Industry Hot News

You may say to yourself, “We don’t have earthquakes in my area, so why should we participate?” The truth of the matter is that everyone, everywhere should know how to protect themselves during earthquakes – at home, at work, at school, or while traveling where earthquakes occur. If your school, hospital or university is in an area where earthquakes are rare, consider how often your students and staff may visit earthquake regions for conferences, sports, research or vacation. Also, others may one day move to earthquake-prone areas.

By participating in the Great ShakeOut, you can make sure they will be ready to respond appropriately.

Great ShakeOut Earthquake Drills are an opportunity for your campus community to learn and practice what to do during earthquakes (“Drop, Cover, and Hold On”), and to learn about your overall preparedness plans.

Millions of people worldwide participate each year by registering at www.ShakeOut.org/register, including many from K-12 schools, colleges or universities, hospitals and other large organizations. Participation can take less than 10 minutes.



Earlier this summer the GDPR, or General Data Protection Regulation, superseded the European Data Protection Directive (EDPD) to become the new keystone of data protection in Europe. Its broader scope includes consumer information from personal identifiers such as social security numbers, to data on a person’s race, politics, web browsing history, and even biometrics. GDPR’s expanded reach covers not only the data of citizens in all 28 EU member states, but also the data collected on EU citizens by any company worldwide – even if they don’t have a business presence in the EU.

Sungard AS introduced XRS to Cloud Recovery – Amazon Web Services with an SLA-backed service for disaster recovery, assuring availability and recoverability of service.

Companies in the business of automated debt collection know that having access to a person’s most private financial information, credit card balances and debt load is highly sensitive. Industry regulations are already in place to protect individuals. But companies like Ireland-based Expert Revenue Systems (XRS) – which specializes in credit control, collections, debt recovery and litigation solutions – are under the gun to make sure they protect clients even further.



Tuesday, 16 October 2018 14:11

XRS Embraces New Data Protection Law

Corporate social responsibility in crisis management is more important than ever. Whether it’s looking after clients or taking the right steps to protect employees, organizations have a legal and moral duty to look after their people when a crisis happens. Dr Liz Royle explores this subject, explaining how organizations can prepare for and respond to a ‘Psychological Critical Incident.’

In the age of social media, an organization that doesn’t prioritise the wellbeing of staff and customers will quickly find itself the next viral scandal – whether it’s a data breach that puts customers’ financial lives at risk or a violent incident that has left staff traumatised.

The new ISO 22330 guidance for managing the people aspects of business continuity, states the importance of putting people first during a workplace crisis.

This can be broken down into four key stages:

  1. Preparation through awareness, analysis of needs, and learning and development;
  2. Coping with the immediate effects of the incident (respond);
  3. Managing people during the period of disruption (recover);
  4. Continuing to support the workforce after returning to business as usual (restore).

ISO 22330 states that ‘An employer can be deemed to have breached their duty of care by failing to do everything that was reasonable in the circumstances to keep the employee safe from harm.’



(TNS) - Avoidance is a great way to mitigate risk. As in, get out of trouble’s way, or don’t be there to begin with.

When it comes to hurricanes, that good advice is getting harder to heed. In Florida, we continue to build along our coasts, often just a few feet above sea level. New homes spring up on barrier islands. Condo towers rise where mangroves once grew.

Since 1970, the state has added nearly 15 million residents, most of them flowing into storm-prone counties that border the Gulf or the Atlantic.

We aren’t alone. The other Gulf states including Texas have peppered their waterfronts with development. So have Georgia and the Carolinas. Some inland states allow construction in flood plains, and then rebuild each time the rivers overflow.



Why Business Continuity Must Be Part of Your Strategy

Carrying insurance, having a plan, limiting liability… these are all important steps to minimize risk associated with a disruptive event. But without a dynamic business continuity management program, brand equity could suffer significantly. David Nolan, CEO and founder of Fusion Risk Management, rebuts seven common misconceptions about business continuity.

Imagine a runner on a treadmill following a preset workout program. Even as the treadmill speeds up during the higher-intensity phases, as long as the runner is prepared for changing conditions, she will stay in sync with the machine. But if the runner falters or stops and the treadmill keeps going, she’ll stumble, fall and may even end up injured.

A business trying to remain competitive and profitable in today’s world is like the runner trying to keep pace with the machine. If a business is prepared for whatever adverse circumstances come up, the organization can take it in stride and keep moving forward. If a business is not prepared, then it will experience disruptions – and, like a runner who gets injured, the business may find it difficult to recover.

To keep the business running and revenue flowing, executives must include business continuity in their overarching company strategy, and that requires a fundamental understanding of what business continuity is and what it means for the organization.



Tuesday, 16 October 2018 14:06

Is Your Company Prepared For The Worst?

Our guest blogger, Lynne McChristian, is an I.I.I. representative based in Tallahassee, about 100 miles from where Hurricane Michael came to shore.

By Lynne McChristian

After a major natural disaster, there are various levels of survivor conditions – ranging from total devastation to mild inconvenience. In comparison to what people are experiencing in Mexico Beach and the Panama City areas of Florida, my inconveniences are extremely inconsequential. I was asked for a first-person account, and here’s where things stand on a Sunday afternoon.

In my Tallahassee neighborhood, we have been without power since about 2:20 p.m. on Wednesday. This is Day 5 of powerlessness. The air conditioners are silent in the 88-degree heat, but the rumble of portable generators is a bit overbearing, especially at night. The choice is to keep the refrigerator contents cool, or sleep.



Tuesday, 16 October 2018 14:05


(TNS) - On Sept. 2, 2017, volunteer firefighter Chris Martin spread the word to his neighbors. The Jolly Mountain fire was raging nearby. Pack up important possessions and prepare to leave at a moment’s notice.

The flames never made it to town. People stayed put, but many now live with a new sense of vulnerability.

“This was a game changer for us,” said Martin, a Roslyn volunteer firefighter who handed out the evacuation notices.

This month, on a crisp fall day, Martin once again was trying to protect the town. But this time, instead of warning of a fire, he joined 30 other men and women in setting fire to 32 ridge-top acres he owns above Roslyn.



(TNS) - Nassau County's Amateur Radio Emergency Services (NCARES) team is helping state emergency management authorities with communications networking and technical expertise in Panhandle counties hard hit by Hurricane Michael.

The hurricane destroyed critical infrastructure throughout several counties west of Tallahassee. Many are relying on volunteer Ham Radio operators utilizing the State Amateur Radio Network (SARnet) to relay information about structural damage, supply shortages and requests for assistance from the Panhandle to Northeast Florida. Those needs can be put directly into Emergency Management's web-based disaster information and mission request system, said Martha Oberdorfer, spokeswoman for Nassau County Emergency Management.

A nonprofit, NCARES pays for all of its equipment and operations through donations and two annual barbecue fundraisers. Volunteers donate their time and resources to Nassau County Emergency Management staffing the County Watch Office, Oberdorfer said.



IBM Services has released the results of a global Ponemon Institute study exploring the impact that business continuity management can have on the cost and frequency of data breaches; it shows 10 ways in which BCM provides quantifiable benefits.

The ‘2018 Cost of Data Breach Study: Impact of Business Continuity Management’, a survey report sponsored by IBM and conducted by the Ponemon Institute, reinforces the call for new solutions to combat evolving cyber threats around the world. The longer it takes to identify, contain, and recover from a data breach, the more time, money, and resources it consumes throughout an organization.

According to the research, BCM programs can reduce the per capita cost of data breach, the mean time to identify (MTTI) and the mean time to contain (MTTC) a data breach and the likelihood of experiencing such an incident over the next two years.

On average, responding companies that prioritize business continuity management saved 44 days in the identification of the incident and 38 days in the containment of the data breach.



(TNS) - Cleanup continues from Hurricane Michael, which struck South Georgia Wednesday evening through early Thursday morning.

In a Saturday afternoon Facebook post, the City of Moultrie reported about 60 downed trees in the city and more than 300 county-wide.

On the Colquitt County Board of Commissioners Facebook page, the county listed 19 roads as still being closed about 2 p.m. Saturday.



In a survey report released by Deloitte, almost all (96 percent) of CEOs and board members say that they expect their organizations will face serious threats or disruptions to their growth prospects in the next two to three years. Despite that, many are not adequately prioritizing the strategic planning and investment needed to identify, respond to and mitigate critical risks.

‘Illuminating a path forward on strategic risk’, a survey of 400 CEOs and board members from US organizations with $1 billion or more in annual revenue, explores the leaders' posture on four critical and interconnected strategic risks:

  • Brand and reputation;
  • Culture;
  • Cyber;
  • Extended enterprise.

"This survey validates what we're seeing in the marketplace - that many CEOs and board members are risk-aware but not adequately risk-prepared," said Chuck Saia, CEO, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP. "Leaders know there are threats on the horizon, but many are not viewing or managing them strategically or understanding how threats are interconnected. Many are still using traditional approaches, tools, and technologies to detect and manage threats. Today's risk environment requires leaders to challenge the status quo, prioritize investments and identify and analyze threats before they emerge. Simply put, accelerating performance and growth requires a different way of thinking about risk."



One of the biggest areas of unmitigated risk we see across all industries is supply-chain risk. Most organizations are not adequately protected against the loss of critical third-party suppliers.

In today’s post, I’ll share some thoughts about the pervasive supply-chain risk problem, as well as some ideas on what you can do about it.

From Mandatory Requirement to Valuable Business Enabler

Just because you have prohibited employees from communicating about business matters via any channel apart from email doesn’t mean your bases are covered. Mike Pagani explains how prohibition is not prevention, and why, for organizations in highly regulated fields, more concrete steps must be taken to mitigate risks and potential violations.

When it comes to archiving electronic communications used for business, the traditional drivers have been ensuring regulatory compliance for email and being prepared for legal events when they arise. Today however, there are new drivers that are causing organizations to invest in implementing advanced archiving technology and expanding its scope beyond simply email.

The reality is that businesses of all sizes and types are seeking to leverage the productivity gains and expanded reach newer and emerging non-email communications methods and channels offer – think social media, text messaging and collaboration platforms like Slack, Microsoft Teams and others. In many cases, compliance and legal teams are playing catch up, as despite policies that prohibit the use of channels other than email, employees will use them when the need outweighs the risk in their minds – even if they have attested to adhering to the usage policies. In short, prohibition does not equal prevention.

Compliance and legal professionals within regulated businesses have been in a tough spot in recent years. Prohibiting the use of the new channels has been their typical response to limit risks and potential violations by restricting the number of channels allowed for business. Regulators have also stepped up their guidance and enforcement, being very clear that if a channel is used for business, it must be properly retained and supervised – just like email. The problem is that the approach of prohibiting or restricting usage does not enable the business to leverage the benefits of the newer channels and still leaves the organization vulnerable when employees use them anyway.

Ungoverned text messaging is especially problematic, as nearly every employee has an ability to use it, and it is the undisputed channel of choice when time-sensitive responses are needed. According to CTIA, the average response time for a text message is just 90 seconds, while the average response time for an email is 90 minutes.



Were you well-prepared for Hurricane Michael? Good. Hurricanes are extremely dangerous.

But if you’re not careful, what happens after the storm can be just as harmful as the hurricane itself.

Beware the shady contractor. It’s a terrible story: someone’s home is damaged from a hurricane. A contractor shows up at their property and offers to complete immediate emergency repairs. All the homeowner needs to do is sign some paperwork and, the contractor assures them, their insurance company will pay for the repairs – easy as that!

Wrong. Shady contractors are not your friend. If you live in Florida, then the paperwork they want you to sign is often an “assignment of benefits” (AOB), a document that gives the contractor the right to receive payouts from your insurance company directly for repairs. (You can read all about how it works – or doesn’t work, as the case may be – on the Florida state website.)



A recent Continuity Central survey looked at business continuity plan success rates and asked for thoughts on the best ways to debrief after an incident. The survey has now been closed and the results are available, providing some interesting insights. Responses were received from around the world, with the most responses being from people based in the United States (34 percent), the United Kingdom (34 percent) and Australia (8 percent). The survey was conducted online using Survey Monkey.

An initial question ‘Does your company have business continuity plans?’ was asked to qualify survey respondents, with the results being compiled only from those who stated that their company did have business continuity plans.



(TNS) - The Florida Panhandle woke up to harrowing scenes of destruction Thursday in the wake of monster Hurricane Michael, the worst storm on record to ever hit the area and the fourth most powerful to strike U.S. shores.

After carving an agonizing path of destruction across the Florida Panhandle, Georgia and southeastern Alabama for nearly 10 hours and killing at least two people, the fierce storm finally slowed from top sustained winds of 155 mph to a tropical storm at midnight and continued to weaken early Thursday.

By 8 a.m., winds had slowed to 50 mph as Michael crossed South Carolina, about 40 miles west of Columbia. The storm had picked up speed to a fast 21 mph and should continue weakening. But it could regain some strength when it emerges over the Atlantic and becomes a post-tropical storm, National Hurricane Center forecasters said.



4 Steps to Prepare Your Business for Winter

Winter may conjure up imagery suitable for a Norman Rockwell painting: sitting by the fire with a hot drink in hand, enjoying the twinkling lights and decorations, and watching through the window as snowflakes drift lazily through the air. But the reality is that the business impact of winter weather is anything but idyllic.

The economic impact of a simple snowstorm can be upwards of $1 billion. And it’s not just companies in the path of those epic nor’easters that need to take heed. Last winter, unusually cold weather as far south as Florida even caused several theme parks to close.

Every business faces changing risks as winter approaches—whether winter brings rain, snow, or plummeting temperatures. But being prepared for the many hazards of winter weather can help you better manage the impact of such incidents on your employees, your customers, and your bottom line.

Here are four steps you should take now to prepare your business for the winter months ahead:



Friday, 12 October 2018 16:01


The Power of Location: How to Use Your Employee Data to Protect

Organizations have tons of data: customer data, market data, financial data, product data, and of course, employee data. Outside of common HR functions, however, much of this employee data is untapped or disconnected. When it comes to protecting employees, integrating various data points is critical, particularly when it comes to emergency communications.

There are 4 types of employee data at the fingertips of organizations that they often overlook. When combined, these pieces of data give security leaders everything they need to continually monitor and protect employees.



We are living in a digital age where the traditional boundaries between the physical and virtual spheres are becoming increasingly blurred. This has given rise to the Fourth Industrial Revolution, which is characterized by disruptive technologies such as artificial intelligence, robotics, nanotechnology and the Internet of Things. On World Standards Day, we highlight the crucial role of International Standards.

The Fourth Industrial Revolution affects almost every industry in every country as innovative cyber-physical systems evolve. The convergence of technologies holds immense opportunities, but also presents an array of ethical, economic and scientific challenges. The rapid pace of change has no historical precedent and society cannot help but question the issues related to long-term sustainability.

International Standards can help shape our future. Not only do standards support the development of tailor-made solutions for all industries, they are also the tools to spread best practices, knowledge and innovation globally. International Standards have always had a pivotal role in enabling the smooth adoption of technologies.



The Federal Emergency Management Agency (FEMA) developed IPAWS to alert the public across multiple channels, including radio, television, wireless devices and other communication platforms.

It was designed to be deployed when an emergency threatens life and property and getting information to as many people as possible is urgent. Frequently, IPAWS is used to alert the public when a child is missing, but it can also be used to alert citizens about impending natural disasters or man-made incidents such as chemical spills.

During the last year, IPAWS has come under increased scrutiny, due to perceived mishandling of situations such as the California wildfires and a false alarm that took place in Hawaii. In response, to remind users how important and reliable the system is, FEMA will issue a new set of guidelines for IPAWS users in the coming months and into 2019.

Let’s take a closer look at IPAWS updates you can expect through 2019.



In business continuity, we have a tendency to focus on what’s wrong with our programs or organizations. However, it’s important that we also take time to recognize what we’re doing right.

Today’s post explains why this is worthwhile—and will also help you get started on identifying which parts of your business continuity management (BCM) program are actually in pretty good shape.



At a Glance
  • Hurricane Michael carved swaths of devastation as it made landfall on the Florida Panhandle.
  • Two deaths have been confirmed – one in Florida and one in Georgia.
  • Flooding was reported Thursday morning in western North Carolina.
  • More than 900,000 homes and businesses have lost power in the South.


When Hurricane Michael made landfall as a high-end Category 4 storm on the Florida Panhandle Wednesday, buildings along the coast were smashed to pieces, storm-surge flooding lapped at the eaves of beach houses and an Air Force base sustained extensive damage. Two people have died in the storm, which continued to zip across Georgia and the Carolinas Thursday morning.

One death was reported in the Panhandle. A Greensboro man was killed when a tree crashed on his home, Gadsden County Sheriff's Office spokeswoman Anglie Hightower told the Associated Press. In southern Georgia, an 11-year-old girl was killed when a carport hit her home in Seminole County.

In Florida, from Panama City through Mexico Beach — where the storm made landfall — and into Apalachicola, houses were swamped or blown apart, roofs were ripped off, boats sank and trees toppled in the high winds.

"We are deploying a massive wave of response and those efforts are already underway," Florida Gov. Rick Scott said during a Thursday morning press conference. "Help is coming by air, land and sea."




(TNS) - Guzzling the superheated waters of the Gulf of Mexico and tempted by a slack atmosphere, Hurricane Michael powered to a record-shattering Category 4 goliath Wednesday with an intensity that trounced some of the most elite cyclones in history.

Its growth from an unassuming tropical storm on Sunday to a 155-mph beast flirting with Cat 5 status was unexpected by meteorologists who watched astonished as Michael’s minimum sea level pressure ticked down to a mind-blowing 919 millibars at landfall.

That’s lower than 1992’s Hurricane Andrew and 2005’s Hurricane Katrina, ranking Michael 3rd in records dating to the 1800s for lowest minimum pressure at landfall, according to Colorado State University hurricane expert Phil Klotzbach.



The pros and cons of cloud storage are, to be sure, debated with great enthusiasm. For every advocate of public cloud storage, there appears to be a naysayer ready to run it down. For every dream migration of data to the cloud there appears to be a cloud nightmare lurking.

So what’s the real story? Is the cloud all bad or all good?

Like actual clouds, the answer is seldom black and white. Plenty of shades of gray are apparent when you look up to the sky or view the murky world of cloud storage. So let’s take a look at some of the primary cloud storage pros and cons.



Thursday, 11 October 2018 14:20

Cloud Storage Pros and Cons

(TNS) - After transforming from a major to a mighty storm in a matter of hours, a ferocious Hurricane Michael roared ashore east of Panama City on Wednesday with pounding 155 mph winds.

The storm, the first-ever powerful Category 4 hurricane to hit the Panhandle, made landfall at 1 p.m. Central Daylight Time, five miles northwest of Mexico Beach, a quiet beach town with a population of about 1,200. The wind speed fell just 2 mph short of a more dangerous Category 5.

As it churns inland, National Hurricane Center forecasters warn that the back half of the hurricane will continue to spread dangerous storm surge and winds. Flood waters could reach as high as 14 feet in some places.



In recent weeks, we’ve seen several IT failures that left thousands of customers frustrated across the country.

First, Cisco Webex experienced a complete outage, and users were still experiencing intermittent issues 24 hours later. The interruption was apparently caused by a rogue script that began deleting the virtual machines hosting the service. As Cisco put it, “This was a process issue, not a technical issue.”

Then Verizon experienced voice, text, and data service interruptions for several hours affecting states across the South and Midwest, while also stretching into the northeast. The outage appeared to last about three hours.

To cap it off, a “technology issue” temporarily grounded Delta aircraft nationwide in the latest airline outage. Tweets from the company said the “computer tracking system” was down, and that the issues were system-wide. The outage lasted for at least an hour.

For all three companies, customer complaints spread quickly on social media, reinforced by media coverage. As we evolve with various technologies in a super-fast technology world, we expect and demand zero interruption and 100 percent connectivity.



Making Your Workplace a Harassment-Free Zone

Too many workplaces have allowed sexual harassment to continue unchecked for years. In some cases, company executives have been the worst perpetrators of these toxic cultures. Companies that fail to take notice and make changes have set themselves up for internal upheaval and legal claims that may threaten the business. Fortunately, employers can turn toxic cultures around by following four simple steps.

What started in July 2016 with Gretchen Carlson’s sexual harassment lawsuit against Fox News CEO Roger Ailes has snowballed over the last two years into hundreds of similar allegations against politicians, entertainers, media personalities and corporate executives. Recent admissions have revealed that some organizations’ leaders knowingly allowed workplace harassment to continue unchecked for years. Only now – as terminations and calls for resignations reverberate – have these workplaces begun re-evaluating their policies and training to effect an overall change in workplace culture.

If your company has not already begun examining its organizational environment and policies to ensure a harassment-free workplace, the time is now.



Wednesday, 10 October 2018 15:01

Dump The Toxic Culture

One Identity has released new global research findings that uncover a widespread inability to implement basic best practices across identity and access management (IAM) and privileged access management (PAM) security disciplines. These failures expose organizations to data breaches and other significant security risks.

Conducted by Dimensional Research, One Identity’s ‘Assessment of Identity and Access Management in 2018’ study polled more than 1,000 IT security professionals from mid-size to large enterprises on their approaches, challenges, biggest fears and technology deployments related to IAM and PAM.

Among the survey’s most surprising findings are that nearly one-third of organizations are using manual methods or spreadsheets to manage privileged account credentials, and one in 20 IT security professionals admit they have no way of knowing if a user is fully deprovisioned when they leave the company or change their role. Additionally, a single password reset takes more than 30 minutes to complete in nearly 1 in 10 IT environments.

These and other findings paint a bleak picture of how many organizations approach IAM and PAM programs, indicating that critical and highly sensitive systems and data are not properly protected; user productivity is hindered; and potential threats from mismanaged access remain a major challenge.



Hurricane Michael is headed for a catastrophic, unprecedented Category 4 strike on the Florida Panhandle and Big Bend with a massive storm surge and over 100 mph winds possible not just near the coast, but also inland that could leave some areas without power for over a week.

If Michael makes landfall as a Category 4 storm, as expected, it will be the strongest hurricane to ever come ashore along the Florida Panhandle in records dating to 1851, according to Dr. Phil Klotzbach, tropical scientist at Colorado State University. In fact, Florida's entire Gulf Coast north of Punta Gorda has never recorded a Category 4-plus hurricane landfall.



Backgrounders and fact sheets—background information and statistics on the insurance trends and conditions in selected hurricane-prone coastal states.

Via Insurance Information Institute ...


Wednesday, 10 October 2018 14:54

Hurricane Fact Files and Market Share by State

(TNS) — Both men died when they fell — one from a ladder, the other from a roof — while they were cleaning up after Hurricane Florence even as the storm was still causing rivers to rise in Eastern North Carolina.

Gov. Roy Cooper announced last Tuesday that they were the 38th and 39th people in North Carolina to lose their lives as a result of the storm. It had taken 10 days for the two men to officially be added to the storm’s death toll.

The lag time illustrates how difficult it can be to fully account for the number of deaths caused by a natural disaster as large and widespread as a hurricane. That they were added to the list at all shows how important that full accounting is.



If you live in the projected path of Hurricane Michael, you should be prepping your home and finalizing your emergency and evacuation plans. The storm has grown to Category 2 – and there are concerns that it’ll be a Category 3 by landfall.

Here are some Dos and Don’ts to consider for prepping and riding out the storm.



Wednesday, 10 October 2018 14:51


A Holistic Approach to Addressing Harassment


As cultural movements continue to raise awareness about misconduct, compliance and ethics programs are putting more power behind training their employees on how to identify and report harassment in the workplace. Despite this increased emphasis, less than half of employees who observed harassment reported it last year, sending a signal that there’s more organizations must do to reduce this risk.


While harassment has been one of the most commonly observed types of misconduct for employees over the past decade,[i] recent high-profile revelations of sexual harassment have increased the attention this type of misconduct receives. As a result, public discourse on the topic has been renewed and there is greater urgency to address the issue at the CEO and board level.

To mitigate the risk harassment can present to the organization, and to stay in front of reputational failures, compliance and ethics programs are putting more power behind training their employees on how to identify and report harassment in the workplace, with over half of compliance and ethics programs already requiring most of their employees to complete anti-harassment training annually.[ii] However, despite this increased attention and training, only 46 percent of employees who observed harassment reported it in 2017[iii] – an indication that there is much more compliance and ethics programs can do to reduce this risk to their organizations.



Wednesday, 10 October 2018 14:49

Beyond Anti-Harassment Training

Organizations often make a false assumption as they approach the start of a Business Impact Analysis (BIA) or recovery plan building: they assume that staff members can define the business processes that they are engaged in as part of normal operations.  The truth is that many people struggle to define the processes that they are regularly engaged in at the proper level, despite being part of an organization for many years and performing in the same role for a long period of time.  A process inventory is an essential prerequisite for a BIA or for plan building.   Failing to define processes at the appropriate level will yield inaccurate BIA results and could result in the creation of ineffective recovery plans.

The most common error in defining processes is elevating the individual tasks that make up a process to the level of a process.  If tasks are defined as processes, subject matter experts will struggle to identify impacts at such a micro level of activity.  Conversely, when processes are defined at excessively high levels of operation, the impact of a disruption is exaggerated, because everything grouped at that level is treated as equally affected.

Plan building is similarly problematic when processes are not properly defined.  Plans scoped at task level may fail to account for the complexity of operations and risk not identifying critical aspects of the recovery.   Planning at upper levels of the organization can result in over-sized plans that are difficult to execute and impossible to exercise effectively.



Wednesday, 10 October 2018 14:47

Step One


In the wake of the recent Facebook and Cambridge Analytica scandal, data and personal privacy matters have come to the forefront of consumers’ minds. When an organization like Facebook falls into trouble, big data is often blamed, but is big data actually at fault? When tech companies utilize and contract with third-party data mining companies, aren’t these data collection firms doing exactly what they were designed to do?

IBM markets its Watson as a way to get closer to knowing about consumers; however, when it does just that, it is perceived as an infringement on privacy. In the wake of data privacy and security violations, companies have become notorious for pointing the finger elsewhere. Like any other scapegoat, big data has become an easy way out: a chance for the company to appear to side with, and support, the consumer. Yet many are long overdue in making changes that actually do protect and support the customer, and now find themselves needing to earn back lost consumer trust. Companies looking to please their customers publicly agree that big data is the issue, but behind the scenes may be doing little or nothing to change how they interact with these organizations. By pushing the blame to the data companies, they redirect the problem, casting their company and consumers alike as victims of something beyond their control.

For years, data mining has been used to help companies better understand their customers and market environment. Data mining is a means of generating insights about a buyer or potential buyer for the business. Before companies and resources like Facebook, Google, and IBM’s Watson existed, customers knew very little about their personal data. More recently, the general public has begun to understand what data mining actually is, how it is used, and to be aware of the data trail they leave through their online activities.

Hundreds of articles have been written surrounding data privacy, additional regulations to protect individuals’ data rights have been proposed, and some have even been signed into law. With the passing of new legislation pertaining to data, customers are going as far as filing lawsuits against companies that may have been storing personally identifiable information without their knowledge or without proper consent.

State regulations have increasingly propelled interest in data privacy, and some believe this might develop into a national privacy law. Because of this, organizations are starting to take notice and have begun implementing policy changes to protect themselves from scrutiny. Businesses are taking a closer look at the changing trends within the marketplace, as well as the growing public awareness of how their data is being used. Direct consumer-facing brands need to be most mindful of the fact that they need to have appropriate security frameworks in place. Perhaps the issue amongst consumers is not the data collected, but how it is presented back to them or shared with others.

Generally speaking, consumers like content and products that are tailored to them. Many customers don’t mind data collection, marketing retargeting, or even promotional advertisements if they know that they are benefiting from them. We as consumers and online users often willingly give up our information in exchange for free access and convenience, but have we thoroughly considered how that information is being used, brokered and shared? If we did, would we pay more attention to who and what we share online?

Many customers have expressed their unease when their data is incorrectly interpreted and relayed. Understandably, they are irritated by irrelevant communications and become fearful when they lack trust in the organization behind the message. Is their sensitive information now in a databank with heightened risk of breach? When a breach or alarming infraction occurs, customers, including prospective ones, become more concerned still.

The general public has become acquainted with the positive aspects of big data, to the point where they expect retargeted ads and customized communications. On the other hand, even after agreeing to the terms and conditions, the consumer is quick to blame big data for a negative occurrence rather than the core brand they chose to trust with their information.

About Greg Sparrow:

Greg Sparrow, Senior Vice President and General Manager at CompliancePoint, has over 15 years of experience with Information Security, Cyber Security, and Risk Management. His knowledge spans multiple industries and entities including healthcare, government, card issuers, banks, ATMs, acquirers, merchants, hardware vendors, encryption technologies, and key management.


About CompliancePoint:

CompliancePoint is a leading provider of information security and risk management services focused on privacy, data security, compliance and vendor risk management. The company’s mission is to help clients interact responsibly with their customers and the marketplace. CompliancePoint provides a full suite of services across the entire life cycle of risk management using a FIND, FIX & MANAGE approach. CompliancePoint can help organizations prepare for critical needs such as GDPR with project initiation and buy-in, strategic consulting, data inventory and mapping, readiness assessments, PIMS & ISMS framework design and implementation, and ongoing program management and monitoring. The company’s history of dealing with both privacy and data security, inside knowledge of regulatory actions and combination of services and technology solutions makes CompliancePoint uniquely qualified to help its clients achieve both a secure and compliant framework.




Tuesday, 09 October 2018 14:24

A Holistic Approach to Addressing Harassment

Adesh Rampat explains why he believes that the definition of operational risk needs updating to take into account the development of cyber security related risks, and including aspects of internal controls and user awareness.

The definition of operational risk varies but generally covers the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. However, I want to take a fresh look at this general definition and present what I believe operational risk should reflect, taking into account all the cyber security related risks that are currently plaguing organizations.

We know that operational risk exists in every organization, and size does not matter. What matters, however, are two critical areas that need to be included in the operational risk definition:

  • Internal controls
  • User awareness.



(TNS) — Nearly a month after Hurricane Florence created unprecedented flooding, the Grand Strand in South Carolina is in another storm's path.

Hurricane Michael — which was upgraded from tropical storm Monday — is in the Gulf of Mexico and expected to hit the Florida Panhandle on Wednesday. The effects of the storm will reach Horry County, S.C., most likely on Wednesday or Thursday of this week.

Predictions from the National Weather Service say the area can expect 2 to 4 inches of rain and it has a good chance of seeing tropical storm wind speeds. There is also a threat of tornadoes, especially if the storm moves to the west of Myrtle Beach.

Once the storm moves onto land, it will start to slow down and will most likely be significantly weaker than it is now, Steve Pfaff, warning coordination meteorologist with the National Weather Service in Wilmington, said.



2018 marks the 100-year anniversary of the 1918 influenza pandemic, which killed ~50 million people worldwide. The severity of this pandemic resulted from a complex interplay between viral, host, and societal factors. Here, we review the viral, genetic and immune factors that contributed to the severity of the 1918 pandemic and discuss the implications for modern pandemic preparedness. We address unresolved questions of why the 1918 influenza H1N1 virus was more virulent than other influenza pandemics and why some people survived the 1918 pandemic and others succumbed to the infection. While current studies suggest that viral factors such as the haemagglutinin and polymerase gene segments most likely contributed to a potent, dysregulated pro-inflammatory cytokine storm in victims of the pandemic, the shift in case-fatality for the 1918 pandemic toward young adults was most likely associated with the host's immune status. Lack of pre-existing virus-specific and/or cross-reactive antibodies and cellular immunity in children and young adults likely contributed to the high attack rate and rapid spread of the 1918 H1N1 virus. In contrast, the lower mortality rate in the older (>30 years) adult population points toward the beneficial effects of pre-existing cross-reactive immunity. In addition to the role of humoral and cellular immunity, there is a growing body of evidence to suggest that individual genetic differences, especially involving single-nucleotide polymorphisms (SNPs), contribute to differences in the severity of influenza virus infections. Co-infections with bacterial pathogens, and possibly measles and malaria, co-morbidities, malnutrition or obesity are also known to affect the severity of influenza disease, and likely influenced 1918 H1N1 disease severity and outcomes. 
Additionally, we also discuss the new challenges, such as changing population demographics, antibiotic resistance and climate change, which we will face in the context of any future influenza virus pandemic. In the last decade there has been a dramatic increase in the number of severe influenza virus strains entering the human population from animal reservoirs (including highly pathogenic H7N9 and H5N1 viruses). An understanding of past influenza virus pandemics and the lessons that we have learnt from them has therefore never been more pertinent.



What to Do When a Deal Falls Apart

What happens after a planned deal falls apart? In the process of seeking approval, a wealth of sensitive company information is transferred between entities – from financials to intellectual property. This article explores how a company can properly recover following the dissolution of a merger.

For a company closing an acquisition, it’s a heady time. Months of due diligence, back-and-forth negotiations and organizational strategy gives way to the challenges of integration. But for every company celebrating the next chapter for their business, dozens more are sent back to the drawing board after a potential deal falls apart. This is more common than one might think – if 200 companies hit the deal pipeline, only about 40 will reach the letter of intent stage. Of that 40, just 15 might reach the deal finish line, leaving everyone else trying to put the genie back in the bottle.

Those who are back at the drawing board – whether the deal would’ve been industry-changing or one that simply furthered a company’s goals – all face the same problem. The former buyer – possibly a direct competitor – has just seen a lot of proprietary information. You can’t erase memories, but how can you ensure that they no longer have access to the spreadsheets, financial statements and internal knowledge that are all part of the due diligence process? Data security becomes critical for both buyer and seller. The risk of information leaks must be mitigated immediately, particularly if your deal has reached the letter of intent stage – a point at which vast amounts of sensitive information have been exchanged.

Of course, everyone has signed non-disclosure agreements, but the information is out there and it’s time to eliminate the exposure as quickly as feasible.



Tuesday, 09 October 2018 14:13

Mitigating Data Risk In M&A Transactions

Emergency notification systems (ENS) are not just for government. You most likely already know that organizations can implement systems to send alerts and notifications to their employees, both in emergencies or even in the course of their day-to-day work.

In today’s post, I’ll discuss some of the types of electronic alert systems that are available to business, sketch out their benefits, and point out some of the things to be cautious about in using such platforms.



One of my favorite George Carlin quotes is, “I never worry that ALL hell will break loose. My concern is that a PART of hell will break loose. It’ll be much harder to detect.”

I have always loved that quote because it’s true in the lives of crisis management professionals.

Many times, we write our plans and develop our procedures for unmistakable crises (ALL hell breaking loose). But it’s been my experience that when only a PART of hell breaks loose, it can really challenge our overall readiness. Our plans and procedures tend to be binary – on or off, black or white. But what about those grey areas? Are you ready for half a crisis?





Successful companies understand they have to innovate to remain relevant in their industry. Few innovations are more buzzworthy than machine learning (ML).

The Accenture Institute for High Performance found that at least 40 percent of the companies surveyed were already employing ML to increase sales and marketing performance. Organizations are using ML to raise ecommerce conversion rates, improve patient diagnoses, boost data security, execute financial trades, detect fraud, increase manufacturing efficiency and more.

When asked which IT technology trends will define 2018, Alex Ough, CTO Architect at Sungard AS, noted that ML “will continue to be an area of focus for enterprises, and will start to dramatically change business processes in almost all industries.”

Of course, it’s important to remember that implementing ML in your business isn’t as simple as sticking an educator in front of a classroom of computers – particularly when companies are discovering they lack the skills to actually build machine learning systems that work at scale.

Machine learning, like many aspects of digital transformation, requires a shift in people, processes and technology to succeed. While that kind of change can be tough to stomach at some organizations, the alternative is getting left behind.



Big data analytics projects are ubiquitous. According to one survey, 37.2% of executives report their organizations have invested more than $100MM on big data analytics initiatives within the last several years, with 6.5% of organizations investing over $1B. While 81% of executives qualify these efforts as successful, there is less certainty about these projects achieving measurable business value and widespread adoption. The same survey finds that only 37% of respondents report success in creating data-driven cultures. Other findings are less optimistic – Gartner estimates the failure rate of similar initiatives is closer to 85%.

Why do big data analytics projects fail so often? Although there are likely many causes, perhaps the largest factor is a poor understanding of the business use case. All too often, the tendency, when ramping up big data analytics projects, is to sift through the data to uncover problems. This approach may yield interesting results, but rarely produces a robust business case.

Instead of starting with a technology project and trying to produce business results, a better approach starts with the business problem and uses technology to solve it. This type of customer-centric approach, where you define the business problem up-front, allows you to understand how users will interact with and use the data insights. Only then can your data scientists design and develop a targeted solution.



The first 24 hours is the critical period when it comes to responding effectively to a crisis at any organization.

In today’s post, we’ll lay out some of the things you can do, from the business continuity standpoint, to enable you to “win” this critical period, when and if disaster strikes the company you work for.

Today’s post is inspired by a presentation called “The Two-Minute Drill,” which MHA Consulting and BCMMETRICS CEO Michael Herrera gave at the Disaster Recovery Journal Conference in Phoenix last weekend.



It’s October – and that means it’s National Cybersecurity Awareness Month.

The National Cyber Security Alliance has dedicated the first week to making homes safe from hacking. And for good reason. Families are increasingly living connected lives: on social media, in video games, and through “smart” home technology like connected thermostats or burglar alarms.

So-called “smart tech” (otherwise known as the Internet of Things) is only getting more popular: three out of five Americans have connected technology in their homes, according to the recent Insurance Information Institute and J.D. Power 2018 Consumer Cyber Insurance and Security Spotlight Survey.

Smart tech is convenient and efficient. Why not buy a thermostat that can automatically adjust the temperature to save you money?



Wednesday, 03 October 2018 19:59


The Impact of BPM on Organizations

Regulations and compliance are some of the most important topics of discussion in the marketplace today, yet dozens of companies are hit with fines simply because they are unable to prove they are in compliance. Business process management (BPM) is enabling companies to more adequately manage their vendors, employees and C-suite, and it assists with cost avoidance, efficiency, risk management and compliance – all of which are topics that belong in the boardroom.

If you talk to any process management or BPM vendor, they are likely to tell you that one of their biggest challenges is access to the C-Suite. This is partly due to the way vendors historically pitch their solutions as technology and features, leading them to be seen as just another IT solution for management to consider. However, it is also because many executives still fail to understand that process management is actually a valuable tool to help them and their organization perform better and mitigate risk.

A number of media publications have reported that regulators across the globe are becoming more aggressive in their inquiries and are further increasing fines. In the United States alone, Wells Fargo was fined over $1 billion for failed compliance, and U.S. Bancorp was fined an additional $600 million for systemic deficiencies in its anti-money laundering monitoring systems, which resulted in gaps and “a significant amount of unreported suspicious activity.” Meanwhile, a U.K.-based utility company was fined simply because it was unable to prove that it was operating in a compliant manner. Of course, the automotive industry is also affected, as many manufacturers are facing actions against them for emissions failings.



Wednesday, 03 October 2018 15:02

Why Process Management Is A Boardroom Issue

(TNS) - Tens of thousands of phones throughout Colorado will buzz almost simultaneously Wednesday as national emergency officials test a system that allows the president to contact the nation through cell phones in case of an emergency.

The Federal Emergency Management Agency will send a text to all cell phones connected to the Wireless Emergency Alert system at 12:18 p.m. Wednesday. The nationwide test is the first of its kind for the program that will allow the president to contact tens of millions of people across the country.

Officials in Vail conducted a local test of the system in May, one of a handful of locations to do so. Denver emergency management staff also tested the system on Sept. 5, and they expected to reach about a million people.



The recent data breach at British Airways and the airline’s widely praised response provides a timely reminder of the importance of effective crisis management from a public relations point of view, particularly with your communication in a crisis.

Using the BA situation as a springboard, in today’s post I’ll share my 4 Tips for Effective Crisis Communication.



Wednesday, 03 October 2018 14:58

4 Rules for Effective Communication in a Crisis

Disaster Recovery as a Service (DRaaS) is no longer an unproven new idea with a lot of question marks attached. It is now all grown up and has a lot to offer almost all organizations that have data to protect, no matter how much use they are making of the cloud currently.

In today’s post, we’ll remind you of what DRaaS is all about, sketch out how different organizations can benefit from it, and share some of the special considerations involved in using it.



Wednesday, 03 October 2018 14:34

Disaster Recovery as a Service Comes of Age

The immediate reaction to a cyber-security incident is the FUD factor (Fear, Uncertainty and Doubt); more like ‘chickens running around with their heads cut off’.

An agile response requires tested and documented Incident Response Plans – including Crisis Management, Business Continuity and IT Disaster Recovery Plans. Automating the workflow facilitates seamless collaboration and the ability to Monitor, Measure & Manage the activities that are critical to effective Cyber Security Incident Response.

As presented at the DRJ Fall World 2018, participants learned about the various program components that will help build an effective CSIRP. #DRJFall



Wednesday, 03 October 2018 14:32

Aligning BC/DR to CSIRP Challenges

As September’s National Preparedness Month comes to a close, it’s a good time to reflect on the lessons learned throughout the month and how these lessons can evolve into helpful preparedness strategies throughout the year.

In September alone, there was a major hurricane that threatened the east coast of the United States, the effects of which are still being felt, as well as other manmade threats of violence and active shooters. On a daily basis, we are reminded of the need for clear communication that will help your residents know how to react when your community faces a threat.

National Preparedness Month Message Templates

One way you can prepare for community emergencies is to pre-create message templates. These messages should contain blueprints for various scenarios that you know could be a possible threat to your community. In addition, you can use these messages to send out training calls and event notices to internal and external publics as a training exercise.

Audiences need to know where emergency alerts and updates will be coming from, so getting them comfortable with receiving these alerts now will pay off in the long run. Here are several examples of templates that can be helpful as you create your own messaging.



Micromanagement muzzles motivation and poisons productivity, says Matthew Jenkin. There are better ways of engaging employees, and it starts with trust…

Before Apple co-founder Steve Jobs led a tech revolution, he was a notorious micromanager. His inability to delegate famously contributed to the commercial failure of NeXT – a computer company he launched after leaving Apple in 1985. But he learned his lesson and a new hands-off approach resulted in success for his next venture, Pixar. When he returned to Apple in 1997, he was a much more capable executive.

Now, thanks to smart technology – which Jobs played a crucial role in pioneering – employees have more freedom to choose when, where and how they work, without a boss breathing down their neck. Without realizing it, Jobs had helped hammer another nail in the coffin of micromanagement.

Why, though, does micromanagement sound the death knell for business and why do more autonomous ways of working boost productivity?



Wednesday, 03 October 2018 14:28

The death of the micromanager

Data breaches and cyberattacks are an increasing threat to businesses, but flexible working offers some surprising advantages to keeping data safe on the move


Has your business been compromised by a data breach? If you answered no, you’re one of the lucky ones. With more than 50% of US businesses experiencing a cyberattack in the past year, for many, a breach is a matter of when, not if.

In the first half of 2017 alone, nearly two billion records were lost or stolen in data breaches – a 164% increase from the previous six-month period. And, according to technology startup Dashlane, these numbers could be even higher. “Nearly 60% of the total breaches include an unknown or unreported number of compromised records,” says the company’s growth marketing manager Eitan Katz.

Data breaches may involve financial information such as credit card or bank details, personal health information, personally identifiable information, trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data – files, documents and sensitive information.



Wednesday, 03 October 2018 14:27

Is your data safe in a co‑working space?

When a business’ administrators are communicating with their employees during a crisis, it’s important they have all the tools necessary to ensure quick, accurate, and easy transmission of alerts. One of the most powerful tools included in modern mass communication systems is location-based services, which include GPS tracking, map views, and functions like geofencing. Location is a primary factor in determining who is at risk in an emergency. So being able to receive and send that information is critical in a wide variety of events.

What Are Location Based Services?

Location services are, simply, tools that allow you to see something’s (or someone’s) location. They include any method used to help track the location of a person or thing. Smartphone apps can figure out a person’s location using GPS and cellular signal technology. For example, popular map apps employ these services to show you where you are and where you’re going. There are also standalone GPS sensors that you can buy and attach to objects for easy tracking, no smartphone required. Location can also be determined by more low-tech methods, such as a simple list of employee addresses. Modern emergency notification systems should be able to use all of these techniques.
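As an added example that is not part of the original post (and not any vendor's ENS code), here is how the geofencing step described above can be implemented: a roster of last-known employee positions is filtered against an incident area, either a circle (centre plus radius, using the haversine great-circle distance) or a polygon fence (ray-casting point-in-polygon). Because a cell-tower fix is far coarser than GPS, each positioning method carries an assumed uncertainty that widens the circle, so a coarse fix near the edge is included rather than silently dropped. The names, coordinates and uncertainty figures are constructed and hypothetical.

```python
"""Geofence-based recipient selection for an emergency notification.

Added example, not code from the original post or any ENS product. Every name,
coordinate and uncertainty figure below is constructed for illustration.
"""
import math
from dataclasses import dataclass
from typing import List, Sequence, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres

# Assumed horizontal uncertainty of each positioning method, in metres
# (illustrative values): a cell-tower fix is far coarser than GPS; a static
# home/office address has no live uncertainty but may simply be stale.
FIX_UNCERTAINTY_M = {"gps": 20.0, "cell": 500.0, "address": 0.0}


@dataclass(frozen=True)
class Employee:
    name: str
    lat: float
    lon: float
    source: str  # "gps", "cell" or "address"


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_polygon(lat: float, lon: float, fence: Sequence[Tuple[float, float]]) -> bool:
    """Ray-casting point-in-polygon test on a list of (lat, lon) vertices.

    Treats the coordinates as planar, which is adequate for building- or
    campus-sized fences where the Earth's curvature is negligible.
    """
    inside = False
    j = len(fence) - 1
    for i in range(len(fence)):
        lat_i, lon_i = fence[i]
        lat_j, lon_j = fence[j]
        # Edge (i, j) straddles the point's latitude: find where it crosses
        # that latitude and toggle if the crossing lies east of the point.
        if (lat_i > lat) != (lat_j > lat):
            lon_cross = lon_j + (lat - lat_j) * (lon_i - lon_j) / (lat_i - lat_j)
            if lon < lon_cross:
                inside = not inside
        j = i
    return inside


def select_by_circle(roster: Sequence[Employee], centre: Tuple[float, float],
                     radius_m: float) -> List[str]:
    """Names of employees whose position may lie within radius_m of centre.

    The fix uncertainty is added to the radius: for an evacuation alert a false
    positive costs one unneeded message, a false negative costs a warning.
    """
    selected = []
    for e in roster:
        slack = FIX_UNCERTAINTY_M.get(e.source, 0.0)
        if haversine_m(e.lat, e.lon, centre[0], centre[1]) <= radius_m + slack:
            selected.append(e.name)
    return selected


def select_by_polygon(roster: Sequence[Employee],
                      fence: Sequence[Tuple[float, float]]) -> List[str]:
    """Names of employees whose last-known position lies inside the fence."""
    return [e.name for e in roster if in_polygon(e.lat, e.lon, fence)]


# Constructed roster: positions a few hundred metres apart along one meridian.
ROSTER = [
    Employee("Ana", 40.7138, -74.0060, "gps"),      # ~111 m north of the incident
    Employee("Ben", 40.7228, -74.0060, "gps"),      # ~1.1 km north
    Employee("Chen", 40.7178, -74.0060, "cell"),    # ~556 m north, coarse fix
    Employee("Dee", 40.8000, -74.0000, "address"),  # ~9.7 km north, static address
]
INCIDENT = (40.7128, -74.0060)  # constructed incident location
CAMPUS_FENCE = [(40.70, -74.02), (40.70, -73.99), (40.73, -73.99), (40.73, -74.02)]

if __name__ == "__main__":
    print("500 m circle:", select_by_circle(ROSTER, INCIDENT, 500.0))
    print("campus fence:", select_by_polygon(ROSTER, CAMPUS_FENCE))
```

With the constructed roster, a 500 m circle selects Ana and Chen (Chen only because the cell fix's uncertainty is added to the radius), while the campus polygon selects Ana, Ben and Chen. A production system would also want to drop positions older than some threshold and fall back to the address list for anyone without a live fix.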



In a recent blog post, we discussed what “duty of care” means in the workplace. But when it comes to duty of care, there isn’t just a box to check. Preparedness and readiness come on a spectrum. The most successful companies are those that go above and beyond when it comes to their employees’ health and safety.

Which Type of Employer are You?

When considering duty of care, there are three categories of employers: the uninformed employer, the bare minimum employer, and the employee-first employer. Take a look at the graphic below and decide which category your organization currently falls within:



Wednesday, 03 October 2018 14:25



What is the price of network security? If your company understands we live in an interconnected world where cyber threats are continuously growing and developing, no cost is too great to ensure the protection of your crown jewels.

However, no matter how many resources you put into safeguarding your most prized “passwords,” the biggest threat to your company’s security is often the toughest to control – the human element.

It’s not that your employees are intentionally trying to sabotage the company. But, even if you’ve locked away critical information that can only be accessed by passing security measures in the vein of “Mission Impossible,” mistakes happen. After all, humans are only human.

The best course of action is to educate employees on the importance of having good cybersecurity hygiene. Inform them of the potential impacts of a cybersecurity incident, train them with mock phishing emails and other security scenarios, and hold employees accountable.

Retina scanners, complex laser grids and passwords stored in secure glass displays seem like adequate enough security measures. Unfortunately, employees don’t always get the memo that sensitive information shouldn’t be shouted across the office. Then again, they’re only human.



Complex system provided by Russelectric pioneers microgrid concept

By Steve Dunn, Aftermarket Product Line Manager, Russelectric Inc.

A unique power control system for Quinnipiac University’s York Hill Campus, located in Hamden, Connecticut, ties together a range of green energy power generation sources with utility and emergency power sources. The powerful supervisory control and data acquisition (SCADA) system gives campus facilities personnel complete information on every aspect of the complex system. Initially constructed when the term microgrid had barely entered our consciousness, the system continues to grow as the master plan’s vision of sustainability comes to fruition.

Hilltop campus focuses on energy efficiency and sustainability

In 2006, Quinnipiac University began construction on its new York Hill campus, perched high on a hilltop with stunning views of Long Island Sound. Of course, the campus master plan included signature athletic, residence, parking, and activity buildings that take maximum advantage of the site. But of equal importance, it incorporated innovative electrical and thermal distribution systems designed to make the new campus energy efficient, easy to maintain, and sustainable. Electrical distribution requirements, including primary electrical distribution, emergency power distribution, campus-wide load shedding, and cogeneration were considered, along with the thermal energy components of heating, hot water, and chilled water.

The final design includes a central high-efficiency boiler plant, a high-efficiency chiller plant, and a campus-wide primary electric distribution system with automatic load shed and backup power. The design also incorporates a microturbine trigeneration system to provide electrical power while recovering waste heat to help heat and cool the campus. Solar and wind power sources are integrated into the design. The York Hill campus design engineer was BVH Integrated Services, PC, and Centerbrook Architects & Planners served as the architect. The overall campus project won an award for Best Sustainable Design from The Real Estate Exchange in 2011.

Implementation challenges for the complex system

The ambitious project includes numerous energy components and systems. In effect, it was a microgrid before the term was widely used. Some years after initial construction began, Horton Electric, the electrical contractor, brought in Russelectric to provide assistance and recommendations for all aspects of protection, coordination of control, and utility integration – especially protection and control of the solar, wind and combined heating and power (CHP) components. Russelectric also provided project engineering for the actual equipment and coordination between its system and equipment, the utility service, the emergency power sources, and the renewable sources. Alan Vangas, current VP at BVH Integrated Services, said that “Russelectric was critical to the project as they served as the integrator and bridge for communications between building systems and the equipment.”

Startup and implementation was a complex process. The power system infrastructure, including the underground utilities, had been installed before all the energy system components had been fully developed. This made the development of an effective control system more challenging. Some of the challenges arose from utility integration with existing on-site equipment, in particular the utility entrance medium voltage (MV) equipment that had been installed with the first buildings. Because it was motor-operated, rather than breaker-operated, paralleling of generator sets with the utility (upon return of the utility source after a power interruption) was possible in only one direction. They could parallel the natural gas generator to the utility, but because the generator was also used for emergency power, they could not parallel from the utility back to their microgrid.

Unique system controls all power distribution throughout the campus

In response to the unique challenges, Russelectric designed, delivered, and provided startup for a unique power control system, and has continued to service the system since startup. The system controls all power distribution throughout the campus, including all source breakers – utility (15kV and CHP), wind, solar, generators, MV loop bus substations, automatic transfer switches (ATSs), and load controls.

As might be expected, this complex system requires a very complex load control system. For example, it has to allow the hockey rink chillers to run in the summer during an outage but maintain power to the campus. 

Here is the complete power control system lineup:

  • 15 kilovolt (kV) utility source that feeds a ring bus with 8 medium voltage/low voltage (MV/LV) loop switching substations, one for each building. Russelectric controls the open and close of the utility main switch and monitors the utility main’s health and protection.
  • 15kV natural gas 2 megawatt (MW) Caterpillar CAT generator with switchgear for continuous parallel to the 15kV loop bus. Russelectric supplied the switchgear for full engine control and breaker operations to parallel with the utility and for emergency island operations.
  • One natural gas 750kW Caterpillar generator used for emergency backup only.
  • One gas-fired FlexEnergy micro turbine (Ingersoll Rand MT250 microturbine) for CHP distributed energy and utility tie to the LV substations.
  • Control and distribution switchgear that controls the emergency, CHP, and utility sources.
  • 12 ATSs for emergency power from the 4 natural gas engines, in each building.
  • 25 vertical-axis wind turbines that generate 32,000 kilowatt-hours of renewable electricity annually. The wind turbines are connected to each of the LV substations. Russelectric controls the breaker output of the wind turbines and instructs the wind turbines when to come on or go off.
  • 721 rooftop photovoltaic panels gathering power from the sun, saving another 235,000 kilowatt-hours (kWh) per year. These are connected to each of the 3 dormitory LV substations. Russelectric controls the solar arrays’ breaker output and instructs the solar arrays when to come on or go off.

The system officially only parallels the onsite green energy generation components (solar, wind and micro turbine) with the utility, although they have run the natural gas engines in parallel with the solar in island mode for limited periods.

Since the initial installation, the system has been expanded to include additional equipment, including another natural gas generator, additional load controls, and several more ATSs.

SCADA displays complexity and detail of all the systems

Another feature of the Russelectric system for the project was the development of the Russelectric SCADA system, which takes the complexity and detail of all the systems and displays it for customer use. Other standard SCADA systems would not have been able to tie everything together with one-line diagrams and front views of equipment that let operators visually see the entire system.

While the Russelectric products used are known for their quality and superior construction, what really made this project stand out is Russelectric’s ability to handle such an incredibly wide variety of equipment and sources without standardizing on the type of generator or power source used. Rather than requiring use of specific players in the market, the company supports any equipment the customer wishes to use – signing on to working through the challenges to make the microgrid work. This is critical to success when the task is controlling multiple traditional and renewable sources.


In the aftermath of 2017’s historic hurricanes and wildfires, Congress provided one-time funding of nearly $140 billion. With the increasing severity and frequency of natural disasters, policymakers are looking for ways to control costs by investing in mitigation activities—actions that reduce risk to lives and property—before a disaster happens.

Research shows that mitigation investments reduce costs for disaster response and recovery: Taxpayers save an average of $6 for every $1 the federal government spends on activities such as elevating homes, strengthening or retrofitting infrastructure, and purchasing flood-prone properties for removal. In response to the 2017 hurricane season, Federal Emergency Management Agency (FEMA) Administrator Brock Long told the U.S. House Transportation and Infrastructure Committee, “I cannot overstate the importance of focusing on investing in mitigation before a disaster strikes,” and noted that “building more resilient communities is the best way to reduce risks to people, property, and taxpayer dollars.”

However, most federal mitigation investments are made after a disaster occurs, and very little data on state funding for such programs are publicly available. All levels of government need a more comprehensive understanding of federal and state investments if they are going to better target funding and decide whether new incentives are necessary to encourage mitigation activities.



Unless you were on the Appalachian Trail for a few weeks, you know what I’m talking about. I’ll start with this paragraph from our newly published analysis of Nike’s “Just Do It” campaign featuring Colin Kaepernick, called Nike Makes No Sacrifices:

Judging the Nike decision is difficult because there’s so much conflicting evidence. In concept, values-based appeals can pay off big – 52% of US online adults say they actively consider company values when making a purchase. In practice it’s not always obvious: Nike brand-related social media chatter grew by 8x within a day after the ad was released and 60% of that buzz was emotionally charged, compared to less than half the week before. That likely paid off in $163 million in free word of mouth marketing. But a majority of consumers were not in favor. A vocal minority — 33% — even feel “disgusted” at the campaign and 29% say they will stop engaging with the Nike brand altogether. Conversely only 26% report a positive emotion in response and a mere 13% say they will start engaging with Nike more often. Yet short-term online sales spiked and in the days since the stock price has gone up, putting Nike at an all-time high market cap over $135 billion.

What’s a marketer to think? Is this the shortcut to rags or riches for Nike? To find out not what consumers will think today but how they are likely to feel — and act — toward Nike in the future we applied a new method called the consumer energy index. We have been cooking this all year long — some of you have seen sneak peeks of the method at our events this year — but we haven’t published it yet. And then Nike happened and we realized we had the perfect shot at testing the method. So excuse us for being so darn agile but this report lets some of our horses out of the barn. We think it’s worth it. We hope you read it and agree and finish wanting more information about the consumer energy index. Stay tuned!



Tuesday, 25 September 2018 15:36

Nike Scores A Customer-Values Touchdown

As a young Hollywood movie director, Martin Scorsese remembers the exact moment he decided to devote his time to historic film preservation and conservation. He had just walked out of a double-feature of the films “Niagara” and “The Seven-Year Itch,” both starring Marilyn Monroe and made just two years apart. “Niagara” was wonderfully intact and in fine condition, while “The Seven-Year Itch” was already badly faded. Since then, Scorsese and his nonprofit organization, The Film Foundation, have restored more than 800 films and made them available to movie-goers around the world, in addition to helping all people ensure their films, digital files and videos survive through careful backup and protection from catastrophes.

Managed Backup - AWS

Managed Backup – AWS is well suited to address the needs of organizations looking to update or refresh their in-house legacy backup solutions, as well as organizations starting their journey to cloud.

That’s a little what Managed Backup – Amazon Web Services (AWS) from Sungard Availability Services (“Sungard AS”) is like for today’s enterprises looking to protect and preserve their data in the cloud. Managed Backup – AWS is a fully managed, SLA-backed data protection service that allows companies to back up data from their premises to AWS, giving them a more agile backup solution than what they already have and enhancing their business resilience along the way.

Why take on the hassle of onboarding the appropriate skills, setting up and managing the process of backing up data to the public cloud when Sungard AS has the tools and expertise to do it for you more quickly, accurately and economically? Think of it as Martin Scorsese coming to your home to back up all your home movies, videos, and even your DVD collection to a secure, cost-effective, easily accessible hyperscale cloud.



Don’t Let Winter Hazards Chill Your Business

This Saturday is the first day of fall, but the proactive among us are already thinking ahead to winter and the impacts it will have on our businesses. Winter conjures up images of gently falling snow, cozy indoor gatherings, and a parade of holidays. But the advent of winter also brings up a more ominous association: the hazards that can trip up any business due to extreme winter weather. The CDC reports that winter cold kills more than twice as many Americans as summer heat.

So, slip on a sweater and let’s dive into a detailed list of what businesses need to watch out for once the temperature plummets. Spoiler alert: It’s not all icy roads and snow accumulation! Read on to identify the risks that cold weather brings so you can plan to prevent injuries and keep your employees and customers safe.



Do you know the main reasons that most Business Impact Analyses today are “Dead On Arrival”?  

I’ll tell you about bad BIAs in a moment. 

Before I do, however, I’d like to share two pieces of background information.


First, I want to remind you what a Business Impact Analysis (BIA) is and why it’s important. 

The Business Impact Analysis, you’ll recall, is when you as a member of the business continuity management (BCM) team reach out to the various units at your organization. Specifically, you conduct interviews and get them to fill in questionnaires about their operations. The object is to obtain information about the criticality of their various processes and responsibilities. This information is then used to develop recovery strategies and plans for the organization overall. 

The BIA is one of the key parts of a sound BCM program. It’s one of the organization’s main risk mitigation controls (i.e., risk reducers). It’s a foundation for everything that follows. The BIA is also one of the most visible activities the BCM team performs. It brings your team into close contact with other departments and affects what the organization thinks of you and your program. 

In short, the BIA is critical for you, your program, and your organization.



Tuesday, 25 September 2018 15:31

Top 5 Reasons Why Most BIAs Are DOA

With new IT projects coming from so many areas, it’s common to see legal IT teams struggle to implement and test an effective disaster recovery solution. To meet critical recovery requirements without having to take on additional workload, more and more firms are turning to Disaster Recovery as a Service (DRaaS).

ILTA Peer to Peer Magazine recently featured Bluelock Solutions in the case study article, “Selecting DRaaS: Taylor Porter’s Journey to a Stronger IT Stance,” that highlights how we’ve solved some of our client’s most critical IT challenges with our fully-managed DRaaS solution.

Not only can DRaaS offload cumbersome testing and daily maintenance tasks for IT-DR, it can also ensure a smooth recovery to an offsite location during both likely and unlikely events, such as weather disasters or cyber-attacks. The robust managed service methodology from Bluelock Solutions aims to help overburdened legal IT teams protect sensitive data and meet the availability demands of their firm.



In business continuity, risk is at the center of everything we do. Therefore, we thought it might be helpful to make today’s blog a primer on risk.

Most of this stuff you probably already learned at one time or another, but there’s no harm in a quick refresher course.

Read on for a quick summary of:

  • The 8 components of the Enterprise Risk Management framework
  • The 6 types of risk your business continuity management (BCM) program should consider
  • The 4 main risk mitigation strategies

As a bonus, we’ll discuss the issue of risk appetite vs. risk tolerance, and how organizations determine their risk profiles.

So keep reading to learn everything you always wanted to know about risk but were afraid to ask.



Data ops, data engineering, data development — oh my!

From new roles and teams to new skills and processes, the hot topic on everyone’s mind is data ops. I started to notice the data ops emergence back in 2015 as companies began to look at Agile development to spin up new data capabilities rapidly. Later, as data preparation entered the market, ETL developers were gravitating to these tools for quick data loading with transparency into newly formed analytics lakes. Step into today, where advanced analytics (or the sexier term, machine learning) runs in real time, and there is a lot of talk about the challenge of moving and updating analytics models from lab environments into production settings.

There is no doubt that vendors such as DataKitchen, DataRobot, and Metis Machine are all messaging and offering workbenches and capabilities to support data ops needs. And there is certainly a lot of gray area in the data platform communities of Informatica and Talend, or the data science workbenches such as CognitiveScale, that are positioned to help with the engineering and instrumentation of data pipelines and model deployments/refreshes, the goal being a one-click method to push models to production or otherwise ease the burden.



Tuesday, 25 September 2018 15:19

Is The Data Ops Workbench A Thing?

If you are thinking about investing in a modern notification system or have already implemented one as part of your emergency plan, you might be interested to know it can do much more than simply notify employees of impending danger. While many notifications may come in the form of an emergency, many may be more mundane, yet still important. There are so many uses for your notification system that it can be a versatile communication Swiss Army knife. 

The purpose of such a system is to reach all or a group of employees quickly, with real-time information, and on the channels they most use. Mass notification systems have come a long way from email and phone trees. Today, businesses can deliver messages via text message, push notifications, social media posts, and more, simultaneously. Businesses, schools, and other organizations have never been so equipped to deliver urgent messaging rapidly across every available communication channel.

As increasingly more organizations are tasked with doing more with less, eking out any cost savings can be difficult. One of the best ways to improve ROI is to extend the use of a technology beyond its original intent. Finding different uses for new systems and applications is an excellent way to get the most bang for your buck.





While many would consider a discussion about disaster recovery policies and procedures boring (I certainly don’t), in reality, policies and procedures are 110% vital to a successful DR. Your organization could have the greatest technology in the world, but without a solid plan and policy guide in place, your disaster recovery efforts are doomed to fail.

A tad hyperbolic, perhaps. But the lack of properly updated documentation is one of the biggest flaws I see in most companies’ DR plans.

A disaster recovery plan is a master plan of a company’s approach to disaster recovery. It includes or references items like runbooks, test plans, communications plan, and more. These plans detail the steps an organization will take before, during, and after a disaster, and are usually related specifically to technology or information. Having it all written down ahead of time helps streamline complex scenarios, ensures no steps are missing from each process, and provides guidance around all elements associated with the DR plan (e.g. runbooks and test plans).

Creating a plan also provides the opportunity for discussion around topics that have likely not been considered before or are assumed to be generally understood.

*Which applications or hardware should be protected?
*When, specifically, should a disaster be declared, who can make that declaration, and who needs to be notified?
*Have response-tiers been identified depending on the type of disaster?
*Which applications correspond to each tier?

The most critical condition of a successful DR plan is that it be kept updated and current—frequently. An outdated DR plan is a weak DR plan. Applications change. Hardware changes. And organizations change, both in terms of people and locations. Dealing with a disaster is hard enough, but no one needs the added pressure of trying to correlate an outdated organization chart with a current one. Or trying to map old server names and locations to existing ones. Pick a time-metric and a change-metric for when your DR plan will be updated (e.g. every six months, every year, upon a major application update to a mission-critical system). Pick some conditions and stick to them.

1) Runbooks
Runbooks are step-by-step procedure guides for select tasks within an IT organization. These reference guides are tailored to describe how your organization configured and implemented a specific technology or software and focus on the tasks the relevant teams would need to perform in the event of a disaster.

*How to start up or shut down an application/database/server.
*How to fail over a server/database/storage array to another site.
*How to check if an application/database has started up correctly.

The goal is to make your runbooks detailed enough that any proficient IT professional could successfully execute the instructions, regardless of their association with your organization. A runbook can consist of one big book, or several smaller ones. They can be physical or electronic (or both). Ideally, they are stored in multiple locations.

Nobody likes documentation. But in a disaster, emotions and stress can run very high. So why leave it all up to memory? Having it all documented gives you a reliable back-up option.

Depending on the type of disaster, it’s possible the necessary staff members wouldn’t be able to get online, specifically the person who specializes in Server X, Y, or Z. Perhaps the entire regional team is offline, and a server/application has failed. A Linux admin is available, but he doesn’t support this server day in and day out. Now suddenly, he’s tasked with starting up the server and applications. Providing this admin with a guide on what to do, what scripts to call, and in what order, might just be the thing that literally saves your company.

And if your startup is automated—first off, great. But how do you check to be sure everything started up correctly? Which processes should be running? Which log should be checked for errors? Is there a status code that can be referenced? Maybe this is a failover scenario: the server is no longer located in Philadelphia, and as such, certain configuration values need to be changed. Which values are they and what should they be changed to?

Runbooks leave nothing to memory or chance. They are the ultimate reference guide and as such should cover every detail of your organization’s DR plan.

2) Test Plans
Test Plans are documents that detail the objects, resources, and processes necessary to test a specific piece of software or hardware. Like runbooks, they serve as a framework or guideline to aid in testing, and can help eliminate the unreliable memory factor from the disaster equation. Usually, test plans are associated with Quality Assurance departments. But in a disaster, they can be a massive help in organization and accuracy.

Test Plans catalog the test’s objectives, and the steps needed to test those objectives. They also define acceptable pass/fail criteria, and provide a means of documenting any deviations or issues encountered during testing. They are generally not as detailed as runbooks, and in many cases will reference the runbooks required for a specific step. 
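The runbook questions above (which processes should be running, which log to scan for errors, which configuration values must change after a failover) and the test plan's pass/fail criteria can be written down as a small verification step that the on-call admin runs after startup. The script below is an added example, not Anexinet's code or any tool the article describes; the process names, site settings and log excerpt are constructed samples, and a real runbook would substitute its own expected values.

```python
"""Post-startup verification for a DR runbook step (added example).

Expected processes, per-site configuration values and the sample log are
constructed for illustration; a real runbook supplies its own.
"""
import re
from dataclasses import dataclass, field

# Constructed: processes the application tier must have running after startup.
EXPECTED_PROCESSES = {"ora_pmon_PROD", "ora_lgwr_PROD", "tnslsnr", "httpd"}

# Constructed: values that differ between the primary site and the DR site.
# This is the runbook's answer to "which values, and what should they be?"
SITE_CONFIG = {
    "primary": {"db_host": "db01.primary.example", "listener_port": "1521"},
    "dr":      {"db_host": "db01.dr.example",      "listener_port": "1521"},
}

# Constructed startup log excerpt with one error line.
SAMPLE_LOG = """\
2018-09-25 15:31:02 INFO  listener started on port 1521
2018-09-25 15:31:05 INFO  database PROD opened
2018-09-25 15:31:09 ERROR log writer failed to start (constructed sample)
2018-09-25 15:31:12 INFO  httpd ready
"""

# Lines with these severities count as startup errors.
ERROR_PATTERN = re.compile(r"\b(ERROR|FATAL)\b")


@dataclass
class StartupReport:
    missing_processes: list = field(default_factory=list)
    log_errors: list = field(default_factory=list)
    config_mismatches: dict = field(default_factory=dict)

    @property
    def passed(self) -> bool:
        """Pass/fail criterion as a test plan would state it: nothing missing,
        no error lines, and every site-specific value set for this site."""
        return not (self.missing_processes or self.log_errors or self.config_mismatches)


def check_processes(expected, running):
    """Return expected processes that are not in the running list."""
    return sorted(set(expected) - set(running))


def scan_log(log_text):
    """Return log lines that match the error pattern."""
    return [line for line in log_text.splitlines() if ERROR_PATTERN.search(line)]


def check_site_config(site, actual):
    """Return {key: (actual, expected)} for values wrong for the given site."""
    expected = SITE_CONFIG[site]
    return {k: (actual.get(k), v) for k, v in expected.items() if actual.get(k) != v}


def verify_startup(site, running, log_text, actual_config):
    """Run all three checks and bundle them into one report."""
    return StartupReport(
        missing_processes=check_processes(EXPECTED_PROCESSES, running),
        log_errors=scan_log(log_text),
        config_mismatches=check_site_config(site, actual_config),
    )


if __name__ == "__main__":
    # Simulates the admin checking a server that failed over to the DR site
    # but still carries the primary site's db_host value.
    report = verify_startup(
        "dr",
        ["ora_pmon_PROD", "tnslsnr", "httpd"],
        SAMPLE_LOG,
        {"db_host": "db01.primary.example", "listener_port": "1521"},
    )
    print("PASS" if report.passed else "FAIL", report)
```

On a live system the `running` list would come from the process table and `actual_config` from the application's configuration file; the point is that the runbook's expectations live in one place and the pass/fail decision is mechanical rather than recalled under stress.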

3) Crisis Communication Plan
A Crisis Communication Plan outlines the basics of who, what, where, when, and how information gets communicated in a crisis. As with the above, the goal of a Crisis Communication Plan is to get many items sorted out beforehand, so they don’t need to be made up and/or decided upon in the midst of a trying situation. Information should be communicated accurately and consistently, and made available to everyone who needs it. This includes not only technical engineers but also your Marketing or Public Relations teams.

Pre-defined roles and responsibilities help alleviate the pressure on engineers to work in many different directions at once and can allow them to focus on fixing the problems while providing a nexus for higher-level managers to gather information and make decisions.

Remember, the best DR plans prepare your organization before, during and after a disaster, are focused equally on people as well as data and computers, and their creators have taken the time and money to test, implement, and update them over time – engaging the entire company for a holistic approach.

As an Anexinet Delivery Manager in Hybrid IT & Cloud Services, Hank Yee helps design, implement and deliver quality solutions to clients. Hank has over a decade of experience with Oracle database technologies and Data Center Operations for the Pharmaceutical industry, with a focus on disaster recovery, and datacenter and enterprise data migrations.



Disaster Recovery (DR) is a simple concept that unfortunately gets quite complex real quick. At a high level, disaster recovery ensures the persistence of critical aspects of your business during or following a disaster, whether natural or man-made. How does one achieve this persistence? That’s where things can become very complex.

With regard to DR Infrastructure, when most people talk DR they want to get right into the specific nitty-gritty: what are the most optimal data protection parameters? What’s the most ideal configuration for a database management/monitoring solution? And that’s all well and good, but let’s worry about the cake first, and the frosting later.

So, let’s take it up a few levels. Within Infrastructure, you have the systems, the connectivity, and the data.

1. Systems
Production Systems
These include servers, compute power, and non-human workhorses. You use these to process your orders, make decisions, and process your business-critical data. They may be physical, virtual, or in the cloud, but you know each one by name. You start your day by logging into one and every step of your workday involves some server doing something to assist you. Without it, you lose your customer-facing website, you lose your applications, and you lose everything else that makes your business an efficient organization.

Disaster Recovery Systems
If your production systems had a twin, the DR Systems would be it. These are duplicate, regularly tested, and fully capable systems, able to take over all the work you depend on your production systems for, the moment a failure occurs. Ideally, your DR Systems are housed in a different facility than the production system and are able to run at full capacity with no assistance from the production systems.

2. Connectivity
This is how everything talks to one another. Your production systems are connected by at least two separate network switches. If you use a SAN, you will have two separate fabrics. If you use the cloud, your connection to the cloud will also be redundant. Any secondary offices, remote data centers, or remote locations also use redundant network connections. Any replication flows over these lines. Your network provides connectivity to all your production and DR systems, such that end users can access their data, systems, and applications seamlessly, regardless of the state of your environment.

3. Data
The Hot Copy
This is the data your business depends on: the active dataset that your applications, users, and databases read and write to each day. Typically, this data is RAID-protected, but further protections are necessary to ensure the data is safe.

The Backup Copy
This data set can exist in many forms, including a backup storage array, replicated storage, checkpoints, journaled file systems, etc. It is meant as a low Recovery Point Objective (RPO) option you can quickly use to restore data and handle non-catastrophic recoveries.

The Offsite Copy
This data is for long-term storage and is usually kept on a different medium than the Hot Copy and Backup Copy, including on tape, on removable media, in the cloud, or on a dedicated backup array. This data should be stored offsite and tested regularly. Additionally, this copy should be able to restore the data independent of any existing infrastructure and can be used to recover from a full disaster.
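The two properties the article asks of the copies, a low RPO for the Backup Copy and an Offsite Copy that restores independently of existing infrastructure and is tested regularly, can both be checked mechanically. The script below is an added example, not Anexinet's or any vendor's code: it writes a checksum manifest beside the copy at backup time, so that a restore test on bare infrastructure can tell missing and damaged files apart, and it measures data age against an RPO. The files and timestamps are constructed in memory; a real test would read the restored tree from disk.

```python
"""Restore test and RPO check for a backup copy (added example).

The manifest travels with the copy, so a restore can be verified with
nothing but the restored files and this script. Sample data is constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, taken_at: datetime) -> dict:
    """Written at backup time: name -> digest and size, plus the backup time."""
    return {
        "taken_at": taken_at.isoformat(),
        "entries": {name: {"sha256": sha256_hex(data), "size": len(data)}
                    for name, data in files.items()},
    }


def verify_restore(manifest: dict, restored: dict) -> dict:
    """Compare a restored file set against the manifest.

    Reports files that did not come back, files whose content changed on the
    medium, and unexpected extras; 'ok' requires nothing missing or corrupt.
    """
    entries = manifest["entries"]
    missing = sorted(set(entries) - set(restored))
    corrupt = sorted(n for n in entries if n in restored
                     and sha256_hex(restored[n]) != entries[n]["sha256"])
    extra = sorted(set(restored) - set(entries))
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "ok": not (missing or corrupt)}


def rpo_met(manifest: dict, failure_at_iso: str, rpo_hours: float) -> bool:
    """True if data lost between the backup and the failure is within the RPO."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    failure_at = datetime.fromisoformat(failure_at_iso)
    return failure_at - taken <= timedelta(hours=rpo_hours)


# Constructed sample: the Hot Copy as it looked when the backup was taken.
HOT_COPY = {
    "orders.db": b"order-table-bytes-v1",
    "config.ini": b"[db]\nhost=db01\n",
    "ledger.csv": b"id,amount\n1,9.99\n",
}
BACKUP_TIME = datetime(2018, 9, 25, 3, 0)
MANIFEST = build_manifest(HOT_COPY, BACKUP_TIME)

# Constructed sample: what came back from the offsite medium. One file was
# damaged in transit and one never made it onto the medium.
RESTORED = {
    "orders.db": b"order-table-bytes-v1",
    "config.ini": b"[db]\nhost=db0X\n",
}


if __name__ == "__main__":
    print(json.dumps(verify_restore(MANIFEST, RESTORED), indent=2))
    print("24h RPO met at 14:00 same day:",
          rpo_met(MANIFEST, "2018-09-25T14:00:00", 24))
```

Running the restore test on a schedule, against a host that shares nothing with production, is what turns "tested regularly" into evidence; a manifest that fails to verify is the signal to re-copy before a real disaster forces the question.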

With those three areas identified, your business may begin holding strategic planning sessions to determine exactly which technologies and DR path are most appropriate for your organization and applications.

Bob Gries is a Senior Storage Consultant at Anexinet. Bob has specialized in Enterprise Storage/Backup Design and Implementation Services for over 13 years, utilizing technologies from Dell EMC, HPE, CommVault, Veeam and more.



A “disaster” is defined as a sudden, unexpected event that causes great damage and disruption to the functioning of a community and results in material, economic and environmental loss that strains that community’s resources. Disasters may occur naturally or be man-made. They may range in damage, from trivial—causing only brief delays and minimal loss—to catastrophic, costing hundreds of thousands to fully recover from.

The Insurance Information Institute asserts that in 2016 alone, natural catastrophes accounted for $46 billion in insured losses worldwide, while man-made disasters resulted in additional losses of approximately $8 billion.

At some point, we all experience a disaster: car accidents, fires, floods, tornados, job loss, etc. When it comes to routine or common disasters, we generally have a good idea what our recovery plan should be. If a pipe breaks, causing a flood, you call a plumber to fix the pipe and maybe a cleaning service to mop up. When disaster strikes a business, standard plans should be in place to quickly recover critical assets so as not to interrupt essential computer systems and production.

Meanwhile, the typical enterprise IT team is constantly on guard for the standard sources of disaster: power outages, electrical surges, and water damage that has the potential to cripple data centers, destroy records, halt revenue-generating apps, and cause business activities to freeze. Since these types of disasters are so common, we’ve developed ways to recover from them quickly, we developed plans of action. But what about disasters we’ve never encountered or haven’t prepared for? Are we sure our recovery plans will save us from incurring huge costs, especially in the case of disasters we can’t predict?

In the last two decades, unforeseen disasters have hit 29 states, causing catastrophic problems for companies. Two planes crashed into buildings in lower Manhattan, wiping out major data centers. Multi-day city-wide blackouts resulted in massive data loss. Hurricanes forced cities to impose a mandatory closure of all non-essential work. These disasters not only created IT nightmares, they also exposed a whole host of DR-related issues companies had not yet even considered.

Business leaders forget how hard it is to think clearly under the stress and pressure of a sudden and unexpected event. Often, a sense of immunity or an indifference to disasters prevails, specifically toward catastrophic events, since these tend to be rare or unpredictable; so there’s no sense in pouring money into a one-off DR plan for a disaster that has a slim chance of ever occurring, right? Wrong.

A standard DR plan provides for what happens after a disaster has occurred. The best disaster recovery plan takes a holistic approach, preparing your company before, during, and after disaster strikes. Disaster recovery is as much about your people as it is about your data and computers. It’s about having a crisis communication plan (and about having plans, period). It’s about taking the time and spending the money to test and implement your DR plans. From dedicated DR personnel and DR checks to plan updates and documentation, an effective DR plan needs to engage the entire company.

So what should your DR plan look like? How will you know when it’s ready? How do you keep your DR plan from failing? Proper planning, design, and implementation of a solid DR plan can mean the difference between a downtime that lasts for days to one that’s resolved in under an hour.

As an Anexinet Project Manager in Cloud & Hybrid IT Services, Sarah Young partners with clients and engineers to ensure projects are delivered effectively and efficiently while meeting all shareholder expectations. Having deftly handled complex client issues for over a decade, Sarah excels at translating technical requirements for audiences who may not be as technically fluent.



These days, organizations must be prepared for everything and anything: from cyber-threats to natural disasters. A BC/DR plan is your detailed process foundation, focused on resuming critical business functionality while minimizing losses in revenue (or other business operations).
Business leaders forget how hard it is to think clearly under the intense pressure of a sudden and unexpected disaster event, especially one that has the potential to severely impact the success of an organization. With the number of threat vectors looming today, it’s critical to protect your organization against future threats and prepare for recovery from the worst. Below are six best practice tips for creating a BC/DR plan that encompasses all areas of your business.

1. Devise a consistent plan, and ensure all plan components are fully accessible in the event of a major disaster.
You may prepare for weeks or even months, creating the best documentation and establishing resources to run to in a time of crisis. However, those resources are useless if they’re unavailable when most needed. Many companies document their BC/DR plan in Excel, Visio, Word, or as PDFs. And while this isn’t a bad approach, the files need to be stored in a consistently available location, whether that’s in the cloud, on physical paper, or in a DR planning system. Ensuring unhindered access should be a top priority; an inaccessible BC/DR plan is just as bad as not having a plan at all.

2. Maintain full copies of critical data OUTSIDE your production region.
If your organization keeps its primary data center in Houston, don’t build a secondary backup data center 30 miles down the road. Recent events have taught us that closely located data centers are all severely impacted by disaster, and business services and data availability are hindered across nearby locations.
A general rule for maintaining a full copy of critical data and services is to keep it at least 150 miles from the primary data center. Of course, cases may exist where keeping a secondary data center close to its primary is recommended. However, these cases should be assessed by an expert consultant prior to pursuing this approach.

3. Keep your BC/DR plan up to date and ensure any production changes are reflected.
A lot may change between the inception of your BC/DR plan and the moment disaster strikes. For this reason, it should be a priority for your organization to maintain an up-to-date plan as production changes come into play.

Consider: your organization has successfully implemented a new plan, with recovery points and times all proven to work. Six months later, you’ve deployed a new application system that runs in the cloud instead of on-premises. Without an updated BC/DR plan, all your hard work would have been for nothing, since you wouldn’t be able to quickly recover anything. Keeping your plan in alignment with the production environment and practicing change management are important methods for staying on top of your latest additions.

4. Test your plan in a realistic way to make sure it works.
Without testing, a plan will never have successful execution to back itself up. In the chaos of a crisis, your untested plan will likely fail since people won’t know which parts of the plan work and which don’t. Your testing should encompass all possibilities—from a small process failing, to the entire facility being wiped out by a tornado. Included with these tests should be detailed explanations describing what’s working in the plan and what isn’t. These will develop and mature your plan over time, until business continuity is maintained even if something small is failing, and your organization doesn’t suffer any losses in revenue or customer trust. Testing also allows for recovery practice training, which will also reduce recovery time when real chaos occurs.

5. Leverage the use of virtualization.
Load-balancing and failover systems are becoming more popular in the technology sector as cyber threats and natural disasters continue to affect business operations. Ensuring users are seamlessly transferred to a secondary environment creates the illusion that nothing is actually happening to your environment, allowing users to continue enjoying your services without disruption.

6. Create your plan with the mentality that anything can happen.
Regardless of how many times you test your plan, review each recovery process, or go over the points of failure, something may still go awry when the real thing happens. Always have a trusted team or experienced partner who can assist you in covering any gaps, and swiftly pull your organization out of a jam. Be sure to compose a list of priorities and, for each one, ask yourself: if this fails, what will we need to do to recover? Assume necessary personnel are not available and even make your team trade roles during the recovery period in order to spread awareness. Keep your team innovative and sharp for when something goes wrong so at least one person is aware of the right steps to take in each specific area.

Steve Silvestri is a Consultant on Anexinet's ISG team, focusing on Cyber Security issues, including Data Loss Prevention, Digital Forensics, Penetration Testing, and Incident Response.

With the ever-growing number of social media platforms, it’s inevitable that you find yourself using at least one form of social media throughout the day. As of 2017, 77% of US adults are on social media; odds are, you are using one of them. In the professional world, social media is a great way to network, build B2B partner relationships and form avenues of communication with other individuals in your industry. Here are some interesting facts about the platform that may boost your professionalism the most: LinkedIn.

As of 2018, LinkedIn has over 500 million members. Of those members, 260 million log in monthly, and of those monthly users, 40% are daily users. That makes it a great tool to utilize in building beneficial business relationships with others in the business continuity and disaster recovery industry. In fact, amongst Fortune 500 companies, LinkedIn is the most used social media platform. Most users of LinkedIn are high-level decision makers who leverage the platform to accomplish a variety of business tasks. Whether it’s gathering news, marketing, networking, or hiring, the opportunities are endless. Ninety-one percent of executives rated LinkedIn as their number one choice for professionally relevant content. Content consumption has jumped tremendously over recent years, so it’s no longer just person-to-person interaction; it is also useful for reading and sharing business content amongst a large set of people, across many different industries, including business continuity and disaster recovery.



Wednesday, 19 September 2018 16:31

The Power of LinkedIn for BC/DR

In a recent video with DoubleHorn, InterVision’s SVP of Product Development & Strategic Alliances, Jeff Ton, explains common misconceptions that companies have surrounding security in the cloud, and struggles usually experienced when trying to match an IT disaster recovery (IT-DR) plan to the needs of business.

Ton explains that companies must take a two-pronged approach to fully protect their business against threats. Disaster Recovery as a Service (DRaaS) is one solution that establishes this holistic data protection strategy, which is why Bluelock Solutions sees so many clients approaching them. The biggest mistake he says Bluelock Solutions sees is when organizations try to adopt DRaaS without proper planning and additional perspectives in key areas. Since IT-DR isn’t a one-size-fits-all solution, Bluelock Solutions takes a holistic and tailored approach to ensure success during any given disaster scenario.



(TNS) - Rivers continued to rise out of their banks across the Carolinas on Tuesday, frustrating rescue efforts and residents hoping to return home.

North Carolina Gov. Roy Cooper and Brock Long, administrator of the Federal Emergency Management Agency, acknowledged the difficulties following a tour of flooded areas in the Tar Heel State.

“It’s really important for me to get out of D.C. and make sure we’re doing a good job,” Long said, adding that he’s pleased with what he’s seen but “the next 48 hours are going to be incredibly critical.”

“We realize there’s a lot of displaced folks and we’re doing what we can to make life better,” Long said. “It’s going to take some time for these waters to recede.”

The FEMA chief said floodwaters have hampered repair crews trying to reopen roads and restore power.



What You Need to Know

In response to widespread data privacy concerns, legislators have just passed the California Consumer Privacy Act of 2018. Here’s an overview of the new data privacy rights the law provides and what it all means for your business.

Much of the political drive behind the passage of the California Consumer Privacy Act of 2018 (CaCPA) came from major privacy scandals that have raised consumer awareness of their privacy rights and of the privacy violations major businesses have committed against their data, such as the Cambridge Analytica incident involving Facebook user data.

When the legislation goes into effect in January 2020, California will be building a path that will lead the nation regarding privacy and consumer protection issues. Its residents will be given control over their personal data. This law is not as extensive as the EU’s GDPR, but the requirements could impinge on established business models throughout the digital sector.

To prepare, organizations will need to adopt a new business strategy in which they weave privacy and security into their business model. They need to consider best practices for building trust between themselves and consumers to prepare for this and other new privacy requirements.



Wednesday, 19 September 2018 16:21

California’s New Data Protection Law

(TNS) - The sun burst through the storm clouds for the first time in days Monday, but the most terrifying threat from Hurricane Florence was yet to come.

The muddy Cape Fear River, thick with debris including entire trees, swelled to incredible heights through Fayetteville, coming uncomfortably close to bridges and inundating buildings and ravines along its banks. The river level was near 54 feet by afternoon, still shy of the peak from Hurricane Matthew in 2016 but well on its way to a projected maximum of nearly 62 feet by 8 a.m. Tuesday.

How high the river would rise, and what that will mean for thousands of homes and businesses from Harnett County to the coast, was the biggest question Monday after the dangers from flooded creeks and tributaries appeared to diminish. A mandatory evacuation order is in place for anyone within a mile of the Cape Fear in Cumberland County, a distance that comes within two blocks of the Market House.



Combining business continuity and risk management into a single operational process is the most effective way to prepare for the worst.


Combining two seemingly unrelated entities to make a better, more useful creation is a keystone of innovation. Think of products like the clock radio and the wheeled suitcase, or putting meat between two slices of bread to make a sandwich, and you can see how effective it can be to combine two outwardly disparate things.

This viewpoint is useful in many scenarios, including in the business realm, especially when it comes to protecting a business from risk. Many companies treat risk management and business continuity as different entities under the same workflows, and that is a mistake; to be optimally effective, the two must be combined and aligned.

Mistaken Approaches

Business continuity traditionally starts with a business impact assessment, but many companies don’t go beyond that, making no tactical plan or strategic decisions on how to reduce impact once they have identified what could go wrong. The risk management process has been more mature, identifying various ways to treat problems, assigning each to someone, and trying to reduce the likelihood of the event occurring, but not doing much to reduce the impact of the event.

Organizations must move beyond simplistic goals of creating a business continuity plan using legacy business continuity/disaster recovery tools, or demonstrating compliance to a standard or policy using legacy governance, risk management and compliance software tools. Those approaches incorrectly move the focus to, “do we have our plans done?” or create a checklist mentality of, “did we pass the audit?” 

In addition to legacy approaches, benchmarking must be avoided, because it can provide misleading conclusions about acceptable risk and appropriate investment, and create a false sense of having a competitive advantage over others in the industry. Even companies in the same industry should have their own ideas about what constitutes risk, because risks are driven by business strategy, process, how they support customers, what they do, and how they do it.

Take the retail industry. Two organizations may sell the same basic product – clothing – but one sells luxury brands and the other sells value brands. The latter store’s business processes and strategies will focus on discounts and sales as well as efficiencies in stocking and logistics. The former will focus on personalized service and in-store amenities for shoppers. These two stores may exist in the same industry and sell the same thing, but they have vastly different types of merchandise, prices and clientele, which means their shareholder value and business risks will look very different from each other.

Businesses need to understand levels of acceptable risk in their individual organization and map those risks to their business processes, measuring them based on how much the business is impacted if a process is disrupted. By determining what risks are acceptable, and what processes create a risk by being aligned too closely to an important strategy or resource, leadership can make rational decisions at the executive level on what extent they invest in resilience – based not on theory, but on reality.

Creating an Integrated Approach with the Bowtie Model

Using the bowtie model, organizations can appropriately marry business continuity and risk management practices.

The bowtie model – based on the preferred neckwear of high school science teachers and Winston Churchill – uses one half of the bow to represent the likelihood of risk events and the other half to represent mitigation measures. The middle – the knot – represents a disaster event, which may comprise disruptions like IT services going down, a warehouse fire, a workforce shortage or a supplier going out of business.

To use this model, first determine every possible disruption to your organization through painstaking analysis of your business processes. Then determine the likelihood of each disruption (the left part of the bow), as well as the mitigating measures one can take to reduce the impact of the disruption should it occur (the right part of the bowtie).

Consider as an example the disruptive event of a building fire – the “knot” in this case. How likely is it? Was the building built in the 1800s and made of flammable materials like wood, or is it newer steel construction? Are there other businesses in the same building that would create a higher risk of fire, such as a restaurant? Do employees who smoke appropriately dispose of cigarettes in the right receptacle?

On the other half of the bowtie are the measures that could reduce the impact of a building fire, such as ensuring water sources and fire extinguishers throughout the building, testing sprinkler systems, having an alternate workspace to move to if part or all of the office is damaged during a fire, and so on.

The mitigating measures are especially key here, as they aren’t always captured in traditional insurance- and compliance-minded risk assessments. Understanding mitigation measures as well as the likelihood of risk events can change perspectives on how much risk an organization can take, because the organization then will understand what its business continuity and response capabilities are. Mitigation methods like being ready to move to an alternate workspace are more realistic than trying to prevent events entirely; at some point, you can accept the risk because you know how to address the impact.

A Winning Combination

Where risk management struggles is where business continuity can shine: understanding what creates shareholder value, what makes an organization unique in its industry among its competitors, and how it distinguishes itself. Alternately, risk management brings a new perspective to the idea of business continuity by focusing on types of disruptions, their likelihoods, and how to prevent them.

To create a panoramic view of where an organization can be harmed if something bad happens, businesses must merge the concepts of business resilience (dependencies, impacts, incident management, and recovery) and risk management (assessment, controls, and effectiveness) and optimize them.

Bringing the two views together and performing holistic dependency mapping of the entire ecosystem allows an organization to treat both as a single operational process, bringing data together to create actionable information (based on the “information foundation” the company has created about impacts to business operations that can result from a wide variety of disruptions and risks) to empower decisive actions and positive results.

Using the bowtie method to create this holistic view, companies get the best of both worlds and ensure they understand the possibilities of various disruptions, are taking steps to mitigate the possibilities of disasters, and have prepared their responses to disasters should they strike. This approach to risk management will help keep a business up and running and ensure greater value for shareholders – this year and in years to come.


Robert Sibik is senior vice president at Fusion Risk Management.

(TNS) - As Onslow County communities turn to cleanup and recovery efforts, many areas will still be dealing with impacts of river flooding.

“Flooding is a main concern right now. We’re getting a lot of rain and it has nowhere to go,” said meteorologist Victoria Oliva with the National Weather Service in Wilmington.

Oliva said Wilmington was getting some of the heaviest rains Saturday night as Florence, downgraded from hurricane to tropical storm, has stuck around over the area with little movement.

“Florence is moving through really, really slow,” she said.



We talk a lot about flood insurance at I.I.I. for at least two good reasons:

  • It’s the most common and costly natural disaster in the United States, with billions of economic losses every year. According to the National Flood Insurance Program (NFIP), 90 percent of natural disasters in the U.S. involve flooding.
  • A 2016 I.I.I. survey found that 43 percent of US homeowners incorrectly think that heavy rain flooding is covered under their homeowners insurance – and only 12 percent had flood insurance.

Floods happen. Regularly. Even if you’re not in a flood zone – and even if you’re not usually in the path of a hurricane. If your home gets flooded, it will be a financial and emotional nightmare: FEMA argues that only 1 inch of water can cause $25,000 of damage to your home.



Monday, 17 September 2018 14:32


Everyone in business continuity knows about risk mitigation controls, but do you know which ones are most important, according to the experts? That’s the topic of today’s blog.


Before we get started, I’d like to give a pop quiz. Do you know which of the following pieces of home fire-safety equipment is the most important, according to firefighters?

  • Fire escape plan
  • Fire escape ladder
  • Class A fire extinguisher (for trash, wood, and paper)
  • Class B fire extinguisher (for liquids and grease)
  • Class C fire extinguisher (for electrical equipment)
  • Combination fire extinguisher
  • Bucket
  • Flashlight
  • Smoke detector

Which is the second most important? Which third? Which least? Don’t you agree it would be good to know?



Friday, 14 September 2018 16:08

The Top 7 Risk Mitigation Controls, in Order

Over the past several weeks, we have been discussing duty of care at work—what it is and what it means for your organization. We have hinted that there is a legal component to duty of care as well. In fact, duty of care originated as a legal concept, and there is a wealth of duty of care case law.

But the sheer amount of case law can be overwhelming. In this post, we will summarize the key concepts you need to understand to protect your company from liability—by covering the key cases in the development of duty of care law.

We will focus on US duty of care case law. But take care—if your company operates internationally or if your employees travel abroad, you need to know the legal expectations abroad as well. More often than not, European countries have even more stringent duty of care laws. So it is best (as always) to be over-informed and over-prepared.

With that said, let’s dig in to the key cases!



Friday, 14 September 2018 16:07


The most important thing you can do for your business when a hurricane is days away from landfall is evacuate. When faced with storm surges, torrential rains, and 100+ mph winds, the best advice is to get yourself, your family, and your employees as far away from the path of the storm as possible.

Ideally, hurricane preparedness for businesses should start months ahead of time, long before hurricane season even arrives.  For business-critical employees, it is important that you have access to alternate workplace facilities, ideally one that you have contracted for ahead of time in preparation for this type of situation.

But there are several things every business can do even if you haven’t fully prepared for the worst-case scenario.



Keep Your Mobile Employees Safe

Your employees depend on you for more than a paycheck. They put in their blood, sweat and hopefully no tears to earn that paycheck, but also have an inherent faith that the company to whom they devote so many of their hours has their best interest at heart. Providing for their safety while driving is part of your employer’s duty of care. 

There are several driving tips for employees who may be part of your mobile workforce. While they most often come to you with driving experience under their belts, ensuring their safety is a responsibility that lies squarely on the employer. The U.S. Department of Labor says it best:

“You need a driver safety program that must work to change driver attitudes, improve behavior, and increase skills to build a ‘be safe’ culture. By instructing your employees in basic driving practices and then rewarding safety-conscious behavior, you can help your employees and their families avoid tragedy. Employees are an employer’s most valuable asset. Workplace driver safety programs not only make good business sense but are also a good employee relations tool, demonstrating that employers care about their employees.”



Friday, 14 September 2018 16:04


Building an Effective TPRM Framework

The GDPR imposes new rules on organizations to protect EU individuals’ personal data. Banks are responsible for EU personal data managed by their third parties, but are they ready to manage their third-party risk and comply with the GDPR? This article discusses GDPR requirements to strengthen banks’ third-party risk management.

General Data Protection Regulation (GDPR) Overview

The GDPR is a European law that will act as the primary regulation on how companies protect European Union (EU) citizens’ personal data. This law became effective on May 25, 2018 and extends the data rights of individuals, requiring organizations to take more steps to protect citizens’ data with them or with their third parties by taking the following steps:

  • Developing privacy policies and procedures to protect personal data
  • Adopting appropriate technical and organizational safeguards to protect the individual’s right to privacy



Sometimes business continuity or BCM standards can go from making your program better to holding it back. This can happen if you use the wrong standard or take the wrong approach to aligning with it.

In today’s blog, we’ll talk about how your BCM standard can sometimes be more of a hindrance than a help. We’ll also share five questions you can ask yourself to see whether your approach to adopting a BC standard might be causing more problems than it solves.



When thinking about handling compliance at scale, creating a global framework can allow the organization to grow without limit.

How challenging is it to work in compliance these days? World-class compliance experts from TMF Group share their views. This is the second part of the series 5 truths about global compliance. Read the first part here and download the paper to read the full version. 

In 1956, the cognitive psychologist George A. Miller of Princeton University published a paper called “The Magical Number Seven, Plus or Minus Two.” It became one of the most cited scientific papers of all time. Miller’s idea was that the maximum number of objects a human can keep in short-term memory is seven, plus or minus two. Beyond this, the “working” category of memory struggles to retain the information. The Magic Number therefore can hold true for digits, playing cards, and potentially where golf balls are hit on a driving range.

The Magic Number exemplifies what we know, but beyond a certain degree of complexity we need a formal system to cope.

There is a close parallel with compliance. Above a threshold of complexity an improvised approach will collapse. The mind becomes overloaded and when this happens, errors can creep in. In a multinational organisation with dozens of entities to manage, each unique, the compliance function can soon be reduced to chaos.

When thinking about handling compliance at scale, and where possible, creating a global framework can allow the organization to grow without limit.



Thursday, 13 September 2018 14:55

Organizations Need A Global Compliance Framework

If you live in the projected path of Hurricane Florence, you should be prepping your home and finalizing your emergency and evacuation plans.

Here are some Dos and Don’ts to consider for prepping and riding out the storm. 



Wednesday, 12 September 2018 14:21


Engaging Training for Workplace Safety

Given the recent prevalence of gun violence, businesses and organizations should conduct training and practice emergency response procedures for an active shooter with the same frequency as fire drills or other emergencies. Compliance training should be engaging, and emergency procedures need to be second nature so that staff are equipped to respond effectively under stress.

According to Maslow’s Hierarchy of Needs, safety is at the bottom of the pyramid; it’s seen as a basic, standard need for every individual. More recently, however, it appears that safety has been compromised with active shooter situations across the United States and is continuously appearing across the news headlines. In fact, recent FBI data shows a dramatic increase in annual active shooter incidents, with 250 incidents occurring from 2000 to 2017. Moreover, according to the FBI, seven out of 10 active shootings take place in schools and businesses. These sobering statistics serve as proof points for why education institutions and businesses must be proactive and prepared for potential active shooter situations.

While the debate rages about what needs to be done at a macro level, I urge leaders across varying industries to work together to find common ground and take action – and to remember that even small steps eventually lead to significant changes. In the learning and development (L&D) industry, compliance training has always had the mission of keeping people safe, and part of that is helping your employees know what to do in the event of an emergency.

While it is never pleasant to think about worst-case scenarios, it is imperative that all businesses and organizations have an emergency action plan (EAP) in place. An EAP not only outlines the responsibilities and what to do in a high-stress situation, but also results in faster response times and gives employees a level of security because they know what to do and how to respond. Most employers have an EAP to cover fires, earthquakes and tornados, but few employers consider what to do if there is a violent attacker or active shooter in the office.



Wednesday, 12 September 2018 14:19

Preparing For An Active Shooter Scenario

No plan survives contact with the enemy, says the old adage, but this is precisely what is often expected from business continuity plans. A new Continuity Central survey looks into business continuity plan success rates and attempts to uncover the best ways to debrief after an incident.

Please take part at https://www.surveymonkey.co.uk/r/BCPperformance - it should take you less than five minutes and the results will be published on Continuity Central for the benefit of the wider profession.

Since this survey is potentially sensitive, it is completely anonymous and IP addresses are not collected.



Wednesday, 12 September 2018 14:17

Business continuity plan performance

(TNS) - The National Hurricane Center issued its first set of Hurricane and Storm Surge Watches Tuesday for the East Coast as Hurricane Florence continues its trek toward North Carolina.

The “extremely dangerous major hurricane” is predicted to hit the coast late Thursday or early Friday morning, dropping as much as 30 inches of rain in some areas and wind gusts in the 140 mph range, says the National Hurricane Center.

Part of the danger may come later in the week, due to increased fears Florence “will slow considerably or stall, leading to a prolonged and exceptionally heavy and dangerous rainfall event Friday-Sunday,” says the Center on Tuesday.

As of 11 a.m. Tuesday, Hurricane Florence had maximum sustained winds of about 130 mph, a slight weakening from earlier in the morning.



Nearly three years after the official launch of the post-2015 agenda, which plots the path for a better world by 2030, people are still grappling with how to make the ambitious Sustainable Development Goals (SDGs) a reality. But perhaps the ambitious nature of the SDGs should give us some valuable clues on how to go about it. The new partnerships and collaborations encouraged by the goals represent a starting point for making the 2030 Agenda a truly global endeavour.

As a major operational hub of the international system, Geneva brings together many actors who play a key role in implementing the Sustainable Development Goals (SDGs). ISO’s long-established history of collaboration with the United Nations (UN) has been essential to tackling some of the world’s most global challenges and will continue to be a transformative force in the future, as we pursue the roadmap for 2030.

Today, we are facing more complex and interconnected global challenges. Often, even the most local problem has a wider dimension. This is why a multi-stakeholder approach to sustainable development is pivotal in guiding our collective work by 2030.

ISOfocus sits down with Michael Møller, Director-General of the United Nations Office at Geneva (UNOG), to address some of the key issues facing our world today, and how we should approach them, as well as the power of standards to make a difference.



Wednesday, 12 September 2018 14:14

Our common roadmap

The first official Post-Mortems are starting to come out of Microsoft in regards to the Azure Outage that happened last week. While this first post-mortem addresses the Azure DevOps outage specifically (previously known as Visual Studio Team Service, or VSTS), it gives us some additional insight into the breadth and depth of the outage, confirms the cause of the outage, and gives us some insight into the challenges Microsoft faced in getting things back online quickly. It also hints at some features/functionality Microsoft may consider pursuing to handle this situation better in the future.

As I mentioned in my previous article, features such as the new Availability Zones being rolled out in Azure might have minimized the impact of this outage. In the post-mortem, Microsoft confirms what I previously said.

The primary solution we are pursuing to improve handling datacenter failures is Availability Zones, and we are exploring the feasibility of asynchronous replication.

Until Availability Zones are rolled out across more regions the only disaster recovery options you have are cross-region, hybrid-cloud or even cross-cloud asynchronous replication. Software based #SANless clustering solutions available today will enable such configurations, providing a very robust RTO and RPO, even when replicating great distances.

When you use SaaS/PaaS solutions you are really depending on the Cloud Service Providers (CSPs) to have an ironclad HA/DR solution in place. In this case, it seems as if a pretty significant deficiency was exposed and we can only hope that it leads all CSPs to take a hard look at their SaaS/PaaS offerings and address any HA/DR gaps that might exist. Until then, it is incumbent upon the consumer to understand the risks and do what they can to mitigate the risks of extended outages, or just choose not to use PaaS/SaaS until the risks are addressed.



Wednesday, 12 September 2018 13:58


Recently, Security Magazine published an article discussing ways to address patient violence in healthcare facilities and hospitals.

The article draws on sobering statistics that reveal how violence that stems from patients and patient visitors produces both considerable risk and concern in the healthcare industry.

The American College of Physicians notes that healthcare workers are at an increased risk for workplace violence. From 2002 to 2013, workplace violence incidents that required days off for injured workers to recuperate were, on average, four times more common in healthcare than in private industry.

In a 2017 report, the ACP also notes that beyond the human toll, workplace violence in the hospital takes a financial toll. Hospitals spent approximately $1.1 billion in security and training costs to prevent violence within their facilities, plus $429 million in medical care, staffing, indemnity and other costs related to violence against hospital workers.

Communication about how to manage incidents



Cybersecurity can be a magnet for myths. Attacks emerge and cripple system availability or swipe data quickly and unexpectedly. It happens so fast that the myths so many of us hold onto as facts are only exposed in the aftermath of an attack.

While many cybersecurity myths persist, some are more damaging than others. Let’s examine four common cybersecurity myths and their impact on risk.



Technology Modeling – the eBRP Way

Technology modeling is a point-in-time snapshot of an Enterprise’s IT Services – including its dependencies on infrastructure – and interfaces to other services and Business Processes which depend on them. This organizational Technology Model provides executives the critical decision support they need to understand the impacts of a service disruption.



Tuesday, 11 September 2018 14:48


Could It Have A Bigger Impact Than More Famous Legal Siblings?

The California Consumer Privacy Protection Act and the GDPR went into effect earlier this year, and New York state is following suit; last week marked the compliance deadline for the NY DFS cybersecurity regulations. Compared to the broad provisions of the GDPR and CPPA, the New York regulation makes clear that efforts to improve cybersecurity are not an option. James Lee, Executive Vice President of Waratek, discusses.

When the history of summer 2018 is written, the chapter on data protection and privacy will be dominated by the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CaCPA – aka California GDPR). Both represent a seismic shift in how the business community manages and protects consumer information, and both – if you read the fine print – will ultimately force more action on cybersecurity.

Less attention has been paid to the September 4, 2018 compliance deadline for New York’s Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). Yet, in practical terms, the New York regulations have a far more immediate impact on businesses and greater potential to improve cybersecurity outcomes that will ultimately benefit consumers.



Tuesday, 11 September 2018 14:45

New York’s Bold Move To Improve Cybersecurity

When the topic of energy efficiency comes up, energy-efficient machine tools don’t immediately spring to mind. Yet machine tools contain motors and auxiliary components whose energy demand varies widely during machining operations. Happily, a new series of ISO standards can help measure energy supplied and improve machine design and performance.

Machine tools are complex power-driven industrial devices employed to manufacture ready-for-use parts or semi-finished products. Encompassing a whole array of tools for cutting and forming metal, wood and plastics, and all their accessories, machine tools are used by companies in a variety of sectors like the automotive industry, general machinery, precision engineering, the medical sector, transport, aerospace, and dies and mould.

Machine tools obviously use different forms of energy, such as electrical energy, compressed air, hydraulic energy, energy hidden in the cooling and lubrication system, etc. Therefore, the energy demand of a machine tool is considered key data for investment, but it does not stand alone. The performance of a machine tool is multidimensional regarding its economic value, its technical specification and its operating requirements, which are influenced by the specific application. This is why the ecological footprint is a common challenge for all these products and, as natural resources become scarce, environmental performance criteria for machine tools need to be defined and the use of these criteria specified.

ISO has recently published the first two parts of a new International Standard for the environmental evaluation of machine tools, which proposes to analyse machine tools with regard to the delivered functions in order to highlight the commonalities in the huge variety of existing machine tool types.



Tuesday, 11 September 2018 14:43

New ISO standards for greener machine tools

Have you read or started to use the ISO 22330 business continuity management standard? Andrew Lawton explains what it is and why it is important that organizations take notice of it.

ISO 22330, a new business continuity management standard providing ‘Guidelines for people aspects of business continuity’ was launched in June 2018, filling a gap in existing standards.

ISO 22330 takes a huge step forward in business continuity standards and is a well thought out and well put together document giving guidance on managing people before, during and after a disaster.

The standard focuses on the duty of care that organizations have, to ensure staff wellbeing at these times. It emphasises that this duty extends to psychological, not just physical, safety.



Writing incident management objectives is an art that needs to be taught and practised and should be included as an aspect of business continuity exercises. In this article Charlie Maclean Bristol shares some advice on the subject.

During an incident, it is seemingly obvious that your objective is to solve the problem and return the organization back to normal as quickly as possible. This is possible in some incidents, but in many circumstances the organization may be changed by the incident and when the incident has been resolved, the organization may not be the same as it was before the incident began. Some incidents may be so catastrophic that the objective may just be for the organization to survive!

If we look at the ongoing high-profile TSB incident, where the bank locked a large number of their customers out of their accounts during a botched upgrade, they have lost customers and their reputation has suffered greatly. When the incident is finally over, they will be a different organization with fewer customers, so the objective to return to where they were prior to the incident is not achievable for them. Success for them and their incident’s objective could be, for example, to retain 70 percent of their customers and to minimise the regulatory fine after the event.

For each incident, once the organization is able to understand the extent of the issue, top management or the strategic team should write an overall objective for what the organization is trying to achieve during their response. Another way to look at this is to try and determine ‘what success looks like’.



(TNS) - Just beyond the fence at John Vega’s house in the Evergreen Mobile Home Park lie rotting planks of wood, embedded firmly in the ground.

The boards were dumped in this neighborhood 50 miles northeast of Denver by torrents of water that surged from the Little Thompson River five years ago this week, during what is now deemed the state’s costliest natural disaster. The detritus behind his house reminds Vega each day of the struggle he endured trying to come back from the flood of 2013 — blamed for taking nine lives, destroying 1,852 homes and causing $4 billion in damage across two dozen Colorado counties.

“I made it,” the 63-year-old retired construction worker, who lives in Milliken with his wife and two grandchildren, said with conviction as tears welled in his eyes. “I feel happy because I made it.”

The interior of Vega’s home today betrays no sign of the storm, which dumped a year’s worth of precipitation in less than a week as summer came to a close in 2013. Creeks and rivers running east from the mountains swelled and widened, mercilessly plowing over roads and bridges, through neighborhoods and across farm fields — hitting Boulder, Weld and Larimer counties the hardest.



Yesterday morning I opened my Twitter feed to find that many people were impacted by an Azure outage. When I tried to access the resource page that described the outage and the current resources impacted even that page was unavailable. @AzureSupport was providing updates via Twitter.

The original update from @AzureSupport came in at 7:12 AM EDT


Looking back on the Twitter feed it seems as if the problem initially began an hour or two before that.


It quickly became apparent that the outage had a more widespread impact than just the SOUTH CENTRAL US region as originally reported. It seems as if services that relied on Azure Active Directory could have been impacted as well, and customers trying to provision new subscriptions were having issues.



Today’s post is the third in our three-part series on how chaos engineering might one day help us get better at business continuity and disaster recovery.

In the first post, “What Is Chaos Engineering and Why Should I Care?,” I gave a general introduction to CE. In the second, “Chaos Engineering and Business Continuity,” I talked about how CE could help companies test and strengthen the resiliency of their business processes.

To wrap things up, I’m going to talk about ways CE could potentially help organizations strengthen their Information Technology/Disaster Recovery (IT/DR) environments.

Before we get started discussing chaos engineering and disaster recovery, I’ll give a thumbnail sketch of CE, for the benefit of those who are just joining us.



Friday, 07 September 2018 14:01

Chaos Engineering and Disaster Recovery

As a company with remote and lone workers, it’s up to you to ensure their work environment is safe and their job does not put them in harm’s way. OSHA is clear about employers’ responsibilities:

  • Provide well-maintained tools and equipment, including appropriate personal protective equipment
  • Report to OSHA within 8 hours of accidents that result in fatalities
  • Provide medical examinations
  • Provide training required by OSHA standards
  • Report to OSHA within 8 hours of accidents that result in hospitalization of three or more employees
  • Keep records of work-related accidents, injuries, illnesses, and other causes
  • Post prominently the OSHA poster informing employees of their rights and responsibilities
  • Provide employees with access to their medical and exposure records
  • Do not discriminate against employees who exercise their rights under the OSH Act
  • Post OSHA citations and abatement verification notices at or near the worksite
  • Abate cited violations within the prescribed period
  • Respond to survey requests for data from the Bureau of Labor Statistics, OSHA, or a designee of either agency



Friday, 07 September 2018 14:00


Shifting from Traditional to Digital Contract Terms

By leveraging digital technology, outsourcing providers … This is a fundamental change in outsourcing that will require fundamentally different contract terms. Brad Peterson discusses the difference between traditional and digital contract terms in this video. Here, Rebecca Eisner, Daniel Masur and Brad Peterson further explore the history – and future – of outsourcing.


The future of outsourcing is digital. Outsourcing providers will increasingly use digital systems to offer faster, smarter, better and cheaper services. Functions currently performed by people will increasingly be automated. Outsourcing contracts built on the traditional assumption that the services are provided by people supported by tools will be fundamentally changed to reflect that the services are provided by digital tools supported by people.

Traditional Outsourcing in the Rear View Mirror

Traditional outsourcing started with IT specialists running massive computing equipment in data centers in the 1960s using knowledge and skill developed from serving numerous customers. Later, outsourcing innovators found ways to use shared service centers to have teams of people deliver a wide range of business processes to many customers.

When low-cost global connectivity became available, outsourcing innovators created shared service centers using people in low-cost locations to share the benefits of those services across a global customer base. More recently, advances in grid computing and virtualization allowed outsourcing innovators to share use of standardized IT infrastructure in what has been called “cloud” and cloud-based software in one-to-many “Software as a Service” (SaaS) models.

Adoption cycles for new types of outsourcing have begun with waves of small, innovative deals, including pilot projects and deals with previously unknown players. In the offshoring era, buyers were puzzled by, and later embraced, previously unknown Indian companies. The cloud era surprised buyers with new leadership from an online bookseller, a software company and a search engine provider, along with hundreds of venture-funded point-solution SaaS providers. As integration challenges increase and some providers develop winning solutions, leading providers have emerged.

Each new type of outsourcing has added a lane to outsourcing instead of fully replacing prior types of outsourcing. For example, customers continue to outsource data center management. With each new lane, the ecosystem of outsourcing providers and advisors has pivoted (successfully thus far) to find new ways to deliver the next 10 percent to 30 percent of customer savings and value using new processes and technologies, while outsourcing lawyers have found contractual and compliance solutions to address the new risks in the new lane.



Friday, 07 September 2018 13:58

The Future Of Outsourcing

The collapse of the Twin Towers on Sept. 11, 2001 claimed the lives of 2,763, including 343 firefighters and paramedics, 23 police officers and 37 Port Authority officers. But the carnage was far from over when the toxic dust had settled and been cleaned up.

Today, people who were around the World Trade Center buildings that day and the days that followed, are sick and dying, including many first responders.

According to the World Trade Center Health program, almost 10,000 people have gotten cancer from the dust and smoke on 9/11 and afterward until the area was cleaned up.



So what security features should we be asking and planning for to protect data that will become information that can be used for and against everyone, both today and in the future?


With IoT devices encompassing just about everything – refrigerators, washers, dryers, drones, security cameras and the like – the amount of data created by these devices is going to exceed the bandwidth of the internet. There is just not enough fiber and bandwidth between just about everywhere and cloud providers. This means we are going to have to start processing and storing data near its creation point and pushing what is needed or legally required to clouds of the future. So what security features should we be asking and planning for, at home and work or near your local repository data, to protect data which will become information that can be used for and against everyone, both today and in the future?



Do you know the book “Don’t Sweat the Small Stuff”? Today’s post is about sweating the big stuff.

It lays out the five things that matter most for the success of your organization’s business continuity management (BCM) program.


Most business continuity managers are extremely detail-oriented. They have to be to do their job. If BCM teams don’t sweat the details of what they do, then their work is probably not very good and whatever plans they have made can probably not be relied upon.

However, everyone has the defects of their good points. Sometimes, people who are very detail-oriented can become focused on the wrong or less impactful items.

Imagine that you have been in a fender bender caused by another driver. The detail-oriented person gets out and carefully takes pictures of all of the scrapes on their car caused by the collision. The overly detail-oriented person does the same thing while not realizing that the front half of their car is hanging off a cliff.

By this definition, there are a lot of overly detail-oriented people on BCM teams!

We at MHA have found over the years that many BCM programs are obsessing over minor dents and scrapes at the same time as their programs are hanging off a cliff, so to speak.

With all that in mind, we thought it would be worthwhile to remind you about what really matters when it comes to business continuity management.



Consumer reviews play an increasingly strong role in purchasing decisions, but with a plethora of platforms and opinions, whose view can you trust? A new standard just published aims to put some order into the process and restore our faith.

Both a bane and a boon for companies, online reviews are often the first port of call for consumers and the Internet is now awash with websites dedicated to the evaluation of everything from restaurants to lawyers. And we love them. A Forbes study showed that 90% of consumers read online reviews before visiting a business and those reviews impact 67% of purchasing decisions.

Yet, for as many reliable reviews, there are just as many that are less so, with controversies around fake reviews, customers with an axe to grind, companies modifying or screening notes to weed out bad testimonies, false negative reviews written by competitors and other “dodgy dealings” that erode trust in the whole process.

A new ISO standard just published aims to change all that by detailing requirements for organizations to effectively manage consumer review sites and featuring recommendations that will help increase consumer trust and protect suppliers from exploitation.



Thursday, 06 September 2018 14:09

Putting the trust back into online reviews

There’s no way around it: If your organization is based in a hurricane zone, you need an effective emergency communications plan.

Consider the fact that fallout from the 2017 hurricane season, with a staggering $282.16 billion in losses, still affects some communities. The 2018 season is poised to be above average.

Before a storm hits, assess your emergency communications plan. Hurricane preparedness is the best way to mitigate any storm-related losses. Create a process that extends timely, efficient communication from before a storm is detected all the way through recovery efforts.

Solidify and activate your plan before a storm

Evaluate your plan before a hurricane strikes; create a plan if you don’t have one. Even an average hurricane season has enormous potential for damage. Your plan should include a mass notification system that lets you quickly send messages via automated phone messages, emails and text messages. Prepare templates that are ready to go for each type of message.

Pre-storm activities include training and drills, so employees are familiar with your plan and your notifications. Practice minimizes confusion. Employees will know they can trust your notifications to provide clear, useful information at every phase of a storm.



Compliance Considerations when Obtaining Data from a Third Party


Companies obtain data from an increasing number of sources. Some of these sources are under contracts titled “data license agreements,” but most are under other types of agreements. Those other agreements might include subscription agreements, website terms of use, outsourcing agreements, purchase and sale agreements, alliance agreements and other commercial agreements.

Data acquired from third parties generally come with license and use restrictions and may come with restrictions that attach to personal data. In some cases, the license terms associated with the data are subject to significant negotiation. In other cases, however, a company accepts license terms with little thought as to whether they are aligned with the anticipated handling and use of the data.

To ensure compliance with applicable license terms, each item of licensed data must be linked to its source and to the specific terms on which the data was obtained. Unfortunately, data is often not tracked at all, or the data provenance is lost when the data flows into a database or from one database into another. The danger, of course, is that data is used in ways and for purposes not contemplated by the license. This can result in license breaches, privacy law violations, intellectual property violations and regulatory compliance failures.



Wednesday, 05 September 2018 14:42

Data Licensing—Tips And Tactics

(TNS) - Tropical Storm Gordon should be the baptism for Mobile County's brand-new, state-of-the-art Emergency Operations Center -- but a snag being blamed on AT&T will keep it out of commission.

"The building itself is completed and operational," said Mike Evans, deputy director of the Mobile County Emergency Management Agency. "Our data and our phones are not up and running."

Consequently officials will once again work from the older facility that the new one was built to replace.

When county officials held a grand opening for the $10.5 million facility back on June 1, the first day of hurricane season, a common theme was that it had been a long time coming. County commissioners, EMA leaders and others have described the old EOC as being too small and lacking support for modern communications equipment.



Are the AI apps organizations have deployed actually delivering benefits? That’s a question Curt Hall has had for some time. The latest results from Cutter Consortium’s ongoing survey examining the adoption and application of AI technology in the enterprise holds some answers.

Our research has found that while most (45%) organizations report that it’s still too early to determine or measure any real benefits from their AI deployments, just under 30% are already realizing measurable benefits from their applications. Conversely, just under 20% say they are not currently benefiting from their AI application deployments.



Wednesday, 05 September 2018 14:40

Are AI Apps Delivering Benefits?

(TNS) - As part of National Preparedness Month, West Virginians are encouraged to become prepared in case of an emergency.

The American Red Cross West Virginia Region urges everyone not to wait until an emergency occurs and it’s too late.

“We strongly encourage you to take steps now to prepare,” said Courtney Clark, Executive Director for Southeast West Virginia. “We see disasters often this time of year, so it is vital for you and every member of your household to have a plan.”

Whether the emergency is a home fire or a hurricane, the situation may force you to leave your home. The Red Cross offers the following 10 steps to be prepared if the emergency makes it unsafe to remain at home:



New IFRS 16 legislation could make long-term office space lessees look for more flexible solutions, says Alexander Garrett

Ships and planes, oil rigs and trains, shops and hotels – they all have one thing in common. Businesses have snapped up these valuable holdings in recent years through operating leases, as part of a massive spending splurge that has allowed companies to get their hands on the asset without having to put it on their balance sheet. Starting January next year, that will come to a halt when the introduction of a new international accounting standard – IFRS 16 – means that lease contracts will have to be reported as liabilities in company accounts and can no longer be hidden.

And, in case you’re wondering what this has to do with you, here’s another item that can be added to that list: offices. If your organization (as with most) doesn’t own the majority of its workspaces but leases them on a long-term contract, then you’ll have to declare those liabilities in full starting next year. For companies where corporate real estate is one of the biggest outlays, that’s going to make waves on the balance sheet – in some cases dramatically increasing the company’s level of borrowing.

What it will mean, in short, is that it’s time for a reappraisal of your leasing portfolio. Many believe that the innocuously named IFRS 16 will be the catalyst for a move away from long-term leases, and will accelerate the trend towards short-term, flexible workspaces that aren’t covered by the new standard.



Are voice assistants intelligent enough to work in an office environment? Not quite, says Sam Shead. But it won’t be long…


“Alexa, email John in HR and ask him if he’s free to discuss my promotion next Tuesday.”

“Siri, please can you print this page for me?”

“Cortana, open a new Excel spreadsheet and work out the standard deviation of my latest sales figures.”

“Hey Google, ask our T-shirt manufacturing machine to make 20 large unicorn T-shirts.”

These are just some of the demands people could soon be making of artificially intelligent (AI) voice assistants, which have advanced rapidly in recent years thanks to breakthroughs in machine learning and natural language understanding, alongside the proliferation of cloud computing.

The idea of talking to voice assistants so casually at work may give some people the creeps, but research suggests these smart assistants could start to become as commonplace in the office as a kettle or a stapler in the next 12 months.

In April 2018, a survey by Spiceworks, a social network for IT professionals, found that 40% of large businesses (those with 500 staff or more) expect to implement AI voice assistants in their offices in some way by 2019. The study, which surveyed more than 500 IT workers in organizations across North America and Europe, also found that 29% of organizations have deployed one or more AI assistants for work-related tasks, or plan to deploy one or more in the next 12 months.

US tech giants such as Google, Microsoft, Apple and Amazon have developed some of the most sophisticated voice assistants on the market – Google Assistant, Cortana, Siri and Alexa, respectively. The "Big Five", as they’re collectively known when Facebook is included, are investing billions of dollars in AI, hiring the brightest minds in the field as they go. Firms such as Cisco and IBM are also taking steps to ensure they can compete.



Tuesday, 04 September 2018 14:42

How will voice assistants change the workplace?

The hiring process would be so much easier if finding IT personnel was like matching on a dating website. Unfortunately, many candidates and employees lack the technical skills needed to make them “Mr. Right.”

Thanks to shifts in technology, including the implementation of machine learning, new cybersecurity challenges and more, IT decision-makers are realizing the biggest roadblock to achieving digital transformation is the lack of qualified candidates with the right skills to do the job. Luckily, organizations have found several ways to address this dilemma.

Nurturing and developing the skills of your existing employees is one way to deal with the shortage of qualified candidates. By creating a positive work environment that empowers employees to test new technologies and learn new skillsets, organizations are crafting opportunities from within, developing the skills they need and retaining talent through a commitment to education.

Finding a partner for consulting or to fully manage aspects of your IT also has its advantages. Instead of struggling to find candidates that can do the job, you can save time and resources by working with an organization that already possesses the talents you’re searching for. That frees up time for your IT team to focus on more strategic projects.

Whether it’s molding talent from within or cultivating a relationship with a partner, that perfect IT “match” may be closer than you think.


Tuesday, 04 September 2018 14:38

Mind the Skills Gap: Match Made in IT Heaven?

The fascinating new discipline known as Chaos Engineering (CE) has the potential to bring big changes to business continuity.

A couple of weeks ago, I wrote a post called, What Is Chaos Engineering and Why Should I Care? where I gave a brief introduction to CE. I also mentioned that Chaos Engineering potentially has the ability to shake up the fields of both Business Continuity (BC) and Information Technology/Disaster Recovery (IT/DR).

In today’s post, I want to give a quick refresher on the basics of CE. Then I’ll sketch out some of the ways Chaos Engineering might one day be used by organizations like yours to strengthen their ability to recover from disruptions to their business processes. Such improvements would make the company safer and stronger overall.



Friday, 31 August 2018 14:03

Chaos Engineering and Business Continuity

As the dog days of summer arrive and the cicadas conduct their annual concert series, we are reminded once again of the threat of hurricanes. And while the 2018 season has been quieter than 2017 – with the exception of Hurricane Lane in the central Pacific – the worst may be yet to come: mid-August through mid-October is often the most critical timespan.

One year after the costliest Atlantic hurricane season in history, many communities and businesses are still recovering from Hurricanes Harvey, Irma and Maria. Thousands of Puerto Rican residents still lack power or clean water, and the rebuilding efforts are ongoing. Yet slowly but surely, things are getting back to normal – businesses have re-opened, homes are being rebuilt, civil engineers are developing revised recovery plans and emergency responders have better plans and training in place.

Today, we know more about what happens when hurricanes hit – massive flooding, storm surge, downed trees and powerlines, coastal erosion. And we know what impact this can have on cities and communities, from home displacement to economic disruption to interruptions in fuel delivery to power outages and wastewater system damage.



Every organization has some level of responsibility for their employees’ wellbeing when they’re on the job. However, it’s not enough to just hope that your employees are safe. You must think about what actions your organization can take to ensure duty of care compliance and enhance employee safety.

The Need for a Duty of Care Policy

We have already discussed what duty of care is, but you still might be wondering: why do I need a duty of care policy?

The answer is: you can’t afford not to.

Just look at what happened at Virginia Tech, following the shooting that occurred there in 2007. The school was inadequately prepared, and it took them over two hours after the initial shots were fired to notify their students. As a result, many students went to class, unaware of the grave danger they were in. This contributed to raising the death toll to over 30 students by the time law enforcement had contained the shooter.



Friday, 31 August 2018 14:01


Poor mental health among workers is costing businesses billions in lost revenue, and flexible working could form part of the solution. Emily Reynolds explores the UK’s current landscape.


The burden of mental illness in the workplace is not insignificant. According to the Mental Health Foundation(1), nearly one in seven of us have experience with it: 12.7% of all sick days in the UK can be attributed to mental illness, while it’s estimated that better mental-health support could save UK businesses £8 billion every year.

Interestingly, there’s a growing body of evidence suggesting that flexible working could help ease this burden. One 2010 study(2) from Durham University found that flexible working arrangements that “increase worker control and choice” had a positive effect on a plethora of health outcomes – sleep quality, tiredness and alertness, blood pressure and mental health – as well as "secondary" outcomes, including a sense of community and social support within a workplace.

Another study, conducted by Kingston University on behalf of the Chartered Institute of Personnel and Development (CIPD)(3), found that workers on flexible contracts tended to be more emotionally engaged, more satisfied with their work, more likely to speak positively about their organization and less likely to quit.

Even the UK government released a report(4) urging employers to offer flexible working for this precise reason, with the then Health Minister describing it as “crucial for wellbeing.” With these links between flexible working and mental health in mind, the question many UK businesses are asking is about how to implement flexible working practices within companies.



When a hurricane strikes and everyone else is moving to higher ground, facilities managers are headed the other way—planning when they can return and assess the damage. Once the storm moves offshore or loses steam, they will likely be the first ones back to the office. No matter how well you’ve prepared your business for a hurricane, things will be chaotic. If you’re a facility manager, you need to be taking the correct post-hurricane safety precautions to ensure the property is ready for a safe re-entry so everyone can get back to work.

According to the American Meteorological Society, the U.S. faces more extreme weather events than any other country on the planet. The National Oceanic and Atmospheric Association (NOAA) predicted that there will be 9-13 Atlantic named storms in 2018. That’s a lot of wind, water, and debris possibly headed straight to your facilities.

Here are the post-hurricane safety precautions you’ll need to be aware of as you inspect your buildings and what it takes to give the “all clear.”



A true digital transformation will impact every single person in an organization. This new, digitally-minded future is making organizations rethink how they operate. Even though the path to becoming a truly digital company is not clearly defined, one thing is certain: people are the driving force. Equipping your workforce with next-gen tools is important but improving communication and cultivating a modern mindset is crucial to leading your organization to the digital finish line.

“60% of employees cannot articulate their organization’s digital strategy” – The State of Digital in Houston 2018, Enaxis Consulting

Getting the right people on board

Initially, established companies may struggle when shifting their organization to a more dynamic, agile mindset. Often, they are held back by hierarchies and processes instituted more than a decade ago. Setting up new models and communications strategies can allow an organization to create a culture in which employees mobilize a grassroots transformation. Having people embrace the strategy and run with it by recommending or running projects and pilots makes it much easier to drive a successful digital transformation. This culture shift starts with visible and vocal leadership.

Building the right team of change partners is essential to foster an environment for change. The role of leaders should be refocused to initiate and lead the culture transformation. Leaders should openly describe the culture they envision and encourage employees to have a disruptors’ mindset, while providing an easily accessible feedback loop. Transparency is key; when employees have a clear understanding of what’s going on, they are more likely to be more involved and innovative during the digital journey.



Hope is a great quality for a baseball team in a pennant race to have, but it is not very good as a business continuity strategy. This is why it is critical that organizations are conducting regular disaster recovery tests of their information technology systems, otherwise known as DR tests, or IT/DR tests.

These tests can inform you whether you are actually capable of recovering your systems in the event of a disruption and what issues are likely to come up while you are trying to do so. They reveal capability and identify gaps.

In some industries, IT/DR tests might not simply be a good idea; they might be required. This is often the case, for example, with companies that must satisfy FDA requirements or meet SOX reporting mandates.

For all of these reasons, it’s well worth it for your team to learn how to conduct such tests properly and ensure they are well-designed and meet their goals. To help you do this, today we are sharing our “8 Dos and 1 Don’t for Conducting IT/DR Exercises.”



Kathy Schneider takes a look at the everyday heroes keeping businesses moving forwards. The article discusses the unique positions of the Resilience Leader, the IT Optimiser, the Hybrid IT Tamer, the Risk Eradicator and the IT Innovator. Besides explaining what they do to make sure the business will always run smoothly she also emphasises what unique vulnerabilities these positions hold and the importance of working together to tackle future challenges.


“No matter how many times you save the world, it always manages to get back in jeopardy again”

This quote from Mr. Incredible in the Incredibles 2 movie personifies the feeling we get in IT of always fighting battles but never winning the war. The Pixar superhero exemplifies the frustrations we often feel when we’re constantly moving from one problem to the next, with little choice but to keep moving on. If there’s one skill that every business needs, it’s resilience: the ability to predict, withstand and recover from any business challenge to ensure that customers are happy and businesses keep operating. This is not down to just one person – in every business there are everyday resilience superheroes who do their part in making this happen. However, every hero has an Achilles heel – a particular skill or blind spot that needs to be looked after.

This article will take a deeper look at some of the everyday business resilience heroes in every organization, and how the wider business should be supporting them.



(TNS) — Free life-saving trauma kits were donated to a South Carolina school district before the 2016 shooting that killed a 6-year-old boy there, but the kits were never delivered to school employees, a lawsuit filed by the boy’s estate alleges.

The wrongful death lawsuit was filed in Anderson County Circuit Court by the estate of 6-year-old Jacob Hall, who died after the September 2016 shooting at Townville Elementary School that injured another student and a teacher. Named as defendants are Anderson School District 4 and the Anderson County Sheriff’s Office.

In early 2014, a company called Tactical Medical Solutions offered to provide bleeding-control trauma kits — also known as “Stop the Bleed” kits — along with training on how to use the kits, to each Anderson County school district, according to the complaint. The company’s co-owner presented the kits to the district superintendents and Taylor Jones, director of Anderson County Emergency Management.



(TNS) — When an emergency hits a town, whether a natural disaster or a major accident such as a chemical spill, first responders can sometimes become overwhelmed and need assistance themselves. That is when a Community Emergency Response Team can come in handy, to lend a hand to local fire, police and others.

This fall the Willmar, Minn., Police Department will be training its first Community Emergency Response Team, often referred to as CERT, with the long-term goal to train as many people as they can to help when needed.

"You can take care of yourself, your family and neighbors. Then you can respond and help out emergency responders," Willmar Police Chief Jim Felt said.

For many years Willmar had People on Watch, a neighborhood watch-style group. After years of declining membership, the Police Department closed the group down and started looking for another way to get the community involved.

"Transition POW into something that could be multi-generational, something good for the community," Felt said.





A Business Impact Analysis (BIA) is the cornerstone of creating a BCM program. Basically, a BIA helps prioritize restoration efforts in the initial response activities following an operational disruption. A secondary objective of a BIA is identification of all operational dependencies to enable successful business restoration.



Wednesday, 29 August 2018 15:10

eBIA – The eBRP Way

Thoughts on Increasing Cyber Resiliency


Companies’ adoption of new technologies is outpacing their ability to protect against evolving cybersecurity threats. It used to be said that it’s not a question of IF an organization will be breached, but WHEN. Jim DeLoach suggests that companies either know they’ve been breached or they’ve been breached and don’t know it. How then, do we move forward?


Without question, senior executives and their boards remain concerned with the security and availability of information systems and protection of confidential, sensitive data from the commercial cyber war in which their organizations are engaged. However, too many think their risk tolerance is low, yet act as though it is relatively high, thus necessitating board and senior management engagement with cybersecurity.

A top-five risk for many organizations across many industries,[1] cyber risk presents a moving target as organizations undergo major transformations by accelerating cloud computing adoption, increasing digitalization investments, advancing data and analytics sophistication and expanding mobile device usage to leverage exponential increases in computing power, all to achieve and sustain competitive advantage. As these innovative transformation initiatives grow the digital footprint constantly, they outpace the security protections companies have in place. This dilemma presents several sobering realities:



Wednesday, 29 August 2018 15:08

8 Realities In Managing Cyber Risk

(TNS) — Mark Williams, head dispatcher for Union County, Iowa, is partnering with Emergency Management Director Jo Anne Duckworth to upgrade the county’s emergency communication system.

With the current communication system, which was implemented more than 10 years ago, there are many points of failure.

“It’s needed because we can’t reliably page all of our departments,” said Williams.

Williams and Duckworth said the new communication system is necessary. One reason is that dispatch is unable to page Lorimor Fire Department. To do so, the Union County dispatcher has to call the Madison County dispatcher, who then pages the department. Additionally, Williams is unable to communicate with Afton firefighters the farther east they move in the county because the signal doesn’t reach that far.



Wednesday, 29 August 2018 15:07

EMS Communications: A 'Life or Death' Decision

Adding an IoT layer to legacy infrastructure can bring advantages to businesses, but security is a major consideration. James Sinton explains how edge computing can help businesses move forward in this area without being hampered by security risks.


The Internet of Things (IoT) is creating opportunities for businesses across every industry. However, the big question for the C-suite is how do they ensure their business is taking full advantage? One significant consideration is whether or not to invest in IoT enabled equipment or instead look for a way to leverage the data that is sitting in an organization’s legacy devices.

Many businesses do not want the upfront costs associated with ripping out and replacing their existing infrastructure for IoT enabled devices and so adding an IoT layer to the equipment already in place offers an attractive alternative. How then, can businesses implement this securely?

Take the cold chain in the food retail industry as an example. The cost of replacing every in-store fridge, freezer or food delivery van is simply not of immediate appeal for a large retailer, though the addition of IoT technology can directly benefit its core business objective of selling produce, by improving food quality, reducing waste and, ultimately, delivering a better customer experience. In addition, for the food retail industry and many others, the legacy infrastructure within organizations often holds mounds of untapped data that can prove vital in ensuring IoT deployments serve to meet these goals.



The American Red Cross is urging Americans to celebrate National Preparedness Month (September) by getting their households ready for an emergency. The Red Cross says it’s critical to prepare ahead of time and not wait for a disaster to occur.

Fall is the time of year where a multitude of disasters — hurricanes, floods, wildfires and others — can occur, and citizens should have a plan and be ready to evacuate if necessary. There are three keys to getting prepared: having a plan; having a kit; and being informed.

Here are tips that can make a difference during a disaster:



Mental Health Support and Crisis Intervention for victims, survivors and families after an active assailant or hostile event looks different than a natural disaster response, because it is different.

Your company, agency, community or region is the victim of a horrific incident. Emotional trauma is high with strong and broad impact. Vicarious trauma follows with constant news coverage and social media posts. These events become regional and/or national tragedies. Result: People are emotionally and mentally dazed, drained and confused.

Historically, the mental health crisis response has been to set up support systems, advertise their existence and be available for anyone seeking help. Build it and they will come… But will they?

Las Vegas, 1 October 2017. We all know what happened that night… Active shooter with 58 dead, 851 injured and lives forever changed.

Bailey Schweitzer and her mother Crissy made a ladies’ trip from California to the Route 91 Harvest Festival, a fun 3-day event. Country singer Jason Aldean began his set at 9:40 PM as the final musical act of the festival. Somewhere between 10:05 PM and 10:15 PM, Bailey was shot in the collarbone. Crissy was carried away by bystanders as her daughter lay on the ground calling out after her.

Their family in California received a call that Bailey was alive, only to be notified two hours later that she had died. Bailey died without her mother. A week later the family still did not know where Bailey was when she actually died.



The Key to Increasing Decision-Making Influence

In this complex risk environment where senior executives are expected to make fast decisions, they need the most actionable information in a timely manner. However, most leadership teams feel the risk information they receive isn’t actionable from a business strategy or operations perspective. In this article, Gartner’s Matt Shinkman and Chris Matlock detail how risk managers can ensure executives will extract true value from risk reports and how risk teams can increase their decision influence.


Risk managers often provide deliverables that are designed to help senior managers execute strategy while maintaining an appropriate risk profile for their environment and resources. This means being more than “information aggregators” that record and deliver disparate silos of data. Risk leaders will need to become “strategic risk advisors” that influence decision-making at the organization’s highest levels. All of this takes place against a backdrop of robust economic growth around the globe. This growth has pushed executives to make quicker decisions as the benefits of being a first mover in new products and services become clearer, with profits often aggregating to the top one or two competitors.

Meanwhile, conversations around risk are more challenging than ever, as official “risk managers” share the spotlight on risk with more and more assurance functions clamoring for ever-shrinking executive bandwidth.

So, how can risk managers deliver more value in a rising risk environment?



(TNS) — In a Wellington, Fla., home in early August, a woman in her 20s locked herself in a bathroom with her cellphone.

She began sending text messages to a 911 dispatcher, saying her ex-boyfriend had threatened her and her family. Moments later, when her ex left the home, she ran to safety at a nearby store, where she called police.

It was the kind of scenario that public-safety officials envisioned when Palm Beach County launched its text-to-911 system in June.



When you open a fresh Google browser and type in the word “millennial,” you get prepopulated results such as: millennials are lazy, entitled, killing industries, and, my personal favorite, the absolute worst. As a millennial and soon-to-graduate college student myself, this stereotype has left me disheartened and discouraged to enter a world where this is all “adults” will think of me. After spending my summer working at BC in the Cloud, a company that is part of the rapidly growing business continuity industry, I have come to learn a few things about breaking the stereotypes that my generation holds.



Tuesday, 28 August 2018 16:01

Breaking the Millennial Stereotype

(TNS) — The National Weather Service says the amount of rain dumped on Mountain View by Hurricane Lane is the third-highest rainfall total from a tropical cyclone in the country since 1950.

The preliminary total for Mountain View, subject to final quality control, is 51.53 inches of rain between noon Wednesday and 4 a.m. Sunday. That's more than 4 feet.

The highest total rainfall from a tropical cyclone in the United States is 60.58 inches measured at Nederland, Texas, in 2017 from Hurricane Harvey. The second highest is 52 inches recorded at the Kanalohuluhulu Ranger Station on Kauai from Hurricane Hiki in 1950.



To reduce costs, businesses around the world are turning to free apps for texting and instant messaging.

These programs do serve the purpose of communicating in real-time. Yet, there are grave concerns when organizations turn to these apps and programs for their emergency notifications. By choosing a “free” app to provide communications during an emergency, organizations may be at risk of noncompliance with federal and international regulations. This blog explains how your organization may be in jeopardy when using these types of services for communicating with the public or internal teams in a crisis.



Using Master Data Management as Part of a Robust Compliance Program

Martin Samuel Nielsen discusses how leveraging master data management as part of your compliance arsenal will allow you to understand, manage and control information about your customers, products and more to safeguard how data is managed and maintained across your business.

As the world becomes more digital, the number of regulations designed to protect individuals, govern the products and services they purchase and monitor their related data “footprint” increases dramatically. According to an Ernst & Young survey, intensifying regulatory pressures are top of mind for business leaders, with 78 percent of respondents expressing increasing concern about data protection and data privacy compliance.

Organizations are faced with two unique challenges: first, to determine how they govern, use and protect data to comply with mandates such as the EU’s General Data Protection Regulation (GDPR); and second, how to manage the vast amounts of data needed to perform due diligence for mandates such as Know Your Customer (KYC). Whether your business sells B2B or B2C, the requirement for regulatory compliance is here to stay. In fact, it is likely to get more difficult as organizations struggle to understand the growing amounts of data found in their data lakes and other sources.



Would you find it useful to read a cheat sheet setting out some of the main themes in business continuity management now?

Well, here is my quick take on the main issues in our field right now—with my observations being informed by nineteen years leading a BC consulting firm that has worked with industry-leading organizations across a wide range of fields.

Why am I writing a guide to business continuity management now? Because as I’m sitting on this airliner at this moment, there is a Category 4 hurricane bearing down on Hawaii, much of California is on fire, Puerto Rico is still struggling to get back on its feet after Hurricane Harvey, and my own city of Phoenix was just hit by unusually heavy flooding following a monsoon storm. It seems like a good time to get back to basics!



Andy Cory discusses how the increase in Internet of Things (IoT) devices has caused identity and access management (IAM) systems to become smarter, opening up new ways to improved security, amongst many other advantages.

As more organizations embark on the journey that is digital transformation, the ability to manage digital identities is becoming more crucial — especially at a time when the Internet of Things (IoT) is redefining the concept of identity and access management (IAM). While traditional IAM was designed to manage employees’ information access authorization, organizations soon began to use IAM to understand the interactions between their customers or employees and the company.

The IoT world, however, challenges organizations to manage exponentially more identities beyond those of employees and customers; now they must manage also the millions of devices and connected ‘things’ — and the complex digital relationships between all of them.

With more than 20 billion IoT devices expected to be in use worldwide by 2020, according to Gartner, organizations require identity access management solutions to operate on a massive scale. Each connected ‘thing’, whether it’s a watch on a consumer’s wrist or a piece of connected manufacturing machinery, will need an identity, much in the same way that employees receive digital identities when they first join a company.



As organizations move growing volumes of data to the cloud, cyber security strategies need to be augmented with next-generation machine learning technologies that boost threat-protection capabilities, says Anurag Kahol.

The increasingly digital nature of modern business has had a marked impact on both the importance and difficulty of effective cyber security. Cloud computing technologies, in particular, have seen explosive growth in recent years as businesses realise the pivotal role they can play in delivering anytime, anywhere access to corporate information. However, their adoption can also significantly increase the risk of data leakage or theft unless effective security measures are put in place as well. Unfortunately, traditional cyber security tools weren’t built for this kind of dynamic environment, meaning they fall short of the protection required to keep cloud data safe. Modern security issues require modern solutions designed specifically for these new challenges.

Device management isn’t enough

Mobile device management (MDM) forms the cornerstone of many businesses’ mobile data security programmes, but this can’t deliver the level of security needed for a modern cloud environment by itself. A major factor is the growth of bring your own device (BYOD) initiatives and mobile apps, which allow employees to access company applications and information through personal devices. When implemented well, BYOD can improve business agility and lower IT costs, but when implemented badly, it can greatly increase vulnerability to cyber threats by introducing numerous unsecured devices to the network with direct access to the cloud. Perhaps unsurprisingly, many cyber criminals are now focussing on vulnerabilities created through poorly managed BYOD programmes to infiltrate business networks and steal their cloud data.

The recently introduced General Data Protection Regulation (GDPR) attempts to address this by placing significant obligations on organizations to make sure cloud data is properly protected. However, when users refuse or fail to properly insulate their personal devices from threats like malware, this can quickly become very difficult. If an infected BYO device is used to access corporate applications, malware can quickly spread throughout an entire enterprise.



Where to Start

CCI’s Maurice Gilbert interviews Rick Schroeder about what constitutes a compliance “program” versus policies and procedures, and the pair discuss first steps for a company in need of a compliance program.

Maurice Gilbert: We hear a lot about the need for companies to have a state-of-the-art compliance program. Give the reader a framework for that.

Rick Schroeder: Sure. Because every company already has policies designed to ensure compliance with some regulation or law, is that enough? Put another way, the question is, when does a collection of policies and procedures become a “program?” The simplest answer is this: when those policies and procedures are developed, approved, communicated, implemented, enforced and monitored in a deliberate and coordinated manner.

Every company has various policies designed to ensure compliance with various regulations and laws, but they do not necessarily have a “program” at all. Like an old tool shed, they may have a collection of tools they have accumulated over time. Some are useful, some are not. Some are maintained, some are not. And you may not have a complete set.



It must be human nature to worry more about serious dangers that are unlikely to happen than moderate ones whose likelihood of happening is high.

This would explain why the term “shark attack” brings up 98 million results on Google and the word “sunburn” brings up only 22 million results, even though the odds of a beachgoer getting attacked by a shark are one in 11.5 million, according to Wikipedia, while the Centers for Disease Control says that half of all people under thirty report having gotten a sunburn in the past year.

The chances of a beachgoer’s getting bitten by a shark are less than one in ten million and of someone getting a sunburn are one out of two, but we’re roughly three times more likely to write and post—and presumably talk, think, and worry—about shark attacks.

Sunburn is no joke since serious cases are associated with an increase in skin cancer later in life.

On the other hand, shark attacks are not only potentially catastrophic, they’re also perversely entertaining to think about. Sunburn, not so much.


We at MHA Consulting have noticed that a similar pattern prevails in business continuity management (BCM).

The BC community focuses a great deal of attention on such high-drama but low-probability scenarios as a hurricane wiping out a data center, a plane crashing into a facility, or an active shooter entering the workplace.

Obviously, all of these do happen, and they are very serious and potentially catastrophic. The responsible BCM program includes plans to handle all of these types of incidents. (Of course, they should focus on the type of impact rather than the particular scenario, as we’ve discussed before.)

But there are many BC problems which are more like a sunburn than shark attacks: they aren’t especially dramatic, but they do bring pain and discomfort and sometimes worse, and they happen almost constantly.

In today’s post, we’ll set forth some of the most common “sunburn problems.”

It’s essential to conduct enterprise risk assessments that look at the most serious potential impacts to the organization. But don’t forget to also consider these more modest but highly likely problems.



The Enterprise Storage Forum survey uncovered the biggest challenges storage professionals have with their existing storage infrastructure: aging gear, lack of capacity, high operations cost, security, maintenance burden. We’ll discuss which storage technologies available or coming soon might serve to ease those pain points.

Data storage has been around as long as computing, but based on the Enterprise Storage Forum survey, we have yet to solve all the problems. Entitled Data Storage Trends 2018, the survey reveals that storage professionals face no lack of serious concerns.

One of the interesting charts that jumped out at me is about the biggest challenge in operating current storage infrastructure. In essence, this is the “select your biggest pain” question. Let's dive in.

Top Five Data Storage Challenges

Why are these ever-present data storage challenges? Why haven’t storage vendors researched technologies and nailed down solutions to solve them? This chart illustrates the leading pain points; we'll look at the top five:



(TNS) — Residents on Kauai’s north shore who have yet to recover from April’s rain and floods are nervous about Hurricane Lane.

Even if Lane does not hit Kauai as a hurricane later this week, struggling residents still worry that rain and wind could trigger landslides from hillsides made unstable by the flooding.

The state Department of Transportation was calling back crews who were repairing Kuhio Highway, a major artery whose damage in the flooding had initially caused the rural communities of Haena and Wainiha to be cut off from the rest of the island.

“We’re not going to have people out there during a hurricane watch, that’s for sure,” said DOT spokeswoman Shelly Kunishige. “The safety of the crews and the people traveling the roads, that’s tantamount.”

Residents who continue to rebuild their homes in Haena and Wainiha know that there’s little county officials can do to protect property, roads, bridges and mountain slopes from hurricane-force wind and the rain.



Thursday, 23 August 2018 14:02

Kauai Keeps a Wary Eye on Storm's Approach

The Necessity of Proactive Management

Experts at applied behavioral science technology company Starling offer insights into the failures of current approaches to managing conduct risk and explore an alternative – more proactive – solution. This would mark a paradigm shift in management science – one in which culture is viewed as an emergent property of group dynamics.


Despite punitive regulatory fines levied against banks over the last decade, which are estimated to exceed $320 billion, conduct-driven scandals continue to plague the industry. Regulators are under pressure to address persistent and seemingly systemic failures of conduct risk management even as banks struggle to contend with increased regulatory burdens, reporting requirements, capital charges to underwrite operational risk and mushrooming governance, risk and compliance (GRC) costs. These overheads are now said to make up some 20 percent of the day-to-day operational cost base at most financial services firms.

Businesses and regulators alike are eager to identify more cost-efficient and effective means by which to manage — and supervise — conduct risk. Organisational culture is at the centre of their current focus.



Enterprise Storage Forum recently administered a major survey of IT and business leaders to gauge their data storage plans. The answers have implications for both IT and business units, as companies of all sizes struggle to strategically plan storage purchases in a fast-changing tech landscape.

Entitled Data Storage Trends 2018, the survey provides the most comprehensive portrait of today's data storage landscape, from technology to hiring trends to budget decisions. At the end of this article, we discuss the five key takeaways from the survey.



Q&A with Valerie Charles, Chief Strategy Officer at GAN

CCI’s Maurice Gilbert interviews Valerie Charles, GAN’s Chief Strategy Officer. Valerie discusses her background, the state of compliance today and where she sees the profession headed.

Maurice Gilbert: How did you get started on a career in compliance?

Valerie Charles: I spent the majority of my career working on white-collar criminal defense matters, with a focus on anti-corruption investigations. When I made the decision to shift to in-house compliance, I had the unique opportunity to build an anti-corruption compliance program from the ground up. I began to think about compliance as preventative criminal work, and I discovered that it was a fascinating challenge to protect the company while maintaining the efficiency of business operations. The best compliance professionals partner with the business to really understand how to place gates and controls that mitigate risk while still allowing the business to operate at maximum speed.



Reducing energy consumption and improving energy efficiency are at the forefront of the global climate change agenda. ISO 50001, the flagship International Standard for improving energy performance, has just been updated.

Energy consumption is on the rise, despite the fact that it contributes to nearly 60 % of the world’s greenhouse gas emissions. At the same time, more than one billion people still lack access to electricity and many more rely on harmful, polluting energy sources.  It is no surprise, then, that addressing energy efficiency and climate change challenges make up a key part of the 17 Sustainable Development Goals in the United Nations 2030 Agenda.

ISO 50001:2018, Energy management systems – Requirements with guidance for use, transformed the energy performance of organizations worldwide when it was first published in 2011, giving them a strategic tool to use their energy more efficiently and effectively. It provides a framework for managing energy performance and addressing energy costs, while helping companies reduce their environmental impact to meet emissions reduction targets.



(TNS) - Drive through Meyerland, the established Houston neighborhood of well-kept ranch homes on inviting lots, and you’d be forgiven for thinking business has been good for Dan Bawden since Hurricane Harvey swept through town a year ago.

Construction vans like his line the calm residential streets not far from the Brays Bayou. Workers painted one house while chain link fenced off a home not far away that was still just wood frame.

But Bawden, a longtime Houstonian and owner of a general contracting firm specializing in remodel jobs that keep older residents in their homes, said the storm has been the opposite of the financial boon people seemed to expect.



Resilience is a simple thing that is often complicated by the attitude to and size of the task ahead says Paul Kudray. To assist both business and individual resilience, Paul suggests that a simple methodology of ‘Be it, Build it, Stay it’ can help create resilient attitudes and outcomes.

When it comes to trying to educate others (and ourselves), firstly we have to make sense of something; putting it into context in relation to everything else around the issue. What it does, why it does it and how it achieves its effect?

We have passionate, credible professionals across the resilience industry who champion the cause and work hard, every day, to communicate the value and contribution that business continuity management (BCM) provides.

Ahead of the forthcoming BCI Education Month (for me, every day is an education, not just one month a year), there is an opportunity to provide a methodology to help promote resilience across wider audiences: Be it, Build it, Stay it. In the context of promoting and communicating a resilient attitude, it does exactly what it says on the tin.



(TNS) - Halfway through the summer, at least 1,585 wildfires have torched more than 431,600 acres of Colorado forest and grasslands and destroyed or damaged about 450 homes, making 2018 one of the most destructive fire seasons in history — and it isn’t over yet.

The only larger wildfire season in Colorado in terms of acres burned was in 2002, when 926,502 acres were destroyed, according to statistics kept by the Rocky Mountain Coordination Center in Lakewood.

“It’s a pretty intense year,” RMCC spokesman Larry Helmerick said. “The acres consumed is real high this year, almost as much as a whole year for a lot of years … and it’s not over by a long shot.”

Helmerick said that relatively speaking, 2018 hasn’t had as many wildfires as some past years in Colorado. For example, there were 4,600 wildfires in Colorado in 2002.



No one expects to have a fire or other disaster at work, but they happen every day in office buildings across the country. We like to think of our workplaces as predictable outposts full of copiers, Keurig machines, and maybe a few too many meetings. But the truth is that when a fire breaks out, employees’ lives can be on the line. You and your company’s leaders need to be familiar with how to conduct a fire drill at work. By scheduling regular fire drills, your company can plan for a potential fire and prepare employees to exit the building safely.

Why fire drills at work are important

The National Fire Protection Association reports that there were an average of 3,340 fires per year in U.S. office properties from 2007-2011. Armed with stats like this, your company would be wise to plan regular fire drills. In fact, many landlords and office management companies require this in their leases.



Tuesday, 21 August 2018 14:22


Are you familiar with the term “chaos engineering?” If this is the first time you’ve heard it, it probably won’t be the last.

Chaos engineering (CE) is a new approach to resiliency testing that might end up having a big impact on how we business continuity professionals carry out our work of ensuring the recoverability of our organizations’ business processes and IT environments.

In today’s post, I’ll give you a quick introduction to the movement and methodology of chaos engineering.

Future posts will look at the potential impacts of CE on business continuity and IT/Disaster Recovery (IT/DR).



It is a strange irony that the changes organizations make to remain competitive frequently open them up to risk in their DR/BCM program and recovery capability.

But when it comes to business continuity, the IT change management (CM) process at most organizations is integrated in name only.

Many organizations are ambitious about making changes that will drive the business forward and are careful regarding the implementation of those changes. But the need to keep the recovery plans and environment in sync with the production environment is frequently an afterthought.

In the event of a disruption, this can have impacts on the business ranging from inconvenient to calamitous.

In today’s post, we’ll discuss some of the main issues with CM from a business continuity perspective. We’ll also share some tips on what business continuity professionals can do to make sure that routine system and process changes do not leave the organization vulnerable to major impacts.



Network management can sometimes be a neglected afterthought, yet the availability and reliability of the network is essential for a whole host of mission-critical activities. Kevin Drinkall challenges organizations to consider whether they are giving enough attention to their network.

Technology expectations of businesses and employees are growing and changing every day. But the underlying network which enables us to use this tech properly, can’t always keep up. Instead of being the power behind it, networks can often prove inflexible when it comes to getting the most out of technology in the working environment.

This is a huge problem for businesses of all shapes and sizes, which need to adopt new technology to support their staff and processes, and for those wanting to embrace IoT and future innovations to stay ahead of the curve and attract a ‘tech-savvy’ workforce.

‘The whole is only as good as the sum of its parts’ has never been more appropriate in this scenario. With much excitement around the role of technology in the workplace; the connectivity, speed, security and indeed management of the supporting network to make it work is often an afterthought.



The Business Case for a Strong Culture of Ethics

Culture and ethics are all the rage in management theory and compliance discussions, but we never see them discussed as absolutely dependent on one another. If the ethics of the organization aren’t right, the culture will never be right. We explore this new way of thinking about this critical component of business strategy.

“If culture eats strategy for breakfast, ethics are the fork and knife.” – Snyderman Law Group

If you’ve been paying attention to any of the management theories that have been introduced within the past 10 years, you’ve no doubt been hit over the head with the notion that company culture drives an organization forward. Culture affects employee engagement and retention and can therefore boost profits. We now know that culture is a company’s personality and that it shows not only your employees, but also the rest of the world what kind of organization you really are.

Cultivating a company culture is no longer an option; it’s a necessary part of doing business. We are seeing more and more that a company’s culture is more important than salary for many employees. This epiphany came thanks to the millennials’ entrance into the workforce. Going to work every day to a place you love is not a new idea, but as Simon Sinek told us, millennials are the first ones to have the guts to expect it. We are now in the age of “whenever, wherever, whatever.” People no longer want to work a 9-to-5 job in an office for the rest of their career. They want to work whenever they want, wherever it’s convenient for them and for whatever length of time they decide.



Managing the challenge of data management, retention and availability is an ongoing issue for most organizations. In this article, Gordon Cullum explains where data virtualization can help; and where it won’t.

Data virtualization has often been heralded as the answer to enterprises caught in a vicious circle in a world riddled with data, both online and offline. However, it is important to remember that no technical solution is a silver bullet and data virtualization should not be thought of as a one stop solution for all an enterprise’s needs.

Businesses want to act and improve their decision-making in real time whilst containing costs and supporting business-as-usual activities, which can leave CIOs struggling to navigate through an array of complex applications and systems.

When deployed with the right capabilities and methodology to achieve the desired result, data virtualization lets businesses leverage existing investment to solve current and future analytic needs without compromising on quality, budget or time.



(TNS) — The summer of seemingly endless rainfall took its toll again on the Berks County, Pa., region Monday, dumping several inches of precipitation that led to widespread flooding on areas already inundated in recent weeks.

And if the rain doesn't let up, meteorologists are predicting this August could prove to be the wettest ever recorded.

AccuWeather meteorologist Danielle Knittle said that 9.06 inches of rain has been recorded this month at Reading Regional Airport in Bern Township, the official site for Berks County rainfall totals.



Talk about your one-in-a-million situations. On June 13th, an EF-2 tornado struck the township of Wilkes-Barre, Pa. in the dark of night. For a city of approximately 40,000, this was an unusually powerful tornado, given how briefly it stayed on the ground. Once it struck, the tornado took a death-defying trip through the Wilkes-Barre Township business district, then ravaged the local mall before heading down a major thoroughfare, Interstate 81.

In the northeast, nighttime tornadoes are practically unheard of. In fact, since 1950, only 2.2 percent of the more than 850 tornadoes recorded in the Keystone State have occurred between 10 p.m. and midnight. Nighttime tornadoes are especially dangerous because you can’t see them coming, and they strike at a time when people are less focused on the weather.

Tammac Holdings Corporation, a local financial services company that specializes in programs for the manufactured housing industry, sat directly in the path of this unusual twister. What’s more, it prides itself on its responsiveness to customer needs, so being in an exposed location was particularly dangerous.



In 2017 Continuity Central published the results of a survey looking at whether the increasing focus on information security is having an effect on the traditional demarcation lines between business continuity and information security management (ISM). In 2018 we repeated that survey to monitor how things have developed and the results of the survey are now available.

Is information security a business continuity issue?

62 percent (64.5 percent in the 2017 survey) of respondents believe that information security is definitely a business continuity issue, with a further 29 percent (32 percent in 2017) saying that it is partially a business continuity issue. 9 percent (3.5 percent in 2017) said that information security is not a business continuity issue at all.

It seems clear from both the 2018 and the 2017 versions of the survey that information security is viewed as a business continuity issue; but to what extent do business continuity teams actually get involved in preventing and managing information security incidents? The remainder of the survey examined these areas:



(TNS) — Before the flames appeared, Sandie Freeman thought the sky above her Redding home looked especially beautiful.

The evening was golden hued and still; pretty enough that she took a picture. Minutes later, a light wind picked up and leaves from her oak tree began falling like rain, she said.

It was the only warning she received that something was amiss.



This spring, Bluelock Solutions from InterVision conducted a survey titled “2018 Legal Data Protection & Recovery,” focusing on the legal industry. The results found an overconfidence and mismatched expectations toward IT disaster recovery (IT-DR) within law firms. Here are a few responses that stuck out to us:



Airline outages are all too common – we’ve documented the many issues major U.S. airlines have faced on this timeline.


When IT fails and airline workers can’t check in passengers or issue tickets, out come the pencils, pens and paper.



Wednesday, 15 August 2018 15:27

Airline Outage? Pick up a Pencil

Over the course of an implementation, it’s inevitable that almost every customer asks us, “What’s the best way to do this?” We always have an answer, but the real answer is highly dependent on your organization and its unique context as it relates to continuity. Each one of our customers is unique and has different needs based on its vertical market, size, structure, and program maturity, among other things.

Everyone’s gotten those (typically free) t-shirts and hats marked “one size fits all”. The truth is, they seldom do. They’re either too big, too small, or just not right. They might be close, but usually something is a little off. Similarly, there is no single “right” approach to building a business continuity program. It should be flexible and malleable, able to change and grow as your organization inevitably does.

Given the variation among our customers’ businesses, BC in the Cloud has worked to create plan templates that are specific enough to capture the heart of ISO and DRI standards, but generic enough to be able to be adapted to particular needs.



Wednesday, 15 August 2018 15:16

One Size Fits All

Campus communications for colleges and universities are necessary not only to keep day-to-day operation flowing, but also for the safety of your students and stakeholders.

This has become increasingly important as some campuses have become targets for violence rather than havens for students. With so many threats – from severe weather to active shooters – school officials must have a plan for communicating with their students, faculty, staff and stakeholders in a variety of critical situations.

Follow these tips to improve your campus communications as the new semester begins.



(TNS) - When Aledo and Joshua students head back to class, they’ll find police officers on their campus full time.

Weatherford students will know that some teachers and school employees likely are carrying concealed handguns.

And Fort Worth students will know police are monitoring school safety cameras in real time — and that school nurses are getting trained to treat victims of active shooters.

“We are consistently looking out for our kids,” said Susan Bohn, superintendent of Aledo schools, adding that teaching students in a safe environment is an everyday concern. “It’s never something that is out of our minds.”



(TNS) - With a “fire tornado” racing toward Redding neighborhoods on July 26, emergency officials in Shasta County started issuing mandatory evacuation orders.

They used reverse 911 calls, emergency announcements on TV and radio, opt-in text message systems and Amber alert-style cellphone warnings to get the word out.

And, as in Sonoma County in October, first responders went door to door, urging people to flee.

Three people perished, but thousands escaped as flames engulfed their neighborhoods, with authorities turning some two-way streets into one-way streets to facilitate traffic.

Credit lessons learned in October, when Sonoma County authorities, fearing panic, failed to use all of the tools at their disposal to warn residents about a ferocious wildfire that burned thousands of homes and took more than 20 lives.



GDPR effectively forces companies to disclose breaches of the personal data they hold, which poses further challenges when it comes to protecting their reputation. However, a quick and effective response to a cyber attack is impossible without thorough planning and forethought. Jonathan Hemus offers some points to consider ...

The General Data Protection Regulation (GDPR), which came into force in May this year, has fundamentally changed how organizations must respond to a cyber attack. Under Article 33, an organization must notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; under Article 34, where the breach is likely to result in a high risk to individuals, it must also inform the people affected without undue delay. Failure to comply can attract substantial administrative fines.

The short-term financial cost of a cyber attack can be significant but of equal concern is the damage it can do to an organization’s reputation and its stakeholders. For example, in November last year, the world’s largest shipping container line, AP Moller-Maersk, said the cost of the cyber-attack it suffered amounted to $300m, forcing it to cut its profit guidance and sending its share price down seven percent.

But for many organizations, cyber attacks can often tempt bosses to focus on the short-term financial impact at the expense of focusing on the longer-term reputational implications.



This is part 1 of a 3-part series on Digital Innovation Management. This blog series is intended to help a digital transformation team take a structured and measured approach to building enterprise scalable Digital Innovation Management capabilities.  

Digital transformation is leveraging new technologies that redefine the ways people live and work.  With economic benefits over the next decade estimated at $100 trillion, it is no surprise that half of all corporate boards have elevated digital to the CEO agenda.

An organization that has formulated its digital strategy needs to launch it by enabling key elements of the Digital Operating Model:

  • Digital Innovation Management
  • Digital Product Management
  • Digital Workforce Enablement



(TNS) - Fresno Police Department’s dispatchers answer every type of 911 call made within city limits — among other responsibilities.

They answer calls for medical aid, reports of fire, or when people report violent crimes like shootings and homicides. They take non-emergency calls, like when people call 911 looking for police detectives or to check a pending case.

They take the call when a suicidal person asks for an officer to arrive before their family finds their body. They answer the call when rape victims report the crime — sometimes as it’s happening.



Some people who hire business continuity consultants think of them as being like waiters: they expect the consultant to serve them at their leisure then quietly go away, allowing them to enjoy an excellent meal.

However, in my experience—I have been the CEO of a business continuity consulting and SaaS (software as a service) firm for 19 years—companies with this attitude do not get very much out of their consulting engagements, and their programs are the weaker for it.

The best business continuity managers and corporate leaders recognize that working with a BC consultant is, at its best, a lot like dancing the tango.



Duty of care—you might have heard the phrase tossed around by companies touting their dedication to their employees. You might just associate it with liability lawsuits and big payouts. But what exactly is it?

According to Collins Dictionary, duty of care is “the legal obligation to safeguard others from harm while they are in your care, using your services, or exposed to your activities.”

It’s clear from this definition that duty of care applies to all kinds of organizations, from churches and Boy Scout groups to hospitals and schools.



Friday, 10 August 2018 14:30


From coast to coast, severe weather is a problem for every community.

To better protect your constituents during storms and other forms of severe weather, consider ways you can get better prepared, including evaluating your communication methods.

Inclement Weather Alerting

Throughout the US, predominant weather patterns vary from region to region. From mudslides, earthquakes, and droughts to hurricanes, tornadoes, and floods—no region is untouched by severe weather. In order to best protect your community, focus on how to provide mass notification before, during, and after such natural disasters.

Long before severe weather becomes a real threat, your organization must already have plans in place and ready to be activated – especially when it comes to sending mass notifications. At the first indicator of inclement weather, you need to put your organization’s communication and response strategies into action. Be sure a reliable method of communication is set up, tested, and fully prepared for such emergencies.



Has your organization ever been attacked by zombies? We don’t know any companies that have been, although we do know some that have used this as a scenario in their disaster recovery exercises.

In today’s post, we will discuss the pros and cons of using zombie attacks and similarly imaginative scenarios in your mock disaster exercises and also share some general tips on how to make the most of such exercises.

To begin, we will provide you with a quick refresher on the different types of DR exercises that businesses commonly conduct to assess and improve their capability to respond to emergencies.



An organization’s greatest asset is its employees, but the impact that new recruits have on a company’s success is sometimes less clear. Or is it? New international guidelines have just been published that give recruiters a metric to measure just how well they have done.

When it comes to recruitment, finding the right person for the job not only fills an employment gap, it can have a significant impact on the organization as a whole. Recognizing this, HR departments are now often strategic partners within a company, so measuring the impact of their expertise not only demonstrates their value, but allows for continuous improvement as well.

Measuring the “quality of hire”, or the benefit that newly employed staff bring to a company, is therefore essential to determine the effectiveness of the recruitment process.

Recently published, ISO technical specification ISO/TS 30411:2018, Human resource management – Quality of hire metric, outlines international best practice to do just that. It identifies metrics that can be used to evaluate the link between the new person’s work and the success of the organization.  



Steps to Improve Forensic Analytics

Thanks to advances in forensic analytics, we can spot emerging risks long before they come to fruition. But predictions frequently lead to false positives. Satish Lalchand discusses how to prevent them in this third installment of a series on the future of forensics, following articles on the application of data-driven analytics and how the uses and quality of data drive analytics insights.

Forensic analytics — the combination of advanced analytics, forensic accounting and investigative techniques — is making breakthroughs every day in identifying rare events of fraud, corruption and other schemes. To meet rising regulatory and customer demand for fraud mitigation, forensic analytics can reveal signals of emerging risks months — or sometimes even years — before they happen. Of course, predicting anomalous events can also create false positives.

In an effort to reduce false positives in fraud investigations, careful attention should be spent on steps including:



(TNS) - When a special legislative committee held its first public hearing in response to the North Bay wildfires two weeks ago in Sacramento, there were eight major wildfires burning across California.

When the 10-member bipartisan panel met again Tuesday, the number of conflagrations had doubled, and the marauding Mendocino Complex fires had scorched more than 292,000 acres in three counties or more than 450 square miles.

The hearing, however, was decidedly low key, as representatives from the state’s big three investor-owned utilities and two public power providers, including Healdsburg’s municipal utility, recited the steps they have taken and plan to take to mitigate future wildland blazes.



How to Prevent the Risk of Crypto-Jacking

New cryptomining malware uses an NSA-exploit to spread to Windows machines while disabling security software and opening the door to future attacks on infected computers. Now is the time for enterprise IT to fortify their defences. Chris Olson, CEO at The Media Trust, provides background on cryptomining and discusses best practices to prevent related incidents.

Cryptomining is the new jackpot for cybercriminals. As cryptocurrencies have grown in popularity and value, cryptocurrency mining has turned into a lucrative business. Around the globe, thousands of websites operated by some of the world’s most recognized companies and government agencies have been compromised by malicious actors anxious to harvest web visitors’ CPU power for their mining operations.

However, when it comes to cryptomining, the industry’s focus is on the attacks and compromised devices rather than the root cause. These attacks are but a symptom of a deeper problem within the digital ecosystem. Most enterprises do not have full visibility into the third-party code rendering on their websites and mobile apps. These third parties make ideal targets for malicious actors, who are continuously probing for ways to make money and secure greater returns on their efforts.
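A first step toward the visibility the article says most enterprises lack is simply to inventory what a page loads. The following Python script is an added example, not code from the original article or from The Media Trust: it collects every `<script>` tag on a page, flags third-party scripts that carry no Subresource Integrity hash (the ones a compromised CDN or tag vendor can silently swap for a miner loader), and derives a Content-Security-Policy `script-src` allow-list from the origins actually observed. The sample HTML, host names and the SRI digest in it are constructed placeholders.

```python
"""Inventory the scripts a page loads and flag third-party ones without
Subresource Integrity (SRI) pinning, then derive a CSP script-src
allow-list from what was seen.

Added example, not code from the original article or The Media Trust.
The HTML below and every host name in it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one unpinned third-party
# tag, one third-party library pinned with SRI (placeholder digest), and
# one inline script.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="https://cdn.example-libs.test/lib.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.inlineFlag = 1;</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({k.lower(): v for k, v in attrs})


def audit_scripts(html, site_host):
    """Return one finding per <script> tag.

    A script is third-party when its src names a host other than site_host.
    Inline scripts (no src) are reported separately: they cannot carry SRI
    and the CSP built below would block them unless they are hashed or nonced.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            findings.append({"src": None, "inline": True,
                             "third_party": False, "sri": False})
            continue
        host = urlparse(src).netloc.lower()
        findings.append({
            "src": src,
            "inline": False,
            "third_party": bool(host) and host != site_host.lower(),
            "sri": bool(attrs.get("integrity")),
        })
    return findings


def unpinned_third_party(html, site_host):
    """URLs of third-party scripts with no SRI hash: their content can change
    under your feet without anything on your side noticing."""
    return [f["src"] for f in audit_scripts(html, site_host)
            if f["third_party"] and not f["sri"]]


def build_script_src(html, site_host):
    """Derive a CSP script-src directive allowing only the origins observed,
    so a loader injected from an unknown host is refused by the browser."""
    origins = set()
    for f in audit_scripts(html, site_host):
        if f["third_party"]:
            parts = urlparse(f["src"])
            # Protocol-relative URLs ("//host/x.js") have no scheme.
            origins.add(f"{parts.scheme}://{parts.netloc}" if parts.scheme
                        else parts.netloc)
    return "script-src 'self' " + " ".join(sorted(origins))


if __name__ == "__main__":
    for url in unpinned_third_party(SAMPLE_HTML, "www.example.com"):
        print("unpinned third-party script:", url)
    print(build_script_src(SAMPLE_HTML, "www.example.com"))
```

Two caveats a practitioner should keep in mind. SRI only works for resources whose bytes are fixed; a tag-manager loader that its vendor updates at will cannot be pinned, so it stays on the allow-list and needs monitoring instead. And this audit reads static HTML, whereas most third-party code arrives through scripts that inject further scripts at runtime, so the same inventory should be taken against the rendered DOM (or with CSP `report-uri` reporting enabled) to see the full chain.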



Wednesday, 08 August 2018 15:55

Cryptomining Malware On The Rise

(TNS) - It’s day 11 for Omar Estorga on the front lines of California’s firestorm.

Some nights, the captain and his crew have slept — sitting up — in the seats of their fire engine as the Carr fire raged. Other nights, they’ve stayed at the base camp in Shasta County. On their days off, they’ve snagged dorm rooms at Shasta College or, if they’re lucky, a hotel room when another fire crew has checked out.

As some 14,000 firefighters wrap up their second week battling more than a dozen destructive wildfires across the state, fatigue is setting in, but the fires show few signs of letting up.

To the south, the sprawling Mendocino Complex inferno on Monday became the largest fire ever recorded in California, burning more than 283,000 acres in just 11 days. The Ferguson fire has closed parts of Yosemite National Park indefinitely. Large swaths of the Sacramento Valley have been choked by smoke for days.



The UK consumer response to the General Data Protection Regulation (GDPR) is shifting. New research by SAS, ‘GDPR: The right to remain private’, reveals that more people are activating their new personal data rights, and faster, than expected. At the same time, the Facebook/Cambridge Analytica data scandal has made the majority of consumers either activate their rights, or at least reassess the information they share and how organizations use it.  

In 2017, SAS surveyed UK consumers for their views on the regulation, revealing that 42 percent planned to exercise their rights within a year of GDPR coming into force. However, the new research shows that 31 percent have already activated their rights over personal data, and 55 percent will have done so within a year.

GDPR came into effect in May, making organizations accountable for personal data protection and giving consumers significant new powers over their personal data. These new powers include the rights to access, query and erase the data held about them by organisations.



The threat of slavery or unethical behaviour in a firm’s supply chain is not receiving the attention it should, particularly by those who work in crisis management.

Firms are judged by the company they keep, and if they employ or work with partners who are guilty of such practices, this represents a massive potential hit to an organisation’s reputation. Crisis managers are currently so obsessed with all things cyber that this major risk is being left unattended.

Companies or partners that form part of a firm’s supply chain need to adhere to its own high ethical standards, but this can be hard to police.

Lead paint

A few years ago, I was brought in to help extricate a client from an ethical crisis. One of their premium brands is a very well-known set of children’s toys. These they had made in China, only to discover that the manufacturers had swapped out the agreed paint for a cheaper brand, which contained high levels of lead, and used this in the manufacturing process. Young children put toys in their mouths and quite often chew! Parents are pretty resistant to their little darlings sucking on lead.

The company had agreed with the Chinese makers which lead-free paint should be used and even installed detectors in the factory that checked for lead contamination. These were left to gather dust. The brand went on to feature in the New York Times for all the wrong reasons.



Tuesday, 07 August 2018 14:27

Slavery in the supply chain

(TNS) - A tornado packing 110 mph winds hit Webster with “no warning at all,” tearing up Main Street, cutting off power and displacing 25 — with one driver injured by flying debris.

It swept into town as a line of powerful storms rolled through the state yesterday, leaving flash flooding and broken tree limbs in its wake before heading out to sea.

“It’s horrible,” said Ann Lavallee, 25, of Webster. “It hit Main Street. It blew out the windows of some buildings. Some businesses were destroyed. There are fallen tree limbs ... flooding.



Monday, 06 August 2018 14:34

Tornado Rips through Webster, Mass.

(TNS) - Patience is wearing thin in Greenbrier County, W. Va., where some people continue to live in marginally habitable structures more than 25 months after the deadly flood that claimed nearly two dozen lives and caused millions of dollars of property damage across West Virginia.

Meanwhile, the state’s RISE program is in possession of nearly $150 million in HUD funding intended to assist low-income flood victims with their housing needs.

To date, the amount spent on home placement, construction and rehabilitation totals $784,407.75, according to the man who earlier this summer took charge of the RISE program, Maj. Gen. James Hoyer, adjutant general of the West Virginia National Guard. An additional $583,000 has been obligated for payment of outstanding invoices, he added.



(TNS) - Even as fires rage across California, thousands of new homes are being built deeper into our flammable foothills and forests, as lethal as they are lovely.

A recent surge in subdivisions in high-risk wildlands is putting more of us in harm’s way, say experts. For millennia, wildfires just burned trees; now they’re claiming homes, with heirlooms, pools, family photos, pets, cars and precious lives.

“It’s the ‘expanding bull’s eye’ effect,” said geographer Stephen M. Strader of Villanova University, who tracks population growth in high-risk areas. “Cities are moving into regions where there were no people before. People and wildfires are coming together more often.”



Daniel Perrin, Global Solutions Director, Workplace Recovery, IWG

With hurricanes and other natural disasters impacting the U.S., now, more than ever, companies are re-examining their business continuity plans. However, traditional workplace recovery strategies haven’t kept pace with modern business needs. Historically, companies built their strategy around IT. This meant that when disaster struck, to keep critical staff working, businesses needed access to their data.

The solution was to keep offices near a recovery server, ready for when a problem shut the main office down. If that happened, businesses would send the 20 or so needed staff to work from space next to the server. That’s the model the industry has followed, but it is a model that is now redundant.

Why? There are three main reasons:
  1. Technology has evolved dramatically since most large businesses first developed a workplace recovery strategy. The rise in cloud computing means that data is not housed in one particular place. It can be accessed from anywhere. This means a recovery plan no longer needs to be based entirely on the location of servers. It can be based on what works best for your business at a particular time.
  2. Recovering to one fixed location can be a logistical nightmare – if not ill-advised. Of course, if a small leak in an office has rendered it unusable, you can move staff to a specific, identified back-up office. But what if your city is flooded or facing another equally significant impact event? If you are dependent on one specific location for recovery, chances are one of two things will occur: either your back-up location will also be hit, or your people won’t be able to get there. In today’s world, a smart business needs to develop a workplace recovery strategy that is responsive and dynamic, one that can evolve with a live situation.
  3. The traditional financial model for making workplace recovery centers profitable revolves around oversubscribing each one – essentially selling the same “seat” to 10 or so different businesses. This makes sense on the assumption that different businesses will not need recovery at the same time. But in the example above – a major incident affecting large swathes of a city – chances are multiple companies will be impacted. Businesses therefore run the risk that at the one time they need the recovery seat they’ve been paying for, someone else may be sitting in it.


What makes a dynamic workplace recovery provider?

Primarily, one that offers a network of locations to choose from and offers flexibility to meet customers’ needs. And, a provider that will guarantee you space in any type of emergency, especially ones that impact entire cities.

For example, when Hurricane Harvey hit Texas in 2017, Regus, which provides flexible workspace and is owned by IWG, had the capacity to ensure that customers could continue working because it had 70 locations in the area. One of our customers wanted to recover to one of our offices in The Woodlands, outside Houston. This seemed sensible, but as the storm approached it became clear that this client’s employees would not be able to reach the site. We were able to contact the customer proactively and adapt their plan in real time, by the minute, recovering them to another location that would not be affected.

Businesses are realizing that workplace recovery plans are critical and that their current plans may not be fit for purpose. It’s a good time for companies to evaluate their plans and ensure that they are working with dynamic partners that have the flexibility to meet their needs.

For more information, visit http://www.iwgplc.com/.

The Need for a Chief Privacy Officer

Nearly every day we hear about another data breach at a major corporation, making the case for a chief privacy officer (CPO) more compelling now than ever. Adams and Reese attorney Roy Hadley discusses the various reasons organizations should employ a CPO.

2.5 quintillion bytes of data — that’s the amount of data estimated by some to be created every day.

Yes, that is 2,500,000,000,000,000,000. Every day.

To put that number into perspective, one trillion (1,000,000,000,000) $1 bills laid end to end would measure approximately 96,906,656 miles, exceeding the distance from the earth to the sun. A quintillion is equal to one million trillions. That is a long line of dollar bills!

Mind-boggling as that number is, it is estimated that, driven by the internet of things, the amount of data created will continue to grow. It is amazing how this data is created. According to Forbes.com, more than 3.7 billion humans use the internet every day. On average, Google processes more than 40,000 searches every second, which translates to 3.5 billion searches each day. Further, every minute of the day, Snapchat users share more than 500,000 photos.

In short, the amount of data we are creating is hard to fathom.



Friday, 03 August 2018 16:56

Data Here, Data There, Data Everywhere

This article by Clinton Jayne looks at individual organizations around the world and what their supply chains may have to endure during this period of geopolitical instability, where trade arrangements seem to change daily and the long-term impact of potential arrangements such as Brexit is largely unknown and not transparent.

I am not an economist and make no attempt to look at national economies and their individual circumstances. I also do not consider myself a politician (a fact I am immensely happy about) and do not look at political imperatives that drive the trade uncertainties. The point of this article is to look at individual supply chain circumstances and what organizations may need to do to ensure their survival and longevity.

Those expressing concerns

So, having explained the context let’s consider some of the known outcomes (taken from news broadcasts) thus far.

Airbus recently completed a study of its UK circumstances and the possible impact of Brexit and the customs union. Its factory (employing 14,000 people) produces wings and relies on the supply of aluminum and other products, not all of which are produced in Britain. I have no idea what their detailed findings are, but their warning to the politicians indicates that the impact could be very significant.



Congress this week temporarily extended the National Flood Insurance Program (NFIP) until November, avoiding a lapse of the program but also avoiding any needed reforms.

Up until Hurricane Katrina in 2005, the program was self-sustaining, for the most part, sometimes taking short-term loans to keep up. But last year, the debt reached almost $25 billion, of which $16 billion was forgiven by Congress last November. The debt is now $20.5 billion.

Critics believe the program, in its current form, is unsustainable and needs reforming. Otherwise, another season like last season, with hurricanes Harvey, Irma and Maria, could require forgiving more debt.



King Neptune gets power from his three-pronged trident, and those of us who work in business continuity can gain power from what I call the BCM Trident. That is, the three key performance indicators (KPIs) that can help you understand and improve your business continuity program.

These three KPIs are soundness, risk, and value.

In today’s post, I’ll talk about each one and explain how you can leverage them to sharpen your BCM program.



The year 2018 continues to see big changes in the practice of IT/disaster recovery, but the core concepts for achieving an effective IT/DR solution remain the same as ever.

In today’s blog, we’ll take a helicopter tour of what has and hasn’t changed in IT/DR recently, then look at how you can determine what approach is best for your organization.

Cloudy Weather

The big trend in disaster recovery is the continued growth in the use of DR in the cloud, where organizations store their data and servers in a cloud computing environment and recover and process from there in the event of a disruption. Organizations use cloud-based infrastructure to recover virtual servers (and potentially physical servers via a physical-to-virtual migration process).

Also associated with cloud-based recovery, organizations use DR as a service where a third-party vendor keeps the company data and cloud environment in sync. When there’s a need, the service provider spins the replicated data up from the cloud.



A Bribe is a Bribe

Why do organizations use sanitized language rather than more direct verbiage? A new generation of business leaders and employees is beginning to question the need for corporate speak. Michael Volkov discusses the need for a new approach.

Language communicates more than just words – indeed, the use of language reflects much more than simple communication. Often, a person’s language reveals an attitude, a feeling, a perspective and much more. I am often struck by how language is used by corporations to mask a clear and distinct idea. Corporate speak is a language unto itself; it can reflect a company’s culture and its commitment to honesty, trust and integrity.

Forgive me for questioning the use of corporate language, but when I read phrases such as “improper payments,” “questionable payments” and other equally vague terms used to describe flat-out bribes, I question the need for companies to avoid using accurate language. My overriding question in these circumstances is, why can’t the company use straightforward language?

A bribe is a bribe, and no matter how you characterize the payment, it is still a bribe. Of course, I recognize that in order to violate the FCPA or domestic bribery laws, a payment must be made with “corrupt” intent. In the FCPA context, a payment must be made with intent to influence a foreign official to act contrary to his or her official duties. Assuming that a payment is made with the requisite intent, such a payment constitutes a bribe.



Thursday, 02 August 2018 14:34

Corporate Doublespeak

(TNS) - When the radio of a Bakersfield police officer breaks, the IT department doesn’t call the manufacturer for a replacement. They go to eBay to try to find extra parts.

The 20-year-old public safety radio system for both Bakersfield and Kern County is outdated. The manufacturer of the radios no longer services the devices nor produces parts for upgrades.

Agencies like the Bakersfield Police Department and the Kern County Sheriff's Office use their radio systems for officers and the dispatch centers to communicate with each other.

The city and county have begun formulating a strategy for updating the aging analog system to digital.



If your organization has a heavy focus on analytics as part of the digital wave affecting oil and gas companies today, you’re very likely to start hearing the Agile Scrum framework seep into conversations; however, not every team can or should leverage Scrum, depending on its structure and needs. If your team wants to benefit from Agile principles without utilizing Scrum to do so, there is a path forward.

One good example of a team that may not benefit from defined, time-boxed sprint cycles is data scientists. In many cases, the business will reach out directly to these key resources, who will subsequently build a model using their own methodology, store data and R/Python code on their laptops, and remain skeptical about collaborating effectively with others. As a manager, this can be a frustrating prospect, since visibility around resource management and project progress can be limited. By leveraging some best practices from Agile principles and values (rather than implementing full Scrum), analytics managers can determine where in a project a team member is, what work is being performed over what timeline for resource management, and where code will live, in case someone loses a laptop or wins the lottery.



Thursday, 02 August 2018 14:22


Acquisition Will Help Accelerate Cisco’s Intent-Based Networking Strategy, Allowing Customers to Securely Connect Users to Any Application on Any Network


SAN JOSE, Calif. – In a release issued earlier today by Cisco (NASDAQ:CSCO), the company is updating a link in the release.

Cisco Announces Intent to Acquire Duo Security
Photo caption: From left to right: Duo Security co-founder and CEO Dug Song; Cisco security business SVP Gee Rittenhouse; and Duo Security co-founder and CTO Jon Oberheide.

Cisco (NASDAQ:CSCO) today announced its intent to acquire privately-held Duo Security, headquartered in Ann Arbor, Mich. Duo Security is the leading provider of unified access security and multi-factor authentication delivered through the cloud. Duo Security’s solution verifies the identity of users and the health of their devices before granting them access to applications – helping prevent cybersecurity breaches. Integration of Cisco’s network, device and cloud security platforms with Duo Security’s zero-trust authentication and access products will enable Cisco customers to easily and securely connect users to any application on any networked device.

Under the terms of the agreement, Cisco will pay $2.35 billion in cash and assumed equity awards for Duo Security’s outstanding shares, warrants and equity incentives on a fully-diluted basis.

“In today’s multicloud world, the modern workforce is connecting to critical business applications both on- and off-premise,” said David Goeckeler, executive vice president and general manager of Cisco’s networking and security business. “IT teams are responsible for protecting hundreds of different perimeters that span anywhere a user makes an access decision. Duo’s zero-trust authentication and access products integrated with our network, device and cloud security platforms will enable our customers to address the complexity and challenges that stem from multi-and hybrid-cloud environments.”

Business-critical data and applications today are accessed by customers, partners and employees from a multitude of locations and networks, both secure and open, using company-issued and personal devices. Attackers know that one of the most effective ways to access enterprise systems is through compromising user passwords or devices. According to the 2017 Verizon Data Breach Report, the majority of hacking-related breaches involve stolen or weak passwords. Acknowledging this, Cisco and Duo Security are closely aligned in the approach of designing infrastructure for the extended enterprise, where users, devices and applications are the center of the modern security architecture.

The acquisition of Duo Security will:

  • Extend intent-based networking into multicloud environments. Cisco currently provides on-premises network access control via its Identity Services Engine (ISE) product. Duo’s software as a service-based (SaaS) model will be integrated with Cisco ISE to extend ISE to provide cloud-delivered application access control.
  • Simplify policy for cloud security. By verifying user and device trust, Duo will add trusted identity awareness into Cisco’s Secure Internet Gateway, Cloud Access Security Broker, Enterprise Mobility Management, and several other cloud-delivered products.
  • Expand endpoint visibility coverage. Cisco’s in-depth visibility of over 180 million managed devices will be augmented by Duo’s broad visibility of mobile and unmanaged devices.

“Our partnership is the product of the rapid evolution of the IT landscape alongside a modernizing workforce, which has completely changed how organizations must think about security,” said Dug Song, Duo Security’s co-founder and chief executive officer. “Cisco created the modern IT infrastructure, and together we will rapidly accelerate our mission of securing access for all users, with any device, connecting to any application, on any network. By joining forces with the world’s largest networking and enterprise security company, we have a unique opportunity to drive change at a massive scale, and reshape the industry.”

The acquisition is expected to close during the first quarter of Cisco’s fiscal year 2019, subject to customary closing conditions and required regulatory approvals. Duo Security, which will continue to be led by Song, will join Cisco’s Networking and Security business led by EVP and GM David Goeckeler.


Investor and Media Call

Cisco will host a joint investor, media and industry analyst call on Thursday, August 2, at 6:00 a.m. PDT/9:00 a.m. EDT to discuss the proposed transaction. The call will feature Rob Salvagno, vice president of corporate development at Cisco; David Goeckeler, executive vice president and general manager of Cisco’s networking and security business; and Duo Security CEO Dug Song. To join the webcast, visit https://investor.cisco.com. Toll-free dial-in number is 800-779-1185; or 1-312-470-7366; Passcode: 3862813. Conference call replay will be available approximately one hour after the conclusion of the event through Friday August 10, toll-free at 800-925-0258 or 203-369-3861 (no passcode required). The replay will be available on the Cisco Investor Relations website at http://investor.cisco.com, no password required.

About Cisco

Cisco (NASDAQ:CSCO) is the worldwide technology leader that has been making the Internet work since 1984. Our people, products, and partners help society securely connect and seize tomorrow's digital opportunity today. Discover more at newsroom.cisco.com and follow us on Twitter at @Cisco.

RSS Feed for Cisco: http://newsroom.cisco.com/rss-feeds

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to: www.cisco.com/go/trademarks. Third-party trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.  

About Duo Security

Duo Security helps defend organizations against data breaches by making security easy and effective. Duo Beyond, the company's category defining zero-trust security platform, enables organizations to provide trusted access to all of their critical applications, for any user, from anywhere, and with any device. The company is a trusted partner to more than 12,000 customers globally, including Dresser-Rand, Etsy, Facebook, K-Swiss, Random House, Yelp, Zillow, Paramount Pictures, and more. Founded in Michigan, Duo has offices in Ann Arbor and Detroit, as well as growing hubs in Austin, Texas; San Mateo, California; and London, UK. Visit Duo.com to find out more.

Forward-Looking Statements
This press release may be deemed to contain forward-looking statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding the acquisition enabling Cisco customers to securely connect users to any application on any networked device, Duo's unified access security and multi-factor authentication helping Cisco accelerate priority areas across its networking and security portfolio, the expected benefits to Cisco and its customers from completing the acquisition, and plans regarding Duo personnel. Readers are cautioned that these forward-looking statements are only predictions and may differ materially from actual future events or results due to a variety of factors, including, among other things, that conditions to the closing of the transaction may not be satisfied, the potential impact on the business of Duo due to the uncertainty about the acquisition, the retention of employees of Duo and the ability of Cisco to successfully integrate Duo and to achieve expected benefits, business and economic conditions and growth trends in the networking industry, customer markets and various geographic regions, global economic conditions and uncertainties in the geopolitical environment and other risk factors set forth in Cisco's most recent reports on Form 10-K and Form 10-Q. Any forward-looking statements in this release are based on limited information currently available to Cisco, which is subject to change, and Cisco will not necessarily update the information.

For more than three decades, millions of Americans across thousands of communities have gathered together on the first Tuesday in August to celebrate National Night Out, an event promoting police-community partnerships and fostering neighborhood connections.

When the first National Night Out was held in 1984, more than 2.5 million citizens organized to give recognition to their local police forces. By 2016, the annual event had grown to include more than 38 million Americans across 16,000 communities. National Night Out celebrates police officers and provides an opportunity to thank them for the critical protection and services they so bravely provide. It’s the perfect occasion for citizens to get to know members of their town’s police force on a first-name basis, and vice versa.

While festivities vary by community (and many Texas towns choose to celebrate on the first Tuesday of October), National Night Out events often include block parties, parades, concerts, and cookouts, making it a family-friendly event enjoyed by people of all ages.

Emergency personnel are on hand to give safety demonstrations, explain their jobs to children, and talk about drug prevention and anti-crime initiatives in a relaxed, casual environment.



The Value of a “Built In” vs. “Bolted On” E&C Program


Ethics and compliance are far too often neglected by boards of directors at big firms, even though it’s settled law and policy that boards of directors are required to oversee company compliance. In fact, a survey of 26 past and present Chief Ethics and Compliance Officers (CECOs) reveals that most CECOs feel their boards don’t fully understand the ethics and compliance programs they should be overseeing and that they ask too little of senior management when it comes to ethics.

It seems like ethical failures in major companies are in the headlines on an almost daily basis. Sexual harassment and abuse, toxic workplace cultures, retaliatory firings against those who speak up – the list goes on and on. And after each new case, one of the first and most crucial questions is, “Where was the board?”

While it’s settled law and policy that boards of directors are required to oversee company compliance with law and regulation, it seems that ethics and compliance are far too often neglected by the boards of big firms. The failure of proper E&C oversight can have far-reaching consequences, as the basic function of ethics and compliance can be tied directly to one of the central concerns of a board: value and reputation.

To foster an understanding of how boards engage with ethics and compliance, we at LRN turned to 26 past and present Chief Ethics and Compliance Officers (CECOs) of major global companies for in-depth interviews on the role and impact of boards. We learned most CECOs feel that boards do not fully understand the E&C programs they’re supposed to be overseeing and spend limited time on these programs while requiring too little from senior management when it comes to E&C.



(TNS) — When he was home for lunch Monday, Dennis Wagner, director of engineering for the town of Windsor, got a phone call from an unknown number so he decided not to answer.

When he checked his voicemail, he discovered it was a reminder from Weld County to sign up for emergency alerts, if he hadn't already. Of course, Wagner said, he has, because it's one of the best ways to learn if any harsh weather is expected to hit Windsor.

The old method — outdoor warning sirens — seems pretty outdated, he said.

Other Windsor officials agree, as do those in Greeley. After the mile-wide, 2008 tornado that hit Windsor and other parts of Weld County, Windsor residents have wondered on social media and at town events — like this year's commemoration of the 10-year anniversary of the tornado — why the town hasn't chosen to put sirens in place.



We’ve all been there at some point during our lives: locked out of the house or car because we’ve lost or forgotten our keys (and it always seems to happen when we’re already running behind!). But as frustrating as the situation is, the good news is it’s usually short-lived—once we have our spare key in hand, we’re back in business. But what happens when it’s a key member of your team who’s been lost or sidelined? Do your business continuity management plans account for that?

A strong and focused business operations plan includes the identification of key personnel as well as a succession plan for those essential people. In addition, a successful Business Continuity/Disaster Recovery (BC/DR) plan must identify the key recovery personnel and the critical responsibilities to be addressed in the event of a business disruption. If some of the key personnel cross over between business operations and the BC/DR team, then it’s even more important to be confident you have all your bases covered.



Where cybercrime is concerned, it’s not whether an organization will be attacked, it’s when.

Juniper Research reports that cybercrime costs globally will exceed $2.1 trillion by 2019. That is four times the cost of data breaches in 2015. By 2020, a single cybersecurity breach will cost more than $150 million.

How organizations respond to cyber-attacks and other emergencies can help mitigate any damage and make the recovery process more efficient.



I love metrics, as any regular reader of this blog knows. I think they are the only way to obtain a clear, objective view of the health of a business continuity management (BCM) program and the ability of an organization to recover from a disruption.

But metrics aren’t an end in themselves, obviously. They are a means to an end. Their real value lies in the fact that you can use them to improve the state of your BCM program.


I take it for granted that metrics can help you strengthen your BCM program because I have seen it happen so many times.

However, it occurred to me that a lot of business continuity professionals might have only a vague idea of how to go about leveraging metrics in this fashion.

For that reason, I decided to devote today’s blog to the topic.



With remote working on the rise, how do we ensure we’re communicating effectively with others, through good old-fashioned conversation? Alison Coleman reports

Digital technology has transformed the way that we communicate at the expense of face-to-face communication. As psychologist Susan Pinker says in her book, The Village Effect, “In a short evolutionary time, we have changed from group-living primates skilled at reading each other’s every gesture and intention, to a solitary species, each one of us preoccupied with our own screen.”

Nowhere is this more evident than in the modern workplace, where employees – particularly the growing numbers of remote and mobile workers – are increasingly reliant on email, texts and instant messaging to interact with their colleagues. And with a Cancer Research UK study revealing that Millennials (who will represent 75% of the workforce by 2030) are shunning face-to-face conversation in favor of chatting online, it’s a trend that looks set to continue.



Tuesday, 31 July 2018 14:36

Why it’s good to talk

We talk a lot about the need to mitigate the operational risks of a business disruption: what if your organization loses access to a key facility or suffers a ransomware attack or experiences the loss of a critical vendor?

Those of us who work in business continuity and IT/disaster recovery think about these kinds of problems night and day—and we work hard to create plans to mitigate the risks of them happening and to manage the impact if they do.

However, there is one kind of impact that is quite significant but frequently overlooked: the financial impacts which a business disruption can cause the company.


