Each year, Forrester Research and the Disaster Recovery Journal team up to launch a study examining the state of business resiliency. Each year, we focus on a particular resiliency domain: business continuity, IT disaster recovery, crisis communications, or overall enterprise risk management. The studies provide BC and other risk managers an understanding of how they compare to the overall industry and to their peers. While each organization is unique due to its size, industry, long-term business objectives, and tolerance for risk, it's helpful to see where the industry is trending, and I’ve found that peer comparisons are always helpful when you need to understand if you’re in line with industry best practices and/or you need to convince skeptical executives that change is necessary.
This year’s study will focus on business continuity. We’ll examine the overall state of BC maturity, particularly in process maturity (business impact analysis, risks assessment, plan development, testing, maintenance, etc.), but we’ll also examine how social, mobile, analytics, and cloud trends are positively and negatively affecting BC preparedness. In the last BC survey, one of the statistics that disturbed me the most was that very few firms assessed the BC preparedness of their strategic partners beyond asking for a copy of their BC plan. And we all know plans are always up to date, tested and specific enough to address the risk scenarios that the partner is most likely to experience (please note the tone of sarcasm in this sentence). I hope this year’s survey shows an improvement; otherwise, most of the industry is in mucho trouble.
The recent Computers, Privacy & Data Protection Conference (CPDP) showcased a series of innovative projects that are based on big data. Big data is one of the four imperatives that shape the age of the customer — one of Forrester’s main focus areas — and the changing regulatory framework of data protection in Europe has big implications for big data initiatives.
Central to data protection is the existing EU Data Protection Directive, which legislators have been trying to update for years to reflect the changing online realities. The proposed Data Protection Regulation focuses on a redefinition of the concept of “consent.” User consent now has to be freely given, specific, informed, and explicit.
This new definition forces businesses to be more transparent about how they gather, use, disclose, and manage customer data in the form of the principles of privacy notice and purpose limitation. Complying with these new privacy principles is a challenge in the age of the customer, as privacy regulation affects:
My esteemed colleagues Renee Murphy and Nick Hayes joined me in a fully collaborative, marathon evaluation of 19 of the most relevant GRC platform vendors; we diligently pored through vendor briefings, online demos, customer reference surveys and interviews, access to our own demo environment of each vendor’s product, and as per Forrester policy, multiple rounds of fact checking and review. The sheer amount of data we collected is incredible.
Outside of Tempe is a place called Sahuarita, Arizona. Sahuarita is the home of Air Force Silo #571-7 where a Titan missile, that was part of the US missile defense system and had a nine-megaton warhead that was at the ready for 25 years, should the United States need to retaliate against a Soviet nuclear attack. This missile could create a fireball two miles wide, contaminate everything within 900 square miles, hit its target in 35 minutes, and nothing in the current US nuclear arsenal comes close to its power. What kept it secure for 25 years? You guessed it...four phones, two doors, a scrap of paper, and a lighter.
Photo Credit: Renee Murphy
Technology has grown by leaps and bounds since the cold war. When these siloes went into service, a crew supplied by the Air Force manned them. These men and women were responsible for ensuring the security and availability of the missile. Because there was no voice recognition, retinal scanning, biometric readers, and hard or soft tokens, the controls that were in place were almost entirely physical controls. All of the technology that we think of as keeping our data and data centers secure hadn’t been developed yet. It is important to note that there was never a breach. Ever.
It might be an occupational hazard, but I can relate almost anything to security and risk management, and my visit to the Titan Missile Museum at AF Silo #571-7 was no exception. The lesson I took from my visit: there's room for manual controls in security and risk management.
On Monday, Hurricane Sandy slammed into the East Coast of the United States, flooding entire towns in New York and New Jersey, triggering large-scale power outages and killing at least 17 people. The health and safety of individuals is the first and foremost priority, followed by the recovery of critical infrastructure services (power, water, hospital services, transportation etc.). As these services begin to recover, many business and IT leaders are wondering how they will resume normal operations to ensure the long-term financial viability of the company and the livelihoods of their employees and how they will serve their loyal customers.
Most likely, if you have offices that lie in the path of Hurricane Sandy, you are experiencing some sort of business disruption, large or small. The largest enterprises, especially those in financial services, spend an enormous amount of money on business, workforce and IT resiliency strategies. Many of them shifted both business and IT workloads to other corporate locations in advance of the storm, proactively closed offices and directed employees to work from home or a designated alternate site.
