And industry analysts say that difference in opinion is affecting companies' continuity plans, leaving them at risk of being unprepared for or even ignorant of the business interruptions that a disaster could cause.
''I'm not sure business, even today, understands the depth of the problem,'' says Dan Woolley, a vice president with SilentRunner, a network security company out of Virginia. ''Disaster recovery and business continuity are huge issues but it's often overlooked because technology is pretty reliable. The business guys can get on the network and get their email and do their thing pretty reliably, so they fail to recognize the significance of what would happen if we did take a major hit.''
And a study released this week shows that IT leaders aren't feeling nearly as safe as their colleagues on the business side.
The study, which surveyed 274 executives at major U.S. businesses, also showed that 9 percent of business execs think it would take three days or more to resume normal business operations after a disaster. That compares with 23 percent of technology executives who said the same thing.
''The gaps were surprising considering all the recent attention focused on preserving and gaining access to business information and the need, in general, to be able to effectively respond to any sort of disruption in business,'' says Edward Keller, CEO at RoperASW. ''There's also a general feeling that the focus on corporate governance and regulations in the area of business continuity are going to bring issues like this even more into the forefront. Once compliance and reporting is on the table, it's clear that the business leaders and their IT counterparts are going to have to get in sync with exactly what their capabilities are.''
Gordon Haff, an analyst with Illuminata, an industry analyst firm based in Nashua, N.H., says disaster recovery efforts -- such as offsite backup, secondary energy sources, backup ISPs and mirrored systems -- gained a lot of attention after the terrorist attacks of Sept. 11, 2001. But that attention didn't necessarily transfer into money being spent and plans being put into place.
''Thoughts of disaster recovery didn't really start on Sept. 11 but that certainly very much elevated its visibility,'' says Haff. ''But this isn't a new idea for the financial services industry, for example. But across all the industries as a whole, it's relatively new in the scheme of things.''
And Haff points out that IT leaders need to sit down with business executives and do some heavy calculations. Figure out what information is most business critical. Figure out what part of the system is most in danger of going down. How much downtime could the business handle without suffering too much? How much would it cost to put specific business continuity systems in place? Is the risk greater than the cost of implementation would be?
''These are all important questions,'' says Haff. ''The answers are going to be different for every different company... A financial services company in California arguably has a need for a more expensive disaster recovery plan than another company does. How much you are willing to pay will depend on what degree your business as a whole needs to be up and operating.''
And Haff points out IT managers won't know any of these things until they spend some serious face time with the suits.
''It's a matter of IT understanding what the CEO's and CFO's business-level requirements are,'' says Haff. ''It's a matter of sitting down and talking.''
And it's IT's responsibility to make sure that these talks happen and that the business side is clear on the risks associated with a major disaster, according to SilentRunner's Woolley.
''The thing is that people have been complacent,'' says Woolley. ''We haven't had any major take downs or viruses that have really shut people down. Combine that complacency with the current business climate. But if business executives don't think they're at risk, it's because there's so much they don't know.''