IT watchfulness rises, but budgets limit change

Though IT professionals are now alert to the threat of terrorism, that threat generally hasn’t pushed IT organizations to radically revamp their business continuity or data security plans, according to the results of an exclusive Computerworld online survey.

“I worry more about the Russians and script kiddies than al-Qaeda,” said Alan Weber, senior systems analyst at Austin, Texas-based DS Associates, which manages human resources data for other firms.

His remarks reflect the findings of an online poll conducted the last week of August by 2,620 IT professionals, barely half of whom said their organizations have launched projects to improve data security in response to the terrorist attacks on the World Trade Center and Pentagon a year ago this week.

Many users said their existing plans to protect their IT assets are adequate. “If you’re already connected to the Internet, you already have a security issue, and 9/11 should not have made a difference,” Weber said.

He added that his company had disaster preparedness and recovery plans in place already because of the threat of tornadoes and fire, “where the odds of them happening are far higher.”

Jim Prevo, CIO at Green Mountain Coffee Roasters Inc. in Waterbury, Vt., said that his company is simply continuing with the disaster preparedness plan it had in place before Sept. 11.

Like most companies in the survey, Green Mountain didn’t boost spending to take on new projects for business continuity and security, because funding for those areas is already addressed in the budget process. The installation of a new firewall was in the budget before last September, Prevo said.

Standard Reponse

Mark Shainman, an analyst at Meta Group Inc. in Stamford, Conn., said he isn’t surprised by the survey’s findings.

“Initially, there was a great fervour about security and business [continuity],” he said. But with IT budget constraints and existing protections in place, most companies left things alone, Shainman said.

“Everyone agrees it’s a big issue,” said David Nessl, a senior systems administrator at American Systems Consulting Inc. in Dublin, Ohio. “But there’s no budget for it, and you still have to deal

Nessl said his department is now taking “snapshots of the data twice a day to make sure we’re no more than a half-day out of sync.” The company also used previously budgeted dollars to buy mass storage technology from EMC Corp. that can mirror data to a remote site.

Still, many firms did take the 9/11 tragedy as a wake-up call to improve data security.

At Stanley Aviation Corp. in Denver, MIS director David Edwards said backup was the company’s only disaster recovery plan before 9/11. Stanley Aviation is working out plans with a sister company to use each other’s data centres for business continuity operations, he said, and it has added a hardware firewall and new proxy servers to improve security.

Some firms even changed their management structures in response to the attacks. Charlie Orndorff, CIO at Crossmark Inc. in Plano, Texas, said that although his overall budget hasn’t increased, there has been a shift in priorities. “Most significant is the creation of a new position for manager of infrastructure security,” he said. He added that while the company had already been evaluating a 72-hour business continuity program with Wayne, Pa.-based SunGard Data Systems Inc., “Sept. 11 expedited the process.”

In some markets, the shift has been dramatic. According to John Hall, president of call centre designer Televerity LLC in Indianapolis, his clients are now demanding business continuity options.

“Disaster recovery is now 40 percent of our revenues,” he said. “Last year, it was zero.”

Computerworld’s survey was conducted in collaboration with Perseus Development Corp., a market research firm in Braintree, Mass. (


Attitudes: The Single Biggest Change

Brookings, S.D., is a long way from the World Trade Center and the Pentagon. And the IT workers at Falcon Plastics Inc.’s headquarters there have no illusions that they are on any terrorist’s hit list. But that doesn’t mean the events of Sept. 11 didn’t change the company’s attitude about protecting its information assets.

“It has caused us to sit back and evaluate our disaster protection and data security policies,” said Lisa Bender, IT manager at the plastics manufacturer. “We’ll never assume we have no gaps in our system again.”

Attitudes about disaster preparedness and security are what changed the most after the terror attacks on the U.S. last year, according to many IT professionals.

Barbara Brennan, director of technology at Panzano Partners Ltd. in Morristown, N.J., said that although the company updated its firewalls and bought some virus protection software after Sept. 11, “the biggest change since the tragedy has been in people’s awareness of security.”

Jim O’Keefe, IT director at Resco Products Inc. in Pittsburgh, agreed. “Sept. 11 brought out how vulnerable everyone is,” he said.

O’Keefe added that the tragedy focused employees’ attention on business continuity and security. “It did away with the ‘That’s nice, but it’ll never happen here’ thinking.”