Careers: Interviews
Disaster Recovery Expert: Dexada Jorgensen
This week, Stephen Ibaraki, I.S.P.,
has an exclusive interview with Dexada Jorgensen, a
world leading expert on disaster recovery, business
continuity planning and security.
*****
Q: Dexada, thank you for agreeing to this interview.
A: You are welcome Stephen, it is my pleasure.
Q: What made you decide to get into computing and
what challenges did you have to overcome?
A: The University of Calgary was offering their
first courses in computing science and curiosity got
the better of me. The biggest challenge was learning
to think in a very different way. It is a very
logical rather than an intuitive process when one
programs or designs circuitry.
Q: How did your career evolve from the time you
decided to get into computing to the present? Can
you describe your current role at Telus, and how
this position evolved over time?
A: After a few detours into retail, marriage and
‘ghost’ programming for a consultant, I started with
TELUS (then BC TEL) as a data communications
designer. The logic design and mathematics courses
put me in good stead for a job that required both
the technical know-how and the mathematical
analysis.
As TELUS (BC TEL) is a large company, I was able to
move into different areas. The next job was as a
course developer and instructor for other ‘MIS’
employees and ‘users’. Course topics ranged from
computer basics to IMS/VS DC application
programming. In my first class there was a range of
people from an executive to a clerk. What an
introduction to the field: the clerk was in tears
the entire class. I guess the positive note is that
the executive wasn’t.
I enjoyed instructing but the lure of ‘more to
learn’ led me into the data protection
administration area. We were responsible for the
corporate computer systems security: both the
technical support and administration. I was hired to
do technical support; however, at the end of seven
years I was the manager and had the disaster
recovery program, data warehouse and information
management in the portfolio.
The next step seemed obvious: it was into Corporate
Business Continuity and Emergency Preparedness. This
has been my focus for the past 7½ years, through our
company’s merger and reorganizations. This work has
opened up a whole new realm of contacts and
learnings.
Q: You’re an acknowledged world expert in business
continuity and security and your work is so very
highly regarded. Can you talk about your role with
the United Nations, NATO, the ITU, the Canadian
Government, and other organizations?
A: TELUS has supported initiatives with other telcos,
governments, utilities, agencies and organizations.
With Y2K, I was ‘on-loan’ to the UN ITU-T Study
Group 2. My contribution was in Business Continuity
and I was part of the BCP sub-team. The work
included creating presentations, web and workshop
materials; and doing the presentations, giving and
participating in workshops internationally. Some of
these were held in London, England; Geneva,
Switzerland; Brisbane (the Gold Coast) in Australia,
and Amman, Jordan. I also did a workshop in Miami
for Verizon (then GTE) for their international
business units and consulting team. There was a G8
meeting in Berlin that I participated in, and an
International Energy Agency workshop in Prague where
I presented. There were many more locations for
workshops, however many I had to decline due to
timing issues and the necessity to keep a focus in
our own company. The other countries were very
interesting however the travel quickly became just a
longer commute to the next meeting or workshop. In
retrospect it seems a blur, but I know I’ve been to
these places as I have photos.
As with most Canadian telecommunications business
continuity planners there is a strong relationship
with governments at all levels. We have also built
relationships among the telcos as well as with other
utilities. These relationships began prior to Y2K
and have endured through the industry changes. The
events of 9/11 have again brought security, disaster
recovery and business continuity to the fore. It is
at times of disaster, whether natural or manmade,
that our ability to communicate, respond and
continue is tested, and our partnerships are strengthened. I have
been fortunate in that I have been able to
participate in workshops, seminars, regional
economic initiatives, and ‘think-tank’ sessions with
respect to business continuity, mitigation strategy,
emergency planning, and cyber issues with
governments, ministries, agencies, utilities on the
local, national and international fronts. I have
served on boards of directors, ad-hoc committees,
and steering committees and we are working on
current issues. Until the findings and
recommendations are released, I am not able to
comment on the specific work being done.
Q: What did you learn from working on the Y2K task
force and what was the impact of your contributions?
A: One likes to think that they are contributing to
the better cause. This was the case with Y2K, but
the contribution was two-way. We interfaced with
other telecom industry, utility and government
personnel worldwide. It was very humbling to see
different cultures and countries. I learned a lot as
I shared what knowledge I had with others. I found
that the differences between peoples faded as
everyone faced a common threat. I can’t think of
anything else that has had so many focused on one
common concern. It was a very unifying experience.
My biggest learning experience was how much we all
have in common worldwide. The bonus has been the
people that I have met and some I am still in touch
with today.
Q: What are the ten biggest traps or pitfalls or
common mistakes with regards to security, disaster
and business continuity planning?
A: Ten? Only ten? Seriously, the biggest ones for DRP
and BCP are:
- to start too large – you need to walk before
you run.
- to expect it to be done in three months – it
can take up to three years for BCP to get to a
level of maintenance, if there aren’t huge
corporate changes.
- to assign it to one person to do – the best
plans are those that involve many; those who
have the expertise from all areas of the company
- to only focus on one area of the company –
there are intra-dependencies and these must be
included in your plans
- to only focus within your company – there
are inter-dependencies with suppliers and other
entities, these should be included in plans
- to think that there is an ‘end’ date – plans
are dynamic as they reflect the business and
must change as the business changes.
- to plan and not exercise plans – this is
really when people remember and this is
essential training.
