On the fifth anniversary of the Sept. 11, 2001, attacks, eWEEK sought the perspective of several members of our Corporate Partner Advisory Board as they looked back at the disruptive forces that have reshaped the enterprise agenda during that time.
Technology Editor Peter Coffee spoke with Robert Rosen, CIO of the National Institute of Arthritis and Musculoskeletal and Skin Diseases, in Bethesda, Md.; Kevin Wilson, product line manager, desktop and mobile, Duke Energy, in Charlotte, N.C.; and Judy Brown, strategic adviser, University of Wisconsin System, in Madison, Wis.
Our goal today is to look at the adjustments that enterprise IT has been forced to make in the time since the 9/11 attacks. How has 9/11 affected IT operationally? Is there more demand for support for teleconferencing or other remote collaboration because of the greater nuisance of travel? Is there more proactive investment in information security or a growing role of IT in physical security? And has there been any change in the posture as to resource availability for any new roles?
Rosen: What has happened, I think, for the most part, is that people are much more aware of the need for disaster recovery and continuity-of-operations plans. They’re clearly spending more time making sure that they’re doing these things, doing a lot more inspection and so on. The downside of it is, for most people, there’s no additional funding available. We have to be ingenious about doing these things along with everything else.
So, rather than the movie-plot scenario planning, you’re seeing more emphasis on readiness for disruption from whatever source?
Rosen: The terrorist scenario or natural disaster scenario provides an impetus, but the smarter people are saying: “If you plan for the previous disaster, the next one will be different. What you have to do is take a step back and deal with disruption regardless of the cause.”
Has there been any increase in demand for remote conferencing or other operational impact on IT infrastructure?
Rosen: That’s more a personal preference. There are people who don’t want to travel anymore, and you can understand that because it’s become such a hassle. We are seeing more questions of what we can do across the Web and what do we have in the way of collaboration software.
The other thing is a lot more in the tele-work arena. We just had a drill last week, saying, “Suppose the campus was shut down—could you work from home?” We had a sizable population testing that.
So, you didn’t just send out a survey and ask people if they could do it; you did this as a live fire drill, so to speak?
Rosen: Actual testing.
Were there any surprises that you can talk about?
Rosen: They did an after-action survey, which was good. The percentage of people who had problems was very low, on the order of 1 or 2 percent out of 2,000 people who were testing this. I think that was pretty good.
The problems they had were pretty much what we predicted. Most of it is … a problem between chair and keyboard. It’s a matter of training. You really can’t just assume that people, because they can read their e-mail from home, can do all the other things from home. More training is needed.
All in all, I think it was a reasonably successful exercise—but it only represented 10 percent of the population. What will happen to IT infrastructure when there’s 80 percent remains to be seen, but we’re taking steps to address that.
Kevin, when we think of you at Duke Energy, we think of critical infrastructure issues of energy production and distribution that have gotten a tremendous amount of attention in the last five years. Is your involvement in that sector an important factor in the way that you’ve had to think about the last five years, or are your IT operations like any other company’s?
Wilson: From our viewpoint as an IT shop, I don’t think things have changed as much [due to 9/11] as they have due to [the] Sarbanes-Oxley [Act] and Enron. When you get to physical plant security, that’s where you’ve seen the world turn upside-down. All the garages have barriers, there are more guards, the physical facility looks different.
Have you had to provide IT support for that, with IT systems for smart cards or other more granular access controls?
Wilson: It seems to be more contractor augmentation, not redesign of the infrastructure. I have not seen IT systems for physical security.
Are your own IT systems getting improved physical security against attacks that might take out a data center rather than a generating plant?
Wilson: We’ve been protecting things, yes.
Brown: We’re looking at using the collaboration and tele-work technology from home, but I’m seeing a lot more lockdowns from corporate IT: Some of the tools, the Web 2.0 tools and Skype and things, users can’t install. It’s problematic for them to collaborate around the water cooler from a distance.
Was the real attack on IT the reaction to Enron and SarbOx?
Brown: I think the tools for collaboration and knowledge capture are exciting, but they’re locked down, and I’m not sure where that’s going to go.
Does this get any additional flavor in the wake of the current controversy over Hewlett-Packard’s aggressive internal investigation of employees and board members, and even journalists, in its effort to get control of sensitive internal discussions? Do employees understand the nature of their communications at work and the fact that those are enterprise property?
Rosen: As much as we tell people, and put it on the log-on banners and send it out every six months, people still don’t realize that [investigations] may go through e-mail. I have been involved in investigations, and it’s amazing what people will put on their computers. They just don’t think about it. People have that sense of privacy, even though it’s not true.
Brown: Under open-records laws, we have to provide that kind of information. There’s training, there’s audits of how you’re handling records collection and storage.
Does that include instant messaging, for example?
Five years after 9/11, we have a tremendous response to specific threats against air travel and enormous time and cost consequences to businesses. Are there any initiatives that you think you’ll be undertaking as we start to deal with the fact that this is “the new normal,” whether we’re talking about terrorists or SarbOx? Now that we’re past the startup issues, is there anything that you think you’ll be doing to move that to a more sustainable steady-state level of readiness and response?
Rosen: There are still more surprises coming down the line. People tend to prepare for the last disaster, or set of disasters, as opposed to the future. What I think will bite people is how to deal with the people issue: A lot of people ran into that problem after 9/11, and they certainly did after Katrina. …
And in a possible pandemic situation?
Rosen: That’s what we’re looking at right now. How do you keep things running? We had an interesting discussion—we were talking about people working from home, but we discussed the assumption that the ISPs will be up and the communications will be up.
There’s a lot of hand-waving going on about that, but nothing that makes me feel warm and fuzzy.
Kevin, I suspect that Duke doesn’t make naive assumptions about other infrastructure being up when you’re having problems yourselves. Do you have microwave, satellite …?
Wilson: We have our own radio network, and there’s some low-data-rate capability there. We’ve got a lot of experience because our people help out when other areas have problems.
Say each of you ran into a senior manager in the elevator who asked you, “What have we learned from 9/11 that makes us more ready for the next thing that happens?” Is there anything you could say that you’d feel good about?
Rosen: We’re better than we ever were before.