THE MAGAZINE OF THE BUSINESS CONTINUITY INSTITUTE | Q2 2018
A SHARED APPROACH A respect for resilience at strategic level pays dividends for Dubai Airports
3D printing: Putting the parts together smartly and efficiently
GDPR: EU data protection regulation is a worldwide issue
Talent pipeline sees welcome surge of cyber security expertise
Q2 2018 | ISSUE 2
REGULARS
04 Welcome
06 News
BCI’s Manifesto for Organizational Resilience, TSB data slip-up, warning over Brexit agreements
10 Debate
How do you make an organization better adapted to deal with business continuity?
12 Interaction
Opinion: Global links can help BCI growth
Expert View: GDPR has potential, but simplified policies will achieve real change
15 Tech Round-up
News from: Office 365, Continuum, Adler and Allan, Kaspersky and CompuCom
36 BCI News
Business Continuity Awareness Week reviewed, BCI innovation rewarded at Memcom awards, BCI event calendar
37 Appointments
Who’s moved and where in the industry
38 My Lightbulb Moment
BCI North West Forum’s Stephen Nuttall on getting the question right
FEATURES
16 Putting the parts together
3D printing offers business continuity and resilience countless solutions to everyday problems, but making them fit effectively is crucial to avoid operational difficulties
20 SPECIAL REPORT: Data guardians
The EU’s General Data Protection Regulation (GDPR) came into effect on 25 May. Businesses and continuity professionals must quickly deal with the implications of this seismic change
28 PROFILE: Dr Marwan Ibrahim
The director of corporate resilience at Dubai Airports says the profession needs teamwork from organizations to improve operability
32 Tooling the talent pool
Business continuity faces a growing recruitment challenge, but pinpointing where the skills shortage lies is proving difficult for some
COVER PHOTO: DR MARWAN IBRAHIM BY SIDDHARTH SIVA/TWENTYTWENTY ©
LEADERS’ MESSAGES
WELCOME JAMES MCALISTER FBCI
Don’t be complacent on GDPR
At the time I’m writing this we’re just a few days away from the European Union’s General Data Protection Regulation (GDPR) coming into effect on 25 May, 2018. It brings with it new obligations, ensures increased data protection rights for EU citizens and places restrictions on the flow of data across borders. The GDPR applies to any company globally that holds EU contacts in its databases and guarantees the protection of the personal data of all EU citizens. In simple terms, any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they don’t have an EU business presence. GDPR will require every organization that fits that description to understand its own security frameworks and take steps to reduce or eliminate risks. GDPR is self-policing, and provided you can demonstrate that the systems you have in place are adequate for your business, then complying with GDPR should not be too difficult. If you haven’t done so yet, you will need to undertake a thorough risk analysis to assess the likely impact of GDPR on your business. Begin by classifying the data you collect and store to ascertain which data is sensitive, where it is stored and who has access to it. Organizations should ideally adopt a single platform for data governance and policy management to avoid the risk of data fragmentation in storage. This will help you to identify risks specific to your organization. Your risk assessment will need to be a dynamic process through which you are constantly monitoring new data, identifying new risks, and re-evaluating your risk levels, then updating your analysis and action plans. The greatest danger many non-EU organizations face is complacency: check your exposure – do not assume.
James McAlister FBCI Chairman, BCI
DAVID THORP
Reach out to the community
I have always believed that the most important stakeholder of any professional association or institute is not its membership, but society itself. Professional bodies develop and broaden expertise in their members and are actively involved in supporting and improving the performance of practitioners and developing the professional discipline they represent. But who benefits from that performance? The individuals themselves, obviously. The organizations that they work with or for, definitely. But in helping those organizations to perform optimally they contribute their expertise directly to the maintenance of a stable society… and that’s to the benefit of us all. Our annual outreach programme Business Continuity Awareness Week (BCAW) took place during the week of 14-18 May and this year we had more activities planned than ever before: more webinars, more interactive opportunities, more events, and more social media activity to get across the message that business continuity processes should be at the heart of every organization, regardless of its size, sector, and location. And, of course, this year BCAW also saw the launch of our Manifesto for Organizational Resilience, which carries a number of undertakings from us about what we are going to do to play our part in bringing disciplines together for the common benefit (see News p6). BCAW to me is one of the most significant campaigns the BCI undertakes. Of necessity many of our activities and initiatives are focused on our member community. At the same time BCAW is deliberately designed to take the message to a non-practitioner audience, to raise awareness across organizations on how they can be geared to survive setbacks or disruptions by identifying and analysing areas of risk and developing solutions to ensure continuity of business. The very first time I became aware of the BCI was when I was leading another professional body and received a communication about BCAW. We were able to play our own small part in spreading the importance of business continuity management by ensuring our own members were fully aware of what was involved and encouraging them to take part. In the complex, interdependent world in which we live, the standing of any professional body will be at risk if it allows itself to become too inward-looking. A broader view is required. The body must consider the needs of the wider networks of people and organizations who can benefit from the accumulated expertise and body of knowledge of its members. BCAW is the visible manifestation of this philosophy.
David Thorp Executive Director, BCI
PHOTOGRAPHY: AKIN FALOPE
DEEDEE DOKE
Editor’s comment
For travellers making the prolonged journeys between Asia or Australia or New Zealand to Europe, a stopover at Dubai International Airport offers a welcome breather between flights. It’s also a pleasant entry point to Dubai itself. But as well as providing air-conditioned and spacious comfort, luxury shopping and food and drink, the airport is almost a complex city of its own. And Dr Marwan Ibrahim, our cover subject this month, oversees corporate resilience for both this and a sister airport that is destined to receive even more traffic than the existing Dubai International. Have a look at the resilience framework that is in place at the Dubai Airports, and see what you and your own organization may be able to learn from their experiences at this international crossroads of commerce. Also featured in this issue of Continuity & Resilience are an examination of the role 3D printing can play in business continuity (BC) activity, a view of the global talent market within the BC and resilience disciplines, and most urgently, information on the global impact of the General Data Protection Regulation in effect in Europe, most recently the UK. Have a good quarter!
DeeDee Doke Editor
GLOBAL NEWS UPDATE
40%
Nearly two-thirds of employees use a company-approved device for work. However, less than half (40%) of those who use a personal device are regulated when using it, finds a recent Clutch research study of 1,000 employees
ORGANIZATIONAL RESILIENCE
BCI launches Organizational Resilience manifesto
By DeeDee Doke
The Business Continuity Institute (BCI) has launched a call to action to fellow professional bodies across the resilience disciplines to collaborate on delivering a new vision of organizational resilience (OR). Unveiled in London on 14 May at the start of Business Continuity Awareness Week (BCAW), BCI’s Manifesto for Organizational Resilience is intended to broaden knowledge and understanding of resilience and business continuity. It also aims to increase development and expertise across BC and related disciplines. To achieve both goals, the Manifesto offers four pledges aimed at supporting the delivery of resilience to organizations “whatever size they are, whatever it is that they do, and wherever in the world they are located”.
“We believe that (OR) is delivered when different disciplines work together in a co-ordinated manner,” a BCI statement said. “There is no discipline that can claim to cover all aspects of resilience. Instead, resilience is delivered by multi-disciplinary specialists working together toward a common purpose.” Business continuity professionals, the statement went on to say, play a key role in co-ordinating the activities of the various specialists.
One of the pledges, focused on championing academic research, involves a series of key initiatives that include: the development and launch of a new journal to be available from 2019, creating an academic/practitioner conference and establishing a foundation with corporate partners in 2019 to develop a resilience research agenda. Speaking at the launch, BCI executive director David Thorp promised that research would be tied to potential impact, with the BCI ensuring projects were “rooted in reality”.
The online tool referred to in the fourth pledge, which will be free and available on the BCI website, is specifically intended to benefit small-to-medium sized businesses (SMEs), which are “constantly overlooked”, said BCI’s Thorp. “They don’t even know which questions to ask.” The tool, which is expected to be available within 12 months, will instruct practitioners on what needs to be done to achieve OR. It will also provide a starting point for the journey toward OR.
Business continuity and related disciplines may benefit within their organizations from the more strategic-sounding ‘organizational resilience’, speakers at the launch agreed. While too often BC gets little attention within organizations until an incident, an ‘OR’ approach may resonate more strongly with C-suite executives who are focused on their legacy, suggested speaker Tony Reilly, global strategic marketing director at BSI (British Standards Institute). “‘Is the organization better after me?’ Organizational Resilience hits that spot,” he said.
SAI Global and Strategic BCP ResilienceOne sponsored BCAW 2018.
The Manifesto’s four pledges are:
1 To champion academic research and new thinking for the benefit of the practitioner community
2 To create a series of global and local Resilience Alliances with other “like-minded” professional bodies
3 To establish a series of Next Practice Groups across the UK, Europe, India, North America and Australasia
