Wednesday, July 09, 2008

IT 9-1-1: Emergency Preparedness Eliminates the Line Down
By Jeff Brewer

What would happen if your information technology (IT) systems or infrastructure failed and stayed down for a day, a week or even a month?

  • First, would you be able to communicate effectively with customers and suppliers?
  • Second, would you be able to meet production deadlines, delivery schedules or customer commitments on time?
  • Third, would you be able to respond immediately to customer requests, change orders or price adjustments?
  • Finally, would you lose sales, customers, the company's reputation or jobs?

The answers are no, no, no and a resounding yes. Because if a manufacturer's IT systems go down for a week or even for a single day, the entire company comes to a screeching halt.

Don't believe me? Think again. Even though you may be producing packaging, polymer tubing or textiles, there is no part of the organization--not engineering, production, sales, marketing or logistics--that is not supported by IT. Everyone, from the company president to the second shift supervisor to the front-line plant worker, is completely reliant upon having immediate, reliable access to accurate information.

So what are you doing to keep your IT infrastructure operational and your information secure?

Know thy enemy
Is your IT system friend or foe? I would have to say both. On the positive side, IT is a powerful enabler. It allows manufacturers to share information up and down the supply chain, accelerating everything from product design to order processing, logistics and support. IT can help manufacturers to become more competitive, more responsive, and ultimately more profitable.

Yet, this dependence upon IT also can make manufacturers vulnerable to a variety of risks. Natural disasters like hurricanes, floods, fire, and ice storms can knock a system off-line in a matter of minutes. External forces like hackers and viruses can penetrate an IT system and render it useless or create significant liabilities.

Other threats such as spyware can infiltrate your system via email, steal confidential information, and pass it on to a competitor. And don't forget internal threats. Bored or disgruntled employees can wreak havoc by accessing or stumbling upon confidential information. Hardware and software also offer their own sets of vulnerabilities that need to be managed.

If you're starting to get the idea that IT is a double-edged sword, you're right. But your company doesn't have to be a victim. If you know thy enemy, that is, if you understand the risks posed to your organization by IT, you can mitigate and very possibly avoid most IT-related risks and their impact.

The starting point: an IT audit
The best place to start is an IT security audit, a top-to-bottom objective review of your hardware, software, communications, infrastructure, people and processes. The purpose is to identify vulnerabilities and potential points of weakness or failure. Because manufacturers often maintain shared systems or portals with customers and suppliers, the audit also should include a penetration, or "PEN," test of key suppliers and distribution channels with whom you do business. The objective is to identify holes or leaks that might allow loss or compromise of proprietary information.

The need for objectivity when conducting an audit cannot be overemphasized. Audits by their very nature are intended to point out weaknesses. Some companies limit the scope of an IT audit, and vulnerabilities are overlooked as a result. Failure to conduct a comprehensive audit can lead to a false sense of security.

Develop an actionable plan
Once risks are identified, you should develop a business continuity and disaster recovery (BCDR) plan. A full 80 percent of the plan should focus on prevention and assurance and 20 percent should focus on recovery. It makes far more sense to put safeguards in place that reduce or eliminate the opportunity for interruptions and ensure high availability of IT systems.

A word of caution: BCDR plans must be actionable. That is, you can't expect words on paper to maintain IT functionality. An effective BCDR contains specific action items, both proactive and reactive, that are tested and documented to be effective.

Test, question and test again
Now that you've got a BCDR plan in place, don't be lulled into complacency. Manufacturers must test the plan, question the findings, and test again to ensure it continues to meet security requirements. Don't ever forget bad guys are smart and will always find new ways to penetrate the fortress. So you've always got to test and refine to keep them out and keep your operation running smoothly and without interruption.

Consider outsourcing
In the wake of the dot.com bust, business leaders across all sectors naturally began to question the investments they had made in IT. While some of that has subsided, manufacturers facing the financial realities of offshore competitors and shrinking margins must be particularly careful with the cost of IT.

Which leads to the age-old dilemma of make versus buy. Should you establish your own IT department, or if one already exists, should you add to it--personnel and hardware/software--to ensure the system is functional and information secure?

Other questions to ask are:

  • Can your company support additional overhead?
  • Will you be able to secure the level of expertise you need without investing a small fortune?
  • Where exactly do you need expertise? Is it an ongoing or periodic need?
  • Would you be better served to outsource mundane tasks and focus current IT staff on strategic activities?

These are all valid questions. How they are answered has led many manufacturers to the conclusion that outsourcing is the wisest choice. If your core skill is making widgets, why devote scarce resources to being IT security specialists, too? Outsourcing selective IT functions or the entire department will help you secure a high level of experience, expertise, objectivity, confidentiality and accountability.

Which brings us to the final question:
Who should own IT?

The traditional business model has IT existing in its own silo, overseen by an IT department. While this may have worked years ago when IT was in its infancy, it is no longer valid, and in truth, is downright suicidal.

IT is a critical part of a manufacturer's core business strategy and should sit at the same table as accounting/finance, sales, marketing, research and development, and operations. IT departments must be held to the same standards as other departments and therefore must be accountable to the CEO, the board of directors and other senior management team members. IT personnel must speak the language of business and eliminate technical jargon, which hinders clear decision-making on the part of non-IT managers. And finally, IT must align all activities with the company's strategic objectives. IT existing in a silo is not acceptable in today's IT-dependent manufacturing environment.
 
Jeff Brewer is founder and president of Business Vitals, a national information technology risk management firm based in Columbia, SC. Contact Business Vitals at 803-753-5200 or visit www.businessvitals.com.
