Who's in charge of business continuity?
SINGAPORE--Nearly one in four businesses in the Asia-Pacific region are unclear who in their organization should be responsible for business continuity, a new study has found.
Willie Low, a senior software market analyst at IDC Asia-Pacific, said that 22 percent of respondents in a recent survey indicated that no one in their organizations was specifically assigned to oversee business continuity. The study, conducted earlier this year, polled over 300 IT decision makers in the region.
Speaking at a security and continuity conference here, Low noted that 34 percent of survey respondents favored the CIO to take on the responsibility for business continuity. The CEO garnered 27 percent of the vote, and the compliance director and COO, 11 percent and 6 percent respectively.
However, business continuity need not necessarily fall on the shoulders of the CEO or CIO, Low said. Just make sure that a "relatively senior" executive with a good overview of all the aspects of the business is in control. "If a person has only a partial view, then he or she may not be able to do an adequate job when disaster strikes," he explained.
Shared responsibility is also not a good option, said Low. "Ultimately it has to be attributed to a single person; as the saying goes, if more than one person is responsible, then no one is responsible."
Low noted that businesses today face challenges that have an impact on business continuity. For example, companies are installing new technologies that add to the complexity of IT infrastructures and have a shorter response time to security threats. Businesses, therefore, he added, need to take a more proactive stance toward business continuity, also known as "dynamic resilience".
"Dynamic resilience is about being aware of what is happening around you, [and to] think further ahead," he said. "This will filter into the decisions you make--what sort of security technologies you buy, how you implement it, and how you defend your architecture."
The study also found that 20 percent of organizations are least confident about managing threats posed by employees. In contrast, areas such as communication infrastructure, client relationships, and assets were deemed to be the weakest by fewer respondents.
Other conference speakers also touched on the broader issue of security, saying that although the IT department is often seen as the lead for security, it is "everybody's problem". It is also important for the Board and senior management to focus on security by constantly talking about it and making investments to secure information and computer networks.
Judhi Prasetyo, a country manager with security vendor Fortinet, cautioned that not everyone in the organization has the ability to detect threats or the knowledge to protect against threats. "It is the responsibility of [the] IT [department] to educate other users before they get into a problem, and drag [it] into the problem," said Prasetyo, who is responsible for Indonesia, Singapore and Vietnam.
Kuan Siew Mun, a security solution manager at Microsoft Singapore, added that there is a need to "breach the language gap between [the] IT [department] and management". This, he said, can be done by explaining the need for security using business terms such as ROI (return on investment) and TCO (total cost of ownership).