What has the IT industry really learned from 9/11?

Computer Technology Review, Sept, 2003 by Mark Ferelli

Of all human lamentations, without doubt the most common is: "If I had only known." But we can't know, and so days of death and fire so often begin no differently than those of love and warmth.--Tom Clancy

Another year has gone by since the tragedy we call 9/11 took place, and the world was transformed. We learned more about our own vulnerabilities than we ever knew, or perhaps cared to know. In the IT world, some kinds of disasters are predictable and can be provided for--given manpower and resources. California has earthquakes, the Midwest has floods or cyclones, and the East Coast has hurricanes. But 9/11 was unprecedented in many ways. The raw loss of life was like nothing in the American experience. Financial markets closed for days. Communications, transportation and public services were taxed beyond any precedent. And the information technology resources of large to mid-sized businesses were challenged and, in some cases, over whelmed. Last year, I wrote an article examining whether the industry has learned from the experience. The results this year don't look all that promising.

The commitment to data security and business continuity has always been uneven, with many companies unwilling to make the investment necessary to be sure that the business survives. The IT manager, in the face of our new recognition of vulnerability, is no longer just responsible for bringing up the data canter in all emergency, but is rightly or wrongly expected to recover business and information that was never part of the IT mandate.

Imation conducted a recent national survey of IT directors and network managers, focused on perceptions of data backup and disaster recovery, and how 9/11 impacted data backup and disaster recovery. The results are pathetic; only 26% of those surveyed had developed a disaster recovery plan. Only 21% established a disaster recovery budget (see Figure). An outside observer can only wonder what it takes to get the message across.

Old Lesson

Last year, we examined the old adage of Scouting to "be prepared." In too many cases, IT management wasn't. But since that time, even government leadership has shrank from taking the reins. Storage consultant and author Jon William Toigo (Dunedan, FL) observes: "I was disappointed that the review board of Federal agencies that oversee financial affairs failed to establish that minimum 'safe distance' between a primary IT site and its secondary site. They decided it was not within their purview to suggest a distance." It should also be noted that the administration could come under considerable criticism mandating a potentially expensive and unpopular distance, no matter how necessary.

In last year's examination, we observed that some lessons can be learned from what succeeded as well as from what failed. Modern high availability technologies received their first acid test. Those solutions, on the LAN, PC, Client/Server and Internet level, were often successful. Many of the data security plans put in place for Y2K were useful in recovering from 9/11. This includes all the documentation and drilling that Y2K inspired--employees and emergency personnel were practiced, and therefore prepared.

One lesson, then, is that contingency planning actually worked, for those who did it. Incident management teams were effective and adaptable to circumstances. The Imation survey also suggested that one area where some progress has been made is in injecting more sophistication in backup and recovery efforts. As shown in the figure, respectable numbers of respondents increased backup budgets, established regular update procedures and in many cases moved data backup off site.

Being Prepared

Last year, I had written that the new focus was on preparedness. And that preparedness is beyond just the IT center. In enterprise organizations, I thought, a new sense of urgency and awareness is present in the CFO, the CEO, and the board of directors.

This assumption could well have been false. Consultant Toigo observes: "Disaster recovery is a different kind of a sell. In the best of all cases, you are paying for something that will never be used." This is tree, but insurance is costly as well--and no business exists without the appropriate kinds of coverage. To fail in either adequate coverage or adequate preparedness in case of disaster is to risk a business beyond reason.

It was true last year, and it is true now. The problem is no longer just loss of data and loss of profits. The issues in the boardroom will be loss of life, security planning, a reassessment of traditional risk management formulas.

But while the board deals with the broader issues, IT has a number of narrower ones to consider. There has been a trend in IT for a number of years to consolidate IT resources in the data center. While distributed computing is likely to continue, management and control is the responsibility of the data center. With this trend in view, IT management will have to look at the risks involved with consolidation.