9/11: Are Lessons Learned Still Being Applied?
In the weeks and months following 9/11, businesses closely assessed their disaster recovery and business continuity plans. Do they still do that today?
There’s no equating the horrific, world-changing terrorist attacks on Sept. 11, 2001, with any other disaster we’ve experienced in the United States in the 21st century. That day, nearly 3,000 lives were taken in a matter of hours. This Sunday, on the tenth anniversary of 9/11, it is those lives we will honor, as well as the brave men and women around the country who did their part that day and in the days that followed to help us recover, heal and live on.
What IT executives around the country realized, amid all the destruction and violence, was that new business and IT contingency plans were in order. Pre 9/11, had you asked any data center manager, IT executive or CIO, they would have told you that disaster recovery is a critical part of any sound business technology strategy. That has long been a widely-held view. But with 9/11, disaster recovery took on a whole new meaning. It was no longer just about how to protect data centers, but also how to quickly – almost immediately – recover and continue operations in the event of any disaster: natural, man-made, or heaven forbid, terrorist-wrought.
The loss of equipment in the financial district was unbelievable. IT and telecommunications equipment housed underneath the World Trade Centers was destroyed. It was estimated by the Tower Group that the securities firms alone would have to spend up to $3.2 billion just to replace their computer equipment, and another $1.5 billion to set it all up. We’re talking thousands and thousands of workstations, PCs, servers, printers, network equipment, and more.
In September 2001, many companies had disaster recovery plans that leveraged onsite backups to tapes that were then transported and stored elsewhere. Fewer were leveraging hot site backups that create mirror images at alternative sites, which while more costly, allows for much quicker access. If backups are real-time (even more costly) or near real-time, then companies are guaranteed those replicated systems will be exactly as they need them to be when switching over.
Wall Street was relatively well prepared. The New York Stock Exchange and the Nasdaq exchange had to close for four business days after the attack, then re-opened. Many of the larger and more technically proficient businesses in and around the World Trade Center were leveraging real-time data backup at secondary data centers. But not all their noncritical applications were being backed up that way, and much time was taken to recreate those. While mainframe and back-office operations were well-prepared, other business processes were not. That lesson taught IT managers to assess which servers and applications in their data centers and even in their various departments should be included in a more intensive disaster recovery plan.
Equally important was the lesson that, while an IT disaster-recovery plan matters greatly, so too does a business continuity plan that covers workforce, employee communications, workflow, and continuity of applications that may not be the brains of your business but are the heart – those applications that connect your employees to each other and to customers.
One former VP and CIO of a Fortune 500 construction services company, Joe Puglisi, says many businesses either began hosting their IT operations at data center providers’ facilities outside of the major metro areas into the suburbs or simply moved their data centers into those areas. The market for data center hosting continues to grow.
That’s what Hologic, a $1.7 billion medical device company based in Bedford, Mass., did following 9/11, according to this great article about how 9/11 continues to influence IT strategy. Listen to what Dave Rudzinsky, CIO at Hologic told CIO.com editors about why the company decided to move key applications including its ERP systems to a hosted data center facility. "We're in the medical device business, not the data center business," he’s quoted as saying. The data center provider has more expertise implementing state-of-the-art disaster recovery plans and technologies, he added. Futhermore, the 9/11 tragedy shifted Hologic's disaster recovery preparations from an exercise to satisfy corporate auditors to a strategic priority for both IT and the company’s top executives.
Likewise, 9/11 forced Brandeis University in Waltham, Mass., to take seriously its disaster recovery, which had always seemed to get pushed to the back burner, according to the CIO.com article. The terrorist attack was the impetus that drove the university to fund and build a second, redundant data center.
I’m sure there are many other examples we could point to. It’s clear that 9/11 left an indelible mark on everything we do. But as we reflect on all we lost from those horrific terrorist acts of September 11, 2001, and all that we’ve learned since, we still need to be vigilant.
The recent recession and ongoing economic crisis is affecting our current lives, and leaving lasting marks on our IT and business endeavors. Disaster recovery, business continuity and IT contingency planning may be being pushed to the back burner once again. That’s Puglisi’s concern. “Talk to anyone and ask them what are the hot buttons regarding data centers, and they’ll tell you energy efficiency and sustainability. Those are the areas that are most easily getting funding now. Second, you’ll hear the cloud and whether or not it’s being leveraged,” says Puglisi, who also serves the president of the Fairfield Westchester Chapter of the Society of Information Management (SIM) and sits on the executive council of the Cloud Computing Consortium at Stevens Institute. “Third is security. It is the almighty dollar that’s leading. We need it faster and cheaper, then more reliable. Then we need it secure.” Puglisi's not so sure that's the best ranking of priorities. I agree.