4 To develop and launch an Online Resilience Tool designed to increase awareness amongst organizations of all sizes and across all sectors
VISIT THE WEBSITE FOR MORE NEWS: WWW.BCI.ORG.UK
76%
Most employees use passwords as the primary form of IT security at their company. More than three-quarters (76%) practice some form of password protection, the Clutch survey finds
11%
The cyber security industry is suffering a skills gap, with half of under 25s seeking to use their skills for financial gain instead
CYBER SECURITY
Cyber security ‘needs to do more’ to recruit young people
By Graham Simons
More needs to be done to encourage people into cyber security roles, according to David Emm, a principal security researcher at multinational cyber security and anti-virus provider Kaspersky Lab. Emm’s comments followed reports in UK national newspaper The Times that Cyber Security Challenge UK and the police had organised a series of boot camps earlier this year with support from the National Cyber Security Centre (NCSC). The NCSC is part of the UK’s Government Communications Headquarters (GCHQ), an intelligence and security organization which supports the British government and armed forces. The boot camps were devised with the aim of turning youngsters away from crime and plugging the shortfall of specialists within the NCSC and wider industry. But Emm warns authorities have a challenge on their hands in light of the research they have carried out.
“The cyber security industry is suffering from a significant skills gap – despite efforts by managers to increase hiring, demand is outpacing supply. Kaspersky Lab research has revealed that only half (50%) of under-25s would actually join the fight against cyber crime – a significant number would use their skills for fun (17%), secretive activities (16%), and financial gain (11%) instead,” Emm said. “The technology industry and education institutions therefore need to do more to encourage young people into this profession. More young people have an interest in computers generally and possess the right transferrable skills.”
50%
only half of under-25s would actually join the fight against cyber crime
33%
a significant number would use their skills for fun, secretive activities
NEWS
IN BRIEF
Germany tops cyber pay table
Germany leads the way in terms of cyber security pay, according to research from global multinational risk management, insurance brokerage and advisory company Willis Towers Watson. Germany ranked first for cyber security pay in Europe, followed closely by Ireland and France. The UK ranks fifth. A mid-level cyber security professional in Germany is likely to earn almost a fifth (18%) more than their British equivalent.
Brands warned to ditch ‘damaging’ attempts at corporate humour
Businesses have been urged to lay off the corporate humour. The warning follows an April Fool’s joke played by Dutch recruitment agency YoungCapital, which issued a press release claiming it would offer candidates a shot of alcohol to relax them at interviews. Alastair Turner, global CEO at public relations agency Aspectus said such misguided forays can damage a brand. “Leave the comedy to comedians,” he said.
TECHNOLOGY
‘Full transparency will help both TSB and its customers’
By Graham Simons
Providing effective support to staff and timely, transparent communications should be among the top priorities for the UK’s TSB Bank in the wake of an error that occurred during the transfer of accounts to a new IT system. In April, more than 1.9m online TSB customers were unable to access their accounts following the error.
Commenting on how TSB CEO Paul Pester should navigate this crisis, Alice Kaltenmark, President, Continuity Professionals of Ohio and Vice President of the BCI USA Chapter told Continuity & Resilience Pester should now prioritise timely, transparent communications with customers and resolving their worries. Kaltenmark also recommended expressing sincere concern for every customer, providing consumers with easy ways of reporting their issues, monitoring the bank’s social media presence to ensure their customer care message is visible and training employees so they can provide the support and guidance customers need. “The bottom line is – be prepared for things to go wrong so that they can be dealt with immediately, mitigating impact to customers,” Kaltenmark said.
Elaborating on their response to the problems the bank had encountered, a TSB spokesperson said: “Our teams have continued to work around the clock to put things right for our customers. “Our website and mobile banking services are now operating at around the same levels that they were prior to the system change. We will ensure that no customer is left out of pocket as a result of these issues.”
In elaborating on what she would expect to see from such a technology migration, Kaltenmark pointed to the following procedures:
The running of new and old systems live in parallel for at least three months to ensure all transactions are completed successfully with accurate results
A phased release plan that migrates functions or subsystems over a period of time to ensure accuracy at every step – this would require the old and new systems architecture to accommodate a phased release strategy, so may not have been feasible in this instance
The design, documentation and exercising of a release fall-back plan, including the decision criteria for proceeding or falling back, to revert to the old system if catastrophic issues are encountered
Retaining the ability to revert to the old system for at least a month
Monitoring system performance and validating all transactions and system feature/functions for accuracy after go-live release
The communications plan be designed, documented and exercised to manage any issues that may arise from the migration
The anticipation of increased customer calls by augmenting customer support call centres and training the representatives well to respond to any technical issues customers may encounter
$715,000
the average cost per DNS attack has risen to $715,000 (£530,000), an increase of 57%
CYBER SECURITY
Domain name server attacks on the rise
By Colin Cottell
DNS (domain name server) attacks in which perpetrators look to exploit vulnerabilities in the domain name system are on the increase across the world, with the average cost per attack increasing by 57% year-on-year to $715,000 (£530,000), according to a new report.
The 2018 Global DNS Threat by EfficientIP, a specialist in DNS security, found that over the past year organizations on average faced seven DNS attacks, costing some businesses more than £5m. More than three-quarters (77%) of respondents said they had been subject to a DNS attack. The impact of DNS attacks can cause disruption and brand damage to businesses. DNS malware and phishing were the most common source of DNS threats, followed by the threat from DDoS (a type of denial of service attack).
The report, based on 1,000 respondents in North America, Europe and Asia Pacific, found that the cost of DNS attacks varied between different countries, with an attack costing businesses in Singapore an average of S$710,000 compared to $654,000 for businesses in the USA.
David Williams, CEO of EfficientIP, said: “The frequency and financial consequences of DNS attacks have risen and businesses are late in implementing purpose-built solutions.” However, he said “IT leaders now have a better understanding of why DNS is fundamental to business continuity so securing DNS has become a top priority.”
FINANCIAL
Brexit deal must safeguard data – trade body
By Graham Simons
A trade association for the UK banking and financial services sector has called on both sides of Brexit negotiations to agree to a “standstill” transitional arrangement to avert a crisis that could see the transfer of personal data between the UK and EU when the UK leaves the European Union in 2019. Commenting on a recent speech made by UK Prime Minister Theresa May in Munich in which she outlined proposals for bespoke arrangements to allow the continued sharing of data post-Brexit, Stephen Jones, the CEO of the trade association UK Finance called on government for transitionary arrangements to be put in place. Jones told Continuity & Resilience: “Citizens, businesses and organizations move personal
data back and forth across national borders within Europe as a normal part of their day-to-day activities. “When the UK leaves the EU, it will leave this relationship and, without another arrangement in place, transfers of personal data between the UK and EU could be severely disrupted and in some cases will be forced to stop. “A framework on mutual adequacy agreements between the UK and the EU would allow citizens, businesses and organizations to continue to enjoy the benefits and protections that they currently do. “This would enable both sides to [ensure] citizens’ personal data enjoys high standards of protection. “We encourage the EU and UK to agree to a standstill transitional arrangement for a set period of time to allow for agreements to be put in place.”
DEBATE
THE BIG QUESTION
How can organizations be encouraged or persuaded to take business continuity more seriously?
ALEX FULLICK, CANADA
Give clarity to executives
Organizations don’t take business continuity (BC) seriously because there is a battle raging between the bottom line of current business priorities and the need for immediate results from investors versus an unclear description of a complex, time-consuming methodology that doesn’t clearly outline its value. To get organization executives to take BC seriously – or provide greater support and buy-in, we as BC professionals need to start speaking the language of executives and understand their expectations; what drives them and what they focus on. Currently, we convey the message ‘we need to do this because of that’ and then follow that up with a long list of complex and confusing processes (recovery time objectives, maximum acceptable outage etc.) before ever getting to any tangible deliverable executives expected. Why would any executive take BC seriously when the methods are long, complex and the value is unclear? Alex Fullick, MBCI, CBCP, CBRA, v3ITIL
MARK MAHONEY, UK
Put the spotlight on cross-functionality
Fundamentally, the reason for taking business continuity (BC) seriously is, as its title suggests, to ensure business continuity. However, sometimes even the most obvious things are not always visible. It is ultimately about managing risk. Of foremost importance when engaging organizations in BC, is the explanation and awareness of the cross-functional approach to, and nature of BC and how this ultimately builds the organization’s resilience to risk. The capability of a BC practitioner must also be cross-functional in their make-up. This effectively enables the practitioner to explain the links and understanding of the relationships between (among other things) BC, communications, crisis management, health and safety, risk management, security, the operating environment and the organization’s culture. If you are this, and you know this, and you take this approach when explaining the purpose and effectiveness of BC to an organization, they will take you, and BC, more seriously. Mark Mahoney, MBCI, GIS Independent BCM
