PORTLAND, Ore. – We learned (or maybe just heard about) Security being comprised of three main Components: Confidentiality, Integrity and Availability. Some argue that there is a fourth, Compliance, but we'll leave that for another time. Yeah, the press latches on to the violations in confidentiality and we hear endless stories of credit card, driver's license, social security, health and criminal records being lost or stolen.
The buzz around the confidentiality violations is constant and chronic. We also hear about public companies that take a severe stock price hit because they had to restate revenue or earnings because of a misalignment of data or the accumulation of un-corrected errors. But only when we are already in the midst of a crisis do we hear about loss of availability.
The interesting part of the availability component is that it isn't only about overcoming bad things, but it is also about capitalizing on good things. I don't like the term Disaster Recovery Planning. The focus on recovery from disruptive events is certainly an important part of an I/T charter, but it only addresses half the issue.
What about the situations where a tremendous business opportunity is squandered because the technology infrastructure is unable to rise to the occasion and perform well enough to capitalize on the potential for market share increase? Just about everyone knows about the underwear retailer who had the web site crash under the strain of the television fashion event. That was newsworthy probably more because of the product than the technology issue. But do not be misled, there are hundreds of availability issues that occur regularly and do not make headlines or even trade journals. There are a couple of reasons for that phenomenon:
• It isn't hard to solve the problem. Especially if you have enough money. Just buy faster computers, bigger pipelines, more workstations, sales partners, etc. If the system is too slow, turn up the speed. Unfortunately, I have only been in a very few data centers that actually do an effective job of capacity planning. They discuss capacity issues long after the horse has left the barn. Capacity should be an ongoing discussion with a sidebar topic of: "What would happen if our transaction volume suddenly increased two, three, ten or a hundred-fold?" Where would we turn for the increased capacity? Good question.
• Computers that fall over, performance-wise, have an effect on the company profits that can be covered with insurance. To draw a parallel, are you really concerned about losing your credit card? No, because you just call the credit card company and they send you another one, for free! And they wipe out all the purchases you didn't make. Nothing lost, nothing to worry about. The same holds true for failed sales due to computer failures. Just file a claim on the insurance policy. Most major companies spend a ton of money on business interruption coverage, and computer failures aren't usually questioned. But that will only provide some percentage of the customary and regular revenue. What about the increase that caused the systems to fail in the first place? Well, I guess we just chalk that up to experience.
What to do about this? I've been talking to literally dozens of companies in the past year alone about the need for a real, effective and cost-beneficial Business Continuity Risk Management plan. An aggressive look at the traditional Disaster Recovery but also the ability to integrate all the key areas of the organization into a response plan that covers hurricanes, fires, earthquakes and floods and all those events, but also covers massive sicknesses (pandemic) where the technology works fine, but nobody is in the office, or loss of the supply line to manufacture goods, the distribution capability (and with the spiking price of fuel, this is an as yet untapped risk), and all sorts of disruptions. Even including phenomenal sales growth!
Don't forget about Availability in your I/T Security strategy. There may even be some "gold in them thar hills". Great positioning for an acquisition, reduced business interruption premiums, or possibly a workforce that is under a little less pressure when things turn bad, or good.
This column was written by Michael J. Corby, CCP, PMP, CISSP, and appeared in the March issue of the SecureWorldExpo eNewsletter.





