4/26/2002
8:00:41 AM
Disaster Recovery Expert: Dexada Jorgensen
Interview by S. Ibaraki, I.S.P.
This week, Stephen Ibaraki, I.S.P., has an exclusive interview with Dexada
Jorgensen, a world leading expert on disaster recovery, business continuity
planning and security.
*****
Q: Dexada, thank you for agreeing to this interview.
A: You are welcome, Stephen; it is my pleasure.
Q: What made you decide to get into computing and what challenges did you
have to overcome?
A: The University of Calgary was offering their first courses in computing
science and curiosity got the better of me. The biggest challenge was
learning to think in a very different way. It is a very logical rather than
an intuitive process when one programs or designs circuitry.
Q: How did your career evolve from the time you decided to get into computing
to the present? Can you describe your current role at Telus, and how this
position evolved over time?
A: After a few detours into retail, marriage and ‘ghost’ programming for a
consultant, I started with TELUS (then BC TEL) as a data communications
designer. The logic design and mathematics courses put me in good stead for a
job that required both the technical know-how and the mathematical analysis.
As TELUS (BC TEL) is a large company, I was able to move into different
areas. The next job was as a course developer and instructor for other ‘MIS’
employees and ‘users’. Course topics ranged from computer basics to IMS/VS DC
application programming. In my first class there was a range of people from
an executive to a clerk. What an introduction to the field: the clerk was
in tears the entire class. I guess the positive note is that the executive
wasn’t.
I enjoyed instructing but the lure of ‘more to learn’ led me into the data
protection administration area. We were responsible for the corporate
computer systems security: both the technical support and administration. I
was hired to do technical support however at the end of seven years I was the
manager and had the disaster recovery program, data warehouse and information
management in the portfolio.
The next step seemed obvious: it was into Corporate Business Continuity and
Emergency Preparedness. This has been my focus for the past 7½ years, through
our company’s merger and reorganizations. This work has opened up a whole new
realm of contacts and learnings.
Q: You’re an acknowledged world expert in business continuity and security
and your work is so very highly regarded. Can you talk about your role with
the United Nations, NATO, the ITU, the Canadian Government, and other
organizations?
A: TELUS has supported initiatives with other telcos, governments, utilities,
agencies and organizations. With Y2K, I was ‘on-loan’ to the UN ITU-T Study
Group 2. My contribution was in Business Continuity and I was part of the BCP
sub-team. The work included creating presentations, web and workshop
materials; and doing the presentations, giving and participating in workshops
internationally. Some of these were held in London, England; Geneva,
Switzerland; Brisbane (the Gold Coast) in Australia, and Amman, Jordan. I
also did a workshop in Miami for Verizon (then GTE) for their international
business units and consulting team. There was a G8 meeting in Berlin that I
participated in, and an International Energy Agency workshop in Prague where
I presented. There were many more locations for workshops, however many I had
to decline due to timing issues and the necessity to keep a focus in our own
company. The other countries were very interesting however the travel quickly
became just a longer commute to the next meeting or workshop. In retrospect it
seems a blur, but I know I’ve been to these places as I have photos.
As with most Canadian telecommunications business continuity planners there
is a strong relationship with governments at all levels. We have also built
relationships among the telcos as well as with other utilities. These
relationships began prior to Y2K and have endured through the industry
changes. The events of 9/11 have again brought security, disaster recovery and
business continuity to the fore. It is at times of disaster, whether natural
or manmade, that our ability to communicate, respond and continue is tested,
and our partnerships are strengthened. I have been fortunate in that I have been able
to participate in workshops, seminars, regional economic initiatives, and
‘think-tank’ sessions with respect to business continuity, mitigation
strategy, emergency planning, and cyber issues with governments, ministries,
agencies, utilities on the local, national and international fronts. I have
served on boards of directors, ad-hoc committees, and steering committees and
we are working on current issues. Until the findings and recommendations are
released, I am not able to comment on the specific work being done.
Q: What did you learn from working on the Y2K task force and what was the
impact of your contributions?