ESRA ERBAS, UK
Simulate crises – show the reality of BCM
Running crisis management simulation exercises are an unbeatable way to unleash (nervous) energy in the boardroom and fully capture executives’ attention, so BC practice and resilience is promoted from being just a tick-box exercise to a meaningful company discipline. Nothing is more sobering for exec teams than having to work through a fictional, but entirely possible, crisis scenario which is occurring in real time, generating eye wateringly negative media coverage and hostile customer enquiries, while having to make snap decisions without full information or a clear understanding of exactly what is happening. As business continuity leaders, let’s not overuse the word “risk” to get business continuity taken seriously. We’re way more energising than that and critical within the organization. Let’s make sure we bring real-life drama into our programmes to really ensure we get the attention we need to keep business continuity in its rightful place at the top of the corporate agenda. Esra Erbas, CBCI, Head of business continuity management, Paysafe Group
BOB ALSAN, USA
Highlight BCM’s importance to profit loss
There are numerous avenues to promote business continuity and resilience among companies. First and foremost should be a life safety matter. The costs associated with not having plans in place likely outweigh that of creating and maintaining those. Bottom line loss due to extended business disruption is always a tune that will ring with executive leadership. Compliance to regulatory or contractual obligations sometimes dictates the need to maintain such plans. Finally, this is something that astute clients are further seeking from their vital suppliers. Bob Alsan, business continuity director, Ultimate Software Group
PHOTOGRAPHY: ISTOCK
JOOP FRANKE, THE NETHERLANDS
Communicate the necessity of BCM To organizations I would say, “just look at the impact of a disaster or a crisis, then you will take BCM seriously”. From the top to the bottom of your organization, communicate the necessity of BCM. Ways of doing that could include making a longterm communication plan that will ensure the message gets through. Make a video with the organization’s C-level leadership. Announce who is accountable and is responsible for the working of BCM. Build a BCM intranet site where employees will find all the information they need, or use a company magazine
to give specific attention to a BCM theme. Ensure you have a BCM help-desk, telephone number and email address so you can have two-way communication with all employees. Publicise your policy document, carefully plan all crisis management, safety and health and disaster recovery tests, and perform them on time as planned. Joop Franke, FBCI, owner of BCxPERT
INTERACTION
OPINION GEOFF HOWARD
Global links can help drive BCM growth
At the beginning of 2007, Shanghai had five metro lines and China was the fourth largest economy, predicted to be the second largest by 2025. Mobile banking as we know it did not exist. Now, Shanghai has the biggest metro system in the world with 16 lines and 644 kilometres of track, compared to London’s 400 kilometres. China became the second largest economy much earlier than predicted. This year, more than half of all cash transactions are conducted using AliPay or WeChat Pay on smart phones: whether it’s buying a bottle of water or paying your rent. But has implementation of business continuity management (BCM) kept pace with China’s growth? In 2007, I met with the Chinese general manager of the China division of one of the UK’s multinationals. “Mr. Howard,” he said, “I have been told to implement BCM, but what is it?” In other organizations, BCM was either non-existent or in its infancy. Here was an opportunity for growth. The BCI took heed and put on a conference in Shanghai four years in succession. The result was that by 2012, it had 91 members. That was the last year the China conference ran. Since then, the BCI’s reduction in interaction with China has had depressing consequences. Membership has dropped to 29 in total, with only 18 professional members or CBCI certified.
By contrast, awareness of the need for BCM has risen markedly. On 28 December 2011, China’s government issued a 28-page BCM directive to banks, financial asset management companies, credit unions, trust companies, enterprise group finance companies and leasing companies. Since then, China has introduced laws governing network security, with BCM and resilience requirements enshrined in law. However, the BCI’s decline there since 2012 doesn’t reflect that. Growth of membership has been impressive in the English-speaking countries; at the same time, such growth has proved difficult not just in China, but nearly everywhere where English isn’t the first language. The obstacles to growth in China are huge, but there is a way to make progress. I have made good friends in China’s BCM community. In every case, they were referred by their colleagues in the West. If your organization has links to China or other non-English speaking countries, reach out and promote your institute. And I say to the BCI, use your membership at home to promote the Institute abroad.
Geoff Howard is Chairman of Continuity Shop. Ten-and-a-half years ago, he went to China on a trade mission, tasked by the BCI with delivering a report on the state of BCM there. He has made 19 business trips since, and continues to analyse China’s development.
THIS MONTH’S BEST TWEETS TWITTER @THEBCEYE
John Boitnott @jboitnott May 15 Tesla is holding a hackathon to fix two problematic robot bottlenecks in Model 3 production https://electrek.co/2018/05/13/tesla-hackathon-robots-model-3-production/
Public Safety Canada @Safety_Canada May 10 Emergencies don’t just affect humans – make sure to plan for your animals too! Learn how to include any pets or service animals in your emergency plan: #EPWeek2018 http://ow.ly/dbV930jVKTj
Avalution Consulting @Avalution May 11 Addressing the Ransomware Threat at Hospitals and Health Systems: Working toward a cross-functional solution to protect against the ransomware threat http://ow.ly/CCXQ30jZcBv #healthcare #incidentmangement #businesscontinuity #ITdisasterrecovery #informationsecurity
Towergate insurance @Towergate May 14 A simple guide to creating a business continuity plan https://goo.gl/JYS5KQ #BCAW2018 #businesscontinuity
EXPERT VIEW JASON COBINE
GDPR has potential, but simplified policies will achieve real change
The General Data Protection Regulation (GDPR) has no exemptions that organizations I work with can rely on – perhaps for the first time with data, we are all in it together. The challenges facing organizations trying to comply are magnified by the amount of ‘fake news’ surrounding it. I haven’t been surprised by the feeding frenzy from those trying to cash in, yet I am somewhat alarmed by the number of self-described “experts” on this untried legislation. I understand that it takes 10,000 hours to become an expert in something, and I’m wondering how these so-called experts managed that. C’est la vie. What truly concerns me is GDPR is a massive cultural change. I fear that the policies being written and disseminated are not going to empower the people that need to deal with data on a daily basis. During my 29 years in the field of risk, insurance and business continuity I have seen many issues that could have been avoided by educating people. Yet it seems that policies are written to ensure employment or contracts can be terminated rather than actually encouraging people to comply. I realise that this is partly due to legal precedent, yet motivating people by fear is far weaker than motivating them by other means. Having listened to many people and taken in copious amounts of information, I think that the feeding frenzy has prevented people
from understanding the data regulator’s mission. They want organizations to be careful with data and to respect the wishes and privacy of ordinary people. These aspirations are not a lot to ask, yet achieving them is undoubtedly awkward. The awkwardness diminishes if the culture of an organization recognises this. I have this awful nagging doubt that people will not be motivated to do the right data thing if they are either told off or disciplined when they make mistakes. I’ve seen many policies that tell people what to do, yet they are rarely allied with the cultural piece. Even more rare is the right level of education and reinforcement that motivates. The deadline will come and go. Yet the regulator’s mission will not be achieved if the blame culture continues to be the most pervasive in organizations. One issue that seems to have escaped scrutiny is the way salespeople treat data. Arguments over who owns it are regular, especially with the advance of online networks. Roughly 50% of people take data with them when they leave one organization for another. At least two companies are in breach when this happens and the individual involved has broken the law. It is theft after all. The existing regulations say this shouldn’t happen. Yet half of the population think it’s OK to take the data when they really know that they shouldn’t. It could be argued that policies that discipline people have worked because they have stopped the other half from doing this. Yet half is not enough.
It should be a single digit number, at the very worst. So policies and procedures are not working now. New ones will not change that if they don’t address the cultural side of human behaviour. What can be done? A new type of policy is required. Naturally, it should start at the top of an organization. It should motivate people to change the way they think about data. It should be readable, not shrouded in jargon. And most of all, it should reward people for doing the right thing. Jason Cobine is an insurance broker in London who works with businesses and charities. He has built a business from scratch without pilfering data, so he knows how hard it is. Yet it was a cultural decision that has been proved to be correct.
POWER POINTS
Getting started
1 Assess the data impact
Carry out a Data Protection Impact Assessment – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
2 Get the workforce involved
Engage your people in the process and the findings to get them on board. They will probably have diverse ideas that can improve data security and make it easier for everyone.
3 Inspect your insurance plan
Check your insurance policies to see what is covered or excluded like crime, which is often excluded – even in cyber insurance policies – and contact your broker or risk adviser to identify gaps.
TECHNOLOGY
TECH ROUND UP Best new tech this month

