This article will focus on the difficulty encountered when trying to sell information security projects and Disaster Recovery Plan projects to business managers or financial officers.

Why is it that so many managers view IT as an additional component of their business operations?

I can suggest a few possible reasons:

• Bad experiences in the past
• IT is viewed as a liability instead of an asset
• Lack of knowledge, complexity, technical language, all intimidate people from becoming IT fluent and aware
• Inability to perceive the Return On Investment  of any IT-related project
• Misconceptions about the reality of their current IT situation and state of the organisation
• Lack of planning. No IT strategy, No roadmap
• Business plan does not factor in any IT elements or spending

The reality is this. There are two ways to spend money on IT.

1. You can undertake planned spending OR
2. You can undertake un-planned spending.

Do you want to allocate $0 to an IT budget forecast and pay as you go along?

Sure, make inaccurate predictions for the next fiscal year that look impressive and then bleed funds from the company’s bank account during the year as incident behind incident occurs.

At the start of the year, your predictions look healthy. The balance sheet is in your favour and you have the extra money to buy more assets. During the year, IT costs go from $0 to $10 000 – sometimes overnight – to cater for your unprecedented incidents or minor disruptions. At the end of the year, 5 disruptions later and $20 000 afterward…you’ve moved from point A to?

…TO POINT A!

You haven’t moved anywhere, just merely saved your information from being damaged and lost completely. (You may have also kept a few IT blokes in employment also.)

Let’s look at the other scenario

• Add IT spending to your annual budget
• Have that money set aside
• Refer to your short-term IT business plan
• Allocate a set amount for each project you PLAN to undertake for the next 12 months

As the year unfolds, start and finish all proposed projects. All the while, keep an eye on your system and information security. Take notes and start to think about what IT investments might be adequate for the next budget.

Anticipate incidents, disruptions and disasters. Have your disaster recovery documents up to date. Perform test drills of possible scenarios and ensure all employees know how to respond under these conditions.

At the end of the year, you may or may not have encountered incidents. You may have overcome some incidents or identified and addressed others before they affected your organisation. Your IT infrastructure performed as expected but you are planning some upgrades for the next year already.

There are two ways to exist in your environment. You can let your environment impact on you, by dictating when and how much you spend on your organisation.

Or…

You can impact on your environment. Deciding when or if you spend money. Anticipate possible problems before they manifest themselves and plan the future growth of your company. Always one step ahead and stronger than before.

My advice for organisations that don’t currently have an adequate IT infrastructure and are unsure on how to spend and invest on this part of the organisation.

1. Create and IT strategy
2. Begin an Information Security vision

There are no excuses for not having spent the resources on IT or security. The first is fundamental to your growth, the second is fundamental to your existence and survival.

Another thing to note is that IT is not a cheap expense in business. And it won’t be getting any cheaper (regardless of how fast the price of memory drops). You will spend the money whether you are proactive or not. The difference is “do you want to get quality solutions, or do you want to use that money just getting by, covering patches and quick fixes?”

In summing up. I think organisations need to view IT with a more positive perspective. It always gets treated with less attention, regard and seriousness compared to other areas of a business. It doesn’t have to be just a daunting and negative experience.

The fact is:

• YOU NEED I.T.
• WE SHOULD BE GRATEFUL FOR THE TECHNOLOGY WE HAVE ACCESS TO AND ENJOY TODAY
• YOU NEED TO EVENTUALLY GET INVOLVED SO START ASKING THE QUESTIONS AND START SPEAKING THE LANGUAGE

Increase your IT spending. Bring the IT part of your organisation up to par with the rest of the business functions. If you don’t then, it will cripple your ability to achieve success regardless of your industry.

To those of you who are proactive and see the need for resilient IT solutions, good on you. For the rest of you that will stubbornly continue with the “IT ON A SHOE-STRING” model, good luck to you.

Feel free to add a comment if this topic is relevant to you or if you have any experiences or advice to share.

More related topics coming soon…

The people involved in these projects also find it difficult to get collaboration. All disaster planning projects must have direct and public support from the CEO in order to encourage participation by all parties.

Unfortunately, due to the dynamics of organisational structure most divisions of a company are far more preoccupied with their own deadlines and milestones to pay some time to disaster planning. Employees are often mistaken when they think their data is being backed up somewhere in the office. There is always the quick remark “oh we’re alright, if anything should happen to us, our team can just work from home”. Really? A bit hard to progress when the rest of the company is at a standstill and the future of any organisation is not guaranteed after a disaster.

The best way to avoid your worst nightmares coming true?

• Invest in a Disaster Recovery Plan, if one exists then review or update it. You might need a whole new plan.
• Allocate resources for a disaster recovery analysis project. If done properly this should take from six months to a year. There needs to be a team at work here as one person will not be adequate.
• Educate employees of new procedures for Business Continuity and recovery stages. The damage of a disaster can be drastically reduced if everybody knows what they should be doing.
• Any plans, new protocols or procedures must be tested and rehearsed on an ongoing basis. Once a month might be too much but keep in mind, a lot of changes occur in a year.
• Once you have achieved a satisfactory level of preparedness the job isn’t over yet. Disaster Planning is a topic that will always require review and attention.

A satisfactory state is met when:

1. All critical data is backed up and held offsite
2. An offsite office is secured and can be setup and functioning within hours of an major incident
3. Customers and suppliers can be contacted and reassured that things are under control and no orders have been lost
4. All employees are familiar with the procedures outlined in the Business Continuity Plan
5. When employees and managers are aware of who the team leaders in charge of recovery are

So in Summary. The important aspects of Disaster Recovery Planning are: risk assessment, disaster planning and backup procedures, disaster recovery plan, plan testing and maintenance.

This is such a complex topic so I have decided to revisit this issue in future blogs outlining how to address this in phases.