Canadian Information Processing Society
News from National -- Current Articles

4/26/2002 8:00:41 AM
Disaster Recovery Expert: Dexada Jorgensen
Interview by S. Ibaraki, I.S.P.

This week, Stephen Ibaraki, I.S.P., has an exclusive interview with Dexada Jorgensen, a world leading expert on disaster recovery, business continuity planning and security.

*****
Q: Dexada, thank you for agreeing to this interview.
A: You are welcome Stephen, it is my pleasure.


Q: What made you decide to get into computing and what challenges did you have to overcome?
A: The University of Calgary was offering their first courses in computing science and curiosity got the better of me. The biggest challenge was learning to think in a very different way. It is a very logical rather than an intuitive process when one programs or designs circuitry.


Q: How did your career evolve from the time you decided to get into computing to the present? Can you describe your current role at Telus, and how this position evolved over time?
A: After a few detours into retail, marriage and ‘ghost’ programming for a consultant, I started with TELUS (then BC TEL) as a data communications designer. The logic design and mathematics courses put me in good stead for a job that required both the technical know-how and the mathematical analysis.

As TELUS (BC TEL) is a large company, I was able to move into different areas. The next job was as a course developer and instructor for other ‘MIS’ employees and ‘users’. Course topics ranged from computer basics to IMS/VS DC application programming. In my first class there was a range of people from an executive to a clerk. What an introduction to the field: the clerk was in tears the entire class. I guess the positive note is that the executive wasn’t.

I enjoyed instructing but the lure of ‘more to learn’ led me into the data protection administration area. We were responsible for the corporate computer systems security: both the technical support and administration. I was hired to do technical support however at the end of seven years I was the manager and had the disaster recovery program, data warehouse and information management in the portfolio.

The next step seemed obvious: it was into Corporate Business Continuity and Emergency Preparedness. This has been my focus for the past 7½ years, through our company’s merger and reorganizations. This work has opened up a whole new realm of contacts and learnings.


Q: You’re an acknowledged world expert in business continuity and security and your work is so very highly regarded. Can you talk about your role with the United Nations, NATO, the ITU, the Canadian Government, and other organizations?
A: TELUS has supported initiatives with other telcos, governments, utilities, agencies and organizations. With Y2K, I was ‘on-loan’ to the UN ITU-T Study Group 2. My contribution was in Business Continuity and I was part of the BCP sub-team. The work included creating presentations, web and workshop materials; and doing the presentations, giving and participating in workshops internationally. Some of these were held in London, England; Geneva, Switzerland; Brisbane (the Gold Coast) in Australia, and Amman, Jordan. I also did a workshop in Miami for Verizon (then GTE) for their international business units and consulting team. There was a G8 meeting in Berlin that I participated in, and an International Energy Agency workshop in Prague where I presented. There were many more locations for workshops, however many I had to decline due to timing issues and the necessity to keep a focus in our own company. The other countries were very interesting however the travel quickly became just a longer commute to the next meeting or workshop. In retrospect it seems a blur, but I know I’ve been to these places as I have photos.

As with most Canadian telecommunications business continuity planners, there is a strong relationship with governments at all levels. We have also built relationships among the telcos as well as with other utilities. These relationships began prior to Y2K and have endured through the industry changes. The events of 9/11 have again brought security, disaster recovery and business continuity to the fore. It is at times of disaster, whether natural or manmade, that our ability to communicate, respond and continue is tested, and our partnerships are strengthened. I have been fortunate in that I have been able to participate in workshops, seminars, regional economic initiatives, and ‘think-tank’ sessions with respect to business continuity, mitigation strategy, emergency planning, and cyber issues with governments, ministries, agencies, utilities on the local, national and international fronts. I have served on boards of directors, ad-hoc committees, and steering committees and we are working on current issues. Until the findings and recommendations are released, I am not able to comment on the specific work being done.


Q: What did you learn from working on the Y2K task force and what was the impact of your contributions?
A: One likes to think that they are contributing to the better cause. This was the case with Y2K, but the contribution was two-way. We interfaced with other telecom industry, utility and government personnel world wide. It was very humbling to see different cultures and countries. I learned a lot as I shared what knowledge I had with others. I found that the differences between peoples faded as everyone faced a common threat. I can’t think of anything else that has had so many focused on one common concern. It was a very unifying experience. My biggest learning experience was how much we all have in common worldwide. The bonus has been the people that I have met and some I am still in touch with today.


Q: What are the ten biggest traps or pitfalls or common mistakes with regards to security, disaster and business continuity planning?
A: Ten? Only ten? Seriously, the biggest ones for DRP and BCP are:

  1. to start too large – you need to walk before you run.
  2. to expect it to be done in three months – it can take up to three years for BCP to get to a level of maintenance, if there aren’t huge corporate changes.
  3. to assign it to one person to do – the best plans are those that involve many; those who have the expertise from all areas of the company.
  4. to only focus on one area of the company – there are intra-dependencies and these must be included in your plans.
  5. to only focus within your company – there are inter-dependencies with suppliers and other entities; these should be included in plans.
  6. to think that there is an ‘end’ date – plans are dynamic as they reflect the business and must change as the business changes.
  7. to plan and not exercise plans – this is really when people remember and this is essential training.
  8. to have corporate computer systems with no DRP – if you have systems that are deemed non-essential and do not have backup and recovery plans for them this would imply that the corporation could manage without them after a disaster. If that is the case, why are you continuing to run them? Get rid of them now.
  9. to build DRP into applications and systems after they are implemented – it is harder to do and more expensive.
  10. to call it a ‘Plan’, these are ‘Plans’ – disaster recovery plans, and business continuity plans.

For security:

  1. your employees need to be educated and trained. Security is everyone’s concern.
  2. ensure that security policies are part of an employee introduction program and ongoing it is part of an annual employee awareness program
  3. individually assign userids/logonids and passwords to employees (and tell them that they can only share their password with someone that they would give their bank card pin to).
  4. don’t set userids as your employees’ names (makes social engineering so easy).
  5. don’t allow ‘soft’ passwords (my term), set up a rigor around the password process so that they are not easily ‘guessed’ or ‘broken’ – ensure that system passwords are not the vendor defaults
  6. ensure that passwords are changed on a regular but reasonable basis
  7. set up filters (e.g. viruses – strip attachments), and set up a virus intrusion, detection and notification process.
  8. use firewalls to protect your network
  9. match the security level to the risk and sensitivity of the data
  10. validate your security programs both from the ability to protect and the ability to provide service – it is a balance that you need to maintain. If security is onerous, then employees will circumvent it.
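As an added example that is not from the interview or from TELUS, the following Python audit turns items 3 to 6 of the security list above into checks an administrator could run: at password-set time (vendor default, name-based userid, ‘soft’ password) and over provisioning records (shared userids, password age). The vendor-default list, the 90-day window, the minimum length and the sample records are constructed assumptions.

```python
from collections import Counter
from datetime import date

VENDOR_DEFAULTS = {("admin", "admin"), ("root", "password"), ("guest", "guest")}  # constructed list
MAX_AGE_DAYS = 90   # assumed "regular but reasonable" rotation window
MIN_LENGTH = 10     # assumed minimum password length

def name_parts(employee: str) -> list[str]:
    return [p for p in employee.lower().replace(".", " ").split() if len(p) >= 3]

def userid_is_name(userid: str, employee: str) -> bool:
    """Item 4: userid built from the employee's name (e.g. 'jsmith', 'john.smith')."""
    uid = userid.lower().replace(".", "").replace("_", "")
    parts = name_parts(employee)
    return bool(parts) and (uid in parts or uid in {"".join(parts), parts[0][0] + parts[-1]})

def is_soft_password(password: str, employee: str) -> bool:
    """Item 5: too short, fewer than three character classes, or containing the employee's name."""
    if len(password) < MIN_LENGTH:
        return True
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if sum(any(f(c) for c in password) for f in classes) < 3:
        return True
    return any(part in password.lower() for part in name_parts(employee))

def check_new_credential(userid: str, employee: str, password: str) -> list[str]:
    """Run at password-set time, so the plaintext is only ever seen here (items 4 and 5)."""
    findings = []
    if (userid.lower(), password.lower()) in VENDOR_DEFAULTS:
        findings.append("vendor default credential")
    if userid_is_name(userid, employee):
        findings.append("userid derived from employee name")
    if is_soft_password(password, employee):
        findings.append("soft password")
    return findings

def audit_accounts(accounts: list[dict], today: date) -> list[tuple[str, str, str]]:
    """Items 3 and 6 over provisioning records: shared userids and stale passwords."""
    owners = Counter(a["userid"] for a in accounts)
    report = []
    for a in accounts:
        if owners[a["userid"]] > 1:
            report.append((a["userid"], a["employee"], "userid shared by %d employees" % owners[a["userid"]]))
        if (today - a["password_set"]).days > MAX_AGE_DAYS:
            report.append((a["userid"], a["employee"], "password older than %d days" % MAX_AGE_DAYS))
    return report

SAMPLE_ACCOUNTS = [  # constructed provisioning records
    {"userid": "dx1427", "employee": "Dana Xu", "password_set": date(2002, 3, 1)},
    {"userid": "ops", "employee": "Lee Park", "password_set": date(2001, 11, 5)},
    {"userid": "ops", "employee": "Mia Cole", "password_set": date(2002, 4, 2)},
]
```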


Q: Based upon your years of experience working at the highest levels, what advice would you give to IT professionals on security issues?
A: What I have noticed is that security issues have not changed over the years. I have that déjà vu feeling now. When I left the security group for business continuity, I thought I had left it behind. This wasn’t and isn’t the case – it seems as if I have gone full circle as cyber issues are a large business continuity concern for many. This potential threat has grown in proportion to the increased net and data use. Getting back into the security issues, I was surprised to see how little things had changed. The issues were the same, the platforms and software different. We still have people using the systems with little or no ‘innate knowledge’ of security. I know that we didn’t get that talk from our parents as we were bounced on their knees: “Don’t talk to strangers and don’t share your passwords.” But really, one would think that after all this time companies would not leave backdoors open for external callers to make those long distance calls through their phone systems (PBX); and what about that garbage? There are still healthy pickings for that garbage ‘engineer’.

So to the IT professional - don’t ignore it, it isn’t going away and it isn’t someone else’s problem. Don’t throw the problem over the fence to the security department, and don’t assume that they will fix it after installation or promotion. It is everyone’s responsibility so it is yours as well, and your job could depend on it. Security issues are based in the hardware, firmware, software, protocols, how service providers implement what the vendors provide, how the system is administered and how the users use it. You don’t want to be the weakest link. Stick to the corporate standards, the security professionals have a lot of knowledge and experience. Consult with them at the beginning of and throughout your project.


Q: How do you see the whole security issue evolving over the next five years?
A: The security issues have been around for a long time. There was a recent article in CSI that said just that ‘Hey this isn’t new’. Prior to 9/11, I would have said that it would only be when ‘popular’ demand insists that something be done that we would see significant changes. This could have been in the form of users demanding that their ISP ensure secure access and protected data, or in the form of service providers taking vendors to task over protocols that do not meet their basic needs.

We will see government taking a more active role in this arena and this has been precipitated by the 9/11 event. Don’t be surprised if you see more legislation.

Businesses initially reacted to this event with more physical security, then relaxed somewhat, but the cyber issues are still there and the SNMPv1 issue was another reminder of work to be done.


Q: What 10 tips can you provide to others that helped you in your path to success? What would you do differently looking back in hindsight?
A: What helped me in my path was:

  1. Being prepared – to take advantage of opportunities
  2. Kept learning – in addition to courses for your career path, be curious, and find out ‘why?’.
  3. If I didn’t know I’d ask - be willing to make mistakes, some of the best training is gleaned through mistakes.
  4. Return calls – if you can’t do it have someone get back to the caller.
  5. Networking – I didn’t have one mentor but I learned from both the best and the worst of those I interfaced with. Don’t forget to say thank you.
  6. Knowing where to find things – you may not be able to or even have to remember everything but you should know where to look it up.
  7. Saying yes to more work.
  8. Knowing when to let go – when it is time to move on.
  9. Being willing to compromise – giving up that movie with friends to put in a few more hours at work.
  10. Being customer focused - it doesn’t matter what type of business you are in – the customer is why you are there. Do not forget them.

In hindsight:
I would ensure a more balanced life. There are sacrifices we all make; try to make the right ones. Saying no to the wrong things is as important as saying yes to the right things.


Q: I can see that you’re an active professional and that your work occupies much of your time. What are your five ways you can relax?
A: I’m still working on that. Over the years, I have skied, played squash, cycled, worked out but it is too easy to skip the exercise for a few more hours at work. I am a voracious reader though and that will remove work from my brain’s center stage. I do relax with family members and enjoy cooking those family dinners.


Q: Businesses are seeing many technologies in their strategic paths. What advice, regarding security, would you give to businesses as they plan their own evolution in the next five years? Do you have specific technologies and processes they should watch out for and implement?
A: The technologies a business chooses should be based on need not on the ‘fad of the day’. I would want to know the need or the reason for the perceived need before making recommendations. Security advice is to have a well-developed and communicated security program. One corporation made security targets a significant part of their executives’ personal objectives for the year. You need that kind of commitment for security, DRP and BCP programs to succeed.

The only generic recommendation on technology and processes, I would make is to the uninformed user at home on their PCs with constantly linked high-speed connections. They need to be aware of the lack of security and their vulnerability on the Internet. They need to look at either a hardware or software firewall and at encryption for sending files. There are some good ones in the industry and I would recommend that they obtain some – and turn off the PC when not in use.


Q: If you were doing the interview, what two interview questions would you ask of someone in your position and what would be your answers?
A: You have asked the best questions. It really depends on what knowledge one wants as to what questions one would ask - are you looking for a career in this field, are you representing a company interested in putting together a security program, are you in the process of contracting for hotsite services and what questions do you need to ask? So for this interview, you have asked the best questions.


Q: It’s a blank slate, what added comments would you like to give?
A: There is so much one could say about security, disaster recovery and business continuity planning – they are all fascinating subjects (spoken like a true programmer). These are definitely growing fields and for those who would like to pursue a career or implement these programs you need both the technology and social skills to succeed.

Thank you Stephen for this opportunity to talk about these subjects.

You are most welcome, Dexada. Thank you for sharing with us your vast experience, wisdom and knowledge.

Copyright © 2000 - 2002 Canadian Information Processing Society. All rights reserved.