sharing of key information and the prioritisation of activities.

The Business Continuity Institute (BCI), a recognised world leader in setting and communicating best practices for BC, states that an organisation’s vulnerabilities in its business and operating model can be categorised into seven areas: Reputation, Supply Chain, Information and Communication, Sites and Facilities, People, Finance and Customers. It can also be argued that the categories of Technology and Processes should be included in this list. Anything that can affect one or more of these categories can potentially disrupt the organisation and therefore should be reviewed and/or considered by the organisation's BC.

That does not mean that the BC function should manage areas that could introduce a vulnerability under these categories, but it does mean that BC should perform a Quality Assurance and Governance role to ensure activities that could introduce vulnerabilities are being performed correctly, diligently and with the necessary controls. This will ensure BC remains a pro-active measure within the organisation as well as a reactive one.


Monday, 20 May 2013 15:05

Are we ready for hurricane season?

The official hurricane season is June 1 through Nov. 30, and every year there are named storms and predictions. Each of us has a personal responsibility to have our homes and businesses prepared.

Disasters can hit the economy hard and with tourism being the number one industry in Manatee County we must embrace the concept of year-round preparedness and be able to jump back quickly for the good of our community.

If you think about it, we are focused on preparations for hurricane season, but emergency preparedness can help a business survive when any kind of disaster strikes.


Let’s face it. We are always online in one form or another. If I am not watching television, checking mail, or using one of the 44 apps I have on my smartphone, then I am probably sleeping. Because of these use patterns, the demands on application availability are on the rise, and data is exploding. So let’s think about these two forces and how they impact disaster recovery (DR) planning for your businesses. These forces increase the DR workload for IT staff. As a result, your IT staff may be spending more time on DR instead of supporting strategic and revenue-generating projects. In other words, IT is only helping to maintain the business, not grow the business.

Cloud disaster recovery may be the answer

How do you overcome tight budgets and leaner IT staff when you are constantly being asked to do more with less? Well, you might consider “out-tasking” DR management by using cloud-based disaster recovery services.


Every managed services provider (MSP) has had a question or two on backup and disaster recovery (BDR). To help answer some of the top questions we reached out to disaster recovery (DR) and business continuity (BC) solutions vendor Datto to find out what MSPs have been asking them. Take a seat, grab a pen and paper, and pay attention to what we've learned in this MSPmentor exclusive. But don't worry, there won't be a test.

Datto Sales Manager Hallett Nichol helped us with his insights on this topic. His answers focused on costs, bandwidth and local recovery capabilities.


The highly regulated health care industry has long generated attendant compliance risks. However, a recent spate of legislation and updated regulations, a new Office of Inspector General (OIG) Special Fraud Alert, and increased government enforcement actions are shining a bright light on some of the top compliance risks facing today’s health care professionals. This article reviews the risk areas of strategic relationships and patient information and offers smart steps to consider for health care organizations seeking to mitigate such risks.

Risk areas: strategic relationships, patient information

Federal and state government mandates calling for improved reporting of patient outcomes are among factors driving the formation of strategic relationships between hospitals (providers) and physician groups, providers and health plans, and providers and pharma/medical device manufacturers. The increasing proliferation of risk-/gain-sharing partnerships such as Accountable Care Organizations (ACOs) and other physician-owned entities (aka physician-owned distributorships, or “PODs”) generates numerous compliance risks. Of particular note are risks associated with provisions and regulations such as the following:


Getting people to think about business continuity and include it in their daily lives is one ofthe most difficult and underestimated aspects of a business continuity programme, yet it can make or break the perception of how successful the programme is. It doesn’t matter how good your resilience and continuity are, if people do not know about it, what to do in an incident or how to maintain it, then you have failed to achieve some of the fundamental principles of implementing business continuity.
This requires communication in the form of education, training and awareness on your organisation's business continuity at all levels: staff, management, directors and key suppliers. Embedding business continuity in the organisation requires an organisational culture change. Organisational culture is often described as 'the way we do things', which can be broken down into a collection of shared values, working styles and patterns of behaviour, typically enforced by a set of strong social controls which establish behaviour and control the behavioural patterns. Industry experience has shown that behaviour change initiatives fail to achieve lasting commitment unless attitudes and beliefs are also engaged and corrected. One such attitude which occurs frequently as a barrier to BCM is: 'it will never happen here' or 'it will never happen to us'. In 2003, when embarking on my first BCM project in Oman, I heard these exact comments when discussing BCM threats and risks relating to cyclones, hurricanes, floods, industrial disputes and civil disorder/strikes.


