Don Orifice has trouble getting through to his clients when he tries to stress the importance of preparing for...
"The instant you begin to speak of what they'll do when things go bad, they glaze over and mumble about remembering to take home the [daily, weekly or monthly] backup tape tonight," said Orifice, head of Peabody, Mass.-based Portable CTO Inc., in an e-mail interview. "Or worse, they remind me that those things only happen to big companies."
Orifice, also executive director of the Peabody-based North Shore Computer Society, added: "They remind me of teenagers and that indestructible feeling that allows teens to get stoned, drunk, drive at high speeds and then mourn their friends with another party when they die. In other words, it's a tough sell."
Dan Stolts, president and senior systems engineer for Bay State Integrated Technology Inc. of Lakeville, Mass., has similar dealings.
"The entire problem is that companies see business continuity and disaster recovery as something they should be thinking about. Then it gets pushed aside because of things that come up on a day-to-day basis and other projects that are in the works," he said via e-mail. "I think most are sincere when they assert that they are aware of the potential problems and that it is something that should be addressed. They simply don't know what they don't know on the topic. When it comes right down to it, people do not want to put up the time and money to get it done because they have not really thought enough about the 'what if.'"
Given their experiences, it's no surprise they agree with the findings of a new survey from New York-based Deloitte & Touche LLP and CPM Global Assurance. Two hundred corporate and IT managers from various industries were surveyed, and 50% said their companies have implemented corporate-wide business continuity and disaster recovery plans. That's up 20% from five years ago. But it's still well below where companies must be, said Ted DeZabala, principal and national security services leader of Deloitte & Touche LLP.
"In order for any business continuity management program to truly be effective, it needs the attention and support of senior management across the organization," he said in a statement. "In our survey, only a third of the respondents believe they have a comprehensive [business continuity] governance structure in place, and remarkably only half of them include their senior executives in the program management."
The study shows many companies haven't developed enterprise-wide business continuity programs or they lack the appropriate infrastructure to verify that one is properly maintained. Two-thirds of respondents acknowledged this, surprising in light of the Sept. 11 terrorist attacks, numerous high-profile computer viruses and natural disasters like the recent earthquake and tsunamis in Southeast Asia, DeZabala said.
The survey found that:
- Most organizations lack a senior-level business continuity management champion that can influence both the company's culture and financial resources.
- Business units are reluctant to spend the time and money to implement "optional" programs.
- Creating an enterprise-wide business continuity management program can seem overwhelming to many organizations that are already resource-constrained.
- Corporate executives may operate under the belief that "it will never happen to our organization."
Those are the exact problems Stolts has run into. "Bottom line: without a champion it will never happen, and the champion must be in a position to effect change -- and have some control over the purse strings," he said.
Dig Deeper on Information Security Incident Response-Detection and Analysis