It was 5 years ago today that the Blackout of 2003 shutdown power to Southern Canada and down most of the Northeastern cost of the United States. I was in Toronto, Ontario, Canada at the time attending some Check Point VPN-1/Firewall-1 training, had just thrown out my back, and was stuck in my hotel room without power or even the ability to use, let alone flush, the toilet.

Let me tell you….hobbling around with a herniated disc is probably the last thing you want to be doing in the dark. The staff at the hotel was kind enough to bring me some crackers and cheese and told me to call out from my hotel room if I needed anything (my door was left open in case I needed help). Luckily I was able to struggle through it and make it home when the power came back on.

Can anyone top that Blackout of 2003 story? 🙂

The recent Russia/Georgia conflict made me wonder last night how prepared businesses, which are located in so called political hot spots, are when it comes to the continuation, and subsequent restoration, of their business when faced with a regional, national or international military conflict. Living in North America the thought of an invasion by a foreign power is low on my list of threats to think about managing. However, if you live in Georgia (the country, not the state) or Estonia, it is a threat to the operation of your business that you probably wished you could have planed for.

Can we, as information security practitioners, really hope to build a business continuity plan (BCP) that would allow us to keep our business running in a time of war? How could you plan to move operations to a cold/warm/hot site if its located in the same town/city/country/region? Could you draft a disaster recovery (DR) plan to ensure the restoration of your business operations? What makes you think that you’ll be able to get the hardware/software/people/location/internet/power needed to get your business back up in a timely manner?

I know most will argue that keeping your business going in a time of war is very low on the priority list and that human life is a greater concern. I completely agree. The fact is, however, that business continuity is a requirement of business operations and we must, during our risk exercises, plan for the worst case scenario. I think that war is really the worst case scenario but I have yet to see a BCP/DR that has a section on “Dealing with Armed Conflict“.