Improve Business Continuity Planning
Organizations Must Come Together, Share Information
The catastrophe in Japan a few months back offers many lessons for business continuity and disaster preparedness here in the States. A top area of improvement in developing a strategic plan of action in the event of an emergency is information sharing. Looking at Japan, "the information is unclear and contradictory at times," Brian Tishuk says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
"One cannot implement a business continuity plan on spotty or contradictory information," he says.
ChicagoFIRST, of which Tishuk is executive director, was developed in 2003 to bring private sector firms together to address common issues around business continuity and homeland security.
In Chicago, for example, the group offers seminars to test disaster plans and gain insight from various organizations. The seminars focus on earthquakes, water availability, radiological incidents, terrorist attacks, cyber attacks and even working from home in the event of a catastrophe.
By developing a seamless web that connects many people together, business continuity can run more smoothly in the event of an emergency. "People need to think about how they can keep themselves prepared, their families prepared, and how businesses can ensure that their employees are prepared," Tishuk says.
During this interview, Tishuk discusses:
- Why more communication and information sharing is needed between the private and public sectors;
- How financial institutions are taking steps to ensure they can respond within hours to a major catastrophe or disaster;
- Minimum steps the healthcare and government sectors should take when it comes to disaster recovery and preparation.
Tishuk became the first executive director of ChicagoFIRST, Chicago's financial-services industry coalition for business continuity, in February 2004. He is responsible for forging a relationship between financial institution members and government at all levels, as well as for developing best practices for business continuity. Prior to ChicagoFIRST, Tishuk worked for the Treasury Department, where he addressed an array of public policy issues affecting financial institutions. Following the events of Sept. 11, 2001, Tishuk led the Treasury's efforts to enhance the resiliency of financial institutions, establishing the Office of Critical Infrastructure Protection and Compliance Policy and serving as its acting director and deputy director. Focusing attention on financial institutions in other parts of the country, Tishuk initiated a Treasury outreach effort that encouraged and facilitated cooperation among financial firms in Chicago, which led to the formation of ChicagoFIRST.
ChicagoFIRST
TRACY KITTEN: ChicagoFIRST was created in 2003. Can you tell us a bit about the organization, as well as its membership?
BRIAN TISHUK: ChicagoFIRST is an association of private sector firms that have come together, even in some cases as competitors, to address common issues around business continuity and homeland security, and we began primarily within the financial sector. Chicago is the most diverse financial community in the country, and so it made sense for the firms here to come together and work on these types of issues as a group. And this, as you said, began in 2003.
KITTEN: You've kind of answered my next question. What was the catalyst for creating ChicagoFIRST? Was there some catastrophic event, or was this just basically seeing a need and filling a void?
TISHUK: There had been a need, at times. And firms in the community had come together over certain incidents in the past, but the effects of 9/11 really drove the formation of ChicagoFIRST. When large sections of lower Manhattan were cordoned off--understandably so, given that it was a crime scene--firms had to find a way to persuade those guarding the gates to let them in to perform their functions, even in buildings that were perfectly safe. That led folks here to think about how they would handle such a situation. How will they work with local government on issues like evacuations, credentialing and getting information that is both accurate and timely about events of those natures?
KITTEN: ChicagoFIRST serves entities in greater Chicago, but what about other parts of the country? Are similar organizations offering similar services in other U.S. cities and states?
TISHUK: Most definitely. We stood up ChicagoFIRST in 2003 and proceeded to try to encourage financial sectors or communities across the nation to do the same. At the time ChicagoFIRST formed, I was with the U.S. Department of Treasury. And one of my missions following 9/11 was to identify means of enhancing the resilience of the sector at large. So I was very excited to help ChicagoFIRST get started and then to take that model and try to replicate it. At this point, there are nearly two dozen FIRST organizations, if you will, throughout the country, including Alaska and Hawaii, and they all work in a similar fashion. They're private sector firms, mostly financial institutions, that work together on these homeland security business continuity issues and collaborate with the government at all levels.
KITTEN: ChicagoFIRST works primarily with financial institutions. What other types of entities do you work with, and how do you facilitate collaboration and information sharing?
