of the American Society for Information Science and Technology  Vol. 28, No. 6    August / September 2002


Information and the War Against Terrorism, Part V: The Business Implications

by Lee S. Strickland

Lee S. Strickland, J.D., is with the College of Information Studies, University of Maryland, leess@ucia.gov

Almost all business executives, and certainly every information officer, would agree that the events of September 11, 2001, changed the threat picture presented to every government and commercial enterprise. But this is not the first call to invest in a comprehensive plan to protect information, the most significant business asset. Whether we consider the 1993 bombing of the World Trade Center (WTC) garage, devastating hurricanes, raging forest fires or the years of IRA terrorism in the United Kingdom, the range of catastrophic events that can destroy business information and information technology (IT) resources should be well known but are all too often ignored in the interests of reducing overhead and seemingly unnecessary administrative expenses. Moreover, the trend of recent years toward centralization of information and the support infrastructure, again in the interest of costs and efficiency, has exacerbated the risk picture and substantially impacted the resilience of most enterprises.

So, how should information managers approach and address this dangerous new world? Five points should guide our actions. First, we must recognize that the threat of terrorism is a "low probability, high impact" type of event. Second, we must similarly recognize that many other, much smaller and more likely threats continue to present themselves: broken pipes and resulting floods, construction crews cutting communications lines and sabotage from inside or outside are merely some of the more mundane threats that can equally and adversely affect business information. Third, given this disparate universe of threats, we must employ classic risk management analysis: How much are we willing to spend to protect against and mitigate the results of risks to specific assets? How can dollars spent on protection be maximized against risks? It is in essence an insurance question where we balance the requirement to continue to serve our customers efficiently against the required protective steps. Fourth, given that information is our most critical asset, we must plan to protect all facets, forms, values and enablers, whether explicit or implicit, whether data or knowledge, and wherever situated and however communicated. And, fifth, we should plan to respond to the universe of risks additionally by re-engineering our mode of business in order not only to reduce vulnerability to attack but also to make our business more resilient to an attack that may in fact ensue.

I believe that these concepts, which could be considered the axioms of business preservation, translate into three planning arenas or goals that businesses may wish to address:  continuing to serve the customer in times of threat, implementing new communication paradigms and establishing a comprehensive knowledge redundancy program. 

Continuing to Serve the Customer in Times of Threat

Maintaining a sense of normalcy and safety for customers and staff has never been more important since the perception of danger can produce many of the same effects as an actual disaster. Perhaps the most significant key to that normalcy is awareness and preparation for the unknown. At one level, every organization should understand and be prepared to respond to the new investigative authorities of the federal government (under the USA Patriot Act) and the similar new statutory provisions in many states. In particular, corporate managers and counsel, as well as IT and human resource (HR) officers, should be familiar with the broad parameters of the new law and corporate policy to respond to the range of demands. The receipt of a court order to produce a wide spectrum of electronic records is not the appropriate time to develop that policy. 

At another level, the physical safety of the corporate premises must be re-examined. On-going environmental testing for biological and chemical contaminants should be considered for spaces with significant public access as well as all mail processing facilities. In this regard it is useful to remember the many cases of incidental contamination in the last six months. In conjunction with the environmental testing is the re-consideration of physical security. Here we must carefully balance risk and response and avoid a bureaucratic or rote approach that serves primarily to inconvenience staff and customers and not to enhance effective security. Moreover, in evaluating this balance it is critical to remember that threats, especially to information resources, are more often internal than external, especially in this era of fungible human resources. Lastly, in all of these planning efforts, it is important to avoid the common tendency to focus on the mechanisms of the most recent disaster; rather, our focus should be on the range of threats and more specifically on the effects that may be presented. For instance, the loss of access to a primary data center is a specific effect; the contributing incident is of less import in the planning effort to maintain continuity of operations.

Planning for New Communications Paradigms

There is little doubt that paper-based communications, commerce and government have been substantially impacted by terrorist activity and undoubtedly more can be expected, especially given that the majority of Al-Qaeda operatives and cells remain active as do, quite likely, domestic terrorists that may be responsible for the anthrax attacks. Examples include credit card companies and public utilities that saw collections of millions of dollars delayed for weeks if not months; the U.S. Supreme Court, one of the most paper-centric businesses, where time critical legal proceedings ground to a halt and there were no contingency plans in place; and the U.S. Congress where the majority of the members of the Senate were displaced for nearly six months and thus lost their critical electronic constituent communications in addition to mail access. We also know that remediation is costly and difficult and that prevention is uncertain. The Brentwood Post Office in the District of Columbia, for example, remains closed. 

