With bushfires already burning their way through swathes of land around Sydney, storms battering Brisbane, and winds flattening parts of Melbourne, attention across the nation is again focusing on disaster preparation.
Yet despite the frequency of risky events and the known value of preparing for them, CIOs continue to underestimate the significance of doing so across their IT environment.
According to a recent ISACA Australia whitepaper, 64 per cent of IT professionals believe the risk culture at their organisation is only moderately effective, or not effective at all.
The IT Risk Management: Drivers, Challenges and Enablers for Australian Organisations report surveyed 111 Australian business and IT professionals from a range of sectors including banking and financial services, energy and utilities, government and defence and manufacturing.
Seventy-one per cent said Australian business teams lack awareness that IT risk management is important to attain business process goals and targets, while a startling 89 per cent believe IT risk management activities are generally perceived by business stakeholders as a compliance burden, whether it’s external or internal.
There is some basis to these concerns. Research by IDC and Flexera Software undertaken in 2012 found 11 per cent or more of respondents’ application spend was associated with out of compliance use, up from 26 per cent a year earlier. The report also highlighted the financial and legal risks of non-compliance, with unplanned, unbudgeted audits of between seven and eight figures common in large enterprises.
In addition, the ISACA report noted perceptions of how to manage IT risk largely focus on security, and often fail to take into account the wider IT environment or business implications of a major catastrophe or IT change.
Given the dramatic adoption of new technology delivery methods such as cloud and mobility, as well as the broader utilisation of consumer and enterprise solutions across all lines of business, it is incumbent on CIOs to manage risk differently.
Planning for disaster
Tim Janes, managing director at Risk Management Design, says the failure of man-made technology, or ‘self-inflicted’ incidents, continues to be the primary source of business disruption for most organisations.
“The frequency and often mundane causes of these incidents mean they tend to receive less attention than headline grabbing natural disasters,” he says. “The fact that the technology platforms and delivery methods the business relies upon are changing, such as cloud and mobility, does not necessarily alter the fundamentals of this situation, but it does refocus the picture.”
Irrespective of technology platform, Jane argues taking a risk management approach will result in significant bottom-line benefits such as reduced reliance on insurance cover and improved insurance terms.
“Better staff retention, increased customer confidence in service reliability, better understanding of the organisation, its operations and the risks it faces, and meeting compliance expectations of regulators, boards and business associates also flow from a proactive approach to risk management,” he says.
Tom Ceglarek is CIO of STW Group, Australia’s largest advertising and marketing services provider, and has spent the last couple of years risk-proofing the business. He says the business faces both external and internal risks.
“External risks include viruses, malware and hackers trying to obtain our IP. Environmental factors include the building burning down or something else preventing people from getting to work,” he explains.
“Internally, there is also the possibility staff might accidentally or deliberately misuse information.” That risk is minimised through the group’s discouragement of staff using their own devices to connect to the company network.
Two-and-a-half years ago, STW’s infrastructure came from 82 media marketing agencies ‘sticky-taped together’, Ceglarek continues. “To reduce risk and increase IT efficiency we wiped that out and started again building our system using NetApp’s Flexpod, and use CommVault’s Simpana for backup and replication management.
“This means we can now manage data not only in each Flexpod stack, but across our 14 offices, while being able to increase visibility across the entire organisation.”
As a result, the group has been able to develop a comprehensive disaster recovery plan that has helped further grow its business. “We need to be able to demonstrate that capacity when pitching for clients in regulated industries such as healthcare, insurance and government,” Ceglarek explains.
“Before they award a contract to us, they want to see we have strategies in place to manage risks to our business – and their account.
“By leveraging a range of technologies we can tell a strong story in how we manage risk and can resume work even in the worst circumstances.”
Using Simpana also helped by reducing the amount of time the IT department spends fighting fires. “Our licence is based on the total amount of data backed up, meaning we can deploy it to as many locations as we like,” he says. “It offers us more flexibility, and makes it easier to roll out new system initiatives as they come up.”
Streamlining the backup process helps ensure minimal disruption to the business. “Commvault’s Simpana 9 Solution integrated tightly with the Net App storage system by hooking into each data set and managing snapshots as disk-based backups to eventually migrate the backups to a tape store,” Ceglarek adds.
“When used together, the systems provide better protection and better visibility into data while making our IT easier to manage overall.
“It’s like insuring hope.”
While many cloud technologies are still maturing, one of the benefits is that data is no longer restricted to single physical boxes, Ceglarek says. “It can safely float around while you’re bringing the business back up to speed after an incident.
“When we had a bunch of isolated solutions, we had to manage them all individually – we couldn’t give business specific recovery objectives, and in a disaster it was difficult to predict and come up with a result. Now we can confidently demonstrate our capabilities in a crisis situation.”