Each year, Forrester Research and the Disaster Recovery Journal team up to launch a study examining the state of business resiliency. Each year, we focus on a particular resiliency domain: business continuity, IT disaster recovery, crisis communications, or overall enterprise risk management. The studies provide BC and other risk managers an understanding of how they compare to the overall industry and to their peers. While each organization is unique due to its size, industry, long-term business objectives, and tolerance for risk, it's helpful to see where the industry is trending, and I’ve found that peer comparisons are always helpful when you need to understand if you’re in line with industry best practices and/or you need to convince skeptical executives that change is necessary.
This year’s study will focus on business continuity. We’ll examine the overall state of BC maturity, particularly in process maturity (business impact analysis, risks assessment, plan development, testing, maintenance, etc.), but we’ll also examine how social, mobile, analytics, and cloud trends are positively and negatively affecting BC preparedness. In the last BC survey, one of the statistics that disturbed me the most was that very few firms assessed the BC preparedness of their strategic partners beyond asking for a copy of their BC plan. And we all know plans are always up to date, tested and specific enough to address the risk scenarios that the partner is most likely to experience (please note the tone of sarcasm in this sentence). I hope this year’s survey shows an improvement; otherwise, most of the industry is in mucho trouble.
Yesterday, Symantec announced that it too was ordering up a bowl of the organizational strategy du jour and splitting itself into two independent, publicly traded companies, one focusing on security and the other on information management.
I have doubts whether simply splitting in two can spark innovation after nine years of gobbling up gargantuan (I still miss you, Veritas) and small vendors alike with little to show for it but operational indigestion. But I suppose anything is better than changing CEOs as frequently as I change the oil in my car and standing by and watching CISOs turn to completely new security brands as their trusted advisor. And there is this little matter of how mobile, social, cloud, and big data are completely transforming not only the way digital businesses compete and serve their customers but how technology vendors themselves deliver their own solutions and engage with their clients -- and Symantec isn't leading the charge in any of those market shifts.
October has arrived and it's time for what is becoming a fan-favorite series here at Forrester: the Security & Risk Analyst Spotlight Podcast featured in our bimonthly newsletter. This month, we're featuring 8-year Forrester veteran and analyst Heidi Shey, one of our leading analysts on data security and privacy. You'll hear some great insights from Heidi on clients' top challenges, surprising research findings, and upcoming research and vendors to watch. To download the MP3 version of the podcast, please click Read more
Each month we use our newsletter and a podcast to highlight one of the many talented and hardworking analysts and researchers on Forrester's Security & Risk team. If you're not signed up for our newsletters, I highly encourage you to do so; please email firstname.lastname@example.org for additional details. In the meantime, click below to listen to our analyst spotlight on senior analyst Renee Murphy, one of our leading analysts on governance, risk, and compliance. You'll hear some great insights from Renee on clients' top challenges and requirements, surprising research findings, and upcoming research and vendors to watch. To download the MP3 version of the podcast, please click here.
The Forrester S&R team has doubled in size during the last several years. Today, we're 17 analysts and researchers across the US, Europe, and India, 19 if you count the research associates that support every project. Given the size of the team and the degree to which analysts have been able to specialize, we decided that we'd take a little time each month to highlight each member of the team in one of our bi-monthly newsletters and in a short podcast. If you're not signed up for our newsletters, I highly encourage you to do so, please email email@example.com for additional details. In the meantime, click below to listen to our analyst spotlight on Senior Analyst, Tyler Shields.
S&R Podcast Listening Options
Click here to download the MP3 file of this episode.
On May 5, 2014, Target announced the resignation of its CEO, Gregg Steinhafel, in large part because of the massive and embarrassing customer data breach that occurred just before the 2013 U.S. holiday season kicked into high gear. After a security breach or incident, the CISO (or whoever is in charge of security) or the CIO, or both, are usually axed. Someone’s head has to roll. But the resignation of the CEO is unusual, and I believe this marks an important turning point in the visibility, prioritization, importance, and funding of information security. It’s an indication of just how much:
Security directly affects the top and bottom line. Early estimates of the cost of Target's 2013 holiday security breach indicate a potential customer churn of 1% to 5%, representing anywhere from $30 million to $150 million in lost net income. Target's stock fell 11% after it disclosed the breach in mid-December, but investors pushed shares up nearly 7% on the news of recovering sales. In February 2014, the company reported a 46% decline in profits due to the security breach.