For years now, the risk management gurus of the world have lamented the scourge of check-box compliance, urging organizations to make more security decisions based on sound risk management. The philosophy is that risk-based decisions generally yield more compliant environments: if an organization manages its risks, then compliance will naturally fall into place.

It's a sound idea, but when organizations flip their world view from check-box compliance to risk-first decision-making, there's bound to be times when an organization may be managing most risks well but still falls short of compliance requirements. In some cases, the organization has not documented mitigation measures well enough for the auditors yet and in others they are not quite totally compliant yet.


Friday, 17 May 2013 14:36

The five minute CIO: David Cahill

This week, the focus switches to security as AIB’s senior information security specialist talks about managing mobile devices, why real-world testing is important and user buy-in is essential.

As a percentage, how much of your annual IT budget goes on security?

That’s always a good question. To be honest, it’s nearly impossible to quantify as very often, security is taken out of several different budgets. For example, you could look at firewall admin, putting in new security rules – that would fall to the IT network guys rather than the information security team per se. Likewise, we have mainframe sec rules and that would come down to the mainframe team.


The advanced persistent threat is waging an all-out attack on enterprises’ intellectual property.

Yet most companies continue to try to protect themselves using approaches that are years out of date.

That is one of the conclusions in Responding to Targeted Cyberattacks, a frank new how-to book published by global IT association ISACA and written by professionals at Ernst & Young LLP.

The threat landscape has progressed from unsophisticated “script kiddies” to hackers to insiders to today’s state-sponsored attacks, where enterprises are attacked because of who they are, what they do and the value of their intellectual property (IP).


Friday, 17 May 2013 14:34

How to Customize IT Security Controls

Organizations in and out of government can more easily tailor their information security plans to fit their specific business missions and operational environments by using overlays, new tools introduced in the latest revision of the National Institute of Standards and Technology's information security controls guidance.

"We realize that organizations have to be able to develop their security plans that really talk to their specific mission," says NIST Fellow Ron Ross, who oversaw the drafting of the latest catalogue of IT security and privacy controls. "The overlay concept is introduced to allow that specialization."


SAN FRANCISCO — No one can be certain when a natural disaster will strike, so to better prepare for such events, the city of San Francisco, outside agencies and organizations, and volunteers participated in the annual Golden Guardian statewide exercise on Wednesday, May 15. This year's functional exercise focused on carrying out policies, response and recovery after a magnitude 7.8 earthquake struck the San Andreas Fault near San Francisco. The city focused on what would be required in its response for up to 48 hours after the earthquake hit.

During the exercise, San Francisco’s Department of Emergency Management practiced its response inside the EOC and worked with other agencies including FEMA, the U.S. Navy and the city’s Human Services Agency. The agencies worked together and practiced communicating about how they would help coordinate the city’s recovery to the earthquake scenario. Offsite from the EOC, shelter and feeding exercises were performed to get a better understanding of the response required when an emergency leaves nearly 1.2 million people stranded in the city.


We are pleased to announce the shortlist for the BCI Inaugural European Awards. The BCI European Awards recognise the outstanding contribution of business continuity professionals and organizations living in or operating in Europe.

The winners will be announced at an Awards Dinner that is taking place on the 12th June in Belgium as an integral part of the Executive Forum.

All winners from the BCI European Awards 2013 will be automatically entered into the BCI Global Awards 2013 that take place in November during the BCM World Conference and Exhibition 2013, 6th to 7th November 2013 in London.

And here are the finalists in no particular order:

Business Continuity Manager of the Year

  • John Gray MBCI
    Global BCM Programme Manager
    Hewlett Packard
  • Dave Clarke
    Business Continuity Manager
    Telefónica UK Limited
  • Elaine Tomlin MBCI
    Business Continuity Manager
  • Lesley Grimes MBCI
    Business Resilience Manager

Most Effective Recovery of the Year

  • NHS Blood and Transplant
  • Vodafone Libertel BV
  • Telefónica UK Limited & DHL Supply Chain Ltd (Joint submission)

Business Continuity Team of the Year

  • European Commission
  • BT

BCM Newcomer of the Year

  • Adele Lock AMBCI
    BCM Relationship Manager
    HSBC Bank Plc
  • Andrew MacLeod AMBCI
    Business Continuity Consultant
    Needhams 1834 Ltd
  • Louise Taylor AMBCI
    Service Delivery Consultant
    Hewlett Packard

Public Sector BC Manager of the Year

  • James McAlister MBCI
    Business Continuity Manager
    Merseyside Police
  • Mary-Ellen Lang MBCI
    Corporate Resilience Manager
    The City of Edinburgh Council
  • Alan Jones MBCI
    Head of Resilience & Emergencies
    West Sussex County Council and West Sussex Fire & Rescue

