A majority of the executives we surveyed are confident in their ability to continue critical business operations in the face of a malicious disaster, and perhaps they are justified: Many have tightened security procedures, decentralized computing and storage architectures, and even relocated data centers. The security experts we spoke with about the survey results, however, were not as sanguine, and they warned that many companies are likely still vulnerable.
Ian Mitroff, a crisis management specialist and business professor at the University of Southern California, says uncertainty has to be part of any plan. All too often, he says, companies rely on risk analysis, cost-benefit analysis and simplistic simulations, which don't factor in the unexpected. "The first characteristic of any major crisis is uncertainty," he says. "I left engineering because we were producing a lot of certainty junkies accustomed to solving textbook problems where you know everything. In the real world, the problem changes dynamically over time. You have to cope with extreme uncertainty. Al Qaeda is uncertain. September 11 shows the faultiness of risk analysis. You have to prepare for at least one act of terrorism."
MacDonnell Ulsch, managing director of Janus Risk Management Inc. in Marlborough, Mass., agrees. "We know the other terrorist shoe will drop, but we don't know who, what or when," he says. There are no simple answers: "You don't just buy some software and install it. We're dealing with a number of issues that are pretty complexinternal and external security, disaster recovery, business continuity, crisis management, privacy and regulatory issues."
One thing is certain: CIOs face serious budget constraints. "After Sept. 11, security has gone from being not such a hot issue to the front burner," says Donald Lee, CIO at Maryland's Department of Assessments and Taxation, in Baltimore. "We have the commitment from the executive level. But in this economy, the state is in cost-reduction mode. Money is really tight."
That's also true in the private sector. "Unfortunately, the financial impact of the terrorist attacks greatly outweighed the fear factor of spending on security," says John Pescatore, a vice president at Gartner Research. "If I'm an airline, and my revenues have disappeared, I have to delay spendingI have to report to Wall Street. The concern is up, the spending is not."
Still, many companies have changed their IT practices to ensure continuity by relocating data centers, or moving to a more distributed data processing or storage architecture. These changes were picked up in our conversations with CIOs and CTOs; everyone we spoke to was aware that after Sept. 11, what matters is location, location, location. In Phoenix, for example, Blue Cross Blue Shield of Arizona has decided to mirror critical data at a center in Tempe, Ariz.ironically, in the same facility it once used as second data center (which was shut down in a cost-cutting move). "I've seen it go in circles," says Chief Technologist Gerard Farmer. "Years ago, everyone was on centralized mainframes, then everyone decentralized, then centralized again to save money. Now we're decentralizing again for disaster recovery reasons."
In Baltimore, Maryland's tax department surveyed its 24 offices around the state to determine where it could move its 900 employees in an emergency. "Our business continuity plan had been related to equipment and software," CIO Lee says. "But where are you going to house the staff?" The agency is also reconsidering telecommuting, something it had hesitated to use, as part of the solution.
Some companies have discovered that a backup site isn't enough. Ulsch tells of a financial services company in a suburb west of Boston that before Sept. 11 had established a hot backup site 20 miles away, anticipating that employees could reach it in 30 minutes. When bomb threats were made against financial institutions following Sept. 11, however, it took the employees six hours to get there, because every other business around them was evacuating as well.
"A number of companies have analyzed, tested and revised their plans," Ulsch says, "and they found out the plans don't do what they thought they did. There are many consequences when a disaster occurs, but companies will intellectually prepare a plan that covers only one factor."
Our survey revealed that the sense of urgency spiked after Sept. 11 and has since fallen back, something Gartner's Pescatore sees as well. "It looks like the half-life of concern was about six months. In March and April, spending was pretty much back to normal," he says.
CIOs are most worried about internal and external security breaches and cyberterrorism, the survey showed. Are they justified? Some anecdotal evidence from our conversations: Government CIOs tell of sharply higher external hacking into their systems since Sept. 11; based on their origins, many attempts are thought to be from terrorists. Several of Ulsch's large clients report up to a million automated probes of their systems a day.
Are the roughly two-thirds of our respondents who are confident of their business continuity plans for cyberterrorism and system breaches right to feel that way? "Their optimism is a little overplayed," Gartner's Pescatore says. "Our estimate is that the Internet systems of about 65 percent of Fortune 5,000 companies are vulnerable to an attack that at least results in a content change." For example, says Pescatore, several companies have had false press releases planted on their sites. The releases were picked up by newswires, which resulted in their stock dropping 50 percent. Another 25 to 30 percent are vulnerable to an attack that could cause a financially significant event that would have to be reported.
Surprising, too, was this survey result: About one in five respondents still don't have a business continuity plan. "Want to hear something even more ridiculous?" Farmer asks. "I talk to people at conferences who don't have a clue about security. These are technical people, and I'm still amazed when I learn their IT shops don't have firewalls. You can get one for a couple hundred bucks. This isn't rocket science."
Are some organizations still in denial about the terrorist threat? Mitroff thinks so. He surveyed Fortune 1,000 companies before and after Sept. 11, and found that about 85 percent are what he calls "reactive." The farther these companies are geographically from New York City, the less they are preparing for terrorism. "Only when something is close to them will they take action," he says. "A lot of organizations have their heads in the sand." He also found that the larger these reactive companies are, the less they are prepared. "They think, 'We're so big and powerful, nothing can happen to us.' The number one problem we're facing is this overwhelming denial."Terry A. Kirkpatrick