Five questions to help weed out the posers from the real deal. Plus: a checklist of topics a BC/DR consultant should know.

Siemens IT Solutions and Services always had a solid business continuity and disaster recovery (BC/DR) plan in place. But it wasn’t until 9/11 that BC/DR planners truly understood what was lacking.

“We probably had the larger things covered, but on a moment’s notice we were not as well put together as we could have been,” says Debbie Hoppenjans, manager of business continuity planning. “It made us, as a company, really take a step back and look at what we would do.”

So the company began its search for business continuity consulting services. But it wasn’t exactly thrilled with most of its prospects. “There seem to be a lot of them out there, and from our experience a lot of them are not very good,” says CISO Dave Bixler.

DRI: What Should a Business Continuity Consultant Know?

- Project initiation & management
- Risk evaluation & control
- Business impact analysis
- Developing business continuity strategies
- Emergency response & operations
- Developing & implementing business continuity plans
- Awareness programs & training
- Maintaining & exercising BC plans
- Crisis communications
- Coordination with external agencies

Overall, complaints range from a lack of knowledge about the business and miscommunication, to not understanding the scope of the challenge. “A lot of times the [consulting firms] are so dead-set on upselling,” Hoppenjans says. “Any BCP 101 person will tell you that we have to document our plans up to today. So many times you find companies trying to help you plan for years to come.” If they don’t know your business and what you’re going through, “how do you know this is where we need to go?” she adds.

The problem can be traced to the days following 9/11, says Russell Wooldridge, marketing manager at the Disaster Recovery Institute International in Washington, D.C. Many security firms simply added business continuity to their list of services to meet companies’ demands, but offered little training and experience to back up their claims, he says.

Business continuity services represent a $3 billion to $4 billion business, according to Gartner. Some 28 percent of companies manage their business continuity plan with the assistance of an external provider, according to a survey of 254 senior executives by consulting firm KPMG. Reliance on external support is higher in midsize enterprises, at 38 percent, and the financial services sector showed the highest preference for external service providers, at 41 percent.

Companies have taken giant steps in business continuity preparations, says Ben Thornton of Corus, a disaster recovery and business continuity consulting firm. Larger companies are forming their own DR and BC staff and certifying their skills through disaster recovery groups like The Business Continuity Institute, DRII and the Business Resilience Certification Consortium, to name a few. “We’re not out there as evangelists anymore trying to convince people to do this. There’s now a genuine understanding that business continuity [planning] is a part of business, and that’s good,” Thornton says. While that creates more competition for consulting firms, these in-house groups still need coaching, assistance and “spot help,” he adds.

BC/DR planning consultants include large firms like Accenture, Deloitte, PricewaterhouseCoopers, EDS, Booz Allen Hamilton and IBM Global Services. There are also dozens of boutique consulting firms: regional and niche players that focus solely on business continuity planning.

How can you be sure that a consulting firm has the expertise to fill your business continuity gaps? Here are five questions to ask when choosing the best business continuity consultant for your company.

1. Do you know what you need?

Good BC/DR planning starts with understanding what your exposures are and making a sound decision on recovery strategy. If you have a solid strategy, developing your plans becomes straightforward: the solution may not yet be in place, but it is on the way, and you can develop plans to execute that strategy.

“The most critical part of the whole process is your business impact analysis, including the risk assessment,” Hoppenjans says. “That’s where you need to spend most of your time. If your consultant tells you differently, [that’s a problem]. Business impact analysis is the key to your entire plan.”

Consultants should also perform a recovery option study to determine these priorities. Some consultants will perform a business impact analysis and identify the exposures and impacts to expect in a disaster, but they won’t describe how to solve those problems. Make sure the consultant is willing to outline your recovery options and the amount of time each option will take.

2. Will the firm present several options?

If you go to a company that provides big-name technology solutions and consulting services, “why would it surprise you what their answer should be?” Thornton says. There are a lot of options out there, and consultants should present several options for business continuity solutions.

“When it comes to business continuity, it’s about planning and services, and it should be less about technologies,” says Stephanie Balaouras, analyst at Forrester Research. “It’s your strategy for responding to business disruption and covers people, facilities and technologies. It covers everything from pandemic planning to ‘Microsoft Exchange is down.’”

Firms that offer BC/DR planning and consulting services should be able to help you do a business impact analysis, identify critical business processes, map all the dependencies, define how critical each one is, and determine what the impact on revenue would be. “When you understand that, you can build a business case and invest in the right solutions,” she adds. Consultants should first conduct a threat assessment and then put a plan together. “It’s a huge, in-depth process” that needs regular reviewing and updating, Balaouras adds.

3. Are the consultants certified in business continuity planning?

Certification ensures that business continuity consultants are well-versed in all aspects of BC/DR planning. At Siemens, certification is preferred, not required, “but I would recommend it to anyone,” Hoppenjans says.

Nationally there are about 4,500 certified business continuity consultants, according to DRI International, a nonprofit business continuity certification group based in Washington, D.C. “Most of the major consulting firms have [certified BC consultants], as well as about 14 percent of independent BC consultants,” says Al Berman, executive director. A survey by BC Management, a business continuity executive search firm in Huntington Beach, Calif., showed that 75 percent of the respondents were certified, while 25 percent were not.

Business continuity certification bodies include BCI, DRII, BRCCI, the University of Virginia and Strohl Systems. Specialized certifications are available for emergency management, risk management, audit, security and technology.

DRI International offers certification specifically for business continuity consultants and vendors to ensure that practitioners understand professional practices. Each subject area includes the professional’s role within the area and an outline of recommended knowledge within the subject area. The 10 subject areas cover topics such as risk evaluation and control, business impact analysis, emergency response and operations, awareness programs, training, crisis communication and coordinating with external agencies. Ask if the consultants you’ll be working with are certified in business continuity planning.

4. Are they willing and able to prioritize?

You can save a lot of money by evaluating your BC/DR priorities, Thornton says, adding, “If you need systems back up in six hours—you can, but you’ll have to throw a lot of money into that. Instead, consultants should be asking, ‘Do you need that? What can you wait a couple of days on, or a week on?’ and establish priorities.”

Perhaps only 20 percent of the total environment, the most vital systems and applications, must recover in minutes or hours. “I can do that more economically than the whole thing,” Thornton says. Different strategies can be deployed for lower priorities. “If I’ve got three days, I can build that system up very quickly—that’s a lot less expensive than equipment that is standing there ready—not to mention the added cost of keeping that equipment current and fresh,” he adds.

5. Do they offer BC/DR solutions to fit your budget?

Nearly one-quarter of companies surveyed by KPMG have not been able to justify the costs of business continuity plans. Most of these companies are in the large-enterprise segment of 500 to 999 employees, according to the study. Consultants should know your business well enough to understand budget constraints and your immediate BC/DR needs.

“We let the business [units] decide what they want to spend and help coordinate based on what the numbers tell us,” Hoppenjans explains. “We let [business impact analysis] data tell us what each department is doing as far as BC planning, what their risks and their vulnerabilities are, and they decide what to spend. Some responses may be customer- or contract-driven.”

With all of their questions answered, Siemens IT Solutions and Services found a qualified BC/DR consulting firm and has worked with the firm since 2002. “You can never know how prepared you are until something happens,” Hoppenjans says.
“But I think we’re well-equipped with the right tools to guide us through.”