Business Continuity Provider of the Year (Service)

  • Deloitte LLP
  • PlanB Consulting
  • Continuity Shop

Business Continuity Provider of the Year (Product)

  • Vocal Ltd
  • eBRP Solutions Network, Inc.
  • ClearView Continuity

Business Continuity Innovation of the Year

  • HI CARE Association
  • PwC
  • Easy Continuity Ltd
  • xMatters

Based in Caversham, United Kingdom, the Business Continuity Institute (BCI) was established in 1994 to promote the art and science of business continuity worldwide and to assist organizations in preparing for and surviving minor and large-scale man-made and natural disasters. The Institute enables members to obtain guidance and support from their fellow practitioners and offers professional training and certification programmes to disseminate and validate the highest standards of competence and ethics. It has circa 8,000 members in more than 100 countries, who are active in an estimated 3,000 organizations in private, public and third sectors.

When Adobe was hit with a break-in to one of its code-signing servers last September, chief security officer (CSO) Brad Arkin used the crisis to drive security change and improvement.

Attackers exploited an insecure configuration on a server in the company and initiated code-signing requests for malicious software to infiltrate the corporate network.

The attack was quickly detected and shut down, but it revealed weaknesses in the security processes which Arkin set about changing, using a five-step plan.


Increased awareness of the need to prepare for risk and risk of disaster does not always translate into action. One of the reasons businesses choose not to become more actively involved in planning for increased preparedness is that they feel prior events are not likely to recur or that the effects if they were to occur would not be overly severe.[1] Interestingly, while the Asia-Pacific Economic Cooperation (APEC) region accounts for 40 percent of the world’s population and half of global gross domestic product, the area sustains almost 70 percent of the world’s natural disasters.[2] A 2011 survey among APEC member economies found that only 15.9 percent of small and medium-sized enterprises and 52 percent of large company respondents have a business continuity plan.


Thursday, 16 May 2013 15:29

How to prevent (or fix) a crisis

The way Salomon “Samy” and Amy Bouzaglo acted during the season-finale episode of Fox’s “Kitchen Nightmares” was a big enough public-relations mess. But all the post-show insults posted online — whether authentic or not — turned an ugly situation into a social-media disaster that could have been prevented.

On the show, which aired Friday, the Bouzaglos, owners of Amy’s Baking Company in Scottsdale, are seen yelling at and pushing customers. Patrons are unaware that the tips they leave for the servers end up with the owners. The couple refuse to listen to chef Gordon Ramsay’s criticism, prompting him to walk away from the restaurant before his job was done, a first for the British host, who has a surly reputation himself.

What happened on social media after the show aired elevated the restaurant’s problems to a full-blown crisis.


A cottage industry is growing up around virtual padlocks that consumers can place on cloud services so that the vendors themselves can't get to the information -- even if the government requests access.

And in recent years there have been a lot of those government requests for access from storage-as-a-service providers.

For example, Google regularly receives requests from governments and courts around the world to hand over user data. Last year, it received 21,389 government requests for information affecting 33,634 user accounts. Sixty-six percent of the time, Google said it provided at least some data in response.


Where are the most dangerous places in the world to run a business? The geography of risk changed significantly in the last year, according to the 2013 Risk Map released today by the risk management business of Aon, a London-based insurance and business services company. But some parts also stayed the same: Central Africa remains a no-go zone, while the Middle East and Central Asia are still very risky.

The whole map can be seen here (PDF).

Countries were evaluated for overall risk, and also given special mention for particular risks in six categories: exchange transfers, sovereign non-payment of debts, political interference, supply chain disruption, legal and regulatory risk and political violence. Nine Middle Eastern countries and 23 African countries were said to be particularly risky in all six of them.


For quite some time, business continuity professionals have been associating Cyber Security as an important Business Continuity Planning (BCP) concern, but, like so many other issues in the world of BCP, without full buy-in from upper management (or the Board of Directors), it will be almost impossible to truly implement effective Cyber Security policies, plans and procedures throughout any organization.

With that point in mind, and to assist the process of increasing cyber security awareness in your company’s upper management, our staff recommends reading an article written by Edward B. (Ted) Brown III, CBCP CBCV MBCI, where Brown not only stresses the importance and need for awareness of how Cyber Security relates to your organization, but primarily presents a logical argument for what an organization needs to do to heighten that awareness and develop proactive and preventive action plans to mitigate those potential cybersecurity related risks and threats against your organization.


Thursday, 16 May 2013 15:25

IT Security: Meeting Future Needs

What's it going to take to attract individuals to information security and develop the right skills required to tackle the profession's future needs? ISACA's Allan Boardman offers his insights on growing the field.