A: One likes to think that they are contributing to the better cause. This
was the case with Y2K, but the contribution was two-way. We interfaced with
other telecom industry, utility and government personnel world wide. It was
very humbling to see different cultures and countries. I learned a lot as I
shared what knowledge I had with others. I found that the differences between
peoples faded as everyone faced a common threat. I can’t think of anything
else that has had so many focused on one common concern. It was a very
unifying experience. My biggest learning experience was how much we all have
in common worldwide. The bonus has been the people that I have met and some I
am still in touch with today.
Q: What are the ten biggest traps or pitfalls or common mistakes with regards
to security, disaster and business continuity planning?
A: Ten? Only ten? Seriously, the biggest ones for DRP and BCP are:
- to start too large – you need to walk before you run.
- to expect it to be done in three months – it can take up to three years for BCP to get to a level of maintenance, if there aren’t huge corporate changes.
- to assign it to one person to do – the best plans are those that involve many; those who have the expertise from all areas of the company.
- to only focus on one area of the company – there are intra-dependencies and these must be included in your plans.
- to only focus within your company – there are inter-dependencies with suppliers and other entities; these should be included in plans.
- to think that there is an ‘end’ date – plans are dynamic as they reflect the business and must change as the business changes.
- to plan and not exercise plans – this is really when people remember and this is essential training.
- to have corporate computer systems with no DRP – if you have systems that are deemed non-essential and do not have backup and recovery plans for them, this would imply that the corporation could manage without them after a disaster. If that is the case, why are you continuing to run them? Get rid of them now.
- to build DRP into applications and systems after they are implemented – it is harder to do and more expensive.
- to call it a ‘Plan’; these are ‘Plans’ – disaster recovery plans, and business continuity plans.
For security:
- your employees need to be educated and trained. Security is everyone’s concern.
- ensure that security policies are part of an employee introduction program and, on an ongoing basis, part of an annual employee awareness program.
- individually assign userids/logonids and passwords to employees (and tell them that they can only share their password with someone that they would give their bank card PIN to).
- don’t set userids as your employees’ names (it makes social engineering so easy).
- don’t allow ‘soft’ passwords (my term); set up a rigor around the password process so that they are not easily ‘guessed’ or ‘broken’ – ensure that system passwords are not the vendor defaults.
- ensure that passwords are changed on a regular but reasonable basis.
- set up filters (e.g. viruses – strip attachments), and set up a virus intrusion, detection and notification process.
- use firewalls to protect your network.
- match the security level to the risk and sensitivity of the data.
- validate your security programs both from the ability to protect and the ability to provide service – it is a balance that you need to maintain. If security is onerous, then employees will circumvent it.
Q: Based upon your years of experience working at the highest levels, what
advice would you give to IT professionals on security issues?
A: What I have noticed is that security issues have not changed over the
years. I have that déjà vu feeling now. When I left the security group for
business continuity, I thought I had left it behind. This wasn’t and isn’t
the case – it seems as if I have gone full circle as cyber issues are a large
business continuity concern for many. This potential threat has grown in
proportion to the increased net and data use. Getting back into the security
issues, I was surprised to see how little things had changed. The issues were
the same, the platforms and software different. We still have people using
the systems with little or no ‘innate knowledge’ of security. I know that we
didn’t get that talk from our parents as we were bounced on their knees
“Don’t talk to strangers and don’t share your passwords.” But really, one
would think that after all this time companies would not leave backdoors open
for external callers to make those long distance calls through their phone
systems (PBX); and what about that garbage? There are still healthy pickings
for that garbage ‘engineer’.
So to the IT professional - don’t ignore it, it isn’t going away and it isn’t
someone else’s problem. Don’t throw the problem over the fence to the
security department, and don’t assume that they will fix it after
installation or promotion. It is everyone’s responsibility so it is yours as
well, and your job could depend on it. Security issues are based in the
hardware, firmware, software, protocols, how service providers implement what
the vendors provide, how the system is administered and how the users use it.
