Business continuity suffers as the "ugly stepchild" of IT security.
Let's face it: The 21st century has gotten off to a bad start. We've had threats of pandemics (avian flu and severe acute respiratory syndrome); major natural disasters (hurricanes, earthquakes and tsunamis); and large-scale, man-made crises (terrorist attacks and power grid blackouts). The list is long for a century that's less than a decade old.
These large-scale upheavals have occurred at a time when government business increasingly has moved online. For citizens and public-sector workers, government is a 24/7 operation, where vehicle registrations can be renewed online at 2 a.m. and critical public safety IT infrastructure must be fully operational during a crisis or disaster.
The public is expecting more from government, and running public-sector operations has become increasingly complex, said Jim Kennedy, principal consultant for business continuity and disaster recovery at Alcatel-Lucent. "It used to be if there was a problem, you lost a computer. Now there's digital telephony and more mission-critical applications impacting customer service."
Few would argue about the rising complexity and criticality of IT in government. Clearly business continuity (BC) is no longer a luxury, but rather a necessity in the public sector. When it comes to spending time and money on the matter, BC is treated like a second-class citizen in the public-sector IT world. Funding for BC isn't where it should be, say a number of experts.
Money isn't the biggest obstacle to successful BC in government, according to most experts. Poor planning remains the largest challenge. While most organizations have some kind of BC plan in place -- 93 percent, according to a survey by CSO Research Reports -- the quality, readiness and comprehensiveness of those plans is highly questionable.
CIOs at mid- to large-size firms find many barriers to implementing a sound plan, according to a 2007 survey by Hewlett-Packard. More than half of the respondents (55 percent) said their companies couldn't agree on the right IT solution for BC; nearly half (49 percent) said they didn't have enough time to implement a BC plan; and a third (34 percent) revealed they lacked the data to create a true business case for implementing BC.
Don't Fly the COOP
Part of the problem might be what CIOs are supposed to be planning for. Since many parts of government never shut down, it's no small wonder government IT executives delay the process of figuring out how to make sure they can resume IT in a logical and businesslike fashion.
BC is a more comprehensive approach to disaster recovery (DR), which is the process of getting an organization running after a disruption. BC and DR are supposed to fit into the overall framework of continuity of operations planning (COOP). Ever since the public sector started installing mainframe computers, IT departments have had COOP plans in place to protect payroll and ensure Medicaid, Medicare and Social Security benefits keep flowing during a disaster.
At the federal level, COOP has taken on greater significance since 9/11. Yet problems remain seven years later. Last year, the Government Accountability Office released a report critical of federal COOP exercises, which were meant to assess how well federal agencies could activate their BC plans and get back on an operational footing following a major disruption.
In 2007, the National Association of State Chief Information Officers (NASCIO) published a DR/BC toolkit for CIOs. Citing the growing flow of electronic information within states that has raised the stakes for disruption of public services, the organization warned of the cost both in terms of taxpayer dollars and public trust, should mission-critical applications cease to operate during an emergency: "State CIOs have an obligation to ensure that IT services continue in the state of an emergency."
NASCIO says the steps outlined in its toolkit are simple. However, the depth of planning, communication, cross-boundary relationships and collaboration necessary to carry out such plans is considerable.
As Kennedy points out, BC planning must be carried out in the shadow of IT security. "Let's face it, business continuity is the ugly stepchild of IT security," he said. As evidence, he points to the number of recent surveys that show BC planning lagging in the public and private sectors, especially when compared with security planning.
CIO Role, Difficult Job
Creating and executing a BC plan is like putting a bull's-eye on your back, according to Kennedy. Checklists on what a CIO is supposed to do are awash with the term "critical:" identify critical systems, ensure all critical staff understand the process, ensure all critical business functions remain operational and so on.
Kennedy recommends CIOs become champions for BC planning and find a champion on the business side to help when it comes time to implement and test the plans. But that's not all: CIOs also must ensure their plans have the support of senior-level managers. NASCIO insists today's government CIO needs to go one step further and ensure public-private partnerships -- especially with the industry sectors that deliver power and telecommunications -- are on board ahead of any crisis.
The root of BC is the work that takes place before a crisis occurs. NASCIO's toolkit contains a detailed list of "strategic and business planning responsibilities," with an emphasis on building relationships. Other organizations recommend CIOs' first step should be a business impact analysis. Still other BC planning documents ask that government CIOs take into consideration the need for remote-emergency workers' communications and remote workers in general.
And don't forget the details, say experts. One company had a detailed BC plan, but when a disaster struck, it failed to consider how it was going to feed workers who had to stay on the job for several days. Now it stocks the same ready-to-eat meals used by the military. Another mistake organizations make is not having an alternative work site, a problem that plagued firms devastated by the 9/11 terrorist attacks. What good is backed-up data if your workers have nowhere to work?
The bottom line, said Kennedy, is that good BC requires CIOs to address people, processes and technology. "They've done the last item on the list well," he said. What's been lacking is comprehensive oversight and better execution for following policies and procedures. "We're getting better," he concluded, "but we need to get better a lot faster."