The current cybersecurity climate looks like this: Organizations struggle to find qualified staff to fill all the roles open in information security and risk management, and within the existing talent pool there's a lack of skills necessary to succeed in those roles, says Boardman, international vice president of ISACA.


How much can a flawed disaster recovery and business continuity plan cost you? Try an average of $90,000 for every hour of downtime among corporations, according to Strategic Research. Whether we're talking a hurricane, flood, terrorism or simply a loss of power, CIOs must consider every worst-case scenario and come up with a comprehensive failover and response strategy. In fact, the survival rate for companies without a disaster recovery plan is less than 10 percent, according to a study from Touche Ross. To lend proper guidance, Janco Associates has come up with the following "Ten Commandments of Disaster Recovery and Business Continuity" list of best practices. They cover a comprehensive range of needs, including proper documentation, information accountability and multiple-testing processes. In other research from Janco in which more than 180 enterprises were surveyed, nearly 67 percent reported that errors in planning accounted for disaster-recovery failures—the top reason cited. The next highest are outdated plans (51 percent), inability to find passwords (37 percent) and insufficient backup power (24 percent).


Pamela Jenkins is a research professor of sociology at the University of New Orleans. After Hurricane Katrina, she expanded her focus to the human and community impact of disasters. She spoke with Emergency Management recently about the lingering effects of Katrina and lessons learned for long-term planners as they consider the social toll of major events.


One day something large and very bad will happen in Los Angeles. That’s a given. With training and preparation, emergency managers will be ready to respond on that day. What comes next, however, is a topic seldom discussed.

Whether in advance of a crisis or in the wake of a disaster, long-term planning is both vital and often overlooked. How will the community survive and thrive 10 years down the road, or 20 years?


Thursday, 16 May 2013 15:14

Developing a response for the unexpected

A number of organisations believe that, somehow, they are different and unlikely to experience or suffer from an incident, the "it will never happen to me" attitude. More often than not, they are wrong. No organisation wants to be affected by an incident or expects it, but that does not mean that they should not consider and plan a response in case it does happen.

Developing and implementing a response to incidents and disruptions is at the core of Business Continuity. It can determine how your organisation is perceived and whether your business survives. It consists of ensuring the appropriate plans are developed and communicated; the required infrastructure and facilities are implemented to support the plans; and completing the necessary risk treatments to achieve the desired Business Continuity strategy defined and agreed (see previous article).

With the start of the Atlantic hurricane season only two weeks away, experts across the board are predicting another active season. Today, released its findings calling for 16 named tropical storms, eight hurricanes and four major hurricanes. They expect three hurricanes to make landfall in the United States. These numbers are all slight increases over the average numbers recorded by NOAA from 1981-2010 and are comparable to last year’s activity.

According to AccuWeather, the season should begin quickly after June 1, but isn’t anticipated to start as early as 2012 when two named storms appeared in May. However, 2013 could see stronger storms than last year due to the reduced amount of Saharan dust in the air, which can inhibit a storm’s severity.


MENLO PARK, Calif. – Demand for added attention to high-risk processes, growing costs and the increasing role of IT controls and testing reports are some of the key changes and challenges companies faced over the last year as they worked to meet Sarbanes-Oxley (SOX) requirements, according to findings in the 2013 Sarbanes-Oxley Compliance Survey by global consulting firm Protiviti.

When executives and professionals involved in SOX compliance were asked what was driving the most change in their SOX compliance processes, 66 percent said there was at least moderate change due to demand for increasing process and control documentation for high-risk processes. Additionally, 60 percent of respondents indicated that the increased amount of time required for walkthroughs and documentation around processes was also driving moderate change.



The information security job market continues to expand. In fact, according to a report by Burning Glass Technologies, over the past five years demand for cybersecurity professionals grew 3.5 times faster than that for other IT jobs.

To make things even more interesting for those looking to pursue a career in information security, the InformationWeek 2013 Salary Survey reports that 63% of IT security staffers are satisfied or very satisfied with all aspects of their jobs, while nearly two-thirds of IT security managers are similarly content. The demand for security pros is booming, so much so that the gender gap has nearly closed when it comes to pay.



New regulations are driving significant changes in risk management systems and processes, and financial institutions need to ensure their technology is flexible enough to respond, according to Tony Webb, director of analytics at Fincad, a British Columbia, Canada-headquartered risk analytics and derivatives risk management software provider.

