Modernizing Authentication — What It Takes to Transform Secure Access
Andrew Lippo was at a conference with about 200 other CIOs on a cruise ship off the coast of Atlantic City, N.J., on Sept. 11, when the BBC broadcast a bulletin: An airliner had struck one of the World Trade Center towers.
"My daughter was flying from Boston to New York City that morning, and I thought it was her plane," says the director of MIS at Standex International Corp., a diversified manufacturing company based in Salem, N.H. "I was kind of panicky." He would eventually learn that she was safe, but another passenger got word that a relative was on board one of the ill-fated airliners. All over the ship that day, the CIO Forum's program of meetings and speeches on IT issues yielded to anguished huddles of executives, many of whom knew someone who worked in lower Manhattan.
In Orlando, Robert Kreiger, vice president of information technologies at the Hilton Grand Vacations Co., a unit of Hilton Hotels, was in an IT planning and strategy meeting when the news broke. His first thought was of colleagues at the Millennium Hilton Hotel, which stood in the shadow of the World Trade Center towers. "Frankly, I was thinking more about the people than the systems," he says.
In Detroit, Donald Ledwith, manager of information security and disaster recovery planning for General Motors' North American operations, immediately began planning the relocation of people in GM's corporate headquarters at the Renaissance Center, which features a 77-story tower. "It appeared to be the kind of target the hijackers were aiming for," he says. GM's employees were given the option to evacuate, and they did; an alternate site was designated and equipped with laptops and phones. "Where," Ledwith had to figure out, "would we put people if they were out a second or third day?"
In New York City, in the days following the attack, Larry Tabb, vice president of securities and investment research at the TowerGroup, a research firm that focuses on technology in the financial services industry, talked to CIOs in the financial district. In addition to the myriad technical issues they faced, "they were trying to make sure their people were okay," he says. "They were trying to make sure that even if their people were okay physically, that they were also okay mentallywhich a lot of folks weren't."
As we talked with CIOs who participated in our disaster recovery survey, what emerged as the single largest issue in the aftermath of the terrorist attacks was not systems or technology, but people.
"The technology executives I've had an opportunity to discuss this with are still focused on the human and emotional element of this disaster," says Larry Henderson, senior vice president of operations at SunGard Recovery Services L.P., a Wayne, Pa.-based supplier of disaster recovery services. Soon after the attack, the company was working on 22 disaster declarations. "They're not talking about how to improve their DR plans right now; they're still focused on the human side."
Something fundamental changed for technology executives on Sept. 11: "Even if you get data and systems backed up, the people who know how to run them might be gone," says Robert Enderle, research fellow at Giga Information Group. "People were prepared for some kind of outage, but they weren't prepared for loss of life."
At Standex, Lippo is revising his DR plan. "Our approach is employee awareness. Employees need to know all of the potential threats." As for his own MIS department, "The human equation is the most important piece of disaster recovery. I can find machinery. I have my backups in a fireproof vault at a bank. But I have to pull together multiple people to make this work. That's the issue: You have to identify who the people are and make them aware of their part in recovery."
All of the CIOs we spoke to have some kind of DR plan in place, but they are reviewing them, revising them in some cases, driving harder to wrap up parts that are unfinished and anticipating that their spending might rise. "This hasn't changed what I want to do," says GM's Ledwith, "but I'll probably get more resources to make it happen. People don't seem to respond until something like this happens." His near-term focus: bringing the company's distributed applicationsengineering and operations programsup to the same level of readiness as the mainframe and Web apps.
"In the short term, I think spending may actually go up a little bit," says John Lambeth, CIO of Xerox Connect Inc., a unit of Xerox Corp. that provides IT and knowledge-management systems. "I don't think your average company will cancel ongoing projects. A lot of CIOs may go back to their boards and say they need to carve out a little incremental investment. Non-technical C-level executives will have the awareness right now, so CIOs will be successful in making their point."
Lambeth's own DR plan was well along when the attacks occurred, although he didn't need it that day. "We initially focused on business continuity, looking at things like diesel generators, self-healing networks and the like. Now we're implementing phase two'the building disappears'and we need to go to hot backup or redundant backup. This began unfolding two or three months ago," he says, "but everyone has more energy around it now."
CIOs are now thinking about risk in entirely new and unfamiliar ways. "Corporations here, unlike those in other parts of the world, have not thought about the possibility of targeted destructive action," says Giga's Enderle. This means, for one thing, that a company does not have to have a high profile to be vulnerable. "Those attacks didn't just take out the towers; they took out the surrounding buildings as well. You might be a small company near a government facility or a high-profile brand. You may not be able to get employees in if, for example, a bridge gets hit."
In that sense, no location is immune, and that's part of the new reality every CIO is facing following the attacks. No historical context exists to help comprehend the magnitude of events. Says TowerGroup's Tabb: "I don't think anybody's prepared for what happened, unless they're in Iraq or Afghanistan. I don't think you can prepare for this. You can make as many plans as you want, but what do you do when 6,000 people are missing and lower Manhattan is closed?"
Even the vocabulary of disaster recovery has been affected. "We used to talk about the 'plane dropping through the roof' scenario," says Xerox' Lambeth. "Now, sadly, it's real."