Log on to Office 365 monitoring
Real-time IT management company, ManageEngine, has added Office 365 monitoring capabilities to O365 Manager Plus. It offers health and performance monitoring for a range of 365 services including Exchange Online, Azure Active Directory, Skype for 365 Business and OneDrive for Business. Providing real-time email alerts on Office 365 service outages and historical monitoring data, it aims to give administrators and managers the ability to make quick business continuity decisions. O365 Manager Plus is one of the components of ManageEngine’s Log360 solution. www.manageengine.com

Understand your flood risk
In the future, the UK is expected to be one of the countries worst affected by rising water levels. Its organizations can better understand their own flood risk with Adler & Allan’s new flood risk management technology. The system allows a site to predict future flooding events and be alerted of any changes in weather patterns that are likely to lead to rising waters. The technology is delivered as a stand-alone service or as part of Adler & Allan’s 360-degree flood resilience service. It draws on historic and predictive data, is fully integrated with the Environment Agency and Natural Resources Wales data, and is updated every 15 minutes with latest flood warning information. Users receive automated flood risk scores based on geospatial data. flood.adlerandallan.co.uk

Asia-Pacific gets on the Continuum for BDR
Continuum’s back-up and disaster recovery (BDR) platform is being extended to IT service providers in Asia-Pacific, thanks to the addition of a data centre in Sydney. Continuum BDR equips service providers with the tools and technology to protect client data with a unified platform, supported by Continuum’s network operations centre and integration with IT management tools. Recognising that it can be difficult for IT service providers to offer robust business continuity services as well as have healthy business profit margins, the system is designed to make it easy for them to scale their services and centralise BDR. Continuum claims this should help providers to lower the total cost of ownership by serving a broad range of client environments. www.continuum.net

BEST NEW TECH
Rising to the cyber-crime challenge
The latest incarnation of Kaspersky Lab’s flagship security product claims to offer real-time detection of malicious activity via dynamic machine learning and increased visibility and granular security controls. Kaspersky Endpoint Security for Business also provides vulnerability management, credentials protection and integrates with the cyber security company’s Endpoint Detection and Response (EDR) product. Other next-generation technologies built into the product include behavioural detection, host intrusion prevention system, exploit prevention and remediation engine. An added mechanism guards system-critical processes and is designed to prevent credential leakage. The product is available globally. www.kaspersky.com

Eliminating a bank’s pain points
The Self-Healing Branch is an automated service that aims to keep US bank branch technology up and running. CompuCom Systems worked with six of the top US financial institutions and other clients to fully understand banks’ pain points and how to resolve them. The service automatically monitors device performance in real-time and claims to eliminate the need for user intervention so bank employees can focus on customer service. The technology behind the service, which has built-in artificial intelligence and analytics, is designed to detect and resolve issues such as outages and failures, with the aim of fixing them before they affect the business. If an issue can’t be “self-healed” the system records it, opens a service ticket and dispatches a technician without an employee having to get involved. www.compucom.com
3D PRINTING
BY SUE WEEKES
3D printing has the possibility to change construction and, by extension, business continuity for the better, but using the technology more concisely is crucial
PUTTING THE PARTS TOGETHER
When it comes to ensuring business continuity in sectors such as manufacturing and automotive, the ability to print a 3D spare part on the premises when needed seems an irresistible prospect. While there is no doubt that 3D printing – or additive manufacturing to give it its other name – has obvious potential for business continuity, there is more to it than simply installing a printer and pressing a button. It is a complex market made up of many different types of printers, technologies and raw materials. “For instance, a plastic 3D printer that will print with carbon-filled polyetheretherketone for car engine parts couldn’t be used to print steel parts,” explains Dr Phil Reeves, vice president of strategic consultancy at 3D printing company, Stratasys. “Organizations sometimes get obsessed with the technology rather than identifying the business problem they want to solve.” 3D printing is the creation of a 3D object from a digital file. The printer prints out layers of material (hence use of the term ‘additive’) until the object is created. It is rare to get a top 10 list of disruptive technologies in which 3D printing doesn’t appear in the top three. Without doubt it will be one of the underpinning technologies of the Fourth Industrial Revolution. Many organizations are only just starting to recognise its potential. Recent years have seen the technology start to be used in high-profile projects such as buildings. Dubai-based 3D print firm Cazza has announced its intention to 3D print a skyscraper while Aerial Additive Building Manufacturing (ABM) is exploring the use of aerial robots to print buildings autonomously. Design and engineering firm Arup and CLS Architects recently worked on the first 3D building made in the EU which was printed in 48 hours. Arup is also helping Amsterdam-based start-up MX3D to print a steel pedestrian
A STEP-BY-STEP GUIDE
Despite the number of practices and materials on the market, most 3D printing techniques adhere to the following standard procedures:
1 CAD
Produce a 3D model using computer-aided design (CAD) software. The CAD software can often give an idea about the structural integrity of the finished article.
2 STL Conversion
Convert the CAD drawing to the STL format, which is a file format that allows stereolithography apparatus machines to interpret the data for build. Most 3D printers can use STL files along with some proprietary file types.
3 Transfer to AM Machine and STL File Manipulation
A user copies the STL file to the computer that controls the 3D printer, gauging for print size and alignment.
4 Machine Setup
Each machine has its own requirements for how to prepare for a new print job, which includes providing refills of the printer consumables. This can also include adding trays to help with building foundations or temporary water-soluble supports.
5 Construct
Most build processes are automatic, and variables such as object size, machine and materials used will determine how long the process takes. It can be hours or even days, but regular checks of the machine are vital to ensure that no mistakes have occurred.
6 Removal
The object is removed from the machine safely, as certain materials may produce hot surfaces while toxic chemicals must also be considered in some cases.
7 Post-processing
Most 3D printers require a certain amount of post-processing for the printed object, such as bathing the object to remove the water-soluble supports, or removing excess material shavings. Some materials need time to dry, to prevent breakage or collapse.
8 Application
Use the newly-printed object or objects as desired.
The Office of the Future in Dubai was constructed entirely through the use of 3D printing
A reverse-engineered part printed in Grey Resin
footbridge. Meanwhile on the roads, Autocar magazine reported in March that the first entirely 3D printed car could go into production in 2019. For business continuity and resilience, the most immediate application today is in the area of creating parts to reduce downtime. “Where you could potentially suffer big productivity losses, that’s where people are looking at 3D printing,” says Reeves. GoPrint3D is the 3D printing division of the Express Group, traditionally a printer parts distributor, and has clients using the technology to keep their production lines going by printing jigs, fixtures and spare parts on-demand. It also has clients operating in the military sector that print parts remotely. “A common problem is that it is often difficult to anticipate stock levels, particularly for manufacturers. Typically, this can result in four-to-six-week lead times or sometimes longer,” says GoPrint3D’s David Whitehouse. “The other side of the coin is that you can also end up with high stock levels because the manufacturer has over-estimated how many spares will be needed. These two problems are huge: you either have long lead times or you have huge wastage. 3D printing has the potential to fix both of these problems.” One of GoPrint3D’s clients must regularly replace a particular part, and traditionally has had to hold a lot of stock because getting replacements required machining, which often took two to three weeks. “Now this client can simply print the part overnight,” says Whitehouse. “It takes 15 hours to print so it’s the equivalent of getting a pre-9am delivery. It still needs to hold one in stock, but has reduced stock holdings, saved money on spare
parts, reduced lead times and is also benefiting from weight reduction across the production line.” Traditional production costs for the part were almost three times as much as it cost to 3D print it. Despite its usefulness, there are a number of barriers to entry for using 3D printing for spare parts. First off, the object that requires printing has to have a data file. Also, the material properties of the raw material the printer uses may be different from those of the object you want to replace. Reeves explains that the theory of having a 3D printer offshore on an oil rig to print spare parts sounds great – but the reality is somewhat different because of regulations and standards. “Everything on that oil platform has gone through rigorous testing, rigorous approval and rigorous industry standards all the way back to the material when it is made,” he says. Whitehouse agrees that certification and regulation mean the clients that use this service are in the minority at the moment. He adds that design constraints can also be an issue. “For example, a part originally designed to be injection-moulded is going to need some tweaking in order to be 3D-printed,” he says. Organizations are exploring how they can surmount some of these issues, and Reeves recommends that exploration begin with a conversation with suppliers. Stratasys is seeing some supplier companies start to
PHOTOGRAPHY: GOPRINT3D, DUBAI FUTURE FOUNDATION, ARUP/LUCA ORLANDINI
design equipment and parts from scratch using a 3D printer, because those parts can then be printed by a 3D printer when they are needed. “You need to have a long vision with 3D printing,” Reeves says. In February this year, Stratasys and Singapore Airlines (SIA) Engineering established a joint venture agreement to set up an additive manufacturing service to provide 3D-printed parts for use in commercial aviation. The Singapore-based joint venture will offer design, engineering, certification support and part production to customers worldwide, including airlines, maintenance, repair and overhaul providers as well as original equipment manufacturers. “At the moment the barrier to entry for printing the tools is lower than it is to print parts,” says Stratasys’ Reeves. As well as design and regulatory requirements, it is important to assess the economic feasibility of printing any 3D object, big or small. Reeves says organizations often overlook whether it is economically sensible to use 3D printing. “They don’t look at technical feasibility and economic feasibility in equal weighting,” he explains. He admits though that it is easy to be dazzled by the array of technology available, with several fundamentally different types of 3D printers on the market, alongside some 400 companies making plastic printers and around 100 making metal ones. The starting point is to identify the material required for the object, which will narrow the choice of printer required. The other decision is whether to invest in a printer or use a service. For a one-off print, a 3D printing service will be the best option. In the future, though, more companies will want to explore the benefits of switching manufacturing of some products and parts to 3D and therefore invest in their own printer. “By 3D printing in-house, organizations can also build their competence in 3D printing as a whole,” says Whitehouse. 
“And they are likely to spot more opportunities internally where 3D printing can be applied to save time, money or improve business continuity.” Indeed, the more exposure organizations can give different departments and functions to 3D printing, the more likely new applications will emerge. “I’ve seen some fantastic companies – mainly in tech – put 3D printers in lunch rooms or internal spaces where people can experiment with them,” says Reeves. “Of course, users still need CAD skills at the moment, but the software is becoming more intuitive and easier to use and that will continue.”
THINK BIG, PRINT BIG Thinking big about the future prospects of 3D printing in business continuity management (BCM) requirements suggests that alongside spare parts, 3D printing could help organizations to cost-effectively print something as big as an office in a particular location if required. And the Dubai Future Foundation already has, in 2016. The 250-sqm Office of the Future was created by a giant cement printer (20ft high, 120ft long and 40ft wide) in 17 days and installed in two days. The technology reportedly cut the cost of labour by more than half, compared to
conventional buildings of a similar size. It is a fully functioning office and has also been built with energy-efficient features such as LED lighting and low energy air-conditioning. The UAE has committed to the use of 3D printing in 25% of its buildings by 2030. Guglielmo Carra, senior engineer, materials consulting lead Europe at Arup, was
involved in creating 3D Housing 05 for the Salone del Mobile design festival in Milan earlier this year. It was built by a portable robot onsite to showcase the role 3D printing can play in reducing construction waste. The building is made of 35 modules that were printed in 60-90 minutes each and the whole house took 48 hours to print. It is located on a square in the city centre, demonstrating that a temporary building can be made even in “hard-to-access locations” says Carra. “Therefore, a temporary office could be made as well. One of the key aspects of 3D printing is really about the flexibility and adaptability of the process to any location and environmental constraint.” Carra reports that the cost is comparable, if not slightly lower than traditional manufacturing technologies used to make concrete buildings and, as the technology evolves, this margin is likely to widen. Taking a wider view, Carra believes 3D printing will be instrumental in increasing resilience in cities and buildings, allowing for faster and more efficient builds. “3D printing allows for easy disassembly and repurposing. This could be key in the future of construction, where speed of erection and flexibility of adaptation to societal and environmental changes will become more relevant.”
SPECIAL REPORT
INFORMATION SECURITY
Protecting online personal information has become a global affair, as the introduction of the European Union’s General Data Protection Regulation (GDPR) aims to improve digital security worldwide
GUARDIANS OF DATA SPECIAL REPORT BY MARK SMULIAN
In offices in India, Singapore, America and other parts of the world, danger to business continuity (BC) lies in the computers that process data for European clients. Those that own them may be in for a distressing shock. Since 25 May, the long arm of the European Union’s General Data Protection Regulation (GDPR) has been able to impose maximum penalties for data breaches of €20m or 4% of worldwide turnover, whichever is greater. These may be imposed on both companies that own data and those that process it for them. The GDPR was adopted in 2016, but was not widely noted until late last year, when a rash of warnings from consultants, legal advisers and others began to appear. Even so, those based outside the EU may have felt GDPR either did not affect them, or that the EU could not enforce fines in another jurisdiction anyway. Think again. GDPR is based on the concepts of a data controller, who collects the data – for example, a large EU retailer – and one or more data processors, who perhaps work outside the EU. A major business in Europe that has data processed in Asia can be fined for a data breach committed by its Asian contractor. Even if the contractor was not itself fined, it would likely lose the client concerned and have difficulty finding others, since its failings would be made public by regulators. A company based outside the EU but which does business with people within it – for example by selling to them – is also covered by the GDPR. As a matter of BC, the GDPR poses problems if, for example, entire databases were held in ways deemed unacceptable by regulators or back-ups held abroad were stored on some unlawful basis. Accountancy firm PricewaterhouseCoopers (PwC) has warned clients: “Breaches may require crisis management response.
GDPR has more stringent requirements and penalties, so breaches have the potential to deliver greater damage.” Gini Blake, chief executive of advisory business at the GDPR Institute, says: “We have done some surveys which show that even in the UK, 63-67% of businesses have not started to do anything on GDPR, but 16% of Singaporean businesses think any breach of GDPR would be terminal for them. “Fines will cover anyone dealing with the EU who
processes the data of individuals there and it does not matter where the company is based.” While the EU’s ability to enforce fines beyond its borders is questionable, Blake says: “I think worse than the fines could be the reputational damage. Businesses that process data, and their data controllers, will find themselves jointly and severally liable if any breach occurs. “The biggest problem is being named as responsible for a breach, as anyone who has been fined a percentage of their turnover for the action of a processor is going to be rather upset.” Blake thinks India could see problems because while few Indian businesses deal directly with EU consumers, a lot of
Palestinian employees process data on their laptops in Gaza City
Citigroup Data Processing Centre China
PHOTOGRAPHY: GETTY, REUTERS
processing is offshored there. So does accountancy firm Deloitte, which in a guide to Indian clients warns GDPR is linked to the processing of personal data “in the context of the activities of… a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not” or concerning “data subjects who are in the EU”. The GDPR does not prohibit data transfers outside the EU, but these may occur only where the European Commission has decided that a country offers an adequate level of protection. Blake notes: “We are seeing the US slowly waking up to the implications of GDPR in the last few months, and really it is shocking, since the GDPR has been law since 2016.” However, opinions differ on how cautious a business should be. Michael Herrera, chief executive of Arizona-based BC adviser MHA Consulting, says: “Any US company that has a web presence and markets their products over the web will have some homework to do to figure out how they must deal with GDPR. “For everyone involved in business continuity and disaster recovery, note there will be new restrictions on data portability,” Herrera continues. “Under the GDPR, what happens in Europe stays in Europe. “If you have a disaster in Europe you will probably not have the option of recovering the affected personal data in another country such as the United States.”