Regulators across the globe are working to implement a Group-of-20 pledge to clear all standardised over-the-counter derivatives through a central counterparty and to report transaction-level data to repositories. Meanwhile, several countries implemented Basel III on schedule from the start of 2013, which - among other things - requires banks to meet a credit valuation adjustment capital charge and comply with new liquidity ratios. Other jurisdictions - US and Europe among them - have not yet implemented the new Basel framework, but have pledged they will.


Wednesday, 15 May 2013 15:53

11 Tips for Deploying ERP Applications

CIO — As companies become increasingly complex, finding an enterprise resource planning (ERP) solution that meets all needs may be as likely as finding a unicorn. Indeed, in today's global mobile environment, organizations are looking for an ERP system that does more than integrate with a legacy system.

However, with so many solutions on the market, how do you choose the software system that's right for your enterprise, that your different business groups will actually use?

To help you increase your odds of finding and deploying an ERP solution that will benefit your organization (and to help you cut through all the marketing hype), queried dozens of ERP experts. Their top 11 suggestions on how to choose and deploy an ERP system successfully appear below.


CIO — WASHINGTON -- For IT managers in the federal government to wring more value out of the enormous stores of data they oversee, they must develop deeper partnerships with service providers in the private sector, according to a panel of experts speaking here at the annual FOSE government IT conference.

"The reason why government is hesitant towards a lot of the private sector is the private sector would push solutions looking for problems."

Federal IT workers from the CIO on down are dealing with the challenges of big data, but they're doing so amid the various pressures of contracting budgets, exponential growth in data volumes and a mounting expectation for higher-level, technology-enabled citizen services.


When looking in the face of a disaster, the last thing your enterprise needs is to scramble to achieve business continuity. Many businesses are strapped for cash after a prolonged period of economic hardship. New standards are emerging to help align business continuity initiatives and provide guidelines to follow. Certifications can even serve to review standards-based internal programs, so your teams know they are going forward with a plan based on established criteria.

Recent years have shown enterprises are vulnerable to events in the outside world, including the September 11, 2001 terrorist attacks and Hurricane Sandy in 2012. The Department of Homeland Security was not only formed to deter terrorist attacks, but to help people and businesses be most prepared for the unknown. To establish more effective standards, it created the Private Sector Preparedness (PS-Prep) initiative. Standards related to the initiative include:


Enterprises spend billions every year maintaining (and powering) duplicate racks and even entire data centers, solely for occasional potential use (in the event of an unforeseen outage or disaster). Required by law in many cases, it is probably one of the largest IT investments with among the lowest returns on investment. The money invested in disaster recovery isn’t wasted; it simply represents money well spent ensuring that applications will be highly available to users.

In the financial community (and others responsible for handling massive amounts of transactions and critical supply chain data), the cost of downtime has been well documented and more than justifies the DR investment. Outages are often more costly in terms of lost revenue, brand erosion and employee productivity. So DR is like a kind of insurance policy, except instead of a policy-holder getting compensated for a loss the policy-holder instead maintains two (or more) of everything. That is perhaps not the most efficient use of high cost IT assets as well as the energy used to power them.


Lean manufacturing practices can create efficiency and reduce waste, but smaller inventories put companies at risk for major supply chain disruptions. Many organizations are reconsidering their procurement strategies for emergency preparedness after discovering their operational vulnerability in the aftermath of the 2011 earthquake and tsunami in Japan, as well as the flooding in Thailand, according to Lloyd's.


Eighty-five percent of companies with global supply chains experienced at least one supply chain disruption in the previous 12 months.[1] Risk is inherently unpredictable. Fortunately, the current workforce is undergoing its own transformation to be able to identify and manage risk on a global basis.

For more than 35 years I have worked with companies and manufacturers around the world on supply chain related business opportunities. One thing senior executives of those firms all had in common was a relentless, positive perspective and motivation for improvements in the global supply chain. Risk management has become the pervasive mantra throughout the supply chain world, but as technology evolves the need for increased business agility is at an all-time high. As manufacturers continue to adopt more technology and become more sophisticated and global, not only do they become more vulnerable to risk, they also have more opportunities to manage risk.


I've devoted my last two columns to the issue of education for emergency managers. However, I don't want to give the impression that education alone is sufficient for success as an emergency manager. As several of my colleagues have pointed out, success is determined by a combination of education, training, and experience. The mix can change depending on the environment and the position but all three are essential.

The question, though, is what constitutes "training?" Where education teaches concepts, training provides the general and specific skills needed to do the job. Education tells us why we do something; training tells us how we do it.


