September 11: The lessons learnt - planning may not be enough

Bayerische Landesbank's senior leaders felt they had one of the best possible contingency plans in place to meet potential disasters or emergencies. But the loss of life in the 11 September terrorist attacks highlighted a gaping hole in that plan.

David John, the bank's vice-president and chief technology officer said: "Without personnel, without staffing, what good is a disaster plan?"

Russ Lewis, executive vice-president and chief information officer at GFInet, an online trading company based six blocks from the World Trade Centre site in New York, said the number one hole in GFInet's disaster recovery plan was its vendors. GFInet's primary telecommunications supplier was Verizon Communications, whose nerve centre was badly damaged during the attack.

Lewis said the company also had contracts with WorldCom and General Electric, allowing it to continue running its business.

The growing trend within IT departments to simplify systems and cut back on the number of vendors they use could be a mistake, said Lewis. Instead, he suggested a strategy based on diversifying suppliers.

"Triage your systems, and triage your vendors," Lewis said, adding that he chose more expensive vendors because they had better security processes in place. "Know who you depend on for what."

Mack Hicks, senior vice-president of the Bank of America, said executives needed to change the old stereotype that information security is a dead-end career in order to get effective leaders to take charge of security.

He suggested that companies make it clear that managers can move in and out of information security jobs and that it is a dynamic field that can advance their careers.

Howard Schmidt, vice-chairman of President Bush's Critical Infrastructure Protection Board and formerly chief security officer at Microsoft, suggested centralising information security management but decentralising execution. That way, everyone knows what to do, but there's someone at the centre controlling everything, he explained.