Editor’s note: The 9-11 tragedy of a year ago has more companies thinking about disaster planning. Local Tech Wire asked writer Kirsten Tyler to take a look at what companies should be doing.

RESEARCH TRIANGLE PARK -The trend to reduce financial commitments has impacted just about every line item in the budget this year, but as companies prepare for next year’s spending it is worth inquiring how IT expenditures — especially regarding security and backup – will fair.

Talk to any computer security professional and they will tell you they have been sending up red flags and fighting the good fight for security measures for as long as they can remember. Yet, for one reason or another their IT budget request was never viewed as a priority in most instances – until the past year.

Viruses. Worms. Hackers. Terrorists.

It took extreme circumstances to put IT planning and disaster recovery on the radar screen for CEOs and business owners. A recent survey of 1,000 nationwide companies, within major metropolitan markets, with 100 or more employees reported that one in four medium-to-large businesses still do not have business continuity plans to respond to disasters or emergencies. This research, commissioned by AT&T and conducted by Digital Research Inc., also reports that 20 percent of the respondents plan to create a new position to address business continuity.

9-11 sparks new attention

Since September 11th, 2001, 73 percent of those with existing plans have reviewed and evaluated them.

Until the moment you realize it can happen to you, other pressing issues can cloud the vision of the most well intentioned person. Dave Morrow, deputy director of Global Privacy for EDS, refers to this as the “deer in headlights look.”

“EDS provides outsourcing of IT infrastructures to companies around the globe,” explains Morrow. “We approach IT as a business issue, not a technical issue.”

In order for a security plan to be useful or a continuity plan to be effective, CEOs must first define the business strategy says Morrow. From there, the CIO must figure out a technology strategy to support that. “They are intertwined,” says Morrow. “IT strategy supports point A getting to point B.”

Morrow acknowledges that certain industries such as financial services and healthcare have had legislation driving privacy policies for several years. But, since 9-11-01 he says inquiries from organizations of all types have increased significantly not only for security and privacy issues, but continuity planning and disaster recovery as well.

Tangram Enterprise Solutions (Nasdaq: TESI), a publicly traded IT asset management firm based in Cary, is also seeing increased interest.

“Since 9-11, there has been more awareness and business leaders have been forced to dig inside and find real holes in business continuity planning,” says Senior Vice President Ron Nabors.

“IT assets have become the lifeblood of the modern organization,” Nabors states. “They’re the critical link between internal and external communication, manufacturing, accounting, HR systems, sales, and more. Managing these assets is a delicate blend between the far-reaching impact of costs and productivity.

“When the economy was booming and funding was more liberal, spending on technology went unchecked,” Nabors recalls. “Now CEOs are forced to look closely since revenues and profitability are being scrutinized.”

“IT spending is right behind people and facilities. These areas have controls. IT now receives more attention so the right decisions are made to support strategy.”

Company hit by ‘worm’ was paralyzed

Tangram supports companies with three things: software to manage IT assets, consulting and ongoing maintenance. Nabors explains that in 1985 early adopters began paying attention to managing IT assets, but only since 1996 has the adoption curve begun to rise.

IT asset management pertains to keeping track of thousands of computers, software titles, user licenses, and the potential redundancy or under-utilization therein. Continuity planning pertains to the ability to continue operating during an interim for any given reason, while security and privacy are about protecting IT assets and information.

These are all problems that CEOs hope to solve, but are reluctant to dedicate dollars to these measures since they do not generate revenue. “True. It is hard to prove return on investment,” Morrow adds. “But, it can detriment the bottom line.”

For example, EDS assisted a global manufacturer that was brought to its knees by the NIMDA worm. “They couldn’t eradicate the problem and after three days they called us,” Morrow says. “They were inoperable for five days.” It turns out that the company was only running virus protection software on their servers, not the clients because it was a cost justification issue. “This certainly impacted them,” Morrow continues.

Security and risk management firms such as Secure Enterprise Computing of Morrisville, NC and Internet Security Systems (Nasdaq: ISSX) in Atlanta, GA help clients better understand the legal and technical issues surrounding data security and privacy. Apparently, that is a big need. In fact, damage caused by viruses and hackers worldwide costs upward of $1 trillion annually according to leading analyst firms.

Morrow says that there is no silver bullet approach and recommends a methodology that looks at business impact. What are the critical processes for you to exist? All other processes are secondary, so if you only have X resources in the budget, decide what ones are crucial to protect. Then consider: What are threats? How to protect? How to mitigate those risks? How to test such a plan?

Contingency planning can help put emergency recovery in perspective by building a detailed roadmap of procedures to follow when the unexpected happens. The alternative is that it takes so long to return to business as usual, that the revenue lost drives the company to extinction. So, the question is will C-level executives place enough value in risk management to commit funding it in next year’s budget?

Disaster recovery discussion

A panel of experts will discuss the implications of inept continuity planning next week during the B2T Conference at NCSU. The panel will meet at 1 PM on Wednesday.

The panel is designed to help companies of all sizes put emergency planning and recovery approaches in perspective. This discussion is open to all attendees of the two-day conference planned for Sept. 18-19 at the McKimmon Center. Register online at:

A Disaster Can Be Moment of Truth for Companies Relying on IT: www.localtechwire.com/article.cfm?u=1910&k=15&I=03