Regardless of how imminent a U.S.-led war in Iraq might be, IT budget constraints are preventing many companies from taking appropriate security and disaster-preparedness measures to defend themselves against possible retaliatory terrorist strikes.
It’s not necessarily that the threat is being ignored. The money many IT managers would like to have to combat it simply isn’t there.
John Ervin, a systems administrator at Tessy Plastics LLC in Lynchburg, Va., said a lack of funding has forced him to buy used equipment to back up his systems. “We’ve implemented a used tape drive on our main server and do good backups,” he said. “If I had to purchase the stuff new, I couldn’t have done it. . . . Right now, money is tight.”
And Ervin isn’t alone, according to a study released this week by Dataquest Inc. in San Jose. The study, “Investment Decisions: Preparing for Organizational Disasters,” found that IT managers from 205 companies representing eight vertical industries in the U.S. aren’t investing appropriately in disaster plans because of inadequate budgets.
“Budget constraints are forcing an average of 40 percent of respondents to rely on a best guess to determine potential risk rather than obtaining formal assessments, which would be too costly,” said Tony Adams, principal analyst at Dataquest’s IT Services group.
“Preparation is key, and without adequate investment for protection of critical systems, the repercussions of disasters will be lengthier and more costly,” he said.
A security manager at one of the nation’s largest banks, who spoke on condition of anonymity, said the sheer size of his company means that departments report to various executives and require different levels of certification by third-party disaster assessment firms. As a result, “business continuity planning is as the business sees fit,” the manager said.
Moreover, it’s difficult to show the return on investment from hiring third-party firms to certify disaster recovery processes and assess risk, he said. “Companies in this space came off as if they’re looking for big dollars to tell you what you already know. We all see the best-practice picture at the end of the tunnel, but we choose due care and sound business decision processes to get to that end,” he said.
In any case, crisis management plans have been implemented at 53 percent of the sites that responded to the Dataquest survey, and an additional 30 percent that don’t already have plans are considering developing them, according to the study. But 17 percent of respondents said that they don’t foresee developing any such plans.
“It could be merely that clarity about the aim and function of crisis management is needed,” according to the study. “It could also be explained in terms of the IT systems not being deemed mission-critical in importance.”
In fact, only 10 percent of companies said they always evaluate new initiatives in terms of business continuity.
Susan Bradley, a security manager at Tamiyasu, Smith, Horn and Braun Accountancy Corp., an accounting firm in Fresno, Calif., said the small to medium-size business community is never proactive when it comes to ensuring business continuity.
“We don’t plan. We don’t assess. We don’t analyze. We don’t test. We don’t plan on redundancy,” Bradley said. The Dataquest survey indicates that many large companies aren’t doing much better, she added.
The Dataquest study focused on the responses and plans of IT managers. But John Keast, chief operating officer at SEEC Inc., a Pittsburgh firm that develops software for the insurance and finance industries, said that although the CIO designs and implements the plan and likely orchestrates its execution during a disaster, the ultimate responsibility for focusing the appropriate resources on disaster recovery and continuity of operations planning rests with the CEO, the chief operating officer and the board of directors.
“Losing data that affects business operations is avoidable and unacceptable,” said Keast. “So CEOs and COOs must make it their priority.”