You don’t want to be the weakest link. Stick to the corporate standards, the
security professionals have a lot of knowledge and experience. Consult with
them at the beginning of and throughout your project.
Q: How do you see the whole security issue evolving over the next five
years?
A: The security issues have been around for a long time. There was a recent
article in CSI that said just that ‘Hey this isn’t new’. Prior to 9/11, I
would have said that it would only be when ‘popular’ demand insists that
something be done that we would see significant changes. This could have been
in the form of users demanding that their ISP ensure secure access and
protected data, or in the form of service providers taking vendors to task
over protocols that do not meet their basic needs.
We will see government taking a more active role in this arena and this has
been precipitated by the 9/11 event. Don’t be surprised if you see more
legislation.
Businesses initially reacted to this event with more physical security, then
relaxed somewhat, but the cyber issues are still there and the SNMPv1 issue
was another reminder of work to be done.
Q: What 10 tips can you provide to others that helped you in your path to
success? What would you do differently looking back in hindsight?
A: What helped me in my path was:
- Being prepared – to take advantage of opportunities.
- Kept learning – in addition to courses for your career path, be curious, and find out ‘why?’.
- If I didn’t know I’d ask – be willing to make mistakes; some of the best training is gleaned through mistakes.
- Return calls – if you can’t do it, have someone get back to the caller.
- Networking – I didn’t have one mentor but I learned from both the best and the worst of those I interfaced with. Don’t forget to say thank you.
- Knowing where to find things – you may not be able to or even have to remember everything, but you should know where to look it up.
- Saying yes to more work.
- Knowing when to let go – when it is time to move on.
- Being willing to compromise – giving up that movie with friends to put in a few more hours at work.
- Being customer focused – it doesn’t matter what type of business you are in, the customer is why you are there. Do not forget them.
In hindsight:
I would ensure a more balanced life, there are sacrifices we all make; try to
make the right ones. Saying no to the wrong things is as important as saying
yes to the right things.
Q: I can see that you’re an active professional and that your work occupies
much of your time. What are five ways you can relax?
A: I’m still working on that. Over the years, I have skied, played squash,
cycled, worked out but it is too easy to skip the exercise for a few more
hours at work. I am a voracious reader though and that will remove work from
my brain’s center stage. I do relax with family members and enjoy cooking
those family dinners.
Q: Businesses are seeing many technologies in their strategic paths. What
advice, regarding security, would you give to businesses as they plan their
own evolution in the next five years? Do you have specific technologies and
processes they should watch out for and implement?
A: The technologies a business chooses should be based on need not on the
‘fad of the day’. I would want to know the need or the reason for the
perceived need before making recommendations. Security advice is to have a
well-developed and communicated security program. One corporation made
security targets a significant part of their executives’ personal objectives
for the year. You need that kind of commitment for security, DRP and BCP
programs to succeed.
The only generic recommendation on technology and processes, I would make is
to the uninformed user at home on their PCs with constantly linked high-speed
connections. They need to be aware of the lack of security and their
vulnerability on the Internet. They need to look at either a hardware or
software firewall and at encryption for sending files. There are some good
ones in the industry and I would recommend that they obtain some – and turn
off the PC when not in use.
Q: If you were doing the interview, what two interview questions would you
ask of someone in your position and what would be your answers?
A: You have asked the best questions. It really depends on what knowledge one
wants as to what questions one would ask - are you looking for a career in
this field, are you representing a company interested in putting together a
security program, are you in the process of contracting for hotsite services
and what questions do you need to ask? So for this interview, you have asked
the best questions.
Q: It’s a blank slate, what added comments would you like to give?
A: There is so much one could say about security, disaster recovery and business
continuity planning – they are all fascinating subjects (spoken like a true
programmer). These are definitely growing fields, and for those who would like
to pursue a career or implement these programs, you need both the technology
and social skills to succeed.
Thank you Stephen for this opportunity to talk about these subjects.
You are most welcome, Dexada. Thank you for sharing with us your vast
experience, wisdom and knowledge.