Gartner Tackles Biz Continuity

LAKE BUENA VISTA, FLA. – With a nod toward the terrorist attack last month, Gartner Inc. CEO Michael Fleisher kicked off the Gartner Symposium here Monday morning with a discussion of what it means for IT to be strategic.

After an opening welcome by Florida Governor Jeb Bush, Fleisher said that IT is being tested on its ability to react "prudently and forcefully" to the results of the attack to get corporate America back in the game.

The two obvious issues for IT are disaster recovery and security, he said, but being strategic "is about understanding the fundamental forces at work in your environment."

Fleisher began by outlining the forces at work one year ago, when the technology industry was still in the afterglow of a five-year boom. The industry had delivered a long stream of advances, significant business investments had been made in technology, and corporations spent much for both Y2K remediation and e-business. The legacy of that period: The understanding that technology is fundamental to business.

"Today the forces at work are entirely different," he said. "The boom is ancient history. Those times were unsustainable." Because of the slowdown in spending, "it is no surprise that real innovation has slowed," he said. "Capital markets that once encouraged startups to rush to market with half baked ideas" now have no incentive to spend, he added.

Over the past year there has been a precipitous drop in technology spending, while IT suppliers were "producing like demand would never slow," he said. And unlike the airline industry, there will be no bailout for the technology industry, he said.

Indeed, Fleisher painted a bleak future for the technology sector, predicting that "50 percent of all IT companies with a household brand name will cease to exist in three years." The proposed merger between Hewlett Packard Co. and Compaq Computer Corp. is at the beginning of a wave of anticipated consolidation in the industry.

With the expected consolidation, it is important for CIOs to focus IT on solidifying relationships with existing partners.

Fleisher also touched on themes from last years Symposium to reiterate the need to outsource non-strategic functions. "You must delegate cherished roles that give you visibility for the wrong reasons," he said.

He concluded his talk by urging IT to "cultivate restless creativity. Make a small but sure bet on something improbable. Our best days lie ahead."

Business Continuity in the New World

The keynote was followed by a panel discussion with Gartner analysts to address more immediate concerns about security and disaster recovery. To start, Fleisher asked the experts what made the recent disaster different from others.

"We werent prepared for the tremendous loss of life," said Donna Scott, research director for business continuity at the Stamford, Conn., based Gartner. Nor were we prepared for the loss of physical assets and the loss of communications, she added.

"Companies typically plan for a single outage," added Roberta Witty, research director. "We were trying to recover and then got hit by the Nimda virus."

In looking at the worst case scenarios seen by the analysts to date, Scott described how a credit union in the South was hit by a hurricane three times in three years. Its response was to create a mobile unit that incorporated all the technology necessary to turn the unit into a branch office to serve customers, and even disperse cash from the back of a car in the immediate aftermath. "Business continuity is about how to continue to serve customers immediately after the disaster," she said.

Witty described another client that lost an entire staff, and another that lost both its main site and recovery site. But because of events such as September 11 caused major transportation outages, Gartner recommends that clients put backup hot sites in place in locations between 20 to 50 miles from their central sites.

Gartner security expert John Pescatore said that its time to look for more business-strength Internet services as a result of the aftermath. He described how banking clients that did business with Israeli companies had experienced denial of service attacks in their e-business operations.

Physical security should also be of major concern. "Outsourcing physical security to the lowest bidder may not be an option anymore," Pescatore said.

And the ripple effect extends out to hiring practices. "Hiring people as fast as possible without relevant background checks isnt wise anymore," chimed Richard Hunter, another Gartner security expert.

To that end, Scott warned of clients falling back into a state of complacency after operating in a heightened state of awareness. "We estimate that two of five (smaller) enterprises will go out of business as a result of not being prepared in a disaster," she said.

Other unexpected ripple effects from the terrorist attack include the increased use of webcasting in lieu of travel; the increased use of Instant Messaging and the need to open ports to allow such traffic through; the need to be able to immediately react to changing demands on Web sites, and a need to rethink centralization of data centers and operations.

"Most enterprises have all their executives on the same floor," Witty. "If theyre not available in a crisis, decision making is hard."

In responding to a question about whether enterprises will spend too much on disaster recovery plans, Scott urged the audience to first perform a business-impact assessment. "That should drive finding for this," she said. Such analysis looks at the cost to recover versus the amount of money lost in the interim. In other words, the shorter the time frame, the greater the cost. "Some industries need to recover in an hour, some need to recover in three days," she said.

To get started, Witty recommended hiring a business continuity manager. She also rattled off a quick to-do list: "Look at your ability to recover; do a risk assessment of critical processes; make sure you can get in touch with all your employees; and make sure you can get in touch with your suppliers."

Bottom line according to Hunter: "You have to look at what your resources are – not everything needs the same level of protection."