BCP Comes of Age

by  Three senior business continuity planners discuss new dimensions in the relationship between BCP, disaster recovery and information security.

BRIAN MACKAY, FBCI, is the senior business continuity coordinator for Check Free Corp., a provider of financial e-commerce services and products based in Norcross, Ga. He is also a Fellow of the Business Continuity Institute.

MELVYN MUSSON, FBCI, CISSP, is the business continuity planning manager for Edward Jones, a leading financial institution in St. Louis. He is a Fellow of the Business Continuity Institute and a Certified Business Continuity Professional from the Disaster Recovery Institute International.

MICHAEL SLINGLUFF, FBCI, is a business continuity planner at the Federal Home Loan Mortgage Corp. (Freddie Mac). He is also president of the mid-Atlantic Disaster Recovery Association, and a Fellow of the Business Continuity Institute.

Rothstein Associates Inc., a management consulting firm in Brookfield, Conn. He is the editor of Disaster Recovery Testing: Exercising Your Contingency Plan and publisher of The Rothstein Catalog on Disaster Recovery. He is also a Fellow of the Business Continuity Institute.

INFORMATION SECURITY MAGAZINE (ISM): There's a lot of debate these days about what constitutes an information security issue vs. what constitutes a business continuity issue. Virus and worm attacks, Trojan horses and distributed denial-of-service attacks are considered information security issues, but they are also business continuity issues. There's not always a clear definition, and that muddies both jobs considerably.

MACKAY: I agree. In almost every organization, you have an IT function that probably handles dozens of problems a day, if not more - systems that are down, files that are open, validation issues that are never addressed beyond the IT organization, or are addressed and coordinated internally. I think there is a fine line between an IT inter-organizational problem and a business continuity problem. Do you draw that line at the point where the company as a whole is being impacted, as opposed to a system or a platform? Viruses are a great example, because the actual response to protecting against the virus - cleaning the virus, whatever tools are necessary to attack that situation - lies within the IT organization. As a business continuity planner, I try to ensure that the organization has those tools and a plan in place, and that they understand it's a risk. If the company is affected, my job would be not to go in and coordinate the recovery, but to go and touch base with the IT point person handling it. I'd then act as a conduit to senior management or any of the groups - for example, PR or HR - that need to get the information out to the public about how we're doing, what we're doing, what we believe the impact is going to be, etc.

Historically, data processing ran business continuity. Now, the business units themselves run the data center, and they're really the core of your planning. How long can you be out of business? What impact does that have on your customers? What impact does that have internally? As a business continuity professional, my job is to make sure those processes are in place, and can be executed when they need to be.

ISM: So the ownership of the problem resolution, in this example, would be with the information security area, but the ownership of the business impact would be with the business units themselves.

MACKAY: Correct. Let the experts fix the problem. Their resources need to be allocated to resolving and fixing the problem, not to getting on the phone to call senior management, trying to touch base with PR people, trying to assess the impact outside of the organization, etc. Their job is to fix the problem, get it resolved or provide a workaround, so that the impact is either not there at all or lessened considerably.

MUSSON: I'd go even a little further than that. You need to define where the business continuity plan would be activated, or could be activated, and this is the key thing - if you know something is happening, you can monitor the situation and start to see if the business units are going to be affected. If they are, then, obviously, you have to look at the business continuity plan and see what's needed. But the actual work of handling the virus, reconstituting data and everything else, that's for information systems/information security.

MACKAY: I think this gets back to how we design our organizations, and the best practices and professional standards we use. When IT identifies a problem, they should be able to depend on the business continuity department to activate either core response teams or market-support teams, to get hold of the internal communication groups and send out a broadcast message or voice mail, saying, 'Here is the situation as we know it, here is what you can and cannot do, and here's when you'll get further updates.' There may be one message for staff, one for management, one for the public, one for stock holders and so forth, and it all has to be orchestrated.

ISM: Of course, the best disasters are no disasters at all. Kenneth Brill of Compusite Engineering often talks about the value of avoiding the pain and destructiveness of a 'corporate heart attack' that could have been prevented in the first place. To what extent do business continuity professionals really focus on preemptive risk-assessment, mitigation and prevention - as distinct from contingency planning - to deal with disruptive events when they actually occur?

SLINGLUFF: I think the business continuity planner has to have oversight and see what's there before the disaster occurs. Here's a classic example: At a customer site, we once moved a wire room from one building to another. But after the move, the company turned around and eliminated the backup site. It took me about three months to get it put back in - and about a month later we needed it and actually used it. There was no disruption to the customer's business, yet if I hadn't done that, we would have had a major problem. It can be extremely hard to sell preventive measures to an organization that's always busy trying to push the leading edge or a new development. So my feeling is that a business continuity planner should have the ability to find these things, which generally show up as a result of exercises and tests, and the appropriate business areas or IT can go ahead and fix them before a problem occurs.

