What are we missing?

I’ve been doing a number of programs recently about how organizations develop their business continuity plans and what does into them.  As I have spoken with security leaders across America I have found that, almost without exception, they have key elements missing from their plans. I’ll toss out an example. Businesses are worried about an avian flu pandemic so they have beefed up online access to their data systems so that all their employees can work from home. This can require tremendous amounts of infrastructure investment. But many are over-building capability into their data centers. Why? As John Stewart, Cisco’s CSO pointed out to me, what’s the likelihood that all of your employees will need that access? If there really is an avian flu pandemic 50% of your employees are likely to be caring for sick relatives, ill themselves, or dead. You only need to worry about the 50% who are willing and able to work. Beyond that, what happens if you have servers fail during the pandemic.  Will anyone be there to fix the problem? Will anyone be willing to go in and do it?

Look at your continuity plans with an eye towards what is missing. This is one of the topics we at CSO and CIO will cover this July in New York City at the 2007 Business Continuity Forum.