Interview with Al Berman, CEO of DRII.org
Can you introduce yourself to Security Kaizen readers?
I have been the Executive Director for DRI International for the last five years. Prior to that, I was the Business Continuity Management Global Head for Marsh and prior to that I was the Operational Resilience Director for PwC. Additionally, I am the former CIO of a major bank, as well as a former CEO.
Can you please introduce DRI International as an organization and the role the DRI members play in the various industries/professions?
DRI International is a non-profit organization, which for the last 23 years has been dedicated to preparedness around the world. We are the largest certifier and educator of people in Business Continuity. We serve on committees all around the world. We teach in 45 countries, in eight languages, and we have some 8,500 certified professionals in more than 100 countries and in every industry and profession.
Does DRI International play a role in supporting conferences covering Business Continuity and Disaster Recovery (BC/DR)?
DRI has been involved in conferences all around the world. In fact, I recently returned from a conference in Brazil, of which one day (DRIDAY) was dedicated to DRI certified professionals discussing their roles in their organizations. And at the end of June, I am attending a conference in Brussels. DRI has spoken at conferences in Spain, Mexico, Singapore, the United States, and Malaysia in 2011 alone. And in 2012, DRI International will be having its own conference in May in New Orleans.
Can you give us an update as well as your insight onto the recent activities centered around BC regulations and standards worldwide?
We’ve seen a number of new standards and regulations around the world in business continuity, and most of them turn out to be a reaction to an event. 9/11 was a big impetus in the United States, but we’re seeing it all over the world. Every central bank has a business continuity requirement. There are British standards (BS 25999), U.S. standards (NFPA 1600), and there are other standards as well. The new evolving standard, ISO 22301, will be another attempt at creating an ISO standard to replace BS 25999.
But we are starting to see more regulations, and they come out of major events. If you look at the events in the United States recently, the Dodd-Frank Bill – which is to deal with the economic crisis – has business continuity in it. FINRA, which is the financial regulatory body in the United States, just passed regulation 4370, which also covers business continuity.
But what we’re seeing is the real understanding that businesses have to be prepared for emergencies, and they have to go through the planning process so they can maintain the viability of not only their business but also everybody else’s. And recent incidents in March in Japan, for example, showed how incidents affect supply chains around the world.
Do you think the new and emerging BC/DR standards will also focus more on the recovery of the technology environment, as most standards historically have not?
I think there are a lot of standards about technology; ISO 27001 is totally focused on technology. But I think, to some extent, you’re right. The new ISO standard 22301 will replace BS 25999. As you probably know, BS 25999 does not contain IT recovery. So, I think there is significant understanding that technology is an instrumental part of recovering all operations.
In your opinion, what will the new ISO 22301 try to improve and stress compared to the current BS 25999?
I think the obvious one is technology recovery, which is missing from BS 25999. I also think that it is more broad-based, being an international standard, as opposed to being a strictly British one. It provides a broader framework in which to work. I think it’s certainly an improvement over BS 25999.
But as most people know, standards themselves are not as strong as regulations. And I think we’re going to see more regulations. When you look at regulations, they are prescriptive, so they tell you what to do. And they are performance-based, so they tell you how to measure what you are doing. Standards, on their own, do not do that. They only serve as a basis of comparison, from best practices to how you are doing at your organization.
After the recent conditions in the Middle East and also the huge earthquake disaster in Japan, do you think that organizations that use the Cloud concept will be a step ahead?
I think what the Cloud concept does is distance you from a particular incident. What we saw, in Japan in particular, was the ability for the financial system to continue to operate even in those areas that were devastated by the tsunamis. So, I think the answer to that is yes. However, in the Middle East, one of the big problems when we looked at the recent disruptions in Egypt was closing down the Internet. Closing down the Internet would not have helped you continue to work even if you had Cloud technology. So, as long as communications are available, Cloud technology certainly is a better way of doing things, especially in a crisis.
In the wake of the recent ME events, how would you prioritize the biggest concerns for organizations that are in the region now?
Obviously, we have great concerns about people, but I think technology is a very big component of what is needed. We need to make sure technology is available so that you can communicate within the country and without the country. I think we need to understand that there have to be plans in place and there have to be resources that you can utilize outside of the affected area. So, I think what we’re really saying is that we do need a great deal of planning, and more importantly, we need to be able to test those plans.
Many organizations reported a rise in fraudulent transactions following the events, especially activities that fall under money laundering. What are some of the associated risks that organizations need to consider in a time of disaster?
In a time of disaster, we tend to go and use facilities that are not as case-hardened and not as protected as those that are in our normal day-to-day operations. So, one of the things we need to make sure of is that the security of those facilities, including Cloud technology, is equal to if not better than our own security.
And we have to have some oversight. One of the things we often miss is not having audit/compliance teams available to understand what’s going on. In a crisis, we can expect that people will try to commit fraudulent acts, and we have to be prepared for those things.
In your opinion, what can be the ideal driver for adopting a culture of BC/DR in a region like the ME where there are no regulations or laws?
Well, one thing is that we are starting to see some of that come about. I think that if you look at the central bank of any Middle Eastern country, you will see that BC/DR is included. But I think the driver is going to be what it has always been, and that is business – outside corporations considering doing business in the Middle East and using Middle East suppliers. Those suppliers are going to have to reach a level that is at least equal to what people are seeing domestically. I think the driver will be business, but I think corporations have shown that they will comply with regulations no matter where they are. And what we’ve found is if you want to continue to grow your business, you’re going to have to have business continuity.