We have an association of CIOs residing in the NCR region and we meet regularly to discuss matters of common interest. These meetings are in the form of seminars or group discussions, either amongst us or those involving external speakers who are technology or management experts.
Relevance of ERP
As a part of the series, we held an internal meet of CIOs a few days ago for a discussion on ERP implementation and its effectiveness in our respective organizations. About 50 CIOs attended the event. Since the subject was vast, it was important to decide the format of the meeting so that the desired objectives were met. Instead of presentations by a few members, we thought it would be better to place a few salient points for discussion by members.
These points encompassed all elements of the ERP journey, like establishing the need for ERP in the organization, formal definition of project objectives, evaluation/ selection of ERP package and implementation partner, project manager and the team, business transformation, etc. We thought of capturing best practices adopted by the member organizations.
The meet was conducted in a panel discussion format, but at the same time, allowing enough opportunities for all participants to join in the discussion with their views. I was asked to moderate the session.
Establishing the need for ERP
The discussion kick-started with the point – whether the need for ERP was clearly established in the organizations right at the beginning. Answers varied; some expressed their plan of taking ERP as the core application accumulating data from all other legacy systems for consolidation. For someone, it was his company CEO who, having seen it running at some other organization, opted for ERP. Some were clear that their companies needed financial reports and that led to the introduction of ERP. Some said that it was due to peer pressure and also the fact that other companies in their industries had ERP, while some others said that the objective was just to replace their old and creaking legacy systems.
I tried to elicit CIOs’ views on the business value of ERP and the role it can play to further the business of the organization, but didn’t find adequate appreciation from the audience about this being a genuine requirement or an admission that this aspect was left out in their scheme of things.
Laying out project objectives
The second discussion point was about the need for an organization to formally lay down the project objectives or their expectations from the ERP implementation. It was explained that without a clear definition of objectives, it is very difficult to assess the degree of success for any project. There are elements like business drivers, KPIs, or some measures that define goals for the enterprise.
The responses from participants ranged from saying that there was a broad definition to some small and insignificant measures. For example, one CIO stated that the objectives were set based on broad expectations spelt out by the CEO or some functional head during the kick-off meet. Some said that the expectation was to reduce manual entries, or for preparing final accounts from the system. Some said that meeting demands of compliance to IFRS was the need and some said that generating MIS was the need expressed.
Getting IT right
It was only towards the end that one of the CIOs got up to explain that their organization had hired a consultant to lay down KPIs for the CEO and further down to each functional head, and that this served as the document to drive the design of the ERP system. That was a significant statement; I thought it adequately explained this point and made a grand finale for the meet.
Discussions during the entire meet were intense and we thought it better to discuss a few issues in depth rather than running through many. To me, the meeting revealed one significant point: there is a need for the CIOs to understand the business value of ERP and IT in general. They need to focus on business outcomes and not limit their focus to operational matters. CIOs still have some distance to travel in spite of their assertions that they have already ‘arrived’.
There is a joke doing the rounds. When we meet a CIO friend we ask for his business card and, when he looks surprised, we enquire whether he is still with the same company he was with when we met him last. This joke is not limited to CIOs alone, as we are often surprised when we meet the same sales representative who then comes representing another company, sometimes the competitor.
A cyclical problem
The IT sector has been in the news for its high growth trajectory and also for the lay-offs during times of recession. Bad times bring in some stability, though at other times a shortage of skill-sets creates opportunities for good candidates to move around. Attrition has been a cyclical problem that the industry and corporates have to battle with.
When recruiting a person, I have often been confronted with cases where candidates who otherwise look good are let down by a track record that shows frequent movement. There are, however, others who have not moved for too long a period of time. Each case has to be examined in detail to ascertain the candidate's suitability for the requirement.
Now let us take a look at some reasons for people preferring to change jobs. Some may have genuine reasons while others may be undone because of their unreasonable expectations or hurried reaction to unexpected events. Some reasons that I have come across are:
Change for better prospects: Everyone has an ambition and a desire to grow. He may be stagnating in an organization and the moment he sees an opportunity to perch on a higher branch, he would take that jump. For example, he may be offered a manager’s position from the current position as a staffer, or may get to be a CIO if he is just a manager in the present company. Such a move, in my opinion, is justified.
Change for higher compensation: This is certainly an inducement and sometimes enticing. At times, this could be the right market price for his skills and he may seek to correct the low compensation paid by his current employer. This is a reasonable expectation, but at other times people just jump at any higher price or use the offer letter to bargain with their current employers for higher compensation. People also have to realize their responsibility for completing the tasks assigned to them and for honouring the trust placed in them by the management. In one instance during my career, I had to turn down an attractive offer just because the Board of Directors had just then approved my plans and cleared allocation of a huge sum for the purpose.
Being unhappy in present position: Life is not always smooth and we face turbulence at various moments in our professional life. We may sometimes be unhappy with the treatment meted out to us or when the company and the management do not understand or do not want to understand IT. It may be logical for us to think of moving elsewhere where we may be of better use.
These are real situations and such a move could be justified. However, moving just because the situation looks difficult may smack of defeatism. It is these difficult situations that bring the best out of us, and they are a challenge that sharpens our management skills. Our credibility would go up several fold if we come out of those seemingly impossible positions to chart a success. Just quitting the battlefield doesn't help, as we may end up moving from the frying pan into the fire. So my suggestion is: quit only after you have tried your best to retrieve the situation.
For personal reasons: There are some cases when people have to move from one city to another or from one type of job to another because of some personal or family compulsions. The candidates here have to weigh their personal commitments against their career aspirations and take a call that is in their best interest.
In the end, I would say that people have to be balanced in their approach towards changing jobs and should maintain high professional standards during their entire career spans. Needless to say, our reputations are our greatest strengths and our history speaks for us and for our doings.
I have seen a good number of seminars being held these days in our towns, with at least two of them happening every week. These are breakfast meetings, evening sessions or half-day events, usually packed with CIOs/ CXOs who are obliged to visit due to the intense follow-up on the invites sent out by the organizers. Most of the participants are familiar and we keep meeting them more often than we would desire. These seminars were earlier held during the busy months of winter & spring but are now organized throughout the year, just like cricket matches.
These events are arranged by vendors of hardware/ software/ services or by the media companies and sponsored by vendors. They all target CIOs who usually sit on huge budgets to be spent on IT goods and services. So there are two or three parties involved here: the vendor company that sponsors such events, the media company that organizes the meets and extends invitations (with vendors tagged along), and CIOs who serve as the target audience. Let us take a look at these three groups as they engage with each other.
The vendor: He gets an opportunity to display his wares and to put on an elaborate presentation describing the hardware, software, or the bouquet of services he provides. He tries his bit to convince the CIOs that his offerings are second to none and that they score over the competition on every front. He knows that this effect is reversible and can change as soon as the CIO attends the next event organized by his contemporary, but he strives to build mind share and hence sees potential for better business. He has his sales force as well, who spread amongst the guests and strike up conversations with the CIOs during the coffee/ lunch-break in an effort to win them over. The vendor execs have pre-approved budgets, and not spending those budgets may not go down well with their top managers.
The media company: The media company convinces the vendors that it has great influence over CIOs, and can, therefore, ensure high CIO participation. It also proclaims to be better equipped to manage events. Media companies use the occasion to widen their sphere of influence and to obtain news/ content for their next issues. They brand these programs and call them their ‘properties’. This enables them to generate larger revenue for themselves. Usually, they laugh their way to the bank.
The poor CIO: Without doubt, these seminars would not survive if CIOs chose not to attend them. CIOs are spoilt and pampered by the vendors and are profusely thanked every time they attend such an event. A CIO is tied to the event and has to sit through the entire session, whether he likes it or not, often yawning and eagerly waiting for the break, and for the cocktails to flow. He comes all the way for the event to fulfill his obligation to the vendor and / or to the media company, who do a wonderful job of befriending him. It also serves as a welcome break for the CIO from his drab routine and gives him an opportunity to network with fellow sufferers from other companies.
So friends, this is a win-win-win situation, making each of the constituents happy, in one way or the other. Each one is benefited, or thinks so, and returns home with a sense of accomplishment. The cycle, thus, continues and the CIOs gather again to be a part of another spectacle. To prevent burnout, organizers announce a grand event once a year where the honored CIO is taken on a jaunt to an exotic location, either within the country or to some wonderful location abroad. But there too, he is made to sit in the seminar hall and then shown a place or two as consolation. All stay happy, however, and the story goes on. These are happy times for everyone.
We often hear of talks or read articles on green datacenter and we also see awards being constituted for those who implement these measures. I have also read about cases wherein people have claimed achieving a good return on the investment made in green technologies. Some of these, as you know, are business moves made by vendors who peddle such solutions.
I am neither challenging the efficacy of these technologies nor the intent of vendors, but just expressing my opinion that the propaganda borders on hype. Rather than being pressured by such moves, the CIO should think independently and act in a way that is in the best interest of the organization he works for and for the environment and society at large.
The CIO is a respectable professional and a responsible citizen. He, therefore, has to ensure that all resources he uses are properly utilized and nothing is wasted. By doing so he does well for the organization he works for, as he optimizes the use of assets and resources like power. He serves society by putting less pressure on scarce resources. He also does great work in protecting the environment from wasteful use of energy. Instead of just trying to show that they have implemented green technologies, CIOs should look at the larger picture of optimal and best use of technology resources, which will automatically take care of the issues that green technology promotes.
This objective can be met by adopting the following actions:
- Judicious upgrade of technology: Very often we find ourselves burdened with equipment that is old and comparatively low on performance. Besides frequent breakdowns and the increasing cost of repairs, this equipment also consumes more power, needs more cooling, and turns out to be an energy guzzler. However, it is not so easy to throw out old and expensive stuff, and the CIO needs to put in sufficient justification to propose a change or replacement of equipment.
There comes a time when the old machines have to be retired and the CIO needs to recognize the fact and act accordingly. There is no point in holding on to old machines and flog them till they are dead. Newer technologies not only give more speed and capacity for the same buck but also consume less power and occupy less space.
- Using the right technology: At the time of technology selection, the CIO has to scout for new product introductions and choose the one that is most appropriate for his requirements. There have been several solutions in the market, in the form of server virtualization, enterprise storage, precision air-conditioning, sleep mode for idle machines, etc. But CIOs have been very slow in adopting these new technologies, often preferring to stay with the familiar. Most of these solutions help you optimize the use of resources, cost less per unit of data or processing power, and carry a smaller footprint than the old solutions. Delay in adoption is, therefore, undesirable and should be addressed appropriately by the CIO.
- Optimal utilization: Use of technology resources needs care; we have to ensure that all servers, storage, desktops, etc., are utilized optimally. Unutilized or under-utilized equipment is a waste. Along with the overheads of maintaining it, it costs the organization and society dearly. There has to be proper distribution of load, proper evaluation and sizing before procurement, and frequent monitoring of utilization thereafter. Before rushing in to add further capacity, it is advisable to examine whether optimization of usage can create more capacity for use.
- Product end-of-life programs: Replacement of old equipment has become inevitable today due to accelerated changes in technology. Equipment like desktops, laptops and printers, and media like CDs, DVDs, tapes, etc., often have to be disposed of as they become unusable. Simple disposal is an environmental hazard and we, as enlightened citizens, should avoid such a step.
Desktops, laptops, etc., are often given by companies as buy-back to the vendor, and vendors have their own channels for putting them to alternate use. In other cases, corporates give away the old machines to rural schools so they are put to further use. Specialized agencies exist today that undertake dismantling of equipment and media to extract useful elements and to scrap them in an environment-friendly manner. CIOs should get in touch with such agencies and do their bit to protect the environment.
These small but significant steps can go a long way in ensuring a better environment for our children.
As CIOs, we hold important positions in our organizations, and usually have large budgets for our activities. We go about our jobs with due diligence, and earn a name for ourselves in the companies we work in and also in the professional circles. But it is also important to retain the reputation in the long term. A reputation can take several years to build, but may suffer a dent even with a small mistake.
A three-step formula
Let us consider a few ways by which we can ensure that our personal integrity stays at a high level. This has to be a sustained effort and a part of our work ethics. We can do so by following three easy steps.
Being honest: That is, doing only what we say; and conversely, saying only what we do. There is then no dichotomy in our behavior.
For example, if we can learn the act of delivering systems by the promised date, and do so more than once, then we build a reputation. If we are unable to meet the deadline for some unavoidable reason, it is better to approach the user/ management and seek some more time. That way, people begin to trust us. Justifying ourselves with a list of reasons (after the failure to meet the deadlines), does not take us too far as people start losing confidence in us.
Working in the company’s interest: We work for a company and its management. The management reposes confidence in us, and therefore, it is incumbent on us to live up to the management’s expectations. We have to ensure that every rupee spent on IT assets is properly utilized. When we choose various technology components, the main consideration should be their relevance to the company’s goals and objectives. Technology components should not be chosen just to impress the seniors or to show off amongst our peers in the industry.
I know of cases wherein CIOs boldly put in solutions like ERP, CRM, VOIP phones, unified communication, etc., but the projects couldn’t take off or got grounded soon after deployment. Being embarrassed, some of these CIOs even quit their jobs and joined other firms. But such mistakes can damage their reputations as CIOs; their track records follow them, and may potentially harm their career prospects in future.
Procurement ethics: A CIO is involved in various capacities when selecting a technology, software, or a service provider. His role could be that of a recommender, the final authority on selection, or a negotiator. All these roles demand responsibility, transparency, and fairness in judgment. I know of a few unfortunate instances wherein CIOs have been accused of seeking personal favors from vendors for choosing their products/ services. Such actions, although they may not leave behind any evidence, can still inflict sufficient damage to the reputation of the CIO in question, both within and outside the company.
People development: We need to remember that we are not bigger than the companies that we work for. The company must run well even if we depart. To ensure this, we must do two things while in the job. First, we should prepare a succession plan, and second, train our staff members well so that they can manage their work themselves. We should guide people and make them work on their own so that they get confident. We shouldn’t corner all glory to ourselves but share it with our colleagues.
These measures can go a long way in defining our characters and building reputations. The power that these actions can bring to us can be tremendous. In fact, many a time our reputations reach a place even before we arrive there. It’s on account of our reputations that we are respected and are invited for various forums, and thus, experience a feeling of invincibility.
To be a good and an effective CIO has always been a challenge. I have been in various organizations and what I could achieve depended a lot on the organization’s understanding and approach to IT. I would group these organizations into the following types:
1. Organizations which are forward looking, where the CEO is dynamic and articulate enough to spell out his vision of making the business win with the help of IT.
2. Organizations where the CEO wants IT to be effective but leaves it to the CIO to define his own role.
3. Organizations that are indifferent and don’t care much.
Changing business expectations
All high performance organizations display the first two characteristics. They demand more out of IT and are supportive of various IT initiatives that address business needs. Here, the CEO encourages his managers to be self-starters and to take initiatives to make the organization effective in winning over its competition. With the markets changing faster than before, CEOs want their managers to rise up and act; in short, they want their managers to be intrapreneurs.
Who is an intrapreneur?
An intrapreneur is a person who has an entrepreneurial skill set but works within an organisation, enterprise, or venture. An intrapreneur thinks like an entrepreneur seeking out opportunities, which benefit the corporation. It is a new way of thinking, in making companies more productive and profitable.
It is no surprise that with increased competition, the CEO wants his managers to be innovative and to add that extra muscle with which the company can score over others. In such circumstances, therefore, the CIO has a great opportunity to stand up and be counted. In my opinion, it is crucial for the CIO to boldly take that step forward and come out of his comfort zone. He will no doubt face challenges but he has to learn to get over them. However, to come out trumps, he will have to imbibe the following qualities.
Initiative: He will have to step forward on his own and not wait for someone to call him over. He has to look around, sense the requirement and move in to address the issue. He has to seize opportunities to add value.
Business understanding: He has to develop a close understanding of the business by engaging with managers from other functions and visiting areas of work like the shop floor, warehouses, sales offices, vendors, dealer sites, customers etc. That would give him the right perspective and context of various business operations. His appreciation of the issues will lead him towards better solutioning.
Innovation: Standard solutions are passé. Companies today need new solutions and breakthrough ideas to take a leap in the markets. Apart from new technology solutions to address business issues, he could suggest new ideas to cover areas that have hitherto been unaddressed.
Thinking big: Gone are the days of incremental changes and improvements. At a time when organisations are looking for fast growth, a CIO can’t think of playing safe and moving cautiously. Whether it is about using a new technology, revamping our systems, re-architecting the IT setup, or taking up large projects, he has to act fast and decisively after doing proper due diligence. His risk-taking ability will come to the fore and he should be ready to put his neck on the block. As they say, the greater the risk, the greater the profit.
Run his role as a business: The thinking has to move from being purely a service organization to being a critical part of business. It is not just about delivering some user needs but about helping the organization to win and grow rapidly. He has to be conscious of the benefits derived and the expenses incurred.
In my opinion, there has never been a better time for the CIO to assert himself. We have been, for long, talking about the CIO playing second fiddle in organizations; but ‘here – now’ is the great time for him to make that quantum jump and get into the next orbit.
When discussing disaster recovery planning (DRP), I mentioned that it is a part of the larger and more extensive practice called the ‘business continuity plan’. So let’s discuss this subject in a little more detail.
Business continuity planning (BCP) is ‘planning which identifies the organization’s exposure to internal and external threats and provides effective prevention and recovery for its business, whilst maintaining the competitive advantage and the value system integrity’. The intended effect of BCP is to ensure business continuity, the ongoing state in which the organization’s business is conducted.
In plain language, BCP is working out how to stay in business in the event of disaster. Typical incidents include local events like building fires, regional incidents like earthquakes or floods, and may include any event that could potentially cause loss to business.
It may also include any event that results in damage to the aspects that business is dependent on, such as loss of source of supply, loss of critical infrastructure (a major piece of machinery or computing/ network resource), or theft or vandalism. As such, risk management must be incorporated as part of BCP.
DRP versus BCP
These terms are often used interchangeably and though they address the same issue, their coverage is different. DRP refers to a process by which you are able to restore your work environment, i.e. data and the computing infrastructure, affected by any disaster.
BCP, on the other hand, suggests a more comprehensive approach to making sure you can keep making money and run the business efficiently in the face of problems involving illness or departure of key staffers, supply chain partner problems, or other challenges that businesses face from time to time. BCP, therefore, addresses the larger concern of the business and ensures continuity of the company’s business even when faced with grave situations.
Role of the CIO
It is here that a CIO can show his business orientation and lay emphasis on BCP rather than limiting himself to DRP. When talking of disaster recovery our focus is on ensuring recovery of data and the computing infrastructure so that the business can function. We forget that the various business processes that have been affected may need their own time to recover the lost work and get back to normal functioning.
Many a time, when there is a disruption and the IT department helps in rolling forward the database to the last position, the business struggles for a couple of days more before getting back to normalcy. The business executives sit with the IT staff to reconcile transactions lost during the disruption phase, to cover the backlog of transactions that might have taken place during this period but were not entered in the systems, or to restart with the right voucher/ document number.
In many cases, the users are not aware how to run their processes when any such disruption occurs. Some organizations have alternate systems which permit simple invoicing, issue of material, or recording production, etc. so that the immediate work does not suffer and then help transfer this data to the main application when the system is recovered.
Focus on the nitty-gritty
There are a few other factors that need clarity: for example, how to assess a failure and when to declare a disaster, how the business should function during the period of disruption, who would lead and manage the scene during this period, and how to recover and regroup to get back to a steady state once the failure has been addressed.
The BCP policy should clearly define when to inform the management, when to communicate to the working staff, and also the standard operating procedure for the people / areas affected. This, of course, should be preceded by a business impact analysis and measures to ensure that the loss to the business is minimal. After any disaster, the CIO should help assess the loss, if any, that the business might have suffered due to the disruption.
BCP, therefore, has a significant business element. It takes a holistic view of business to ensure that the company continues to function and stays competitive and rises quickly with minimal damage from any unforeseen and grave event that threatens to ground the organization.
In my previous post, I wrote about disaster recovery measures necessary to protect the organization from the after-effects of any possible disaster. Once the need is felt and understood, the next step would be to plan and execute these measures.
The question is, how do we go about doing it? Many CIOs that I know take considerable time to take necessary steps because a large portion of their available time is often consumed by their day-to-day tasks and by attending to emergencies. The organization then runs the risk of badly losing out in case there is any mishap.
What is disaster recovery planning (DRP)?
Disaster recovery planning (DRP) is the process of developing in advance the facilities, plans, and procedures that enable an organization to respond to a disaster by being able to resume critical business functions within a defined time frame, to minimize loss, and to restore affected areas of business. DRP is a part of the larger, more extensive practice called business continuity planning (BCP).
The primary objective of a business resumption plan is to enable an organization to survive a disaster and to re-establish normal business operations. In order to survive, an organization must ensure that critical operations can resume within a reasonable time frame.
Therefore, the goals of a business resumption plan should be to identify weaknesses and implement a disaster prevention program, to minimize the duration of a serious disruption to business operations, to facilitate effective co-ordination of recovery tasks, and most importantly, to reduce the complexity of the recovery effort.
Elements of DRP
The main elements of DRP are given below.
Policy statement: Defining the goal for the plan and a business impact analysis. This is where, I feel, many people slip; I have often found people talking of a DR site and on-line replication without even assessing the tolerance of business to a few hours of shutdown.
Preventive steps: It is important to make a list of all the possible failures and examine the steps that can be taken to ensure that such failures are prevented. This may even include measures like a dual power line to the data center, redundant servers, data back-ups (at remote sites), storage replication, two data centers in the same campus but apart, with equipment distributed between them, etc. Larger, more important measures need to be planned well.
Recovery strategies: This deals with the question ‘what to recover, and by when’. Here we talk of the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO).
RPO refers to the age of the data you want the ability to restore to in the event of a disaster. For example, if the RPO is eight hours, systems should be restored to the state they were in no more than eight hours before the disaster. This helps in defining the back-up or data replication strategies. RTO is the number of hours or days that management has set for resuming a business process or a system; in short, it describes the time needed to get back to normal work.
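As an added illustration, not part of the original post, here is a small Python check of a DR plan against the RPO and RTO described above. The backup schedule, the recovery runbook, the step names and the durations are all constructed sample data and assumptions; the point it shows is that RPO is judged by the gap between restorable copies, while RTO is judged by the longest chain of dependent recovery steps, not by the sum of all steps.

```python
"""Check a DR plan's backup schedule and recovery runbook against its RPO and RTO.

All sample data below is constructed for illustration; step names, durations
and backup intervals are assumptions, not figures from the post.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupJob:
    name: str
    interval: timedelta   # how often a restorable copy is completed
    last_run: datetime    # most recent copy that completed before the disaster


@dataclass(frozen=True)
class RecoveryStep:
    name: str
    duration: timedelta
    depends_on: tuple = ()   # names of steps that must finish before this one starts


def actual_data_loss(jobs, disaster_at):
    """Age of the newest restorable copy at the moment the disaster strikes."""
    completed = [j.last_run for j in jobs if j.last_run <= disaster_at]
    if not completed:
        raise ValueError("no restorable copy exists before the disaster")
    return disaster_at - max(completed)


def worst_case_data_loss(jobs):
    """Largest possible loss, if the disaster strikes just before the next copy:
    the shortest interval among the jobs (each copy is assumed restorable on its own)."""
    return min(j.interval for j in jobs)


def recovery_time(steps):
    """Critical path through the runbook. Steps with no dependency between them
    run in parallel, so the RTO exposure is the longest dependency chain."""
    by_name = {s.name: s for s in steps}
    finish = {}          # step name -> time from declaration at which it completes
    visiting = set()     # recursion stack, used to detect circular dependencies

    def finish_at(name):
        if name in finish:
            return finish[name]
        if name in visiting:
            raise ValueError(f"circular dependency involving {name!r}")
        if name not in by_name:
            raise ValueError(f"unknown step {name!r}")
        visiting.add(name)
        step = by_name[name]
        start = max((finish_at(d) for d in step.depends_on), default=timedelta(0))
        visiting.remove(name)
        finish[name] = start + step.duration
        return finish[name]

    return max((finish_at(s.name) for s in steps), default=timedelta(0))


def assess_plan(jobs, steps, rpo, rto, disaster_at):
    """Compare the schedule and runbook with the objectives management has set."""
    worst = worst_case_data_loss(jobs)
    rt = recovery_time(steps)
    return {
        "data_loss": actual_data_loss(jobs, disaster_at),
        "worst_case_data_loss": worst,
        "recovery_time": rt,
        "rpo_met": worst <= rpo,   # judge the schedule, not one lucky timing
        "rto_met": rt <= rto,
    }


# Constructed sample plan: the post's eight-hour RPO, an assumed four-hour RTO.
RPO = timedelta(hours=8)
RTO = timedelta(hours=4)
DISASTER_AT = datetime(2024, 3, 12, 9, 58)
JOBS = (
    BackupJob("nightly full backup", timedelta(hours=24), datetime(2024, 3, 12, 2, 0)),
    BackupJob("log shipping", timedelta(minutes=15), datetime(2024, 3, 12, 9, 45)),
)
STEPS = (
    RecoveryStep("declare disaster", timedelta(minutes=30)),
    RecoveryStep("provision servers", timedelta(minutes=60), ("declare disaster",)),
    RecoveryStep("restore network", timedelta(minutes=45), ("declare disaster",)),
    RecoveryStep("restore full backup", timedelta(minutes=90), ("provision servers",)),
    RecoveryStep("replay shipped logs", timedelta(minutes=20), ("restore full backup",)),
    RecoveryStep("start application", timedelta(minutes=15),
                 ("replay shipped logs", "restore network")),
    RecoveryStep("user verification", timedelta(minutes=30), ("start application",)),
)

if __name__ == "__main__":
    for key, value in assess_plan(JOBS, STEPS, RPO, RTO, DISASTER_AT).items():
        print(f"{key:>22}: {value}")
```

With this sample the schedule meets the RPO comfortably (at most 15 minutes of loss), but the runbook's critical path of 4 hours 5 minutes misses the RTO, which is exactly the kind of gap a drill should surface.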
Plan development: All the measures and steps including the infrastructure, back-up devices, processes and recovery steps need to be planned and documented so that the process is uniformly understood by all. Plans would then be run and tested.
Plan buy-in and testing: DR plans would not be effective if people are not aware of what is to be done in the event of a disaster. So awareness and training sessions are of utmost importance. It is a good practice to carry out drills so that the real recovery process is enacted and is a real world exposure.
Maintenance: It is not the end of the story once we install a DR solution; it has to be maintained on an ongoing basis. As the business grows there will be changes to our technical landscape, additions to capacities and realignment of business priorities, thus necessitating a review of our plans. Therefore, plans need to be examined and changed to reflect the current business realities.
DRP, hence, is a well-thought-out exercise and assumes the significance of a strategic plan designed to protect a company’s operations from disasters.
Organizations worldwide face various threats and mishaps that disrupt their operations and cause loss to business. Here the reference is to disruptions caused by the failure of the computing infrastructure. And yet, disaster recovery has been ignored by many organizations, citing prohibitive costs or due to pure apathy. Some feel that if nothing untoward has happened so far, nothing is likely to happen in future either. The approach is: ‘let’s cross the river when it comes’.
Disaster recovery explained
Disaster recovery (DR) is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity. While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that support business functions.
Why DR planning is important
Disaster recovery, as a concept, developed a long time ago, as organizations became more and more dependent on computer systems and related technologies.
Many a time, when problems occur, companies take a long time to recover, leading to disruption in work and often causing loss to business. For instance, interruptions in manufacturing, delay in dispatch of goods, or delay in invoicing may lead to goods reaching the market late, a drop in sales, or loss of customers. Nowadays, organizations are more worried about the dent that disasters may cause to their reputation. Another driving force for ‘DR’ is increasing government regulation mandating business continuity and disaster recovery plans for organizations in various sectors of the economy.
Worldwide, it is estimated that most large companies spend between 2% and 4% of their IT budgets on disaster recovery planning. By spending on DRP, they aim at avoiding the larger losses to business that damage to IT infrastructure and data can lead to. Of companies that have had a major loss of business data, many never reopened, many closed down within two years, and others survived in the long term. Today, DR planning is important even to small and medium companies; at times, it is mandated by the principals to whom they supply goods or services.
A CIO’s task
We, as CIOs, have a bounden duty to protect the organization from the fall-out of any such disaster and to take measures both to avoid any such interruption and to recover quickly if such an unforeseen event happens. Such measures, however, cannot be taken in a jiffy; they require a detailed study of the computing environment, a listing of possible faults, appropriate mitigation measures, and a good amount of planning.
The DR plan (DRP) is a set of defined policies and processes that detail the steps that need to be taken to recover access to software, data, network, and hardware in case of any disaster, whether caused by human negligence or by natural causes. DRP is a complex process and requires a good amount of thinking and application. The plan should take into account all business-critical activities, their impact on the business, and the cost of counter-measures to take care of such disruptions.
A DR plan (a.k.a. DR strategy) is important as it defines objectives clearly and identifies the measures to be taken when a disaster strikes. Execution of the plan, however, is equally important and, in my opinion, it is here that many of us are found wanting. Sometimes we take too long over planning, especially when the issues are complex or when business leaders do not show the required urgency. Sometimes a grand plan is halted because the CIO is not able to justify the costs involved. During these periods of delay the risks persist, and may even get more acute with time, and if a disaster occurs the CIO may be left groping for answers.
In such cases, the CIO can start implementing some smaller measures that are simple and lend more protection to the environment. The set-up becomes more secure than before and we get free from those small but recurring problems that often cause headaches. The larger measures can always follow in due time, but we would have some protection in the meanwhile.
We, as CIOs, deal with systems and data that are valuable to the organization. In other words we are custodians of all the information assets of the organization and therefore assume the responsibility of securing and protecting them.
I have spoken to a lot of information systems practitioners and the moment there is a mention of security, the talk immediately shifts to firewalls, perimeter security, UTM, and the like. It seems as if people have been conditioned to think of tools as the only means for addressing the issue. A formal approach to the subject would, however, reveal other issues that need to be attended to so that we develop a holistic view on matters of security.
There are two aspects to security. One is to preserve and protect data so that it is always available for access, and the second is to keep it secure so that it is inaccessible to people who are not authorized to access it. Simple, clear thinking reveals three aspects that need to be addressed: people, process, and technology. Let’s discuss each of them separately.
People: You may have all the technology and tools, but it will ultimately depend on the people who run them. The first thing is to make them aware of the necessity of keeping data and information secure so that the data is available as and when it is needed.
Many organizations hold awareness and training sessions for employees so that they understand their respective responsibilities and also the dos and don’ts of dealing with the organization’s data. They are also apprised of the security policies framed, their roles, and the consequences of a breach.
People often tend to ignore these advisories, and therefore many companies regularly send e-mail blasts to all employees so that they sit up and take notice, while others install wallpapers and screen savers on the user desktops so that they are constantly reminded of their roles and responsibilities.
Process: When data is to be kept secure, one would need to have a set of rules and processes which act as a guide for execution of the steps necessary to ensure safe keeping of data. All good organizations compile documents listing the standard operating procedures for back-up of data and for ensuring security from unauthorized access.
Companies call these a ‘back-up policy’ or a ‘security policy’ document. This is circulated amongst employees or posted on their intranet pages for ready access by people who may want to refer to it. Once these procedures are communicated, employees cannot feign ignorance for non-compliance. It is, however, not enough to just inform and sit back; adherence to process must be monitored regularly, either through a process of internal audit or by audits conducted by an external party.
Documentation of all complaints, incidents and rectifications needs to be preserved for study in the event of any serious breach of security.
Technology: In a complex computing environment of today, where we are connected within and outside the organization, it may be difficult to ensure safety and security without the use of automated tools.
Organizations should evaluate and assess technologies that are appropriate and relevant for the needs of the organization. The choice of the right technology elements should be based on the computing environment and on the organization’s risk assessment of the criticality of its various business opportunities and risks.
It is here that we talk of firewalls, perimeter security, intrusion prevention, antivirus/ spam, identity management, UTM boxes, automated back-up tools, storage technologies, disaster recovery solutions, etc. In my opinion, this forms the third aspect of our preparedness, and tools only go to serve the larger business purpose.
The whole talk of security is incomplete if we do not talk of all aspects of security and safety. Only a reference to technology and tools leaves us woefully short of our task to provide the organization the right environment where the business can function with ease without being unduly bothered about the safety and security of their information assets.