Wednesday, 15 May 2013 15:45

Securing Hadoop Data: 10 Best Practices

Storing data in Hadoop has become a common practice in IT these days. However, there are some concerns about securing sensitive data in Hadoop. Dataguise, a maker of data security intelligence and protection solutions, has provided us with 10 security best practices for organizations considering or implementing Hadoop. By following these procedures for privacy risk, data and security management, enterprises can prevent costly exposure of sensitive data, reduce their risk profile and better adhere to compliance mandates. These practices and procedures come from Dataguise's experience in securing large and diverse environments. The explosion in information technology tools and capabilities has enabled advanced analytics using big data. However, the benefits of this new technology area are often coupled with data privacy issues. In these large information repositories, personally identifiable information (PII) such as names, addresses and social security numbers may exist. Financial data such as credit card and account numbers might also be found in large volumes across these environments and pose serious concerns related to access. Through careful planning, testing, pre-production preparation and the appropriate use of technology, many of these concerns can be alleviated.


A survey of 506 data professionals working in UK businesses, carried out by London Economics on behalf of the UK Information Commissioner’s Office (ICO), reveals today that 87 per cent of them don’t know what it will cost to implement the EU’s General Data Protection Regulation.

Worse still, accurate understanding of the new regulation, likely to come into force in 2016, is very scant indeed. The survey interviewees were asked questions about the 10 main provisions proposed by the new law and 40 per cent failed to give a fully accurate description of any of them. Not one. And these are data specialists.


In recent years, companies—public companies in particular, but private companies as well—have increasingly created standalone compliance functions to guide, monitor, and measure adherence to company ethics policies, as well as myriad laws and regulations, including those relating to fraud and corruption. As compliance offices expand globally and take on more authority, personnel, and responsibility, they also become more visible cost centers in the organization. A question that may be increasingly asked of compliance officers is how they are defining and measuring value. In short: what is the return on investment (ROI) of their departments?

Capturing this ROI in a detailed and effective manner can be elusive. It is self-evident that compliance functions exist for the purpose of preventing and detecting violations of law and company policy and promoting a culture of compliance, but how can that be measured with any degree of reliability? Specifically, there is the difficulty of proving a negative: how does a company quantify what might go wrong—or would have gone wrong—had the company not invested in compliance initiatives?


Companies are playing it safe when developing new products and services, research shows.

A new study by Accenture revealed that nearly half of executives feel their businesses have become more risk averse when considering new ideas. Instead of inventing new products and services, 64 percent of companies focus more on product-line extensions.


In the summer of 1968, a new strain of influenza appeared in Hong Kong. This strain, known as H3N2, spread around the globe and eventually killed an estimated 1 million people.

A new study from MIT reveals that there are many strains of H3N2 circulating in birds and pigs that are genetically similar to the 1968 strain and have the potential to generate a pandemic if they leap to humans. The researchers, led by Ram Sasisekharan, the Alfred H. Caspary Professor of Biological Engineering at MIT, also found that current flu vaccines might not offer protection against these strains.

“There are indeed examples of H3N2 that we need to be concerned about,” says Sasisekharan, who is also a member of MIT’s Koch Institute for Integrative Cancer Research. “From a pandemic-preparedness point of view, we should potentially start including some of these H3 strains as part of influenza vaccines.”


Security and technology heads at top Australian organisations say the impact of a mandatory data breach reporting scheme on businesses will largely depend on what the Federal Government determines are 'reasonable' security controls.

Plans for a data breach notification scheme were shared with a small number of stakeholders as the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013, obtained by SC.

The scheme was recommended by the Australian Law Reform Commission in 2008 and would force organisations to notify the Federal Privacy Commissioner, affected consumers and on occasion the media when data breaches occur.


Tuesday, 14 May 2013 14:59

Not what it seems

I was walking my dog, Barney, recently when someone stopped to say hello. To him, not me – he's always the first one that people talk to, I can't think why. "I love Springer Spaniels," she said, when she eventually acknowledged my presence, "in fact I have two myself."

"Actually he's a Field Spaniel" I replied, to which she asked "are you sure? He looks like a Springer."
I pointed out that whilst his markings are quite Springer-like, Field Spaniels are generally a bit shorter, a bit stockier and a bit squarer-faced than Springers (and a tad more expensive, but I kept that one to myself as I thought she might take it the wrong way).

Business continuity is a big deal. Having your infrastructure up and running in the case of an outage, a disaster, or some other unforeseen event can make the difference between generating more revenue (based in large part on your consistency as a business) and losing untold dollars and credibility.

One of the hallmarks of the new, distributed and mobile workforce is BYOD, a movement that is increasingly enabled by innovative cloud technologies. BYOD has great virtues for an organization, especially in the instances where business continuity planning comes into play. If your workforce can still access their communication and collaboration tools, any disruption to business as usual can be mitigated.


