Disaster-Resource.com

Bringing BC, EM, Homeland Security and InfoSec Together!

By Kathy Gannon Rainey

Publisher, Disaster Resource GUIDE and the Continuity e-GUIDE

Each year, the GUIDE invites a group of industry leaders to participate in a teleconference discussion on the most important issues for the year ahead. Without fail, one topic always makes the list: the need to INTEGRATE the disciplines of business continuity, emergency management, information security and now also homeland security into a powerful and coordinated force to facilitate preparation and response to a multitude of threats. This has been a hot button for the GUIDE since its inception in 1995. In his article for the 2000 GUIDE, the late Robert Campbell urged this industry to accelerate the convergence of disciplines to meet the challenges of the new millennium.

How far have we come?  Why have we not gone farther?  What is still left to do?

The events of the last year—the tsunami in Asia, hurricanes Katrina and Rita—have shown us how much is at stake. As I ponder these terrible events, I am struck by a recurring theme: lack of communication and poor coordination were to blame for many of the problems.

How can emergency management, risk management, crisis management, disaster recovery, business continuity, and information security all fit into one cohesive concept, or one unifying objective?  How do we get beyond turf wars, conflicting philosophies and stagnation?    

To me, it's a no-brainer! The CEO is the Chief Integrator. Whether it is a business, a government agency or a community, top management must balance three key priorities: growth of the business, operations, and protection of assets. The CEO integrates these priorities with the objective of continuity.

Continuity is about protecting what has been built.  Enterprise continuity is about managing and protecting corporate assets through preparedness, mitigation, response, and recovery of the business brand, people, facilities, and information. Insightful leadership has a “vision for continuity” along with a commitment to provide resources.  Focused management uses its power to foster communication necessary to reach the objectives.  

What do you think? 
The Publisher invites your comments to be posted on our website.  Email us your thoughts at publisher@disaster-resource.com
If you want to read the comments, go to www.disaster-resource.com/convergence
Comments will be posted by December 21.


The following article, featured in the 2000 Disaster Resource GUIDE, was written by the late Robert Campbell, an esteemed consultant and industry leader.

CONTINUITY PLANNING IN THE NEW MILLENNIUM
The Convergence of Disciplines

By Robert P. Campbell

THE ACCELERATING CONVERGENCE OF DISCIPLINES
In the last decade, emergency preparedness, crisis management, incident response and other related disciplines heavily influenced the evolution of continuity planning. We saw the tenets of disaster recovery and business resumption broadened to embrace important concepts from each of those disciplines.

In the new Millennium, look for more significant changes in the way we do business. One change already underway is the accelerating convergence of the information security and continuity planning disciplines. Quite simply, as disruption tolerances shrink to hours, minutes and nanoseconds, the business continuity planner must move into areas of computer viruses, unauthorized access, denial-of-service attacks, and other hostile actions where potential abuse and misuse can seriously disrupt critical operations.

THE RISING WORLD OF E-CONTINUITY
Increasingly distributed technology, highly integrated applications and systems, and greater dependence upon complex electronic relationships are all factors that can threaten the security and survivability of mission critical applications and continuity of vital business activities. Add to this the growth of e-business through the Internet, extranets and virtual private networks. The threat of devastating compromise of sensitive information or catastrophic disruption of critical systems looms heavily. Unless careful attention is paid to the dynamics of security, survivability, fault tolerance, fail-over and privacy needs of vital network-based technology, the potential exposures can be life threatening to the enterprise.

URGENT NEEDS FUELING CHANGE
The most influential forces fueling this convergence are the federal government’s urgent concerns over cyber-terrorism, information warfare and its National Plan for Infrastructure Protection.  Its key elements are a mix of information security/mission continuity requirements, presented in the Plan without concern for boundaries between the disciplines.

Additional forces and influences are summarized below:

Continuity Planning – More than ever, the burgeoning web of electronic interdependencies is creating the potential for a minor failure to cascade throughout the enterprise and beyond – a virtual meltdown. This exposure to potentially catastrophic disruption of critical business activities must be dealt with aggressively and thoroughly. New technologies for survivability and fail-over, combined with careful disaster prevention and business continuity planning, are needed to eliminate potentially catastrophic architectural flaws and single points of failure.

We must develop new tools and measurement techniques for e-business vulnerability assessment, business impact analysis, evaluation of recovery and continuity alternatives, and replacement for the recovery and continuity exercises that have offered false comfort for so many years. Traditional software-based and hard-bound recovery plans will give way to exciting new continuity-driven technology that will allow modeling, simulation and prediction of potential failure points, disruptions and defined responses. New products for documenting complex e-business processes and relationships will be desperately needed for all of this to work.

Network Security – Explosive growth in networking has brought all aspects of information technology into highly integrated and efficient business-oriented processes. At the same time, this degree of automation and electronic integration has created electronic pathways reachable by interlopers from anywhere on the globe, which poses a serious threat to the continuity of mission-critical systems.

Careful attention to security in the implementation of these electronic highways is essential to minimizing devastating compromises and business losses. At the same time, highly sophisticated security technologies and schemes will vastly complicate continuity planning and thus must be factored into new and forward-thinking solutions. New security software for intrusion detection and response will also serve to document business processes and relationships, and will be useful in creating modeling and simulation capabilities for business continuity purposes. Maintaining global synchronization of highly integrated but dislocated and encrypted databases in the midst of a dissembling network, for example, sounds like the continuity planner’s worst nightmare. It could well be.

Privacy – Increasing focus upon consumer privacy, federal legislation and mandated controls demands a more aggressive approach to protection of sensitive personal information. At the same time, new security technologies are now making it possible to reasonably plan, design and implement the level of safeguards required to protect these records. These changes have dramatically increased the ante for failure to apply adequate safeguards.

Mandated control and accountability requirements for consumer information, particularly as it flows through surging Internet-based business-to-consumer relationships, will require new thinking, advanced record protection and retention, and business continuity solutions. New federal guidelines and proposed legislation, especially dealing with patient medical records, increasingly speak to continuity planning issues.

THINKING "OUTSIDE THE BOX"
Thus, a new paradigm will confront conventional wisdom in the areas of information security and disaster recovery/business continuity. Old solutions likely will not work. New, "outside the box" thinking will be required to avoid flawed network security implementations and ensure the level of continuity required. These forces will reshape our industry and dramatically alter the landscape. Look for them.

About the Author
The late Robert P. Campbell was Managing Director of Peak Consulting and a recognized international expert in information security and business continuity planning. An early pioneer, he testified before the US Congress as an expert witness and helped influence our national posture on Computer Security/Continuity Planning.