The 2011 (ISC)2 Security Congress

notifying customers about the outage?”
he says. � ese are examples of processes
and elements that technologists o� en fail
to consider.
“Disaster recovery has been narrowed
down to IT capabilities,” says Zuk.
“� ere is less and less involvement with
the business, which is discouraging. It
should be involved a lot more with DR
planning and testing.”
Addressing people and processes
doesn’t require a huge � nancial investment,
but it does require you to sit down
with the right people and plan for these
actualities. “It takes time and it takes
thought and it takes expertise. You have
to sit down and talk through some of this
stu� , and say ‘what if?’ � e people who
have gone through this problem before
or experienced a disaster are good people
to bring to the table,” Dunlap says.
“You can look at a manual to � gure out
how to back up to tape. But are you backing
up and restoring the right stu� ? What
gets restored � rst? Who in the organization
gets their stu� done � rst?” asks Dunlap.
“� at’s a hard conversation, but they’re
the ones that, as practitioners, we need to
come to the table prepared to have.”
MANAGING RISK
IN THE BOARD ROOM
There is another risk associated with
a company’s people that puts business
continuity in danger. It resides in conference
rooms of businesses everywhere:
potential executive or corporate risk
behavior. “Businesses run the risk of
being knocked out by bad business decisions,
but they don’t take that into consideration,”
says Dunlap.
According to Chris Kaufman, president
of Agovia Consulting, companies
lose millions of dollars every day because
of poor business decisions. Managing this
business risk is an essential part of business
continuity, and it’s vital in today’s
environment. Moreover, “It’s a low-cost
way to manage risk,” Kaufman says.
Kaufman cites a number of examples
of risky business decisions that should be
a red � ag to systems security professionals.
One of these is when management
pushes to release a product on time even
if it’s not ready. “Nobody will remember a
year from now if we’re three months late;
everyone will remember if we lose 10
14 INFOSECURITY PROFESSIONAL ISSUE NUMBER 16
percent of our business,” says Kaufman.
Another risky behavior is the purchase
of systems, products and consulting services
based on hype from trade shows
or industry conferences; or continuing
a rollout that is costing the organization
millions of dollars and is clearly doomed
to fail.
Luckily, it doesn’t cost much to mitigate
risky behavior to ensure business
continuity. It’s simply a new way to
approach decision making. “It’s common
sense,” he says, “getting people to think
along the lines of applying the decisions
they’re making today to the place they
want to be two, or � ve, or even 10 years
from now.” In other words, think about
Become an
the long-term impact of the decisions
you’re making.
� is approach also o� ers a bene� t to
CISOs. “Organizations are holistic, and
to be successful, they should operate as
a uni� ed entity. � ese concepts overarch
and tie the various pieces of the organization
together. � e ideas of risk evaluation,
risk management, and business
continuity have begun to mature. � is
should give a natural entre to partnering
with and being a part of the business, as
opposed to being an order taker,” Kaufman
says.
Crystal Bedell is a freelance writer specializing
in technology.
IEEE Certified Biometrics
®
Professional
Why CBP?
The IEEE Certified Biometrics Professional ® (CBP)
program has two major components: Certification and
Training. Professionals and organizations can
both benefit from the IEEE CBP program.
Key advantages are:
n Prove your knowledge
n Increase your credibility
n Learn a baseline of industry
knowledge
n Train employees
n Gain a competitive advantage
Learn more and register today!
www.IEEEBiometricsCertification.org