GDPR: HOW DOES IT WORK?
The GDPR is complex, but is based on principles set out in its Article 5:
• Individual data must be processed lawfully, fairly and in a transparent manner;
• Data collected for one legitimate purpose must not be further processed for purposes incompatible with that;
• Processing must be adequate, relevant and limited to what is necessary for the purpose concerned;
• Every reasonable step must be taken to remove inaccurate personal data;
• Data must be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which it is processed;
• Data must be processed with protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
ANATOMY OF A CHIEF DATA OFFICER BY SUE WEEKES
With almost every large company expected to have a chief data officer (CDO) by 2019, Sue Weekes finds out exactly what the role entails and why it will become such a coveted position in the years ahead
Today the focus is to ensure the organization is compliant with GDPR. With data touching almost every aspect of a business, firms should be further bolstering their resilience for the future by recognising it needs representation at board-level. According to Gartner, 90% of large companies will have a chief data officer (CDO) by the end of 2019. So, what is the typical makeup of the perfect CDO who, as well as putting in place robust standards of governance, will play a key part in overseeing the strategies that enable an organization to maximise the value of their data?
1 BACKGROUND AND EXPERIENCE
Recruitment firm Harvey Nash says it sees individuals typically work their way into CDO roles from either a business intelligence or data management background, having occupied “manager”, “head of” and “director” positions before taking the top job. Joshua Hyde, managing consultant of its data and business intelligence practice, says that while it is an advantage to have a science, engineering or mathematical background, the real differentiator isn’t technical expertise, “but the ability to sell ideas to CEOs and boards”. “Corporate data can often be seen as a ‘black box’,” he says.

2 PART-GOVERNANCE AND PART-COMMERCIAL
The CDO has a balancing act to perform; to be business-focused regarding data as well as its guardian. Hyde sums up the role as having two main areas of responsibilities: to improve the governance and quality of an organization’s data and to help organizations commercialise their data. “To turn information into money. For example, boards are looking for their organizations to improve the customer experience, and key to this is innovating around customer data,” he says. “At the same time there is increasing scrutiny from the consumer about how data is used, especially with GDPR being introduced, as well as concern about data security.” Hence, it is a potentially multi-layered role. Hyde adds: “CDOs are the Sherlock Holmes of the IT space: uncovering business value from something that to many people might be indecipherable.”

3 SOFT AS WELL AS TECHNICAL SKILLS
CDOs need excellent powers of communication and other soft skills such as the ability to persuade and influence. They must champion data and how it is used in the boardroom and equally be able to cascade down and clearly communicate the policies and procedures put in place to manage and protect it. “This is not a job for an individual with a silo mentality,” explains Richard Chiumento, director of leadership and management development firm, Rialto Consultancy. “Data is everywhere in the company and their actions must reflect this. They must be able to liaise with people from all levels and all departments of the organization. They must be respected for their technical knowledge, but equally must have strong leadership skills.”