MACKAY: I think risk assessment is one of the core competencies of a business continuity planner. Our job is to go out there, evaluate the risks, present them to the business units and management and provide solutions; whether they choose to buy into it or not, that's a business decision. But our job is to identify risks and suggest how to mitigate them. Here at Check Free, I will identify a virus as a risk, or denial-of-service attacks or hackers, whatever the case may be; we are very Internet-based, so those are risks for us. And it's up to the information security people to put appropriate procedures into place. But it's also my job to create a virus-response plan, because we don't want to look at planning as being for recovery only. We want to be proactive, which means putting together a virus-response plan - i.e., if we have a denial-of-service attack, or a hack, or a virus, here's what we're going to do as an organization. The information security people will do this, public relations will do this, senior management will do this and so on. And it's my job to make sure that plan is coordinated and executed when necessary.

ISM: Information security professionals are often perceived as being intrusive when they put policies in place to protect the organization on a proactive basis. Do you ever find yourselves in the same type of battle, fighting the perception that somehow you're not helping but rather disrupting business processes?

MUSSON: I think it really depends on how you present it.

MACKAY: I agree. Y2K, for example, was a mixed blessing. It was great because there's much higher awareness now about business continuity and risk mitigation; but, on the other hand, so little happened that a lot of people were asking, 'Well, why did we go through all of this?' That's a risk sometimes, and it depends on the management and it depends on how you sell it. If you sell it as a proactive measure - that it's going to enhance either information security or the business as a whole - I think you get a better reception than if you try to force it as an audit requirement, for instance, to the business units.

MUSSON: You've got to explain the problem and also what the plan is going to do. You can't just impose it. It comes back to education and awareness. And it doesn't matter whether it's security, business continuity, or whatever. Education and awareness are key.

SLINGLUFF: I agree with Mel, you've got to integrate it into the business, and they've got to see the benefit of it. Otherwise, they won't do it.

MACKAY: In my experience, the best time to implement awareness or program planning is after you've had a disaster, because that's when the awareness is highest - after a tornado has come through in the county next to yours, or after the building down the street has burned down. That's when you get your most impact.

MUSSON: Well, I think you can also do it another way. One of the things that you can do is develop credible scenarios. These show what the impact of a disaster like a tornado or earthquake would have on a company, its employees and the community. What would happen if there were a gasoline or propane explosion? Using these real-life scenarios, you can make believers out of most management and the people in the business units.

ISM: It's amazing how many organizations stumble through a recovery and somehow come out okay despite a lack of planning. I wonder if that's part of the reason why business continuity isn't as well established as information security in organizations. Is it that companies do too good a job recovering without the resources? That, when things actually do happen, they seem to muddle on through anyway?

MACKAY: It's true that most organizations will somehow get through it. What we provide is the ability to react quickly and get through it very quickly, with pre-established and preplanned objectives. Instead of a 12-hour recovery, we have a two-hour recovery, because procedures are in place, the exercises have been conducted, and expectations are already established.

MUSSON: Yes. You've got to provide information on disasters - or let's call them incidents - that were prevented, or where impact was reduced because of mitigation measures or prevention measures that had been put in place. I think what you need is an after-action report. It doesn't have to be a major document, but you've got to be able to define what happened, what was done to handle it, and what were the problems. Then you've got to spell out the lessons learned, and what your recommendations are to reduce the impact even further should it happen again.

SLINGLUFF: Part of what I've been struggling with is how to manage soft costs: things like good will, loss of business, how much of your business will go to someone else if you have an outage. How do you quantify this? Or, in our case, the regulatory impact, or external orders jumping all over if you have one of these things. Customers, good will, shareholders - they're all tangible losses if you have an outage.

MACKAY: As a whole, business continuity departments are nonprofit centers; we do not generate income. We prevent a loss of income, but how do you quantify that? However, one of the advantages we're starting to see is that, for many companies, business continuity has become a marketing edge. Potential business partners are now coming in and saying, 'Okay, it's wonderful all these things you can do for us, but what's your continuity program? How can we set a service level with you and know we're going to perform these functions or transactions within these time frames consistently?' So business continuity is slowly starting to evolve, and we're working with the transition teams and the sales and marketing teams a little bit more.

ISM: How do you really measure the performance of a business continuity professional? There are employee performance reviews, which are not really much more than how many pages of documentation they've written. Very few organizations have objective measures of contingency planners' performance. How does an organization really gauge the effectiveness of its business continuity practitioners?