Although experts are divided on whether the current situation will facilitate a movement to electronic forms of communication for business and government, we believe the answer is an unequivocal yes, given cost and risk issues, although the transition may continue to be evolutionary. Just one measure of the scope of the plans in play is given by the Office of Management and Budget (OMB) which hopes to see the conversion to electronic form of over 5,000 types of government-to-government, government-to-business and government-to-citizen transactions during the Bush Administration. 

In developing new communications paradigms, both to improve efficiency in general and to build resilience to attack, there are both models and challenges. To date, a significant number of credit card issuers and utilities have brought online secure Internet bill payment capability and the majority of banks have significantly enhanced online-banking services for their customers. Although few if any have explicitly linked these rollouts to the disruptions of September and the continuing threats, the number and richness of services offered makes clear that such businesses are positioned to survive in an electronic milieu as necessary. Another model is Senator Kennedy's redundant information and communications processing system that prevailed over facilities closure. Although initially introduced last year to improve office efficiency by managing information and maintaining communications between the Senator's offices and his many constituents, it proved adept at maintaining those services even with the mail disruptions and office closings in Washington. Modeled after a system used by New York Governor Pataki and utilizing Lotus Corporation's Domino workflow automation software, but with Apple Macintosh workstations, this environment is essentially a wide-area network with a central server and databases, for ease of administration and common data availability, but also duplicately hosted at a remote location, in this case Boston, for purposes of redundancy. In addition to supporting seamless continuity of operations, the system also provides a superb platform for the development of additional e-services, several of which are planned, including an automated scheduler.

Challenges? Yes, ranging from the ubiquitous security issues to design problems that adversely affect customer service. Indeed, informal surveys have highlighted an increasing failure to perform design tests as well as subsequent beta operational tests with a subset of the customer base prior to deployment. This, I submit, is perhaps a primary impediment to more effective e-government and e-business solutions.

Moving Beyond Traditional Vital Records Schemes: The Need for a Comprehensive and Effective Knowledge Redundancy Plan

Vital records programs taught in schools and advocated by consultants are an element of the records management program in most enterprises but, I submit, are woefully antiquated. As an attorney advising private and government clients over the years, I have found that few senior managers or corporate principals understand the composition of the full range of their information assets and that the majority of vital records plans are rooted in the days when paper records dominated the world and all too often were ignored in substantial part on a daily basis. What this suggests is the gravity of the need to understand the distinctions among data, information and knowledge in each of our businesses, to define each with exactness (that is, to define a taxonomy of the full scope of business information assets) and to develop an effective "knowledge redundancy" program.

What is a knowledge redundancy program? It is the key element in the plans of an organization to survive disasters and continue operations. It seeks to guarantee that the key knowledge of a business is preserved along with the infrastructure to store, move and apply that knowledge. It follows then that we must include in our plan not only key information assets in electronic or paper form but also the human element where the most valuable business knowledge resides, the communications infrastructure to protect the various forms (for instance, transactions, research, news and peer-to-peer communications) and the storage and processing infrastructure, including both hardware and software such as user applications. It may be considered similar to or an element of the more familiar disaster recovery plan or business continuity plan but with an important distinction: the focus is on information and knowledge preservation and the ability to continue to apply it.

Some businesses are more data-intensive (for instance, commercial banking) and others, such as law firms, are more knowledge-intensive, but what is critical for each is the requirement to understand the structure of the most important business asset and to develop a program for "knowledge survivability" and hence organizational survival. In some businesses, such as those in highly regulated fields like banking, the practices are quite good vis-à-vis data protection. Because the business is data driven, their ability to survive disaster is quite good. Others, such as law firms, are in much more jeopardy since even 100% survivability of their information, such as litigation and client files, would mean little without the tacit knowledge maintained by the individual lawyers and paralegals. What these facts suggest is that we must no longer be satisfied by a "vital records" plan in this day and time since a substantial minority (some experts estimate less than 20%) of an organization's critical knowledge may be contained in such forms. We must understand the forms of all of the knowledge and ensure survivability.

What is the focus of such a plan? A knowledge redundancy plan should not consider and address every form of attack or threat; any resulting plan would be impossibly long and certainly incomplete. Rather, it is critical to focus on specific results (the denial of access to specific assets) and proceed to solve that problem set. A classic approach here derives from the taxonomy work that many organizations have employed to organize their information resources. Foci could include physical space (ranging from building loss to floor loss); hardware assets (from servers to workstations); data and software assets; and communications assets. The objective, of course, is to remediate the immediate loss and provide continuity of operations.

