
Have a Plan

by Lee LeClair
As seen in Inside Tucson Business

Do you have a plan? Most new businesses do, especially when they are just starting out. It keeps the team focused. Older established businesses often have an implicit rather than explicit business plan. Plans are important in information technology as well; in fact, they are often more important in technology than in a general business. Why? Technology is a volatile animal. Everything about it changes at a furious pace: processors get faster, storage bigger, hardware cheaper, operating systems and applications more complex.

But at its foundation, technology is just a set of tools that enable you and your staff to manage information about your business. While those tools make things easier, the tools themselves are complex to configure and run. A prudent business owner or manager will have a general plan for their technology covering about two years out. Any less and it's just reacting, not really a plan at all. Much farther out and it becomes speculation - two years is a long time in tech-time. From a management view, the technology plan should be somewhat strategic, with clear business goals and cost objectives which relate to the derived technical requirements it will take to meet those goals and objectives. That is the basic requirement of the Sarbanes-Oxley (or SOX) Act for publicly traded businesses, so at least think about it.

At a lower level, your business should have clear technology plans relating to Incident Management and Business Continuity of Operations. Sound complicated? It really is not. An Incident Management plan lays out in written form what to do about important events and the time frames that should be associated with them. For example, it should be clear to employees that when a virus is discovered on a PC, they need to disconnect the system from the network, note the time and what system message they saw, and call the security guy (including the security guy's phone number). The event should kick off a timer about how long to wait for resolution of the event. The security guy should know that for a virus, he will begin a diagnostic of the disconnected system with a scanning tool while also ensuring that the rest of the PCs on the network are checked for the infection. He might have two hours to resolve the issue; if he finds more infections or other problems and it's not under control in two hours, he needs to call his manager and let him know what's going on.

A Continuity of Operations plan should outline which data and systems are the most critical and have detailed procedures for what to do about recovering data or systems in the event of a problem. The plan should cover the most likely problems as well as a general philosophy for how to deal with general classes of problems (since no one can think of every contingency). Again, the plan should have clear instructions for what to do first and how to do it.

The point of planning is to take the time to work through ugly situations before they actually occur. It should be done with the best minds in your business and while everyone is thinking clearly and objectively about what needs to be done. The plan captures details and lays out actions that have been thought through. This is because when it hits the fan, it will be at the most inconvenient time with a lot of pressure, little sleep, and the best people sick or on vacation.

Finally, planning is good but it isn't enough. Like piano, baseball, and almost anything you're good at in life, you and your staff need to practice. It is hard enough to take the time to plan and it is even harder to actually practice your plans for recovery and incident management, but that is where the payoff really is. If you plan without practice, you'll discover the flaws in your plan on the day of your disaster and that is really not the time for self-discovery. If you practice back-ups and especially recoveries, then your staff will flush out the inconsistencies and problems in your documentation. Your staff will become more confident with the tools and processes and won't second-guess themselves. In the end, you and your staff will know what to do and how to do it. Then the big event won't be such a big deal after all and you will still have a business.

Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.