Disaster recovery plan, disaster readiness, contingency planning, continuity planning, continuous processing plan. These terms are extremely confusing and, although there are subtle differences in the meaning, they are often used interchangeably when referencing the planning process for mitigating the impact of catastrophic events.

It’s like the terms statistical process control and statistical quality control. I contend the only real difference in these two terms has to do with the age of the person utilizing them.

The so-called DR function is a prime example of a process that has undergone a major evolution with the passage of time (the classic paradigm shift).

Only a few short years ago, the vast majority of disastrous events were driven by nature, i.e.:
• Tornadoes
• Earthquakes
• Floods
• Forest and brush fires
• Etc.

Sure, there have always been a smattering of manmade events, some accidental and some intentional, but contingency planning requirements were almost totally driven by those events initiated as a result of natural phenomena.

Although sabotage, with the possible exception of government protection agencies, has been of limited concern in the past, it is now swiftly becoming a major consideration in corporate mitigation planning.

The pendulum has swung and intentional, man-made acts directed toward business disruption and annihilation must be recognized as the predominant concern facing us in the contingency planning profession of the future.

This represents good news and bad news:

The good news is the vast majority of all effort and money invested in mitigating the effects of manmade events will be directly applicable to those initiated as a result of natural catastrophes.

The bad news is the reverse is not always applicable, i.e., all of the contingency planning based on the requirements of so-called “natural events” severely lacks fundamental considerations necessary to combat those designed by man.

This new era can be looked upon as that of the “smart disasters.”

We humans can now create a devastating event almost tantamount to that of Mother Nature. In some ways anticipating and mitigating the manmade events is more difficult because we cannot rely on such basic logic as probability or predictability.

By studying past data of natural disasters, future probability of recurrence and likely geographical impact could be established and that predictability assisted in establishing recovery strategy commensurate with the potential vulnerability.

Since a basic premise of manmade events is unpredictability, it becomes, for the most part, impossible to establish a projection of type, timeframe, or geographic impact of potential future events.

In the event of natural disasters, we can, at least, rely on some geographic distinctions, i.e. major earthquakes primarily affect specific areas and tornadoes are normally limited in geographic scope.

If you agree with my premise – that our real future disasters will come primarily at the hands of unscrupulous humans – this new line of thinking implies all existing contingency plans must be reviewed and updated. You must take into consideration not only the multitude of new technology currently available but also the vast array of technological and ulterior motive driven events we can expect in the future … the very near future.

I recently read an article where the author was in dismay about our inability to stop computer hackers. The important thing to extract from this author’s naivety is the realization that fighting computer crime is not an activity that will ever be completed.

It has been said that, in the 1930s, a motion was introduced in Congress to close all patent-related offices in the United States. The logic behind the bill stemmed from the perception that all possible things had been invented and the supporting organizations were of no further value. Even if it might have been a fabrication, it emphasizes the point that nothing remains constant.

In the early days of information technology organizations, many executives believed that once all programs had been designed, tested and implemented, the organization would no longer be required.

The same logic is appropriate for planning defense against computer crime. As long as there are people designing and implementing functions to be performed by computers, people will always be able to subvert them.

The obvious tools likely to be employed by these delusional bottom feeders in the future will undoubtedly exploit the corporation’s (or individual’s) ubiquitous, high-tech, computer-controlled vulnerabilities.

The catastrophic 9/11 terrorists demonstrated that “smart” disasters are something that must be guarded against, not only now, but for all eternity. I believe this type of despicable event, in one form or another, was inevitable and necessary. It took an extreme, man-made catastrophe to wake up both the citizens and the sleeping corporate giants. This event alone demonstrated the need for continuity professionals to lead our companies into the next important phase of preparation and planning.

Protecting against events such as the attacks at the World Trade Center and Oklahoma’s federal building, and others (like natural disasters), will be a walk in the park when compared with the identification and continuing programming and infrastructure activity that will be necessary to withstand the constant bombardment of malicious sabotage that will be waged through our newfound, ubiquitous computers and networks.

As established above, the “disaster du jour” will be at the hands of men, most of whom will believe their actions are just and necessary, much like the crusades of the biblical era.

These crusaders of tomorrow, however, will not be riding horses and armed with swords, rifles, or heavy artillery; they will be wielding a keyboard, mouse, and network interface.

The time has passed for corporate officials to recognize the imminent dangers.
In these times of financial uncertainties, many companies have reduced their contingency planning expenditures when, in fact, they should be allocating additional financial resources and recruiting qualified staff to address this new multi-headed monster.

Although larger corporations have, in one form or another, implemented contingency plans for the obvious “business critical” functions, most have not recognized this activity as a corporate function. Most have inadequately funded spur groups in several departments (normally facilities and information technology).

Obviously any contingency planning is good but may still leave your company extremely vulnerable in many crucial business functions.

Disastrous events orchestrated by individuals (smart disasters) will obviously be designed to attack the contingency planning deficiencies and specifically exploit them to the fullest.

If you accept my premise, you can understand that the contingency planning function must be funded and directed at a corporate level, independent from departmental management bias and well-intentioned budgetary control.

This, much like auditing, will allow response to any event with the entire corporation in mind. Personnel, sales, facilities, manufacturing, and information requirements will be coordinated simultaneously.

Outside of personnel safety, the obvious priority of mitigating activity is to protect the corporation’s assets and, in the event of a disaster, quickly restore a semblance of the various business critical activities with recovery priorities commensurate with those of the stakeholders’ interest.

Many years ago, I was employed in Mobil Oil’s credit card accounting organization referred to as data processing. Disaster recovery? Back then, I don’t think the term had even been uttered.

At that time, no one was at all concerned with the future availability of oil products or the unbelievable reliance the world would ultimately have on it.

Hindsight shows us that the country and the world had made some enormous blunders in allowing our country to become so dependent on a single industry with such a geographically restricted supply.

Apparently we, as a people and a world, have not learned very much, in that this same type of rampant, uncontrolled evolution is also becoming evident in the imminent development of computer-directed activity in every segment of civilization.

This computer revolution has been predicated not only by the simple passage of time but by society’s willingness to blindly allow it to permeate every aspect of our personal and business infrastructure.

We are not only willing, but anxious to relegate every aspect of our lives to “The Computer.” Maybe the fictional R2D2 (Star Wars) and HAL-9000 of the 1968 film “2001: A Space Odyssey” were visions of the future and, perhaps, warnings that we should have taken note of 35 years ago.

There was a story of one of the developers of the original computers who resigned from Univac with his opinion being, given the ability to evolve, “Computers would eventually rule the world.” He didn’t want to personally carry that burden.

It was always a joke that, at least, we could un-plug them. In today’s world, I’m no longer sure that will always be an option.

All of these issues that are imminently developing in the corporate environment are only a few years removed from your household.

Let your mind run just a bit and imagine a criminal element taking control of your house’s temperature, alarm, electrical, water, media, kitchen appliances, voice and data communication, banking systems, and who knows what else. These fundamental utilities, not even mentioning robotic domestic chores, will eventually be totally under residential computer control and linked with numerous services.

Hopefully you understand what I am trying to convey. If we, not only as corporations but as individuals, are not adamant and persistent with evolving our contingency planning capabilities commensurate with that of the “bad guys,” we can lose this battle of the “smart disasters.”

Then what will we do?

Dan Perry, CBCP, has managed computer systems support organizations (applications, systems, and operations) for more than 20 years. He had been in management with AMD for about 15 years and most recently held the position of senior IT staff responsible for IT disaster readiness worldwide. Perry has been published four times in the Disaster Recovery Journal and possesses a Business Continuity Professional Certification (CBCP).