Poor security will tank your reputation. The last thing Target needed was to be a permanent fixture of the 24-hour news cycle during the holiday season. Sure, like other breached companies, Target’s reputation will likely bounce back but it will take a lot of communication, investment, and other efforts to regain customer trust. The company announced last week that it will spend $100 million to adopt chip-and-PIN technology.
I attend numerous security and IT conferences each year, most of which simply blur together into a vendor cacophony about the perils of social, cloud, and mobile device adoption or the ever present danger from devious cybercriminals and nefarious state-sponsored agents. The uniform repetition of this narrative from every vendor in the industry reminds me of the drowning din of thousands of cicadas awakening from hibernation. McAfee Focus had a different feel. And overall, compared to other conferences, it was a worthwhile trip, and not just because Chris McClean and I won at craps, but because while McAfee did pay homage to the technical security pros in the audience with the requisite discussion of the changing threat landscape and accompanying hacking demo, there was a palpable difference in their narrative, particularly in CEO Mike DeCesare’s keynote. Here are a few notable highlights from the conference:
When I talk to security (S&R) leaders, they always tell me that in an ideal world, they would have enough advanced warning of impending business and technology disruptions in order to understand the security, privacy and overall risk implications and then prepare and present their business executives with a balanced opinion about how best to proceed if and when the enterprise decides to move forward. Unfortunately, most often, business and IT colleagues move on these disruptions and technology shifts far in advance of the security team’s readiness, and we don’t have to look far for examples; just think of employee BYOD, mobile apps for customer engagement, cloud services, social technology for marketing and collaboration, massive big data projects for business intelligence, or virtual and converged infrastructures within the data center.
On Monday, Hurricane Sandy slammed into the East Coast of the United States, flooding entire towns in New York and New Jersey, triggering large-scale power outages and killing at least 17 people. The health and safety of individuals is the first and foremost priority, followed by the recovery of critical infrastructure services (power, water, hospital services, transportation etc.). As these services begin to recover, many business and IT leaders are wondering how they will resume normal operations to ensure the long-term financial viability of the company and the livelihoods of their employees and how they will serve their loyal customers.
Most likely, if you have offices that lie in the path of Hurricane Sandy, you are experiencing some sort of business disruption, large or small. The largest enterprises, especially those in financial services, spend an enormous amount of money on business, workforce and IT resiliency strategies. Many of them shifted both business and IT workloads to other corporate locations in advance of the storm, proactively closed offices and directed employees to work from home or a designated alternate site.
If you are small and medium enterprise and, like many of your peers, you didn’t have an alternate workforce site, robust work-from-home employee capabilities, an automated notification system or a recovery data center, what do you do now? While it’s too late to implement many measures to improve resiliency, there are several things you can do now to help your organization return to normal operations ASAP. Here are Forrester’s top recommendations for senior business technology leaders:
My house sits atop a hill overlooking the Atlantic Ocean (hence, the neighborhood name of “Beachmont”) and was built sometime in 1890. It’s one of the tallest houses in the neighborhood and as I write this post, my house is swaying back and forth from 50 mile an hour winds (I’ve been told it’s meant to sway which is somewhat comforting but not entirely) and from my porch, I can see waves crashing over the sea wall and slamming into my neighbor’s homes below me. Needless to say, I have a vested interest in the emergency response to Hurricane Sandy.
There will be time for more detailed analysis later but here are just some initial observations and thoughts:
FEMA has come a long way since the incompetent response to Hurricane Katrina.
The response at the federal, state and local level has been much more proactive than I’ve ever seen it in the past. Many New England and Northeast states began communicating to cities and towns about the seriousness of the storm almost a week in advance, many declared emergencies as early as Saturday, and many insisted on mandatory evacuations for the riskiest areas.
The overall approach is better safe than sorry, even if worst fears about the storm don’t materialize.