Scope of contingency programs needs to be expanded, execs say

Corporate officials need to consider disruptions from major information security failures when making business continuity and disaster recovery plans, security managers and analysts said last week.
Failure to do so, they added, could leave businesses dangerously underprepared to respond to infrastructure disruptions during a time of growing cyber-risks.

"Disaster recovery plans that take into account only the physical impact to the infrastructure are shortsighted and need to be remedied," said David Jordan, chief information security officer for Arlington County, Va.

The county now routinely incorporates cyberthreats and other potential technology-related calamities into its disaster recovery planning processes, according to Jordan.

21st Century Threats

It's important that the topic not get lost in the wake of hurricanes Katrina and Rita, said John Pironti, principal security consultant at Unisys Corp. in Blue Bell, Pa. He noted that such disasters prompt many IT operations to focus on traditional business continuity processes involving their physical assets only.

IT managers shouldn't overlook the threat that cybersecurity incidents and other electronic failures can also pose to critical infrastructure, Pironti said. Disaster recovery "is stuck in a 1970s to 1980s mind-set of a mainframe, a LAN and a glass house that need to be backed up," he added.

What is needed is an "expanded perspective of what constitutes a disaster," said Bob Palmer, a vice president in IT at Lenox Inc., a Lawrenceville, N.J.-based maker of tableware and giftware.

Disaster planning "traditionally required that firms work with a single vendor who provided physical facilities and equipment in case of an emergency," Palmer said. An infrastructure failure stemming from an electronic attack would force a company to deal with security firms, Internet service providers and law enforcement agencies, among others, he said.

Adding to the complexity is the unpredictable and evolving nature of electronic attacks and potential responses to them, thus creating a difficult environment in which to conduct tests, Palmer said. As a result, he noted, disaster recovery planning needs to become "broader and [more] dynamic in nature."

Information security teams need to undertake security-threat scenario planning with workers who are responsible for business continuity programs, suggested Roberta Witty, an analyst at Gartner Inc.

The team should identify threats that could take down a company's core infrastructure or parts of it, she said. "Clearly, e-mail is a prime target, so you've got to look at how your business can continue without e-mail," Witty said. Similarly, "if you have an internal or an external security breach, the first thing you've got to understand is whether you'll be replicating the problem when you try to recover at a recovery site," she added.

Disruptions resulting from major worm outbreaks over the past few years have caused more companies to pay attention to such issues, Witty said.

Though computer security incident response teams are often ready to deal with disruptions from a security failure, more work still needs to be done, said Lloyd Hession, chief information security officer at New York-based BT Radianz, a provider of network connectivity services to financial firms.

"There's a real need for better synergy and communications between the information security team and the disaster recovery and contingency planning [function]," Hession said. "It's a question of how two groups with a similar function can work together to manage risk."