NEW YORK -- More enterprise security officers are assuming responsibility for disaster recovery and business continuity. Though these areas were once considered separate, experts are starting to advocate the integration of security into recovery, continuity and high availability.
"The real objective is to have a resilient infrastructure. You need a high-availability strategy that needs to address security [issues] like denial-of-service attacks, for example," said John Jackson, vice president of IBM's continuity and recovery services division. "These are not three or four separate disciplines any more."
Jackson said most organizations have foregone security during recovery from natural or digital disaster. But maintaining a business off-site requires security in a recovery environment.
"Going forward, as enterprises do more integration, there's going to be a new paradigm," Jackson said. "Traditional thought is 'experience, then react.' Now, it's going to be 'anticipate and adjust.'"
Jackson said enterprises no longer have the luxury of not expecting security breaches and outages. They must implement organizational changes that adjust to those events.
"There's a shift for recovery moving from just an IT issue to a business responsibility," Jackson said.
Jackson urges enterprises to not only back up their data, networks and paper records (to microfilm, for example), but to ensure that their business partners have adequate recovery strategies as well. Also, Jackson advocates backing up people -- by cross-training employees, so that they have at least cursory knowledge of other departments and functions in the event of an emergency.
That kind of resilient, centralized approach to security and recovery resonates with New York state chief information officer James Dillon.
Dillon's efforts are somewhat handcuffed, he said, by stovepipe funding systems that "drive wedges," rather than foster centralized IT development and security. In the meantime, the demand for online government services is growing at an annual rate of 500% for some agencies, like the Department of Motor Vehicles, further exposing the state's networks to downtime from digital attacks, which come via malicious code and hackers, and natural disasters, like blackouts and hurricanes.
"Take the human services network, where we've got 50,000 people from the county and state agencies. We're only as strong as our weakest link there, and some of our rural counties are not very sophisticated in this area," Dillon said. "The whole issue of remotely pushing out patches to every system -- we can't do it for every instance. We find ourselves trying to do other things to keep the systems secure."
Part of the state's anticipate and adjust strategy is to educate employees at every level of government and develop tight relationships with experts at vendor firms.
"Our relationship with vendors is particularly important because of the skill set [issues] of some of our users," Dillon said. "We rely on the private sector to bring in certain skills that we apply to our systems and our problems."
Government funding methods are sometimes counterintuitive to security. For example, Dillon said, Medicaid and welfare funding streams eventually could have forced every county worker to have separate PCs on their desks to handle requests from each agency.
"It could have easily happened if we hadn't intercepted it," Dillon said, shuddering at the potential security issues. "Never mind the issue of how many passwords; it would have been horrible."