4 AN AGENT OF CHANGE
CDOs will often be called upon to lead both process and culture transformation in the organization, which requires change management skills. Chiumento points out that developing the right data-driven culture should allow the organization to maximise the value of their data assets while also acting as a safety net. “CDOs need to instil the right behaviours around the use and management of data so they become embedded in the company culture,” he says. “They should put in place and model transparent, ethical, trustworthy and accountable practices so employees are in no doubt about the organization’s approach to data.”
Conor Hogan, GDPR specialist at BSI – the international business standards company – says: “Companies would be well advised to educate themselves about the GDPR wherever they are, if they hold any data from the EU. “In BSI we see queries from organizations outside the EU who think it does not apply, but if they store data it does. Anything that belongs to an EU citizen in your control means you need to comply with requirements.” BSI advises a risk-based approach to GDPR, which Hogan says is “essential to any business continuity plan”. This covers both continuing business and the less noticed subject of the ability to respond to requests from people for data held on them. Hogan says: “It is critical that you have a plan for GDPR in place for securing data and meeting the data availability obligation. “People can make subject access requests and these must be answered in 30 days. That needs to be in your continuity plan, as while a regulator is unlikely to regard a short outage as a breach, they could do if data were unavailable for a long time. “You need an effective disaster recovery (DR) plan. Data availability is one of the conditions in the GDPR and it is not always obvious what would happen if an organization could not respond.” Adds MHA’s Michael Herrera: “In addition to your live system, your DR system will also need to meet GDPR compliance. Because your DR provider is obtaining, holding and retrieving data, they will be a ‘data processor’. If your DR provider is non-compliant, it could render you non-compliant.” Trent Clouston, MBCI, senior manager at RiskLogic, which provides business resilience to clients in Australia and New Zealand, says: “The fact that Australia has a high level of connectivity to the internet and the ‘she’ll be right’ attitude can leave some organizations unprotected. “The advice we are providing is that the GDPR legislation will be far reaching and enforceable to Australian companies,
this is significantly due to the diplomatic relationships between Australia and EU nations. “Specifics are not clear, and I am sure this will be tested in courts, as some organizations could face severe penalties.” RiskLogic warns clients to focus on how they respond to any data breach. “The biggest cause of a data breach is actually human error, not someone hacking into your system,” Clouston says. “Having a plan to deal with threats is vitally important, and should any organization find themselves faced with a data breach, a well-designed and exercised plan is crucial.” Ireland’s Storage Craft, which provides data management for BC, warns clients that the GDPR requires measures to restore availability and access to personal data in the event of a physical or technical incident and a process for regularly testing, accessing and evaluating the effectiveness of processing security. What sort of approach might businesses expect from regulators, at least in GDPR’s early days? Blake says: “If you look at the Information Commissioner’s Office in the UK it is clear that where breaches do occur it is their policy to publicly
name those responsible and set out the reasoning for their decision. “If you have attempted to comply with GDPR principles then it is unlikely a regulator will throw the book at you right away, but for those that have done nothing it could be painful and difficult.” Hogan warns: “We are yet to see what approach regulators will take and to get any case law, but there are two issues. “Reputational risk is very large as public awareness of personal data security is growing, and we don’t yet know how they will use powers to levy very significant fines.” Herrera warns that the requirement to report data breaches within 72 hours, with fines dependent in part on how a company responded, “makes it more imperative than ever that companies bring their A game when it comes to disaster preparedness and incident response”. It is entirely possible that companies will get some leeway from regulators in GDPR’s early days. However, the GDPR is now out there, and the severe potential penalties will surely concentrate the minds of BC professionals as the issue looks set to continue to grab industry attention in the years ahead.
STORM INFORMATION SECURITY

Crises Control is an award-winning incident management platform radically different from its competitors

What You Get
• Incident action plan creation, administration and hosting tools
• Multi-channel emergency notification platform
• Track and trace with one-touch SOS button
• Incident task manager module and incident timeline
• Audit logs and performance reports for post-incident review

Our USPs
• Simply beautiful and intuitive mobile app
• Ease of deployment, with a quick start, self-implementation option
• Templates and incident library to help organisations without a BC plan
• Low cost, monthly subscription and simple pricing

For a FREE demo of Crises Control go to crises-control.com/request-a-demo.html

Our vision is to deliver unified dependable & secure communications to organisations and their people at times of disruption

www.crises-control.com

PREPARE • COMMUNICATE • PROTECT
PROFILE

DR MARWAN IBRAHIM

As director of corporate resilience for Dubai Airports, operating calmly in the chaotic space of an airport is a recurring challenge for Dr Marwan Ibrahim, but he believes adapting to change is key. DeeDee Doke found out more

INTERVIEW BY DEEDEE DOKE

As a dual-centre retail outlet, logistics hub and international transport crossroads for 89m travellers a year, the commercial entity known as Dubai Airports lies at the core of the emirate’s ambitious economic diversification plans. By 2020, just 18 months away, aviation is expected to provide 38% of Dubai’s gross domestic product (GDP).

“This is huge pressure – considering the aviation industry as a whole provides only 3.5% of the world’s current GDP,” acknowledges Dr Marwan Ibrahim, director of corporate resilience for Dubai Airports.

Economic pressure is just one of the challenges facing Dubai Airports, which owns, operates and develops the two mega airports – Dubai International and Dubai World Central, also known as Al-Maktoum International – serving the Middle East’s fast-paced business and holiday centre.

In his role of leading the airports’ resilience capability, Ibrahim must operate in the space where chaos meets calm. Security issues, everyday disruptions that can be experienced by any business, new air travel restrictions imposed by foreign governments and the ever-hovering potential of aircraft incidents from the multitude of landings and take-offs occurring each day and night – all are within the realm of possible activity that the airports’ 60-person resilience team may have to deal with on a given day.

In 2017, for instance, Ibrahim tells Continuity & Resilience (C&R), factors including “laptop bans, visa restrictions, geo-political issues and the resulting fluctuations in consumer confidence and demand” were at play, but still the airports achieved an awe-inspiring 89m-passenger flow.

“To maintain our status as a global leader, our business processes should have the ability to respond quickly to any change,” explains Ibrahim, who has well over a decade’s experience with Dubai Airports. “This may be a diverse, complex business, but corporate resilience and departments such as finance, procurement, legal and quality assurance ensure agility prevails.”

Collaboration enabling a firm state of resilience is a well-learned lesson for Ibrahim and his colleagues across Dubai Airports’ many departments – it has to be, given the life-and-death situations the organization encounters.

The crash landing at DXB of Emirates flight EK521 in August 2016 was such a situation. All 282 passengers and 18 crew were evacuated from the Boeing 777-300 inbound from Kerala. However, nine minutes after the crash landing, the central fuel tank exploded. An airport firefighter was killed, and 30 people were injured, four seriously. At the same time, the incident response and subsequent recovery have been recognised as being highly successful, thanks to a truly collaborative response from all stakeholders involved, both internal and external.

“Resilience made the recovery process faster,” Ibrahim says with some pride. “We were able to resume single runway operations within six hours, and business was able to absorb the economic, reputational and operational impact sustained from such an incident.”

“This experience highlighted many great aspects of our people and how we operate our businesses, as well as opportunities to improve how we manage emergencies and disruptions of similar nature in the future.”

“The bigger future,” he adds, “lies in how we integrate and collaborate to drive the business across a number of dimensions.”

Integration and collation are clearly already underway, and Ibrahim credits “an integrated holistic approach” to resilience for ensuring the organization’s agility in the face of challenge. How does this work? He says the approach includes “stakeholders’ commitment and collaboration, identifying risks and single points of failure, implementing risk mitigation techniques to ensure continuous availability of resources” and, possibly the most important element, “integrating business continuity and resilience into day-to-day operations”.

He explains further: “We created a holistic framework that allows evaluation and prioritisation of resilience concepts, approaches and practices. We recognised that while enterprise risk management, business continuity and insurance management are three different disciplines, they essentially share the same goal, which is to increase resilience and enhance the organization’s response capabilities to disruptions and challenges.” (See graphic on p31.)

“As resilience practitioners, we can’t afford to get left behind”

CAREER: DR MARWAN IBRAHIM
JAN 2015 TO DATE: Director of Corporate Resilience, Dubai Airports
2013 – 2014: Head of Airports Business Continuity, Dubai Airports
2012 – 2013: Chief of General Civil Aviation Authority (GCAA), UAE
2011 – 2012: Head of Crisis Management — HSSE, Dubai Airports
2008 – 2011: Manager — Security Development and Compliance, Dubai Airports
2005 – 2008: Senior Security Advisor, Security Assurance, Dubai Airports
EDUCATIONAL HIGHLIGHT: John F Kennedy School of Government, Harvard University: programme on Crisis Leadership, Leadership in Crises: Preparation and Performance

Having the three disciplines under the resilience function, he continues, “allowed us to anticipate… and prepare for, respond and adapt to events” through a variety of risk assessments, response and recovery planning, exercise and simulations. The adaptation element was achieved through insurance coverage for losses, business continuity plans and lessons learned. Further, he says, the framework allows an integrated approach that effectively eliminates recognised gaps and overlaps within the three interrelated disciplines. “In my view,” Ibrahim adds, “it puts Dubai Airports in a better position to achieve the optimal balance between organizational performance and risk governance.”
Emirates airlines Boeing 777-300 A6-EMW flight EK521 from Trivandrum at Dubai international airport after being gutted by fire when the central fuel tank exploded. This incident, although infrequent, is among the type of events Ibrahim’s team must deal with to ensure the airport remains operational
Within Dubai Airports, he suggests that resilience operations have a strong voice at the strategic level. The organization envisions a transition from “being burdened by bureaucracy” to becoming more agile in the ways it can operate. “Resilience plays a big part in ensuring that we are ready for these changes,” he says.

In fact, the organization has put in place governance which includes the corporate resilience function to regularly review decisions made for day-to-day operations and for transformations “to create long-term value” for Dubai. “The decisions are based on the use of real-time data to be able to react to issues,” he says, “and also to proactively plan for the future, ensuring that we have the right fit of capabilities and systems in place to establish a more resilient business.”

Ibrahim said that he could not provide an annual budget figure to C&R, but he emphasised that ensuring operational and business resilience was “a key strategic objective” for the Airports organization.

