IT managers gird for post-Sept. 11 attacks

Air strikes in Afghanistan and the specter of retaliatory terrorist attacks have catapulted disaster recovery planning, business continuity, and technology-asset protection to the top of many senior IT executives’ agendas.

Yet struggling against the toughest economic tide seen in a decade, IT executives faced with fortifying their infrastructure are also confronting Solomon-like budgeting choices that could impact spending well through the next fiscal year.

“[Fears of retaliation] has definitely made our executives and board of directors take a second look at [business continuity and security] and raise it to the top of the list,” said Darren Ruhr, IT director at Precision Drilling Corp. in Calgary. “We have put off this process off for the past few years due to other priorities, but executives are starting to ask more questions.”

However, getting funding in light of shrinking budgets is a “challenge,” Ruhr added.

John Lindquist, CIO and director of technology management services for the city of Stamford, Conn., is about to propose to city officials a three-year capital investment project for disaster recovery (DR), costing between US$500,000 and $1 million.

“This would be an appropriate time for us to have an ‘insurance policy’ in place so that we don’t lose our [US$18 million] investment,” Lindquist said, referring to the city’s recently completed five-year, mainframe-to-client/server conversion project.

To promote better redundancy, the project will allow Lindquist to investigate state-of-the-art data storage solutions such as NAS and SAN technologies, OC3 cabling between government and school system data centers, and the construction of a third data centre site that would be key to meshed networks of real-time data backups, Lindquist said.

Analysts at this week’s Gartner ITxpo conference in Orlando, Fla., concurred with strategies discussed by users, recommending a myriad of DR planning approaches. This includes a call for IT to complete a business impact and risk assessment analysis and test their existing DR plan at least three times per year.

Other steps include prioritizing which applications are mission-critical, determining how much downtime is acceptable, and mapping a plan for bringing these apps back up. Companies should also maintain backup sites within roughly 50 km of the main office; establish alternate means of communication such as home e-mail addresses, pagers, and cell phones; consider decentralizing operations; and insist on knowing the DR plans of key suppliers, vendors, and service providers, Gartner executives said.

Internal network security, too, is topping company priority lists. Mark Yankowskas, IT director for Atlanta-based Rockwood Specialties Inc., is particularly concerned of a ripple effect of electronic attacks from its overseas installations back to the United States.

“We really don’t know what the next strike will be or what direction this whole war will take, but if you sit there on your hands it’s going to be too late when [an incident] happens,” Yankowskas said. “Proactive [measures are] the way it’s going to be.”

The good news is that IT executives are expecting a sympathetic hearing. “The priorities have definitely shifted,” Lindquist said.

The chairman of the board at Oklahoma Publishing, in Oklahoma City, is “very interested” in taking disaster recovery and business continuity to a higher level, said Dan Barth, the company’s CIO.

The company has been exploring ways to accommodate scenarios beyond tornadoes, which are frequent in Oklahoma. The recent quarantine of a building in Florida because of an anthrax scare is one such instance.

“We’re making sure that key systems can be accessed remotely on a minute’s notice,” Barth said. “That could happen on a much more frequent basis than natural disasters.”

Barth is also pushing for more data storage at the company’s remote locations. “On a day’s notice, we may need to increase capacity [at the remote sites],” Barth said.

Funding will not likely shrink “our other initiatives – everything is a zero-based budgeting process where it’s all approved on its own merits,” Barth said. “That’s the good news … [But] there will come a point where preparation will cost more than you can afford.”

Karen Lowman, information systems specialist at Nissan North America in Gardena, Calif., said the automaker is likely to continue forging ahead with e-business projects, but it might have to delay spending on things such as upgrading its basic IT infrastructure. “Something else will have to give in our budgets,” she said.

“The No. 1 thing on the agenda is backup, telecom, alternate sites, and the like. But it’s all at the same time as companies are laying people off,” said Glenn Ricart, CTO of CenterBeam Inc., a desktop management service provider in Santa Clara, Calif. Ricart is also a member of InfoWorld’s CTO Advisory Council.

Gartner Inc., based in Stamford, Conn., estimates that the average portion of IT budgets now dedicated to DR and business recovery planning is two per cent. That number should creep higher under the added weight of the current U.S. terrorist threats; how much depends on company size and current state of readiness.

Many users at the conference seemed acutely aware that the benefits of such planning could be immeasurable in terms of saving IT assets – and in some cases the company – from complete loss.

Doug Valcour, CIO at the Farm Credit Union in McLean, Va., said risk assessment was already a must-do item for his federal institution’s IT infrastructure prior to Sept. 11. But his company, which regulates the financial institutions that provide credit to farmers, has accelerated assessments and disaster testing from annually to three times per year. And they are monitoring for viruses and other security risks more than daily.

Located just kilometres from the Pentagon, Valcour says the credit union’s DR plan now includes a mobile recovery site to bring applications back up and to re-establish communications.

Facing tough fiscal times, some users suggested a tactical approach to loosening the CEO’s purse strings.

“I’d run a simulation of my DR plan to see that it works. Then I’d document the shortcomings and go back to the CEO and show him where we need to spend money,” said John Thompson, president of Crossmark Performance Group, a business services consulting company for the consumer packaged goods industry that runs an online exchange for its 900 clients worldwide.

Crossmark, based in harsh weather-prone Plano, Tex., has spent a year updating its DR plan, which now includes new applications. Companies that ignored their DR plans until they had a technology risk audit will not have that luxury now, he said.

“I think you’ll see that change. … It will be more a part of the application [lifecycle] process,” he said.