If you are small and medium enterprise and, like many of your peers, you didn’t have an alternate workforce site, robust work-from-home employee capabilities, an automated notification system or a recovery data center, what do you do now? While it’s too late to implement many measures to improve resiliency, there are several things you can do now to help your organization return to normal operations ASAP. Here are Forrester’s top recommendations for senior business technology leaders:
The current state of business continuity management (BCM) standards? Abysmal. According to a joint Forrester/DRJ study, 69% of respondents said that British Standard (BS) 25999 did not influence or only somewhat influenced BCM at their company. It’s not much better for NFPA 1600, 70% of respondents said that it did not, or only somewhat, influenced BCM at their company. I find this shocking. BS 25999 is one of the most widely recognized standards for BCM worldwide and NFPA 1600 has been popular in the US for years. In addition, the U.S Department of Homeland Security’s Private Sector Preparedness Program (PS‑Prep) recognizes both of these standards for assessing preparedness. If you’re wondering what standards respondents named in the “Other” category, it was mostly the Federal Financial Institutions Examination Council (FFIEC) and NIST. Not surprising but also a little disheartening, it’s clear that unless compelled to do so, most BC professional would not adopt or follow a BCM standard.
Even if you don’t intend to certify to these standards, they should strongly influence your BCM program. Why? It’s because:
They provide a foundation and a common vocabulary for BCM best practices and processes. This is important if you need to implement BCM across a geographically dispersed enterprise or you have to work with a multitude of global partners on joint preparedness.
As a follow-up to my blog post yesterday, there’s another area that’s worth noting in the resurgence of interest in BC preparedness, and that’s standards. For a long time, we’ve had a multitude of both industry and government standards on BCM management including Australian Standards BCP Guidelines, Singapore Standard for Business Continuity / Disaster Recovery Service Providers (which became much of the foundation for ISO 24762 IT Disaster Recovery), FFIEC BCP Handbook, NIST Contingency Planning Guide, NFPA 1600, BS 25999 (which will become much of the foundation for the soon to be released ISO 22301), ISO 27031, etc. There are also standards in other domains that touch on BC, security standards like ISO 27001/27002.
And when you come down to it, several of the broad risk management standards like ISO 31000 are applicable. At the end of the day, the same risk management disciplines underpin BC, DR, security and enterprise risk management. You conduct a BIA, risk assessment, then either accept, transfer or mitigate the risk, develop contingency plans, and make sure to keep the plans up to date and tested.
In my most recent research into various BCM software vendors and BC consultancies, as well as input from Forrester clients, BS 25999 seems to be the standard with the most interest and adoption. In the US at least, part of this I attribute to the fact that BS 25999 is now one of the recognized standards for US Department of Homeland Security’s Voluntary Private Sector Preparedness Accreditation and Certification Program. The other standards are NFPA 1600 and ASIS SPC.1-2009. I’ve heard very few Forrester clients mention the latter as their standard.
During the last 12 to 18 months, there have been a number of notable natural catastrophes and weather related events. Devastating earthquakes hit Haiti, Chile, China, New Zealand, and Japan. Monsoon floods killed thousands in Pakistan, and a series of floods forced the evacuation of thousands from Queensland. And of course, there was the completely unusual, when for example, ash from the erupting Eyjafjallajökull volcano in Iceland forced the shutdown of much of Western Europe’s airspace. These high profile events, together with greater awareness and increased regulation, have renewed interest in improving business continuity and disaster recovery preparedness. Last quarter, I published a report on this trend: Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And 2011.
A few weeks ago, Stephanie Balaouras and I posted a podcast on a topic that has been a high priority for many of our customers — how to apply risk management techniques to IT security. We know that many of you are feeling the pressure to take the lead in IT risk management and in some cases even play a role in initiating risk management at the corporate level.
The key to success is understanding the core elements of risk management and how to plug them into existing processes without creating simply another layer of overhead. A major theme of my recent research has been on existing risk management standards and how they are being applied to IT Security and Risk functions. For example, the ISO 31000 risk management standard outlines a five-step process for formalized risk management. My January report, Introducing ERM To IT Security And Risk , provides a summary of the standard, and I will be expanding upon the next steps in my upcoming research documents. In addition, look out for my next doc on Regulatory Intelligence, to be published in the next few months.
In the meantime, I encourage you to listen to this podcast to hear about best practices and lessons learned from clients who have gone through these steps. And as always, I welcome any questions or feedback.
Even in the toughest times, winners will invariably emerge. With the way expectations are changing regarding corporate controls and disclosure, risk management professionals (whose lack of influence was seen as a substantial cause of our current state of affairs to begin with) will likely be among the first beneficiaries of our new outlook on business.
Forrester customer inquiries seem to have taken a step back when it comes to risk management. While there are still plenty of incoming technology and vendor selection questions, there has been a noticeable spike in calls about fundamental issues, such as how to build and organize risk management programs. Knowledge and experience in risk management basics is in high demand.