Asked about topics in the business continuity management and resilience field that he is keen to explore, he identifies several that are “changing the way we need to look at business and our resilience practices”. First, he says, is the small matter of demographic shifts. “We’re seeing increased mobility and media access; even in some of the poor developing nations, people can now get on an aircraft and
travel long distances. The same can be said about increasing access to social media and the internet. People are looking for experiences, not just services or products, and there is rapid feedback. One tweet or one wrong feedback can damage and erode company value,” explains Ibrahim.

Another topic involves a geographic economic shift. “It took thousands of years for economic power to migrate from East to West – but now we’re seeing a shift back to the East in a fraction of the time,” he says.

“Meanwhile, more people want to live in cities, and more people want to be connected. They want to gravitate to a socially developed environment and be enabled with each other.

“This,” he points out, “impacts our capacity to prepare and respond to any disruptions, whether on an airport or a city level.”

He is also cognisant that the “massive technological breakthroughs every day” have an effect on his own field of business. “These present both opportunities and challenges; as resilience practitioners, we cannot afford to get left behind,” he warns.

Having completed a doctorate in Operational Risk and Resilience through the University of Atlanta in 2016, Ibrahim has demonstrated his commitment to lifelong learning. Asked if he believes resilience is science or art, he laughs gently and says, “It is both. Resilience and business continuity practice is not a uniform practice… that you can easily learn out of a book. I could borrow (author) Isaac Asimov’s words to explain: ‘There is an art to science, and a science in art; the two are not enemies, but different aspects of the whole.’”

He adds: “A good resilience and business continuity practitioner should recognise that they should be both rational as well as innovative and imaginative in dealing with challenges to the business. Standards and best practice allow for the careful and step-by-step planning and methodical aspects of continuity.

“Creativity and innovativeness allow you to come up with scenarios and solutions that anticipate, identify and respond to disruptions to the business. Creative solutions to problems can follow reason slowly – but if not done, will render methods and plans void and inoperable.”

Finally, he points out that Uber, Amazon, Facebook and eBay all avoided conventional thinking during their start-up phase, but became synonymous with new norms of doing business through their “ingenious and imaginative” ways. The lesson for BC practitioners is clear: “They should be at the forefront of this breakthrough thinking,” Ibrahim urges. “Not to restrict, but to enable it.”

DUBAI AIRPORTS
Established as a commercial entity in 2007, Dubai Airports owns and manages operations and development of Dubai International Airport (DXB) and Dubai World Central Airport (DWC), also known as Al-Maktoum International Airport. The two airports served 89m passengers in 2017. On its own, DWC, once expanded, is set to have capacity to serve more than 160m passengers per year. Both airports also are significant cargo hubs.

GETTING THE FRAMEWORK RIGHT – A BLUEPRINT FOR SUCCESS
[Graphic]
ENTERPRISE RISK MANAGEMENT: Identifying and assessing risks; Controlling and treating risks
RESPONSE AND RECOVERY PLANNING: Business Impact Analysis; Crisis management/Command & Control; Response and recovery strategies; Business continuity plans
INSURANCE MANAGEMENT: Risk transfer mechanism
MONITORING AND REVIEW
LEARNING LESSONS
Exercises and simulations; Response and recovery strategies
TALENT MARKET

TOOLING THE TALENT POOL

BY COLIN COTTELL

Business continuity and resilience must work towards developing more diverse skillsets among its workforce to help battle key issues concurrently

Talented people have always been at the heart of business continuity (BC) and resilience. But today with all the new, constantly changing and emerging threats to organizations, that need for talent has arguably never been greater. Whether it is the potential damage and disruption caused by the trend for extreme weather events spawned by global warming, or the increasing number of cyber threats from criminals, and hostile foreign governments, BC and resilience professionals are in the frontline.
ILLUSTRATION: ISTOCK
Tom Chapman, managing director of specialist cyber security recruitment agency Iceberg, is in no doubt that talent is the difference between keeping organizations safe and potential catastrophic business failure. “Sometimes cyber attacks on an organization can be hundreds of times a day, and that’s why it is so important to have the right individuals in place to make sure the systems are secure,” he says. “The number of cyber breaches that don’t reach the press is quite worrying,” he adds. While the need for talent to fend off attacks such as WannaCry, a malware ransomware attack believed to have hit 300,000 computers in 150 nations, is indisputable, specialist recruiters such as Chapman say that finding that talent is no easy task. According to Karla Reffold, managing director of BeecherMadden, a recruitment agency operating in the resilience and security talent market,
the BC market can essentially be split into two broad areas. For many organizations that built their BC teams prior to 2010, and now have their BC management (BCM) plans in place, there is no longer the need to recruit for traditional BC roles, such as disaster recovery, at the same rate. In most organizations, “you only need a couple of people to keep things updated,” says Reffold. This part of the market has been “quite slow moving” in recent years, characterised by “quite a lot of skilled people with a lot of experience,” she says. “Generally, we have seen replacement roles rather than new skills or new heads of department being added.” However, while BC in its traditional guise is “definitely in decline,” in marked contrast, Reffold says “cyber is going crazy”. Gary Billings, lead consultant, cyber and information security at VIQU Recruitment, agrees that “more and more organizations now look to hire cyber security expertise to ensure they are protected from threats”. Previously it was predominantly larger organizations, defence and the public sector that took cyber security seriously. But today, Billings says the publicity surrounding WannaCry and Petya, another international malware attack launched in 2017 and designed to make computers inoperable, “has meant that even SMEs [small to medium-sized enterprises] are aware of the threats, and this has driven up demand [for talent]”. The introduction of the General Data Protection Regulation (GDPR) on 25 May in the UK has also contributed to putting cyber security higher up organizations’ agendas. (See Special Report on p26 for more on the GDPR.) “With more roles than candidates,” Chapman says, “desperate organizations are willing to pay salaries that are over the odds.” Candidates with a strong security background, who hold relevant qualifications and have a track record of delivery are in a strong position, notes Billings. “It is not uncommon for them to end up with multiple offers,” he adds. 
Billings advises that simply throwing more money at candidates is not the answer. “They are much more concerned about working with businesses that want to invest in them and in the right security technology [to help them do their job and enhance their skills].”

Reffold says that the technically skilled, such as security architects and penetration testers, are particularly in demand. “For application security engineers, we can make a couple of phone calls, and they get an interview; there doesn’t need to be an open role,” she says. “And that’s not just in London, it’s around the world.”

People with an ID and access management background also are increasingly in demand, says Reffold. “People are realising that you can put in all the technical solutions you want, but if you don’t tell your staff ‘don’t leave your password under your keyboard’, those type of things can have just as much an impact.” As a result, she says, “we are starting to see more training and security awareness roles coming into the market”. Those with experience in compliance and governance are also much sought after.

Cheyene Marling, founder and president of international business continuity executive search firm BC Management, part of Firestorm Solutions, based in Huntington Beach, California, says there is a lack of leadership across the sector. “Leadership skills are very sought after, as are soft skills, including the ability to communicate and cultural fit,” she says.
“A candidate must understand the culture of the organization, how to engage with its executive leadership, understand how to communicate across the entire organization and show passion for the industry.” Chapman says the biggest issue is not the shortages of suitable candidates per se, but employers’ lack of understanding of the market. With budgets tight, he says, many employers make the mistake of combining too many different roles into one job. Candidates are not impressed, he says, and he recalls how one candidate laughed out loud when asked to consider a job that incorporated five separate roles. Marling agrees that employers are combining multiple disciplines within a single role, citing business continuity and risk management, as an example. Marling says this trend that she first noticed more than 10 years ago has become more marked. “For business continuity professionals, it is critical for a candidate to diversify their discipline,” she explains. “This is important because business continuity is working across an entire organization.” Professionals are beginning to realise this, says Marling, and as a consequence are extending their experience and skills and certifications across different BC disciplines. “Candidates are becoming savvier and looking at ways to increase their marketability,” says Marling. While Marling says there are many similarities across the major markets in which BC professionals operate – the US, UK and Europe, India, Canada and the Middle East – there are also significant differences. In Canada, for example, she says BC “seems to be emergency management-focused more than anything”. In Japan, she says there is more of a focus on corporate social responsibility and “doing what is right”, while elsewhere in Asia the focus “is more on making sure their BCM programmes are compliant”. While the market for those with the right skills and experience is tight according to Reffold, there are
signs that the current mismatch between supply and demand is being addressed.

“There is quite a good pipeline of talent,” she says, with “a real willingness to train graduate level talent”. Many employers are also choosing to go down the apprentice route, she says.

Chapman agrees the talent pipeline “is very strong”, and highlights “more and more people with cyber security degrees”. He is encouraged by the number of graduates entering the profession through internships, and also takes heart “from females coming through on the back of degrees they have been doing, in what has traditionally been a male-dominated industry”.

“Give it another five years,” he adds, predicting the situation will be even better. (According to Reffold, employers are missing a trick by not doing more to attract women returners into the industry.)

Many employers, particularly in the UK, rely on candidates from overseas to fill roles that can’t be filled by domestic talent. Yet, by its nature, this is an international market, and candidates “are very flexible in terms of their location”, says Chapman, noting that it’s not unusual for someone to spend “a couple of years in Singapore and then move to London”.