MACKAY: Unfortunately, a lot of companies still rely on the audit at the end of their business continuity planning. But I think that that's too simplistic a method. An audit is a paper-driven objective - you're just satisfying specific requirements and proving that the documentation is in place. The actual conducting of exercises, proof of concept, implementation of recovery plans and risk mitigation is a whole other arena.

MUSSON: This is probably the major problem that we have at the moment. I don't think we have the metrics, or measuring methods, clearly defined, and that probably comes back to the professional practices you mentioned. You asked about being evaluated on the basis of the number of plans written. I'm not really sure that's a good measurement, because you can churn out an awful lot of plans, but they may not be effective.

MACKAY: I agree. And these plans are the only metric that the HR supervisor has available to measure us right now. There are no established metrics.

ISM: The only other one that comes to mind is how many disasters you didn't have.

MUSSON: Yes, but you're never going to acknowledge those. The thing is, we've got to change senior management's thinking, because they're looking for successful tests - basically, everything went right and the test was completed on time and everything was recovered. And yet we all know that the best test, or the best exercise, is when things go wrong. We've got to change management's thinking about that, otherwise they're going to end up thinking, well, this exercise had a lot of problems and we get a bad rating in the evaluation.

SLINGLUFF: At Freddie Mac, what we're looking at is, can we recover the business? That's the ultimate goal. The other thing is that business continuity planning has to be integrated with the various business areas, so they all take ownership; they know what changes they need. We put together a basic policy that said the business area is responsible for recovering the system, regardless of whether there's a disaster or not, in order to continue doing business. This changes the ownership, and it may take five to seven years to complete. You've also got to test the typical data center recoveries; you've got to integrate that with the business recovery. But recovering the business is the challenge.

We've folded two other areas into it. First, we create a crisis to start the exercise, whether it's a business one or a mainframe one. We get management's crisis-management perspective before we start the recovery, and get the business areas involved in the initial flow. We've started to do a number of these in real time, where instead of prepositioning tapes and people on our exercise, we just call it and basically go through the travel and everything else. It gives you a better understanding of how to recover, as well as the shortcomings. But back to the initial question: How do you measure it? As part of our test plans, we've got to find at least three major things that we need to improve out of an exercise, or it's not a good one - that is, we haven't written a test page that's strenuous enough.

ISM: Since all three of you are fellows of the Business Continuity Institute (BCI), let's touch on professional certification. How important is it to business? Does management really care as much as they would about, say, certification for infosec practitioners?

MUSSON: It's becoming more and more important, and I think one of the things we have to do is work within BCI and the Disaster Recovery Institute International (DRII) to emphasize its importance. We hear a lot of talk about standards for business continuity, but I think we're going to hit a major problem as we go further into standards, so certification could be the best option.

SLINGLUFF: Basically, the certification program is kind of a mixed blessing at this stage of the game. When we got started, nobody would recognize it. As it has matured, it is being used more and more by recruiters, so if you're moving around and you're consulting, you have to have certification from one of the groups. Traditionally, DRII certification is better in the United States, and BCI certification is more international in its focus. But you'll want to have one in order to be considered.

MACKAY: I agree with Mike. We're seeing more and more recruiting efforts geared toward certification. But I don't know if there's a really good understanding of what certification encompasses, other than some letters behind your name. However, the management of larger companies are now identifying it as a core competence; we did a recent recruiting effort for a planner and the requirement was certification from either the DRII or the BCI.

MUSSON: I think it behooves the BCI and the DRII to educate HR and senior management about the certification programs. It's also important that these are kept up to date. I think one of the arguments is that even with professional practices, they can get a little bit behind on new concepts. BCI and DRII are now working on a bi-annual review process for professional practices, so that new concepts and ideas can be incorporated.

ISM: How close is business continuity to achieving maturity as an industry?

SLINGLUFF: Well, we still don't have tools and acceptable standards - or even a common nomenclature - that we can use across the industry. Vendors and practitioners call the same things by different names. We've got to get some kind of uniformity and standards there.

MUSSON: I think there are two key issues - well, three, actually: We've got to try and work together more, rather than going all our different ways. The nomenclatures and wording - there's got to be standardization there. And then, finally, we've got to look more and more at professional standards and best practices.

MACKAY: I think the industry as a whole is on the cusp of taking that step into maturity and creating appropriate standardization and organization. We've got the right people in place now, we've got experienced practitioners, and we've got new practitioners coming up as companies commit to business continuity. We need to lay the groundwork for those people coming into the industry; if we want to be successful in doing that, we're the ones who have to go forward and make that happen.

Copyright (c)2000, Information Security Magazine. All Rights Reserved.
