Testing required

01 Feb 2006

The latest enterprise security study from AT&T and the Economist Intelligence Unit says that CXOs are spending more on business continuity but aren't testing their plans. Stanley Quintana, VP of managed security services at AT&T, explains to global technology editor John C. Tanner why that's as bad as having no plan at all and why managed security services can help.

Stanley Quintana

  • Planned, managed and implemented AT&T's internal business continuity and recovery program
  • Formerly AT&T's global CIO for finance and business operations
  • Bachelor's degree in mathematics and physics; M.S. in computer science and electrical engineering

Telecom Asia: AT&T just released its latest security study with the EIU. What were the key findings and what do they mean for your customers?

Stanley Quintana: First of all, at the top of CXOs' minds is security and business continuity. From a security perspective they see that with risks and exploits that are taking place in the industry today. The spending is going up with security. But what's alarming is that even though it's in the forefront of their minds, when you look at our survey and the business continuity planning that's been done, it's not happening at the rate one would expect it to be happening. The trends are showing pretty much the same trends that have been in place last year. In 2001, of course people had a lot more sensitivity to it and began to put in place some plans, but we see a flattening out of that planning. As a matter of fact, if you take a look at the business continuity plans being put in place in the past two years, approximately 40-44% of companies still don't have executable plans. That's alarming when you consider all the types of terrorist activities, the physical anomalies occurring throughout the globe. And I include in that figure the folks who don't have plans at all, and the ones that do but don't execute them. That's as good as not having a plan.

By 'not executing' you mean they're not testing them at all?

Right. We did some benchmarks many years ago that we did internally, and we have this probability certification criteria that shows the cycle you go through, from having no plan to having plans that are executed in a process orientation, which is the highest level you want to get to. Those that have plans but don't test them have a very low probability for successful implementation during a disaster - something like a 15% chance that they'll work. So the survey has shown that trend continuing over the past couple of years, and I'm very surprised given what's been going on in 2005 with terrorists, hurricanes, the tsunami - you gotta have plans.

Any ideas why they don't?

I think that's a product of closeness to the events that are occurring.
