CMP -- United Business Media

Intelligent Enterprise

Better Insight for Business Decisions

 UBM
Intelligent Enterprise - Better Insight for Business Decisions
Part of the TechWeb Network
Intelligent Enterprise
search Intelligent Enterprise
Advanced Search

RSS
Webcasts
Whitepapers
Subscribe
Home



March 8, 2002

The Vigilant Enterprise

The war on terrorism must include an enterprisewide view of business continuity

Yobie Benjamin

Before the Sept. 11th disaster, most companies had a split-screen view of security: One side focused on protecting the organization's physical assets, and the other on keeping data and information safe. In these parallel worlds, companies developed strategies to prevent — or recover from — a variety of threats, such as physical encroachment, digital thievery, or malicious acts by company personnel. Rarely, however, did these views (or policies) intersect.

The tragic events of Sept. 11th have changed everything, forcing executives to rethink their approaches to security and business continuity planning (BCP). As everyone has learned, damage or disruption may not be an isolated event; in fact, total destruction of physical facilities and civic challenges of major proportions are distinct possibilities.

In a nation at war against a terrorist regime, companies must do more than keep disorganized hackers and disgruntled employees at bay; they must be ready to protect themselves from attacks by well-organized and well-funded terrorists. To achieve a heightened state of preparedness, BCP, security, and business risk management must be similarly well planned.

COMING TOGETHER

Most important, companies must weave well-crafted protective strategies together to form comprehensive enterprisewide defenses that reflect a thorough understanding of terrorist organizations, their activities, and likely targets. This necessity means companies must be ready to deal with attacks on core components of the nation's infrastructure, including communication networks, banking and finance systems, emergency services, and so forth. Organizations must anticipate cyberattacks, too.

These requirements are a tall order — and they can't be met unless executives and their organizations alter their pre-Sept. 11th views of security to include:

  • A more expansive approach to BCP. Companies that once found adequate protection in disaster-recovery or emergency planning must begin thinking in terms of enterprisewide BCP.
  • A broader application of defensive measures. Before Sept. 11th, security tended to focus on "rights" or "policy" management, such as business security and controls. Organizations must expand this view to include operational, application-level, and fail-safe features, such as banking or credit card systems.
  • Rigorous enforcement. Most companies didn't strictly or regularly enforce rules governing the establishment and maintenance of backup facilities and offsite storage. Moreover, management guidelines regarding the importance of following these policies weren't widely circulated to employees and business partners. Now more than ever, greater organizational awareness of operating policies and wider geographic dispersal of operations are critical to a business's long-term health.
  • Formalized structures. Many companies lacked a formal security organization and structure; too few had assigned team responsibilities. Now, companies are beginning to create BCP structures that include incident-management teams whose members have preassigned roles and responsibilities.
  • Frequent reviews and revisions. Annual planning updates are no longer enough. BCPs must be updated frequently, for example, as soon as a new dependency is added.
  • An understanding that the stakes — and the risks — are now substantially higher. The widespread view is that bioterrorism, infiltration, and terrorist attacks are more likely to occur. Accordingly, organizations must expand their BCP efforts to include workforce issues, workplace availability, and government intervention.
  • Closer scrutiny of workers and business partners. Investigations must go deeper and focus on more than just new hires — or even all of a company's people, facilities, and IT systems. Such reviews must incorporate key suppliers and other outside business partners — much as they did during most Y2K initiatives.

Most companies are surprised to learn the degree to which they are on their own when it comes to implementing fail-safe systems and contingency plans to address recovery situations on a fast-response basis. Unfortunately, a very large number of organizations lack the rigorous controls and adequately scaled recovery systems needed to respond to a national attack or a cohesive, organized cyberterrorist threat.

NEW CHALLENGES

The world has changed. If businesses are going to survive the challenges ahead, they must adopt an integrated approach to security; one that prepares people across the organization — and at every level — to work systematically and closely together to overcome threats to people, processes, information, and physical assets.

Among a long list of updated security issues that businesses need to address are:

  • Will the business survive if multiple sites are attacked simultaneously? Before Sept. 11th, risk-management models tended to look at only single-location disruptions.
  • Do mailroom practices, call-center policies, reception protocols, or other back-office or administrative processes leave — or create — gaps in security efforts?
  • Are adequate safety measures in place to protect personnel and other assets in high-risk areas outside the United States? Will reliance on local civil authorities enhance or decrease risk exposure?
  • Will corporate efforts be closely aligned or at odds with local and regional community interests if emergency procedures must be implemented?
  • Are vulnerability assessments limited to cyberattacks?
  • Are risks adequately categorized, tracked, rated, ranked — and responded to?
  • Is information about policies, procedures, configuration standards, vulnerabilities, and viruses frequently and systematically communicated to people across the organization?



Rate This Article

Comments:

Optional e-mail address:

Clearly, to meet these challenges, organizations must be ready to replace static security postures with initiatives that let them continuously gather intelligence, reassess their risks, and adjust security measures accordingly.


Yobie Benjamin, a partner and chief technology officer of Ernst & Young's Security and Technology Solutions organization, has been involved in the security space since the 1980s. He is a frequent author and commentator on technology issues and has been profiled by ABC Television's 20/20 and the Discovery Channel.


Most Popular This Week
Kimball University: Better Business Skills for BI and Data Warehouse Professionals
Business Process Management 101: The Basics of BPM and How to Choose the Right Suite
Forrester Sees Convergence Trend In BI, Search
A Mashup Gives New Meaning to 'Military Intelligence'

IE Weekly Newsletter
Subscribe to the newsletter
    Email Address