TISHUK: It's very important to know how to make your own firm resilient, but your firm depends on other firms. You need to have power, water, telecommunications and the like, so our members work regularly with those sectors. We also operate within buildings, so we need to have good relationships and continuity plans that take into account commercial facilities. We work with those sectors in myriad ways. Local government too is a necessary dependency for us. We need to have local responders, police and fire. We promote collaboration and information sharing through exercises, working groups that address physical and IT security, as well as business continuity and the establishment of institutionalized structure.
The most important one to date is something called the Chicago Critical Infrastructure Resilience Task Force, which is chaired by the City of Chicago's Office of Emergency Management and ChicagoFIRST. On this task force, we also have fire, police, as well as OEM on the public side and the mayor's office as well. On the private side, it's the finance through ChicagoFIRST, commercial facilities, telecommunications and then power. This is a major means through which we can address many of the issues that gave rise to ChicagoFIRST and some of the thornier issues that continue to come up in trying to address security and continuity issues.
Disaster Preparedness Testing
KITTEN: Now I understand also that ChicagoFIRST oftentimes works with some of the members that it has--financial institutions and other types of businesses--to test some of the preparedness and to test some of the disaster plans that they have in place. Can you tell us a little bit about some of the testing that you do?
TISHUK: Sure. A lot of our work is focused on promoting seminars and tabletop exercises, and at times combining the two. These issues include earthquakes, water availability, radiological incidents, terrorist attacks, cyber attacks and even working from home, which became a prominent issue when the pandemic threat occurred. We will invite public sector experts and private sector experts to provide us with the necessary background and information on these various subjects, and then proceed to have a scenario-based discussion, the tabletop component if you will, where folks will share with those at their table the manner in which their firms, or, in the case of government, their agencies, are handling these kinds of issues. And thereby we learn from one another in small groups. Then we report out to the group at large as to the major lessons learned or best practices that were identified.
One of the most important ones we've launched is the work-from-home exercise. Just last month, we held our second annual work-from-home exercise and had several thousand employees participate. The goal here is to, on one day, have as many people as possible work from home so that they can test out their capabilities, identify any issues that may arise and also spotlight the fact of if there are incidents. We see what's going on in Japan. I'm sure many people are now working from home. We want to be prepared for that kind of incident. It's not just pandemic planning; it's not just a major disaster. But should either of those happen, or something else, then we're all better prepared to work through it and keep operations in check.
KITTEN: When we look to the crisis in Japan, what lessons can we learn, and how well prepared are U.S. businesses for a crisis like the one Japan is facing?
TISHUK: That's a good question. I certainly cannot speak for all U.S. businesses, or even for all financial institutions. But it's clearly the case that since 9/11, the private sector has become much better prepared than it was previously. Japan offers some very cogent lessons about the need to be prepared, the need for family preparedness, as well as employee preparedness. And you work your way up to firm preparedness and community preparedness, all centered around the idea of community resilience, if you will.
Differing threats face differing regions, and each region has a different set of key firms and government structures in place. That is why I am a firm believer in regionalism and why we have at least nearly two dozen FIRST-like organizations around the country. They know their area, their firms and the government that's in those particular jurisdictions. They need to work on the threats, whether it's a tsunami, an earthquake, a tornado, or what happened here recently in Chicago, a snowstorm. Are you able to fail over, to operate out of some other location? Do you have sufficient backup plans and sufficient backup capabilities?
Areas of Improvement
KITTEN: Can you give us any idea about the areas, maybe as you've gone in and done testing, or worked with some of the entities in your area, specifically, financial institutions? Could you tell us about some of the areas that perhaps need improvement?
TISHUK: What often needs improvement is information sharing. Getting that access to credible information in a timely manner is very, very important and very hard to come by. We see that in Japan right now. The information is unclear and contradictory at times. One cannot implement a business continuity plan on spotty or contradictory information. One may have to, ultimately, but one should try to plan to not have to do that, or at least make it as minimal as possible.
What we've done in Chicago, for example, is work with the city on a database that's about to launch full-scale--we've been helping them pilot it--where this kind of information can be shared two-way, and where we provide information about our facilities and contacts to first responders so that they have access to it when they are on scene. And as I say, it also allows them to provide us with the necessary information we need so that we're taken care of and we don't have to bother them for more. That task force I mentioned before also is a good means of getting that information.