Tuesday, 14 May 2013 14:58

Preparing SMBs when disaster strikes

Determining an organization’s tolerance for loss is a key first step in preparing for disaster recovery. The cost a business incurs to maintain a suitable disaster recovery plan depends largely on how closely it relies on IT for its revenue.

This is true for any sized business from the large online vendors such as or to SMEs with a small online cart.

For example, companies like Amazon or Google depend so heavily on their IT infrastructure that their tolerance for outages is zero, whereas a factory in rural Malaysia might have a higher tolerance for outages or even data loss.


India has made encouraging progress in recent years to put in place mechanisms for disaster prevention and mitigation, but there is still a long way to go and local communities must be involved in the effort, Prime Minister Manmohan Singh said Monday.

Addressing the first session of the National Platform for Disaster Risk Reduction (NPDRR) here, the prime minister called for greater attention to arrangements for providing funds to people to cope with losses suffered in the wake of natural disasters.

"Disaster management is an area of vital national importance to our country, and I believe that the integration of disaster risk reduction strategies into our development initiatives must necessarily involve local communities. We must make full use of our Panchayat Raj institutions to achieve this objective," the prime minister said.


If somebody asked you to do the exact same work over and over again, would you think that was a smart thing to do? Of course not. But that’s exactly what many of us are doing in our backup environments.

There are a lot of technology approaches to backup, and all of them have to deal with ever increasing amounts of data.  But they are not all equally smart. In fact, when you look at them a certain way they can be downright stupid. And while “Dumb and Dumber” may have been quite popular as a movie, it shouldn’t serve as an approach to backup.


Emergency medical technology (EMT) students at San Jacinto College in Houston were plenty busy recently learning proper procedures for a rescue demonstration all the while dodging flying paintballs.

It was part of a training exercise that points to the importance of communication and teamwork, even during the heat of a scenario like a shooting or bombing. San Jacinto College North (there are two programs, North and Central) instructor and Army veteran Ali Shah said the paintball exercise is a “watered down” version of the Tactical Combat Casualty Care course that soldiers experience in the military.


As the current Terrorism Risk Insurance Act (TRIA) moves closer to its scheduled expiration date of December 31, 2014, the debate is heating up over whether the federal backstop remains necessary and whether the market demand for terrorism coverage still exists. According to the Marsh 2013 Terrorism Risk Insurance Report, released April 30, demand for coverage has remained both steady and strong. These results only reinforce the need for a long-term extension of the terrorism backstop.

During the first full year of TRIA, only 27% of organizations obtained terrorism coverage as the market was still adjusting to the TRIA program and the fallout from the 9/11 attacks. Since that time, take-up rates have grown steadily. By 2005 the take-up rate for terrorism insurance was 58%. Today the rate is more than 60%—where it has been since 2009. The take-up rates are highest among companies with total insured value (TIV) over $500 million, but even those companies with less than $100 million in TIV obtained terrorism insurance at a 59% rate in 2012.


Andras Cser probed a sore spot in IAM last week with his post, “XACML Is Dead.” It’s a necessary conversation (though I did see a glint in his eye at the Forrester BT Forum after he pressed Publish!). Our Q3 2012 Identity Standards TechRadar showed that XACML has already crested the peak of its moderate success trajectory, heading for decline. We haven’t seen its business value-add or ecosystem grow since then, despite the publication of XACML 3.0 and a few other bright spots, such as Axiomatics’ recent funding round.

It’s not that we don’t need an interoperable solution for finer-grained access control. But the world’s demands for loosely coupled identity and access systems have gotten...well, more demanding. The solution needs to be friendly to open web API security and management. It needs to be friendly to mobile developers. And it most certainly needs to be prepared to tackle the hard parts of integrating authorization with truly heterogeneous cloud services and applications, where business partners aren’t just enterprise clones, but may be tiny and resource-strapped. This admittedly gets into business rather than technical challenges, but every ounce of technical friction makes success in the business realm less likely.


Top executives within organizations are always thinking about how they can expand beyond their role. For chief audit executives (CAEs) specifically, the demand and necessity to do so have ebbed and flowed over the past decade, but they have picked up steam in recent years because of the increased expectation on CAEs to deliver more value. The ways CAEs can do this include being more strategic, having more of a business risk mindset rather than a pure audit mindset, and bringing business acumen to the table. But right up there with those three mandates is increasing adoption of technology by internal audit departments.


Experts say employers can prevent many motor vehicle accidents among their workers, often at little expense. By focusing on the issue and including driving as part of a corporate safety culture, businesses can greatly mitigate the risks associated with motor vehicle incidents.