With many BC professionals from the EU working in the UK, recruiters say Brexit is an obvious concern. However, according to Reffold, to date any ‘Brexit effect’ has been marginal. “It’s not really been a problem yet,” she says, although she admits: “I have had to reassure people that we don’t hate them and that we need them, because of lack of talent. Nobody is panicking yet, and everyone is waiting to see what happens.”

Chapman says a bigger concern is that the UK “is losing a lot of talent to other parts of the world”. She argues that the root of this exodus has come about because of the UK’s failure to invest in critical infrastructure on a par with other countries, particularly in Europe. Reffold says that although “it’s not yet a brain drain”, there is “a bit of a trend” for Brits to go to the US in particular – with the main reason being that basic salaries are around 40% higher.

ISSUES FACING THE TALENT SECTOR
• Lack of leadership skills
• Higher salaries for candidates is not the answer
• Employers’ lack of understanding of the market
• Candidates must be diverse in disciplines
• Using a strong talent pipeline to create more distinct multi-faceted roles
EMPOWER YOUR BCMS with the best BC Software worldwide
BCMS Features Plan Management Business Impact Analysis Exercise & Testing Corrective Action Tracking Incident Management / Notification Management Information Dynamic Reporting Mobile & Tablet Enabled
continuity2.com
simplicity power resilience security
0845 094 4402
NEWS FROM THE BCI

BCI NEWS

EVENT

Business Continuity Awareness Week 2018

Business Continuity Awareness Week (BCAW) is the BCI’s engagement week, designed to get those within the business continuity community involved in the issues affecting the discipline and discuss how we can continue to evolve in a challenging environment. We believe that good business continuity is achieved best when everyone is pulling in the same direction and working together for a common goal. With that in mind, we decided ‘Working Together to Improve Organizational Resilience’ would be our theme this year. Our jam-packed week included many exciting events and resources, which were available to both our members and the wider community to experience and learn from.

BCAW 2018 included:
• The release of our Manifesto For Organizational Resilience. The 16-page document outlines the BCI’s goals within resilience and the pledges we are making to ensure greater contribution to societies that deal with the subject.
• Webinars. From 14-18 May, we had an incredible 30 webinars from members and organizations, which included discussions on ‘collaboration’.
• Industry Insights. The Industry Insight papers were produced by four of our newer members who are looking at dealing with Organizational Resilience in innovative, exciting new ways. Members shared their different approaches to embedding BC.
• BC24. BC24 is our interactive game, which allows you to test your reaction during an incident or crisis. For the whole month of May, we provided free access to the game. BC24 is available online for your organization to make use of at: http://bc24.thebci.org/
• Posters, banners, and social media assets. In order to raise awareness around your office, you need visibility.

All of the resources above are available on the BCI website following another successful BCAW, so if you missed the chance to join in with the campaign, you can still benefit from the knowledge and insight of others.

EVENTS

Upcoming in 2018

The BCI has a busy calendar of events around the world, where members get together to network with their peers, celebrate the global successes of our partners and members, and learn more from speakers about business continuity. Take a look at the BCI events calendar at: https://www.thebci.org/events/event-calendar.html

• June – BCI Netherlands & Belgium Conference 2018. 14 June in Antwerp, Belgium
• July – GRCCS – BCI Annual Conference 2018. 23 July in Kuala Lumpur, Malaysia
• July – BCI Australasia Summit 2018. 30-31 July in Sydney, Australia
• November – BCI World Conference and Exhibition 2018. 6-7 November in London, United Kingdom
AWARD WINNERS

BCI rewarded for website innovation at MemCom awards

The BCI is pleased to announce that on Wednesday 16 May we won the ‘Most Innovative Use of a Website’ award at the 2018 MemCom Awards. The MemCom Awards are the leading annual awards for Professional Bodies.

The BCI started the project to redevelop the website in 2016, with the goal of delivering an improved service to our members and the wider community. The awards judges were impressed with how easy the news and knowledge sections are to navigate, and the innovative use of the website for mentoring, the community directory and groups.

Executive Director, David Thorp, was full of praise for the well-deserved win, saying: “It’s a great achievement to receive this award and it is fantastic to see that all the teams’ hard work has paid off.” Visit www.thebci.org to see all the new changes.
APPOINTMENTS

PEOPLE MOVES

Alan Nathan
Alan Nathan has joined professional security services provider Axis Security Systems as business continuity and risk manager. He was previously security superintendent at Kazakh oil company Tengizchevroil.

Grainia Long
Belfast City Council has made Grainia Long its first commissioner for resilience; the role aims to help the city prepare for potential scenarios which could challenge its ability to function. Long leaves her post as chief executive of the Irish Society for the Prevention of Cruelty to Children.

TOP MOVE

Andy Ng
Professional services firm EY has appointed Andy Ng as information protection lead for EMEIA (Europe, Middle East, India and Africa). Ng joins the company from rival Deloitte, where he was director, cyber risk services.

Steve Cagle
Clearwater Compliance, a provider of healthcare cyber risk management solutions, welcomes Steve Cagle as chief executive officer and Baxter Lee as chief financial officer. Bob Chaput, founder of Clearwater, becomes executive, while current CFO Mary Chaput will transition into an advisory role.

Robert Hannigan
Global cyber security services firm BlueVoyant has hired Robert Hannigan as executive chairman of BlueVoyant Europe and Global Head of Strategy. Hannigan has served as chairman of BlueVoyant’s European Advisory Board since launch.

Gary Miller
Gary Miller has joined French multinational Thales as vice president of Cyber security in the Middle East. Miller will lead Thales’ new cyber security hub, which is being established in Dubai.

Continuity & Resilience is the magazine of the Business Continuity Institute and is published four times a year.

BUSINESS CONTINUITY INSTITUTE
10-11 Southview Park, Marsack Street, Caversham, Berkshire, RG4 5AF
tel: +44 (0) 118 947 8215
bci@thebci.org | www.thebci.org

EDITOR: DeeDee Doke, deedee.doke@redactive.co.uk
ASSISTANT EDITOR: Patrick Appleton, patrick.appleton@redactive.co.uk
REPORTERS: Colin Cottell, colin.cottell@redactive.co.uk; Graham Simons, graham.simons@redactive.co.uk
CONTRIBUTING WRITERS: Sue Weekes, Mark Smulian
SENIOR DESIGNER: Carrie Bremner
PRODUCTION EDITOR: Vanessa Townsend
PICTURE EDITOR: Claire Echavarry
SENIOR SALES EXECUTIVE: Charles Boutwood, Tel: +44 (0) 20 7880 7661, charles.boutwood@redactive.co.uk
PRODUCTION DIRECTOR: Jane Easterman, Tel: +44 (0) 20 7880 6248, jane.easterman@redactive.co.uk
PUBLISHING DIRECTOR: Aaron Nicholls, Tel: +44 (0) 20 7880 8547, aaron.nicholls@redactive.co.uk
PRINTER: The Manson Group, St. Albans
PUBLISHED BY: Redactive Publishing Ltd, Level 5, 78 Chamber Street, London, E1 8BL, Tel: +44 (0) 20 7880 6200, www.redactive.co.uk

© Business Continuity Institute 2018 The views expressed in C&R are not necessarily those of the Business Continuity Institute. All efforts have been taken to ensure the accuracy of the information published in C&R. However, the publisher accepts no responsibility for any inaccuracies or errors and omissions in the information produced in this publication. No information contained in this publication may be used or reproduced without the prior permission of the Business Continuity Institute.
WHAT A GREAT IDEA

MY LIGHTBULB MOMENT

“Many organizations failed to truly analyse what was critical to their business”

The right question

Stephen Nuttall, FBCI, chairman of the BCI North West Forum

As Bill Clinton didn’t say: “It’s the question stupid!” Perhaps like many of you, I started my business continuity (BC) career developing BC plans in an existing organization. Fast-forward 20 years and, having left my long-time employer and ‘gone-solo’, I was a newly-minted ISO22301 (BC) lead auditor on my first long-term assignment reviewing the BC programmes and plans of external suppliers for my customer.

As well as seeing lots of plans which tried to conquer us by word-count, I saw many truly thoughtful, detailed and impressive solutions and approaches to the way an organization designed their BC programme and plans. However, a key theme which emerged was that many organizations failed to analyse what was critical to their business and produced solutions to either the wrong ‘question’ or without even thinking what the ‘question’ was. However good a solution may be, it needs to answer the requirements of the business or else it fails abysmally.

My ‘Lightbulb Moment?’ Get the ‘question’ right and there is a good chance you will succeed. But if you don’t know what the ‘question’ is, how can you deliver the right answer….?
REGISTER NOW FOR BCI WORLD 2018! www.bciworld2018.com 6th and 7th November | Novotel London West, London
10% OFF
EXCLUSIVE DISCOUNT CODE TO C&R SUBSCRIBERS ONLY: The first 200 readers who use the code CR10 will receive 10% off their conference ticket price!
JOIN US FOR AN EVENING OF GLOBAL CELEBRATIONS, A THREE COURSE DINNER, ENTERTAINMENT AND MORE ON 6TH NOVEMBER 2018. Individual gala dinner tickets and tables of 10 are available. Visit www.bciworld2018.com for more information and booking.
www.thebci.org