


by Sandy Kendall

Do You Dare Test Your Plans?

May 19, 2003 (2 mins)
CSO and CISO, Data and Information Security

Maybe because the airwaves were full of news of real terrorism, we heard relatively little outside of Chicago and Seattle about Topoff2, the massive counterterrorism drill conducted in those cities over five days last week.

Topoff2 was the largest counterterrorism exercise since 9/11, and the first since the formation of the Department of Homeland Security. From what coverage there was, the drills appeared to be a success: they gave the first responders and top officers (hence Topoff) being drilled some practice, some confidence, and some indication of what has to be fixed before they can respond to a real event with real effectiveness. Most participants, at least, believe that it was $16 million well spent.

The same threats that public safety agencies just trained for, as well as other dangers, would have hideous effects on businesses whose physical plant or information/communication systems were struck. In a recent report, the Robert Francis Group said that to guarantee success, disaster recovery and business continuity strategies and plans must require and support frequent testing and refinement of underlying scenarios and assumptions.

Last November, CSO magazine reported on an elaborate drill conducted by insurance giant USAA, replete with simulated loss of key leaders, decontamination showers and impromptu relocation of workstations. But that's a model that few companies follow. According to an online poll conducted last summer by St. Louis-based trade publication Disaster Recovery Journal, 65.5 percent of the 2,223 respondents said their company had not enacted its business contingency/disaster recovery plan in the last 10 years. About 26 percent had enacted their plans between one and three times. Additionally, a KPMG study found that some 47 percent of U.S. companies admit that they do not have a crisis plan in place or a method to measure their readiness.

Gartner Group analyst Tony Adams told CXO media, "Unless they're regulated, companies aren't protecting themselves from something that may or may not happen down the road." Even if plans are in place, he says, a lot of companies (other than utilities) don't know how well those plans work because they are rarely tested. Many companies don't have the guts to throw the switch.

A recent Gartner survey found that one in three U.S. companies would suffer critical losses during a disaster because their recovery plans are not fully funded. Does your company have the guts to throw the switch?