"My advice is to get a good, strong education with some specialization in business continuity," Berman says in an interview with Information Security Media Group's Tom Field [transcript below].
Businesses are demanding more education, and there's higher demand for professionals to attend more seminars and readjust their focus to no longer being corporate-centric. Instead of just the organization, "does it work throughout the supply chain?" Berman asks.
According to Berman, certifications and credentialing are becoming the new degrees. DRI International has been spending time with organizations looking to understand what they need. "For those people starting out that want to get into this, my recommendation is not only do you get a degree from an institution of higher learning, but you get a credential that will be recognized in the field."
In an exclusive interview about business continuity and disaster recovery, Berman discusses:
- The state of BC/DR globally as we enter 2012;
- The weaknesses inherent in current BC/DR plans;
- How BC/DR pros must evolve to be more effective in the face of new disasters.
Berman is a CBCP, a NFPA committee member, a member of the ASIS BCP technical committee, a member of the Committee of Experts for ANSI-ANAB, a former member of the NY City Partnership for Security and Risk Management, Executive Director for Disaster Recovery Institute (DRI) and the co-chair for the Alfred P. Sloan Foundation committee to create the new standard for the US Private Sector Preparedness Act (PS-Prep). Over a career that has spanned 25 years, he has served as a President and CIO for a major financial institution, National Practice Leader for Operational Resiliency for PricewaterhouseCoopers and Global Business Continuity practice leader for Marsh.
2011 Disasters: Lessons Learned
TOM FIELD: The last time we spoke was after Japan suffered its natural disaster. Since then, we've seen east coast hurricanes, early snow storms, as well as a variety of data breaches. Given all of these disasters, what would you say we have learned from 2011's incidents?
ALAN BERMAN: I went to Japan about three months after March 11, 2011 and spent some time talking to the Japanese. What was seen around the world was this huge impact on our supply chain, the inability of companies to be able to deliver products because of things that happened around the world. Japan, Indonesia, Brazil - all of these have had dramatic effects on the ability to deliver product and services to customers, and considering the economic climate has had even more of an effect. The big challenge we're looking at, and what I hear from corporate customers around the world, is to try and shore up that supply chain.
State of Business Continuity and Disaster Recovery
FIELD: Given that, what would you say is the state of business continuity and disaster recovery globally as we head into the New Year, given your concerns about supply chain?
BERMAN: It varies country to country, the U.S. being one of the more prepared countries, simply because of the over-abundance of regulations that almost govern every industry we're in. We see great preparedness not only on the disaster-recovery side but also on the business-continuity side, the ability of businesses to deliver product and services under direst. We're starting to see that in other parts of the world. I just took part in a regulatory-and-standards development for the United Arab Emirates who have come up with what's a very strong standard. We're starting to see the spread of governments creating standards and regulations that companies have to live up to. If that continues, we'll have the force of regulation to help build a more prepared global economy.
FIELD: You mentioned supply chain. What do you see as the biggest areas in disaster recovery that really do need attention?
BERMAN: I think it's in manufacturing, and I think it's partially because many, especially American, companies have offshore key production facilities. The flooding in Indonesia will have a very, very big effect and has had an effect. Companies will not broadcast it just as they didn't broadcast the problems that came about in Japan, but I think this is becoming the big issue we're seeing. Now it's really making business continuity proactive rather than reactive, finding the right place, doing the right risk assessments, to make sure the facility will be able to survive an incident.
Improving BC/DR Plans
FIELD: Let's talk about business continuity and disaster recovery plans. How do they have to evolve, the plans themselves and how they're used, how they're audited even? How must they evolve to be prepared for the year's challenges?
BERMAN: I think this is another maturity one, and I think it's looking at intent processing. For a long time we looked at our capabilities as if we were isolated from everything else, and I know I'm harping on supply chain, but now we're starting to look at intent processing and the evaluation of our suppliers. I think that's now taking a real turn for the auditors to start looking at it. The regulations really require due diligence. The audit community is requiring due diligence, so the inability to deliver regardless of where it's impacted within your supply chain now is really under scrutiny. I think the key thing we'll start to look at is end-to-end, and look for weak links and diversify where those weak links are, or even purchase facilities where we need to.
FIELD: What's your sense of how many organizations have effective business continuity and disaster recovery plans, and do they audit them regularly?
BERMAN: Before or after a disaster? A hundred percent before a disaster; maybe thirty percent after one. I mean, everybody claims to be prepared but the truth is how do we react when something stresses the organization? We're seeing better and better at this. We're seeing everything from 100 percent prepared all the way down the supply chain because people in procurement are demanding that they see business continuity and disaster-recovery plans, and even be involved in the vesting of them to people who just take for granted that everything's going to work. But I think from an organization itself, we're seeing more and more and that's simply being driven by customer requirements.
Professionals Must Evolve
FIELD: Let's talk about business continuity and disaster-recovery professionals. How do they have to evolve in their careers to keep pace with the changes we've talked about?
BERMAN: DRI International is unique in its certification of business-continuity professionals and disaster-recovery professionals. We're the only organization to require that they have continuing education and as the businesses evolve, so must professionalism of those in business continuity and they must reach out further. There's more demand in education, there's more demand in being able to attend seminars and what people have to do is adjust their sights so it's no longer myopic and corporate-focused. It's becoming deeper focused. Does it work throughout the organization? And, broader focus, does it work throughout the supply chain?
FIELD: Let's talk a little about DRI International. What are the organization's biggest goals for this next year?
BERMAN: We have a number of goals. One of the things that we've worked on for the last three years is this private sector-public sector convergence. When you look at the United States especially, where 85 percent of the resources of the federal government lie in the hands of private enterprise, we need to have people thinking in a broader sense of what goes on. Even Craig Fugate, who's the head of FEMA, this hurricane season, spent time in private-corporation headquarters and emergency-management centers watching how they did it, and his conclusion was, and it's probably a quote, "They do it better than we do."
There's this true need for convergence. DRI International has run a number of seminars working with public and private sectors and for the first time, we're actually going to certify people in the public aspects of business continuity.
Careers in BC/DR
FIELD: It's an attractive field, business continuity and disaster recovery. What's your advice for someone that's looking to start or restart their career in this field?
BERMAN: We spend a lot of time with people and corporations looking for what they're asking for. In fact, we're running a program with a number of universities to embed our curriculum into it. For those people starting out that want to get into this, my recommendation is not only do you get a degree from an institution of higher learning, but you get a credential that will be recognized in the field. The second thing for those people looking to bring their experience to bear, certifications and credentialing are becoming the new degree. Corporations want people who can hit the ground running and want people to understand what they're doing. My advice is to get a good, strong education with some specialization in business continuity, which could be acquired obviously through DRI International.
FIELD: When you talk about effective business continuity professionals - you talk about the credentials - what are the essential qualities in these individuals that make them effective?
BERMAN: Besides a thick skin, I think the things that make them effective is we're a very information-driven practice and profession. We do tremendous amounts of analytics and "what if" type analysis. What we're trying to do is predict what the effects are going to be regardless of what the cause is, and then to understand what a risk tolerance is or how do we combine the insurance coverage we have with it so that we minimize the impact upon the organization.