What have we learned? IT directors speak out

Since last year's terrorist attack in the US, IT directors in Britain have seen business continuity and disaster recovery issues climb the corporate agenda.

Mark Gorringe, IT director at law firm DJ Freeman, said: "Last year's events have encouraged us to focus on our business continuity plans in a much more pragmatic way. The fear is real, rather than 'it will never happen'. Business continuity planning has emerged as a critical task and has been given real focus."

Roger Ellis, ex-IT director at Blue Circle, agreed. "The horrific events of last year have caused nearly everyone to reappraise their disaster recovery plans, and also security, particularly IT security, which has moved very close to the top of the agenda. All of a sudden even board members have realised that it could actually happen to them," he said.

At the Treasury, head of information systems John Dodds has witnessed this change in emphasis. "The scale of destruction made us completely rethink the underlying assumptions behind our business continuity and business recovery processes. Since 11 September, business continuity planning has had an absolutely central place in our business planning and our IT investment programmes."

Some senior IT staff picked out the human element of any business continuity plan.

"You can have warehouses full of desktop PCs and servers, a complete duplicate network capability available - even boxes of Post-It notes and biros - but unless you have processes in place to cope with shocked, bewildered or frightened people who work for you, then you will not achieve business continuity," said Ministry of Defence IT director Peter Spens-Black.

Others felt that their role had changed little in the past year. One IT director, who did not want to be named, said: "Apart from an initial rush I have seen very little progress, especially in the area of disaster recovery."

Martin Smith, managing director at The Security Company, has seen this attitude in other businesses. "The events of 11 September were so awful and so unexpected that I believe it has been difficult for most of us to relate them directly to our own lives and our own businesses," he said.

"I found that after the initial terrible shock that these terrorist attacks caused, the [more thorough] approach to security has now largely dissipated, and the exposure that many businesses have to the risks of disruption and disaster remains unchanged.

"I sometimes wonder what it will take to place security properly on the agenda of senior management."

Ben Booth, IT director at research organisation Mori, was directly affected by the terrorist attacks. He said: "In my previous role I was able to learn directly from the experience of 11 September. A related business unit was a couple of blocks south of the Twin Towers and had to be relocated out of the area as its offices were unsafe."

As a result, Booth drew up a shortlist of lessons he learned:
  • Offsite backups must be tested regularly

  • Use standard technology that can be replicated easily, either at a sister business or a third-party disaster recovery facility

  • Clients who are accustomed to a high level of service will understand a fall in service levels in a real emergency

  • There is immense value in being able to co-operate with sister businesses.

"I would still use third-party disaster recovery facilities, but this taught me that the quality of planning and the performance of my team in an emergency would determine whether we survived," said Booth.

Preparing for the worst
A recent conference of IT user groups, The Infrastructure Forum (Tif), was attended by a number of companies that were affected by last year's terrorist attacks. The lessons learned included:

  • E-mail was invaluable as a mechanism for confirming that employees in the vicinity were safe as the phone lines on the whole eastern seaboard of the US were congested and almost unusable for about 12 hours after the attacks

  • Disaster recovery plans did not deal adequately with the human factor - safely transporting their staff. Many companies found that it was extremely difficult to get their employees, particularly the ones trapped in Lower Manhattan, to the recovery sites

  • IT suppliers held insufficient stock to deal with all the demands of the 70 or so major corporations that declared disasters. Those whose staff travelled to the supplier site and collected the IT kit they needed, or had disaster recovery contracts already in place, fared best.
