Post-Superstorm Sandy, as security professionals prepare for disasters, they must consider the integrity and availability of data - an often overlooked business continuity element, says Alan Berman of DRI.
Sandy has come and gone, but in reviewing the lessons learned from this and previous disasters, business continuity pros especially need to develop a better handle on the continuity of organizations' data during and after an incident, says Berman, executive director of the Disaster Recovery Institute.
"We're under the impression, even in this condition, that when we come back everything will be like it is," Berman says in an interview with Information Security Media Group's Tom Field [transcript below].
Yet, in the wake of a water-bearing disaster such as Sandy, Berman says it's likely that server farms were flooded, adequate back-ups weren't prepared, proper distribution of data was overlooked, and the cloud wasn't extensively used to move data away from local areas impacted by the storm.
"My concern, once you get through the emergency aspects, is the ability of businesses to retain the data and come back at the point they left off," Berman says.
In an interview about disaster planning for Hurricane Sandy, Berman discusses:
- Public and private sector preparation for the storm;
- Key information security issues to be addressed;
- Critical post-disaster issues.
In addition to serving as leader of the Disaster Recovery Institute, Berman is co-chair for the Alfred P. Sloan Foundation committee to create the new standard for the US Private Sector Preparedness Act. He is a CBCP, an NFPA committee member, a member of the ASIS BCP technical committee, a member of the committee of experts for ANSI-ANAB and a former member of the NY City Partnership for Security and Risk Management. Over a career that has spanned 25 years, he has served as a president and CIO for a major financial institution, national practice leader for operational resiliency at PricewaterhouseCoopers and global business continuity practice leader for Marsh.
Preparing for Sandy
TOM FIELD: Hurricane Sandy is hitting the East Coast. From what you've observed over the past weekend, how prepared do you believe that public and private-sector organizations alike are for the impact of this storm?
ALAN BERMAN: I think that we're about to see the "perfect storm" hitting the U.S., and it's just remarkable that three things can happen at the same time. You can have a hurricane coming up the east coast and have a cold front coming down from the north, and at the same time you have a storm coming in from the west, all hitting at the same time is unprecedented. I think what we've seen, though, is a tremendous effort by the public sector to try to prevent the aftermath of the storm. Obviously, we can do little about what's going to happen to us, but we've learned something from Irene about water and the dangers that it faces, and the coordination with the private sector where businesses are literally closing down and the government is forcing them to close down to try to prevent casualties and damage.
Strongest Planning Elements
FIELD: From my perspective on the outside, the communication looks like it's been strong. From your inside perspective, what are the strongest planning elements that you see in play?
BERMAN: We're seeing state planning and municipal planning. Federal government will be useful, and the national weather centers are giving bulletins, but we're seeing a huge effort by the state and municipalities to work hand-in-hand. I'm in New York, and we've already seen the New York Stock Exchange saying it's going to be closed for two days. Most of the businesses in lower Manhattan have closed at the behest of the state government, as well as shutting down the New York city subway system. Ninety percent of the people who travel into Manhattan for business, especially lower Manhattan, take public transit, so this forced their hand that they had to close. As bad as we're going to see the winds, we're terribly worried about rain and what kind of waves we're going to see and how much flooding we're going to get.
The good thing is if you watch New York City, for the first time that I can remember they're actually covering up the grates over the subway systems, so that water doesn't pour down into the subway system.
Weakest Planning Elements
FIELD: Now the flipside of the question: What are some of the weakest planning elements you've seen so far?
BERMAN: There has been a lot of cooperation. Some of the weakest elements are human elements, where people refuse to believe something is going to happen, and I think it's a tribute to the non-event that took place in New York during Irene. People just don't realize the magnitude of what's happening now and what will happen in the next few days, so I think this is one of those where people just refuse to leave. And evacuation is going to be a little bit difficult, but I think for the most part the businesses understand what the dangers are, and they're working very hard with the public sector to make sure people don't go to work and that people stay home. It's to the point where there are major high rises that are actually shutting off elevator service because they just don't want people trapped in elevators.
FIELD: You mentioned Irene. You used the term "perfect storm" a few minutes ago. In terms of benchmarking, does this experience compare to any other disaster that organizations have faced?
