Business Continuity Planning: The Optimistic Pessimist

Mike Hager escaped from the World Trade Center and got OppenheimerFunds up and running again in less than five hours. Now he faces another challenge: keeping America interested in business continuity planning.

When Mike Hager suggests that much of corporate America is oblivious to the risks of even a minor system outage, it's hard to write him off as just another pessimistic pundit. After all, Hager, then the vice president of security for OppenheimerFunds, escaped the World Trade Center on 9/11 and helped get the company back up and running within hours. The man knows a disaster when he sees one.

But now, this practitioner-turned-consultant is facing a quieter but equally daunting challenge: making sure that, as the horrific events of that day recede from our collective memory, corporate America doesn't stop caring about business continuity planning. And that, he's sorry to say, is what he's seen happening, as he travels the country speaking at conferences and talking with security and IT chiefs.

"We had a short window to try to change a lot, with regard to security and business continuity," says Hager, now president and CEO of the Business Risk Management Group, a consultancy he created in 2003. "Unfortunately, it was not in a good economic time."

Hager recently spoke with Senior Writer Sarah D. Scalet about how to crack that window back open again. The key? An integrated, risk-centric approach to information security, physical security and business continuity that ultimately costs less money and is much more effective. But be warned: you'll still have to paint disaster scenarios to keep people's eyelids from drooping.

CSO: Is business continuity planning a profession for pessimists?

Mike Hager: I like to think of myself as an optimistic pessimist. I tell a joke about a little boy who gets thrown into a room with a 10-foot-high pile of horse manure, and he comes out saying, "Hey, where there's this stuff, there's gotta be a pony, right?" Pessimists believe that there are all kinds of threats out there, but there's no way to keep them out. Optimists say, "Yeah, I know there's an opportunity for people to attack, but we haven't been attacked in 20 years, so why worry about it?" I'm the optimistic pessimist: I actually believe something is going to happen, but I'm crazy enough to believe that I can do something about it.

CSO: Some headline writers are calling you a 9/11 survivor. Do you mind having your identity tied to the fact that you escaped the collapse of the south tower of the World Trade Center?

Hager: A lot of people ask me how I feel, if I have nightmares, those kinds of things. I don't. That probably goes back to my military training, going into survival mode and doing what I needed to do. But I don't take offense to someone saying I was a 9/11 survivor, as long as they put it in the proper context. Yes, my company went away. I watched it disappear, and then in four and a half hours, I literally had all our systems up and operational again.

CSO: Did your focus change after 9/11?

Hager: Mine did because management decided that I needed to spend more time in business continuity than in security. Unfortunately for us, someone did a survey that said we were one of the best in the Fortune 500 from a security perspective, and as a result the money dried up. [He laughs.] That's what happens sometimes. People say, "Well, if we're already one of the best, why do I need to spend more right now?"

CSO: Yet you certainly can make a much more persuasive case for business continuity planning than the next guy.

Hager: I learned a lot of lessons on 9/11. As a result, I'm able to help companies with things that I hadn't even thought about before, things that became important afterward, like having an accounting of what we had. Everybody thinks they know what they have on their networks, but most of them don't really know how many servers they have, or how they're configured, or what applications reside on them: what services were running, what version of software or operating systems they were using.

CSO: Isn't that why people use asset management tools?

Hager: Yes. But guess what? They don't work. Asset management tools will tell you that you have 6,000 hard drives. They won't tell you how many copies of Microsoft Office you have deployed or where those licenses are. After 9/11, companies such as Microsoft were willing to say, "We understand you lost your documentation. Just tell us what you had, and we'll replace it for you." If it's a smaller disaster that's very isolated, vendors may not be as agreeable.

CSO: Two years out from 9/11, is it getting harder for CSOs and CIOs to justify the expense of business continuity?

Hager: It depends on the size of the company. Some of the costs can be very, very high. If you have a large data center and you want to mirror it to someplace else to make it available immediately, you're talking millions of dollars. That's a lot of money. Smaller companies have a lot more options.

CSO: Such as?

Hager: The data can be taken home at night.

CSO: That's a pretty big risk, though, putting the company's most important data in somebody's backseat.

Hager: You have to protect it like you would anything. It's not like you just throw it in the trunk of your car and forget about it. You might put it in a safety deposit box. You might put it in a safe at the CEO's house.

CSO: You make it sound easy.

Hager: Not really. People don't always remember all the critical functions of their business that would have to be resumed. Maybe you can live without the payroll folks for three days, because you don't make payroll for another two weeks, but you definitely need the people answering the phones to get more orders.

CSO: Doesn't that become intensely political? You're talking about deciding who within the company you can do without for a period of time. Nobody wants to admit they're that person.