In addition to the information itself, it's important to have public and private sector planning; joint planning, knowing what each other needs in the event of a crisis, and knowing what to expect from one another should a crisis occur. Sometimes there are very unrealistic expectations on both sides--what government can do for us, or what the government expects us to do for ourselves. Have a healthy level setting, in addition to things that arose quite starkly on 9/11, such as credentialing, evacuations, shelter in place, etc. Joint planning and joint understanding can go a long way to making a response and recovery effort work much more smoothly.
KITTEN: Can you tell us about some of the preparedness work financial institutions, hospitals and government agencies, to name a few, have accomplished in recent years?
TISHUK: They've all focused on how they can continue their operations in the event of some emergency besetting them. Financial institutions, in particular, the critical ones are required to be down for no more than a few hours. That's a very high hurdle and a heavy burden to shoulder. They have responded by spreading their operations across wider geographic regions, so that if an incident affects one region, it hopefully will not affect another, or it will affect it at a different time. And they could roll, if you will, their operations accordingly.
Hospitals and the medical sector, they really need to focus on, and have been focusing on, how to address the need or the ability to handle mass casualties. If one is faced with say a pandemic or some other incident, perhaps like in Japan, you're overwhelmed with people who need medical care. There needs to be some type of mutual aid system in place where patients can be distributed in some fashion, transportation can be made for them, etc.
And government, too, needs to be able to provide its critical services during a crisis. It has to be out there--fire, police, emergency management and public health. They're all very important. They too need to operate, and they do not have the luxury of spreading their operations across the whole country, because they have to provide it in a very compact area. Therefore, they too rely on mutual aid compacts. In Chicago, there's mutual aid with both fire and law enforcement to draw upon other jurisdictions' responders in the event there is a need for them.
Top Areas of Vulnerabilities
KITTEN: And if we were to break those sectors down--banking, financial, medical and government--what would you say are the top areas of vulnerability for each?
TISHUK: Well, I'm not sure that I would identify any vulnerabilities, per se, but clearly their ability to serve their customers and their constituents is paramount. And I know they are undertaking that effort and putting as much into it as they can, as I just stated before. There are many methods by which they are doing this. And it's difficult and it depends, again, on the threats faced to particular firms, hospitals and government jurisdictions in various parts of the country. They need to evaluate what they're most vulnerable to. I mean, the government of Honolulu is probably not too worried by the threat of a snowstorm, whereas we in Chicago are concerned about snowstorms. They are evaluating their risks and the threats that affect them in their jurisdiction, all with the goal of remaining operational, or as operational as possible, in the face of some type of emergency.
KITTEN: And if communications were completely or partially knocked out, how would the public be impacted when it comes to financial services or other key areas?
TISHUK: Well, if communications are completely gone, then I would presume we have much more serious problems of an immediate nature than of the financial services. That would be the life safety of individuals in that area and the goal then would be for people to move out of that area as quickly and safely as possible in order to get to a place where they can take care of themselves and their families, and then avail themselves of financial services or any other needs they may have. If communications and power are partially down, then I know, as far as the financial sector is concerned, we try to communicate with our consumer constituents in many different methods. There are ways to communicate via the Internet. So if folks can get on the Internet, there will be messages there about how services can be rendered, how electronic services may take the place of physical services. On the other hand, there may be situations in which it's easier to get to ATMs than to the Internet. In that case, they may roll out portable, mobile ATMs and make those services available to folks. It depends on the nature of the event and which particular portions of the communication spectrum are unavailable or partially available.
Lessons Learned from Japan
KITTEN: And in closing, what final thoughts can you share with our audience about events in Japan and lessons we all can learn?
TISHUK: I think the most important aspect of the Japanese experience is to realize that it isn't just an earthquake, tsunami or even radiation. People need to think about how they can keep themselves prepared, their families prepared, and how businesses can ensure that their employees are prepared. If the employees know their families are safe, they will participate in what needs to be done to keep the operation of a firm going. And if the firms are connected to one another through something like a partnership, then they can help one another through mutual aid and collaborate with government at all levels. In essence, the best way to be prepared is by putting together a seamless web, at the center of which is a public-private partnership.