BERMAN: I think not. To the best of my knowledge - and I could be off by a year - in 1992 we had a Nor'easter come through about this time of year, and they actually shut the subway systems down for 10 days. Twenty years ago we hadn't seen anything that looks like this, but that one was one nobody was prepared for. I think as bad as this is going to be, we've had a week of preparation where people understood what's going to happen and the weather services for the first time were all aligned. I subscribe to three independent ones, and from that point of view, we're getting really good information. People understand it and there are zones that are just shutting down, and lower Manhattan is a key for this.
Lessons Learned from Previous Disasters
FIELD: We talked about the disasters of 2011, Irene especially. What are some of the lessons that we can employ from Irene and other disasters that we saw in the previous year?
BERMAN: It's very much like the Great East Japan Earthquake. We've never seen anything that looks like this, so it's very difficult to prepare for something that's a thousand miles wide with waves that we know are going to be 10-20 feet high, and it's a full moon so we're going to have high tide. It's the convergence of all of those things. I think the lesson we learned from Irene is preparation does help. We will prepare our subway system, which is the key to New York City. We may respond enough to move the trains to the yards which happen to be in a lot of the coastal areas of Brooklyn, but I think we're prepared with trying to lessen what the effects are going to be. We learned a lot from all the flooding that took place in New England right after Irene and during Irene that didn't affect New York, but we're worried about water. We're worried about the aftermath of water. We're worried about what the long-term effects are going to be and what the infrastructure effects are going to be, which as you know is always a concern of mine.
Critical Steps Post-Disaster
FIELD: That was exactly where I was headed next, which is, what are the critical issues that are going to have to be addressed post-disaster, post-storm?
BERMAN: I think it's going to be utilities, and especially New York City with the aging infrastructure. New York City is one of the few places that I know of where storm drainage and sewage come through the same pipes, and the fact that we're going to get some flooding with saltwater coming in, either from the Hudson estuaries or from the ocean itself. We have I think roughly 20,000 miles of electric cable just under New York City and transformers and those things that drive the power. There's this great concern about corrosion in that. What you're going to see is shutdowns of power systems so it doesn't endanger some of the equipment. But there are a lot of proactive things that they have put more planning in for this event than any other event I've ever seen.
What we're going to worry about is getting back to New York City and how that's going to affect people. We're going to see utility problems and infrastructure problems, the likes of which we haven't ever seen.
Disaster Recovery Oversight
FIELD: When you've had the opportunity to see disasters all over the world, in your experience, what's most commonly overlooked in disaster recovery?
BERMAN: From our point of view, I think in the public sector we worry about the emergency aspects of it, but we fail to realize how much data - and this is closest to your heart - big data and backups that we don't take. We're under the impression, even in this condition, that when we come back everything will be like it is. I'm sure we're going to see plenty of server farms that have been flooded, inadequate back-ups, not the good distribution of data and not an extensive use of the cloud which would get the data away from local areas. But my concern, once you get through the emergency aspects, is the ability of businesses to retain the data and come back at the point they left off.
Improving Business Continuity Skills
FIELD: Let's talk about the professionals, the business continuity and disaster recovery professionals. Where do organizations need to strengthen their skill sets in those areas?
BERMAN: We've done a lot over the last few years. I spend a lot of time, as you know, with organizations including ISACA and people like RIMS, trying to get some consistency in process, and I think we're doing a good job. I think we've taken great strides in being able to retain communication capabilities. I think we're a lot stronger than we've ever been. I'm sure there will be lessons we learn from this. If you look at 2011, it was the worst year for disasters in our history with many major disasters, $400 billion worth of insurance policies, from the tsunami and the earthquake in Japan to mud slides in Latin America, to the flooding in the Middle East. The issues we've faced over the last year really helped us and strengthened us a lot, and we've seen that certainly from an international perspective where we're sharing information. We just had, in fact, last week delegations from our people in China talking with us about how we're dealing with it and we brought in some New York City OEM people and security people to talk about how we're dealing with it. 2011 forced a lot of sharing. I think that's going to help us a lot in this event.
FIELD: What's your single biggest piece of advice to organizations being impacted by the hurricane?
BERMAN: They should allow the state and the city to do what it has to do and concentrate on those things that are near and dear to running the business: data capabilities, making sure employees are in contact, making sure that people can work from home. I think those things are important. I'm a true believer in allowing the professionals to do their job, and I think this year we've seen and we will continue to see that the public and private sector are working closely together.