Latest trends. A preliminary estimate of motor vehicle fatalities for 2012 indicates an increase over 2011, according to the National Safety Council. The 36,200 deaths represent a 5 percent increase and the first since 2005. Crash injuries that required medical attention were also estimated to have increased by 5 percent to 3.9 million.


We can learn a lot about risk from academia. University environments embody the whole data privacy world in microcosm. Colleges and universities handle a broad range of personal information — from students, staff, alumni, donors, and other community members — with their functions in financial services, food services and housing, student stores, and medical services.

On average, educational institutions report 1.3 million records compromised per year, based on statistics from Privacy Rights Clearinghouse. (Check out this infographic from Open Site, for an overview of data breaches in higher education.)

Nobody understands the privacy and security risks in the academic world better than Grace Crickette, chief risk officer for the University of California, a sprawling system that includes ten campuses and five medical centers. She shared her insights, which can be translated into 3 lessons on risk:


Monday, 13 May 2013 15:19

Are you prepared for an incident?

Increased media attention on cyber incidents, strong data protection legislation and regulatory interest in security have brought increasing investment and progressive improvement in proactive security within companies.

This usually takes the form of a manager responsible for information security, and the introduction of technical security controls. However, I have seen companies struggle with optimising the use of these controls both in defending against attacks, and responding effectively to an incident when an attacker breaches these controls.


Monday, 13 May 2013 15:18

Active Data Vs. Active Archive

In my last column I discussed how what we used to consider active data is changing. We now have to look at the potential working set instead of the actual working set. Thanks to initiatives like real-time analytics, some data that we used to classify as archivable now needs to be at the ready. If this is the case, what is the role of archive? How do disk and tape archives participate in an increasingly active world?

The key to a balanced storage strategy, even with all this active data, is to change how we decide to archive a given set of data. Under the current archive methodology the most common decision point is last modification date. In other words, data that is X days/years old can be archived, and everything else has to stay on primary storage. The problem with this methodology is that it is not compatible with real-time analytics, and not even really compatible with the way users actually use data.


Monday, 13 May 2013 15:14

Top five tips to master BYOD security

Business owners are becoming increasingly concerned with the proliferation of technology in the workplace. Innovations such as BYOD, cloud, global access and social networking have many CIOs spinning their wheels on how to effectively secure their data and protect valuable intellectual property.

In this (n)ever-changing threat landscape, companies and governments are constantly battling organised cybercrime and hacktivism. With malware such as Flame, Stuxnet and Shamoon in the modern-day cybercriminal’s arsenal, CIOs need to stay one step ahead of the game and prepare for attacks accordingly.


Residual Risk: if you’re not familiar with the term, you should learn how it applies to your Business Continuity Management program.

In pulmonary science (the study of lungs) there’s something called ‘residual volume’.  That’s the amount of air that remains in your lungs after you forcefully exhale.  No matter how hard you try, there will always be residual volume.

In Business Continuity Management there’s something called ‘residual risk’.  It’s not much different: once you’ve mitigated identified risks, what’s left is residual risk.  No matter what you do, there will always be residual risks.  Business Continuity Plans are the primary tactic to deal with those residual risks.


Monday, 13 May 2013 15:11

7 Things That Can Ruin a BCM Program

When financial hardships strike an organization, the Business Continuity program usually takes a hit. In fact, often it will take a hit when times are good so that the corporation can focus on other initiatives: initiatives designed to build upon the good times and keep the company making money. Increase that revenue, YEAH!! When this occurs, resources get reassigned to other projects and the BCM program gets placed on the back burner, or it sees resources funnelled away to support other initiatives.

What kind of things do organizations cut from their budgets that can undermine and slowly dismantle a BCM program? Here’s just a short list of some of the actions corporations will take in diverting BCM-intended resources.

1. Training – Training is suspended because sending employees on courses to upgrade and keep skills current is deemed too costly, especially if travel and accommodation are required. This training also helps to bring new ideas to the organization on how to better its programs, but at the same time many executives (or those that approve BCM training) will simply state that the corporation already knows what it would do. Thus, additional training isn’t required. Or worse, they send BCM people on courses that have nothing to do with their role.


Are you a believer in serendipity, that magic moment when several disparate things come together to produce something marvelous that is greater than the sum of its parts? I am, and I believe we could be on the cusp of such a moment if we can seize the opportunity.

Three things occurred this week that make me feel this way. The first is the thoughtful comments of readers of last week's blog on emergency management education, particularly those that reminded me of the Emergency Management Institute's Emergency Management Professional Program. EMPP is intended to develop core competencies for emergency managers and does an excellent job of combining concepts with general and specific skills.