February 01, 2004
—
CSO
—
When Mike Hager suggests that much of corporate America is oblivious to the risks of even a minor system outage, it's hard to write him off as just another pessimistic pundit. After all, Hager, then the vice president of security for OppenheimerFunds, escaped the World Trade Center on 9/11 and helped get the company back up and running within hours. The man knows a disaster when he sees one.
But now, this practitioner-turned-consultant is facing a quieter but equally daunting challenge: making sure that, as the horrific events of that day recede from our collective memory, corporate America doesn't stop caring about business continuity planning. And that, he's sorry to say, is what he's seen happening, as he travels the country speaking at conferences and talking with security and IT chiefs.
"We had a short window to try to change a lot, with regard to security and business continuity," says Hager, now president and CEO of the Business Risk Management Group, a consultancy he created in 2003. "Unfortunately, it was not in a good economic time."
Hager recently spoke with Senior Writer Sarah D. Scalet about how to crack that window back open again. The key? An integrated, risk-centric approach to information security, physical security and business continuity that ultimately costs less money and is much more effective. But be warnedyou'll still have to paint disaster scenarios to keep people's eyelids from drooping.CSO: Is business continuity planning a profession for pessimists?Mike Hager: I like to think of myself as an optimistic pessimist. I tell a joke about a little boy who gets thrown into a room with a 10-foot-high pile of horse manure, and he comes out saying, "Hey, where there's this stuff, there's gotta be a pony, right?" Pessimists believe that there are all kinds of threats out there, but there's no way to keep them out. Optimists say, "Yeah, I know there's an opportunity for people to attack, but we haven't been attacked in 20 years, so why worry about it?" I'm the optimistic pessimistI actually believe something is going to happen, but I'm crazy enough to believe that I can do something about it.Some headline writers are calling you a 9/11 survivor. Do you mind having your identity tied to the fact that you escaped the collapse of the south tower of the World Trade Center?A lot of people ask me how I feel, if I have nightmares, those kinds of things. I don't. That probably goes back to my military traininggoing into survival mode and doing what I needed to do. But I don't take offense to someone saying I was a 9/11 survivor, as long as they put it in the proper context. Yes, my company went away. I watched it disappear, and then in four and a half hours, I literally had all our systems up and operational again.Did your focus change after 9/11?Mine did because management decided that I needed to spend more time in business continuity than in security. Unfortunately for us, someone did a survey that said we were one of the best in the Fortune 500 from a security perspective, and as a result the money dried up. [He laughs.] That's what happens sometimes. People say, "Well, if we're already one of the best, why do I need to spend more right now?"Yet you certainly can make a much more persuasive case for business continuity planning than the next guy.I learned a lot of lessons on 9/11. As a result, I'm able to help companies with things that I hadn't even thought about beforethings that became important afterward, like having an accounting of what we had. Everybody thinks they know what they have on their networks, but most of them don't really know how many servers they have, or how they're configured, or what applications reside on themwhat services were running, what version of software or operating systems they were using. Isn't that why people use asset management tools?Yes. But guess what? They don't work. Asset management tools will tell you that you have 6,000 hard drives. They won't tell you how many copies of Microsoft Office you have deployed or where those licenses are. After 9/11, companies such as Microsoft were willing to say, "We understand you lost your documentation. Just tell us what you had, and we'll replace it for you." If it's a smaller disaster that's very isolated, vendors may not be as agreeable.Two years out from 9/11, is it getting harder for CSOs and CIOs to justify the expense of business continuity?It depends on the size of the company. Some of the costs can be very, very high. If you have a large data center and you want to mirror it to someplace else to make it available immediately, you're talking millions of dollars. That's a lot of money. Smaller companies have a lot more options. Such as?The data can be taken home at night. That's a pretty big risk, though, putting the company's most important data in somebody's backseat.You have to protect it like you would anything. It's not like you just throw it in the trunk of your car and forget about it. You might put it in a safety deposit box. You might put it in a safe at the CEO's house.You make it sound easy.Not really. People don't always remember all the critical functions of their business that would have to be resumed. Maybe you can live without the payroll folks for three days, because you don't make payroll for another two weeks, but you definitely need the people answering the phones to get more orders.Doesn't that become intensely political? You're talking about deciding who within the company you can do without for a period of time. Nobody wants to admit they're that person.But the whole process is based on value. That's why it's important to, first thing, do a business impact analysis to find out what those key critical activities are. Someone at the senior level within the company has to say, "These are the functions I have to have for us to continue this business in the event of a major disaster." And a disaster is anything that stops your operations for X period of hours.But planning for, say, a huge terror attack is a waste of time for companies in Denver, isn't it?It doesn't matter what causes the loss of a facility. You have to plan for the fact that you might no longer be able to occupy your buildingwhether the windows blew out from a tornado or you found some white powder in the mail room or there's been a major power outage. You need to categorize your planning based on these three things: loss of facilities, loss of personnel, loss of critical systems. So disasters come in all sizes?Absolutely. It could be a server that's down. It could be a flu bug that takes out a critical organization. How will you manage? Do you have other people that can do that job to keep things going?
Attend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.
In this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.