Hager: But the whole process is based on value. That's why it's important to, first thing, do a business impact analysis to find out what those key critical activities are. Someone at the senior level within the company has to say, "These are the functions I have to have for us to continue this business in the event of a major disaster." And a disaster is anything that stops your operations for X period of hours.

CSO: But planning for, say, a huge terror attack is a waste of time for companies in Denver, isn't it?

Hager: It doesn't matter what causes the loss of a facility. You have to plan for the fact that you might no longer be able to occupy your building, whether the windows blew out from a tornado or you found some white powder in the mail room or there's been a major power outage. You need to categorize your planning based on these three things: loss of facilities, loss of personnel, loss of critical systems.

CSO: So disasters come in all sizes?

Hager: Absolutely. It could be a server that's down. It could be a flu bug that takes out a critical organization. How will you manage? Do you have other people that can do that job to keep things going?

CSO: I think the concept of risk is something that people really struggle with. And their eyes glaze over as soon as you say "business impact analysis."

Hager: It all comes down to risk acceptance: How much would it take to put your company at stake? When don't you have a company anymore? And then, what's the cost factor involved in getting you to the point where you feel comfortable that that won't happen?

CSO: So how do you get people engaged without painting disaster scenarios?

Hager: You don't. But you don't want to scare them unnecessarily. For so many years, we in the security profession have cried wolf. The way we sold security was FUD: fear, uncertainty and doubt. If we didn't scare our bosses to death, we wouldn't get anything. Now, was it really that bad in all the cases? Maybe it was, and maybe it wasn't.

CSO: And now?

Hager: Instead of using fear tactics, it's easier today to sell senior executives on things like being a partner to the business and getting a return on investment and making the processes faster, easier, better for the company, and saying, "Oh, by the way, while I do this, I can eliminate some of your risk."

CSO: You've said that security is becoming a business continuity job. What do you mean by that?

Hager: The things I need to protect from a recovery standpoint are going to mirror the things that are identified in my security model. If you're implementing a good security practice, it translates directly into your disaster recovery model, to say, "Here are the key systems that I have to have this kind of protection on, and they're the ones I also need to be able to recover." That's one of the reasons you will see a lot of folks in the CSO world who have both disaster recovery and security responsibilities.

CSO: So security is really just one part of risk management?

Hager: The chief security officer could as easily be a chief protection officer or a chief business risk management officer. It's a semantic thing. But we do it for the sake of the business, not for the sake of security. Why do I want to put in virus protection? It's because the business can't continue if we get hit with viruses.

CSO: What are the key elements of risk management, then?

Hager: There are really three: physical security, information security (and I take information to be information, period, regardless whether it's electronic or hard copy) and business continuity. But some companies have people who do information security, and people who do physical security, and people who do business continuity; and the three never meet, which is a big mistake.

CSO: Like inventing the wheel three times.

Hager: Exactly. And the three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective.

CSO: A lot of people, especially those close to the 9/11 attacks, are disappointed by our short collective memory. Why is it?

Hager: As a society, we're forgetful and forgiving. A majority of Americans have gotten on with their lives and don't want to be reminded of what happened. We had a small window to try to change a lot regarding security and business continuity. Unfortunately, it wasn't during a strong economic time.

CSO: If a company missed that window of opportunity, where the need for continuity planning was so horrifically illustrated, are they out of luck?

Hager: It's never too late to start planning.

CSO: I suspect that's easy to say but a lot harder to do.

Hager: But you have to. If you don't know the impact of an event, you're more likely to push it aside and decide it's not important to do a lot of business continuity planning. The real fear comes in when you commit to the fact that you want to know that information. And what I would profess is that a lot of companies don't want to know it because they are afraid of any potential impact.

CSO: Can't they just accept the unknown risks?

Hager: To accept a risk, you have to know what the risk is and what effect it would have on the company. That's why you conduct a business impact analysis to determine, for example, what the loss is in money and reputation if a particular system goes down for more than three hours. Then you compare that with the cost to maintain that particular server with a backup of less than three hours. If the losses are $1,500 a day but the costs are $50,000 amortized over a period of time, maybe the risks don't outweigh the recovery. But the businesspeople have to know what those risks are in order to make an intelligent assessment.

CSO: But it's easier not to go there.

Hager: It's easier not to know what the risks are. But you have to understand what you're planning for. It's like insurance. You don't plan on having a car wreck, but you buy insurance. You may not have had an accident in the last five or 10 years, but you still pay it every year.

CSO: But most of the time you're not going to have a car accident.

Hager: And most of the time the World Trade Center is not going to fall on your head. We got hit in 1993, so the building will never fall down, right? Don't ever tell me that things won't happen, because I experienced one of those. I was there that day, in one of those events that would never happen.

Copyright © 2004 IDG Communications, Inc.