What are your organization's plans and practices in this regard? The answer, I fear, is not uniformly excellent. The old solution of a vital records plan and backup tapes is hopelessly unsuitable in terms of scope and practice. First, the focus is solely on data and second the practice in the long term runs from good to poor. Today, the solutions range from this antiquated approach to a comprehensive software system that replicates data on a real-time basis and transmits it to a mirror-image hardware facility over secure fiber optic lines. Veritas and EMC are two companies who can provide such services, yet the scope of implementation of such solutions is not good. A September 2001 survey by the Society of Human Resource Management found that only about half of American businesses have a comprehensive disaster plan in place and whether the majority could be characterized to include a knowledge redundancy plan is unknown. 

There are, however, instructive examples that highlight the importance of detailed knowledge preservation planning, appointment of responsible personnel, establishment of critical communication links in the community, the purchase of necessary equipment like radios and regular drills. The law firm of Harris Beach occupied the entire 85th floor of the south WTC and while they lost only six of their personnel, they lost all of their information and explicit knowledge. As a result the firm was required to call every client and ask, "By the way, would you send us a copy of everything we've ever sent you?" and then adversaries and ask, "Would you send us a copy of everything that's in your file?" and then the courts and ask, "Would you send us a copy of everything there?" Today they occupy cramped space on 42nd Street that resembles a telemarketing operation and are attempting to rebuild operations having lost millions of dollars in billable time and knowledge rebuilding operations.

By contrast, Morgan Stanley, the financial empire that employed thousands of people in the World Trade Center array of buildings, adopted a comprehensive disaster plan after bomb threats during the Persian Gulf War in 1991. As a result, only six of 2,500 employees in the WTC died, a result characterized by company officials as "pretty miraculous" but a direct result of a "pretty detailed evacuation plan." 

Similarly, Deutsche Bank, with three buildings and 5,500 employees within blocks of the WTC, was able to activate a reserve and mothballed data and operations center within a few hours that operated perfectly and preserved the information assets of the business as well as replaced the destroyed communications and processing infrastructure. The cost but critical value of such a center is demonstrated by the bank's observation in the days immediately after: "It sits here and collects dust until you have an emergency and now everybody realizes just how important it is." 

And, among government businesses there are also bright spots including the federal Office of Personnel Management that employs some 2,500 employees at its headquarters in the District of Columbia. This agency has had a comprehensive disaster plan in place for several years with designated wardens and emergency response teams to preserve life and information.

The result of failure? The well-respected information technology research firm Gartner Group estimates that 40% of organizations go out of business after a disaster if they do not have a comprehensive knowledge redundancy plan. Similarly, Global Continuity, Inc., a preservation firm, notes that in the 1996 bombing of the Manchester City Center, some 50% of the affected 450 firms failed in the aftermath. 

Concluding Thoughts

The bottom line is that this will be a long and costly war. And, most if not all of our wars in the past have opened with battlefield debacles or surprise attacks on strategic resources: Long Island 1776, Bull Run 1861, Havana Harbor 1898, unrestricted submarine warfare 1917, Pearl Harbor 1941 and Korea 1950 come immediately to mind. In most cases, we have snatched victory from the jaws of defeat through two mechanisms: first, the ability to marshal our labor and intellect to the challenge (for instance, the Manhattan Project), and, second, the belief and determination that we will win no matter the cost, no matter the time, in other words, resolve. But, we have failed to demonstrate these mechanisms more recently: Vietnam, Lebanon, Somalia and even the 1991 Gulf War that was not brought to the conclusion required. Terrorists and thugs today, like the Japanese military warlords of 1941, believe that the United States is cowardly and can be defeated.

Here, it will take time and the two mechanisms that have served us in victory before. But the domestic implications, cultural and business, will be substantial. For the information manager, the world events at play today present an opportunity to address a critical issue that often has been allowed to languish: knowledge preservation. This is the time and here is the necessity to move from antiquated vital records plans to a modern knowledge redundancy plan, to identify the key informational and knowledge assets, tacit and explicit, and guarantee their survival in the face of a host of traditional and new threats. And, as we have seen in a range of examples from Senator Kennedy's office to international banking, it is also an opportunity to re-engineer our information environment to increase business efficiency.

Working Definitions 

Data may be considered information in its rawest, most pristine form, most often simple facts and figures. 

Information is a compilation of data elements that is obtained by communication, study or investigation and that can be organized and represented in written, electronic or incorporeal forms. 

Knowledge is more than data and more than information. Knowledge flows from the ability of an organization to mine both the tacit and the explicit information resources in its possession and to apply those resources most effectively to the business. 

    Tacit means those resources in the minds of the workers or similarly extant, and especially those resulting from expert judgments.

    Explicit means those resources contained in the physical and electronic records of the business. 

In sum, knowledge is the fullest intellectual exploitation of information resources and its application to the bottom line of the business enterprise; knowledge is the primary strategic asset of the business.


Copyright © 2002, American Society for Information Science and Technology