Having ridden through Hurricane Sandy here in the Boston area, I see that we came through relatively unscathed compared to others in New York City, New Jersey, etc.
Our thoughts are now with the resilient people everywhere who are now challenged to restore a semblance of order to a world upended by an unusual massive weather event.
That being said, I believe there is the small spark of opportunity for selected IT leaders to use this very dramatic and very public event to drive a more meaningful discussion with their executive teams around business continuity.
And as I often say, "don't let a perfectly good crisis go to waste".
Like so many folks online, I despair at vendors who #stormjack a crisis and attempt to turn it into a marketing opportunity. I find it crass and insensitive, as do many others obviously.
That being said, there is a very real and palpable issue between IT leaders who fully understand the threats and know how to best prepare -- and the willingness of business leaders to invest in that kind of comparatively expensive IT insurance.
Having worked at EMC for so very long -- and, inevitably, been fully engaged in many discussions of this kind -- I think there might be an opportunity for certain IT leaders to re-engage in an important discussion that (unfortunately) needs an occasional massive disaster to bring it more clearly into focus.
Why Is This?
Long ago, I often became frustrated at the clear and obvious need for business continuity, and the stubborn unwillingness of many businesses to invest appropriately.
The risks are well understood, the various strategies are well understood, multiple technologies are clearly understood, the processes and methodologies are familiar, there are a variety of consumption models available and a wide range of service providers who can help.
No, most definitely it's not a supply problem -- it's clearly a lack of demand for this kind of insurance. Not lack of demand from IT; lack of demand from the business to protect themselves.
So, I've sort of come up with my own explanation as to why this might be.
Many business leaders don't fully understand the IT risks they're exposed to.
Most senior business executives see IT as mostly a supporting function to the business, and not the core of the business itself.
Conversely, these same people are fully conversant with financial risk, operational risk, etc. -- and are more than willing to invest in various forms of insurance against these risks.
Since they don't fully appreciate IT risk, they're unwilling to invest.
Many business leaders see this as an IT problem, and not a business problem.
It would be nice to live in a compartmentalized world where every business function "owns" a problem (and the solution!), but this is rarely the case.
In the real world, many business priorities transcend a single functional unit (e.g. blaming the sales team for poor sales), and that's where the executive team earns their living -- getting to the root of the challenge, and orchestrating resources and talent to come up with the right solution.
Many businesses have become more digital than most people realize.
Years ago, we were able to go back to manual and paper-based processes if the IT stuff wasn't available. That's been long gone for many years now.
If the IT services aren't there, business just can't be done at any level. You're essentially out of business until things come back.
Having a sustained inability to do business is a risk on the same order as a massive quality problem, defect or recall. Your customers can't depend on you anymore. And blaming other parties (e.g. your service provider, etc.) won't cut it -- trust me.
Now, if your product or service is "sticky" in nature (high switching costs, etc.) you might be able to weather a brief outage at reasonable cost to the business. But so many products and services today have low switching costs, which means if you're not available, they'll go find someone else who can do the job.
A Lack Of Willingness To Invest In Protecting Against "Black Swan" Events
When failure modes are frequent and well-understood, there's a willingness to invest in protection. For example, meet anyone who runs an IT shop in the Florida area, and they've got a pretty good handle on how to protect against hurricanes coming through.
Talk to someone who does business in a part of the world that's subject to erratic power, network connectivity, political turmoil, etc. and they've got a pretty good mindset.
The scrambling occurs when we're faced with an event that is hard to predict and infrequent in nature. Hurricane Sandy, an earthquake or tsunami, a nuclear meltdown, a massive power grid failure, and so on. Since these sorts of events are infrequent in nature, we're not thinking about them as part of our day-in, day-out risk mitigation scenarios.
And thus we're badly exposed when they do happen. In some sense, we need to protect against our own human biases in perceiving and reacting to risks.
Back To The Original Thesis
There's nothing like a good crisis to focus people's attention. Sad, but inevitably true.
We now have a clearly documented (and somewhat unusual) crisis at hand. Could this be an opportunity for certain IT leaders?
Perhaps.
Many IT organizations I meet with have fantastic BC/DR capabilities: redundancy, geographical dispersion, well-exercised contingency plans, disaster drills and so on. More importantly, they have a culture of risk identification and mitigation -- not just in the IT organization, but across the business.
Others are not so fortunate. The desire to invest in better IT protection has to compete with other business priorities: new product development, expanding the business, and so on. One set of investments clearly leads to more revenue and profitability. Another set of investments provides a useful hedge against things that are relatively unlikely to happen, but could.
And for this second group, I'd hate to see them waste a perfectly good crisis.
Hi Chuck,
Great article and people would be terrified if they knew the total LACK of DR/BC that most companies have.
I have worked in IT at companies in the healthcare, banking, and telecom industries. I sadly can say that in all of them (except banking) they have detailed DR/BC PLANS but no real DR. The upper management of these companies live in a fantasy world that believes that in the event of a disaster a fleet of trucks from IBM, HP, Dell, HDS, & EMC will magically appear with servers and storage arrays and in a couple of days this gear will be delivered and set up and then PETABYTES of data will magically be restored in a day or so and less than a week after a disaster they will be back in business.
The only company that I worked at that had real DR/BC was at a very large bank that I worked and that was because the Feds demanded that they have it.
Posted by: jimmyPx | October 31, 2012 at 01:52 PM
Isn't this simply the truth? When you look at the scope of the geography that Sally encompassed, the frequency of recent hurricanes, and other catastrophic events (earthquakes, snow storms, tsunamis, floods, tornadoes, and terrorism, etc.), it's a fiduciary responsibility to protect the stockholders and company's assets. It's not that it won't happen - it's a question of when.
Posted by: CHRISTOPHER FINNEY | October 31, 2012 at 06:27 PM