- to have corporate computer systems with no
DRP – if you have systems that are deemed
non-essential and do not have backup and
recovery plans for them this would imply that
the corporation could manage without them after
a disaster. If that is the case, why are you
continuing to run them? Get rid of them now.
- to build DRP into applications and systems
after they are implemented – it is harder to do
and more expensive.
- to call it a ‘Plan’ – these are ‘Plans’:
disaster recovery plans, and business continuity
plans.
For security:
- your employees need to be educated and
trained. Security is everyone’s concern.
- ensure that security policies are part of an
employee introduction program and, on an ongoing
basis, part of an annual employee awareness program
- individually assign userids/logonids and
passwords to employees (and tell them that they
can only share their password with someone that
they would give their bank card pin to).
- don’t set userids as your employees’ names
(makes social engineering so easy).
- don’t allow ‘soft’ passwords (my term), set
up a rigor around the password process so that
they are not easily ‘guessed’ or ‘broken’ –
ensure that system passwords are not the vendor
defaults
- ensure that passwords are changed on a
regular but reasonable basis
- set up filters (e.g. viruses – strip
attachments), and set up a virus intrusion,
detection and notification process.
- use firewalls to protect your network
- match the security level to the risk and
sensitivity of the data
- validate your security programs both from
the ability to protect and the ability to
provide service – it is a balance that you need
to maintain. If security is onerous, then
employees will circumvent it.
Q: Based upon your years of experience working at
the highest levels, what advice would you give to IT
professionals on security issues?
A: What I have noticed is that security issues have
not changed over the years. I have that déjà vu
feeling now. When I left the security group for
business continuity, I thought I had left it behind.
This wasn’t and isn’t the case – it seems as if I
have gone full circle as cyber issues are a large
business continuity concern for many. This potential
threat has grown in proportion to the increased net
and data use. Getting back into the security issues,
I was surprised to see how little things had
changed. The issues were the same, the platforms and
software different. We still have people using the
systems with little or no ‘innate knowledge’ of
security. I know that we didn’t get that talk from
our parents as we were bounced on their knees “Don’t
talk to strangers and don’t share your passwords.”
But really, one would think that after all this time
companies would not leave backdoors open for
external callers to make those long distance calls
through their phone systems (PBX); and what about
that garbage? There are still healthy pickings for
that garbage ‘engineer’.
So, to the IT professional – don’t ignore it, it
isn’t going away and it isn’t someone else’s
problem. Don’t throw the problem over the fence to
the security department, and don’t assume that they
will fix it after installation or promotion. It is
everyone’s responsibility so it is yours as well,
and your job could depend on it. Security issues are
based in the hardware, firmware, software,
protocols, how service providers implement what the
vendors provide, how the system is administered and
how the users use it. You don’t want to be the
weakest link. Stick to the corporate standards, the
security professionals have a lot of knowledge and
experience. Consult with them at the beginning of
and throughout your project.
Q: How do you see the whole security issue
evolving over the next five years?
A: The security issues have been around for a long
time. There was a recent article in CSI that said
just that ‘Hey this isn’t new’. Prior to 9/11, I
would have said that it would only be when ‘popular’
demand insists that something be done that we would
see significant changes. This could have been in the
form of users demanding that their ISP ensure secure
access and protected data, or in the form of service
providers taking vendors to task over protocols that
do not meet their basic needs.
We will see government taking a more active role in
this arena and this has been precipitated by the
9/11 event. Don’t be surprised if you see more
legislation.
Businesses initially reacted to this event with more
physical security, then relaxed somewhat but the
cyber issues are still there and the SNMPv1 issue
was another reminder of work to be done.
Q: What 10 tips can you provide to others that
helped you in your path to success? What would you
do different looking back in hindsight?
A: What helped me in my path was:
- Being prepared – to take advantage of
opportunities
- Kept learning – in addition to courses for
your career path, be curious, and find out
‘why?’.
- If I didn’t know I’d ask – be willing to
make mistakes, some of the best training is
gleaned through mistakes.
- Return calls – if you can’t do it have
someone get back to the caller.
- Networking – I didn’t have one mentor but I
learned from both the best and the worst of
those I interfaced with. Don’t forget to say
thank you.
- Knowing where to find things – you may not be
able to or even have to remember everything but
you should know where to look it up.
- Saying yes to more work.
- Knowing when to let go – when it is time to
move on.
- Being willing to compromise – giving up that
movie with friends to put in a few more hours at
work.
- Being customer focused – it doesn’t matter
what type of business you are in – the customer
is why you are there. Do not forget them.
In hindsight:
I would ensure a more balanced life; there are
sacrifices we all make, so try to make the right ones.
Saying no to the wrong things is as important as
saying yes to the right things.
Q: I can see that you’re an active professional and
that your work occupies much of your time. What are
your five ways you can relax?
A: I’m still working on that. Over the years, I have
skied, played squash, cycled, worked out but it is
too easy to skip the exercise for a few more hours
at work. I am a voracious reader though and that
will remove work from my brain’s center stage. I do
relax with family members and enjoy cooking those
family dinners.
Q: Businesses are seeing many technologies in their
strategic paths. What advice, regarding security,
would you give to businesses as they plan their own
evolution in the next five years? Do you have
specific technologies and processes they should
watch out for and implement?
A: The technologies a business chooses should be
based on need not on the ‘fad of the day’. I would
want to know the need or the reason for the
perceived need before making recommendations.
Security advice is to have a well-developed and
communicated security program. One corporation made
security targets a significant part of their
executives’ personal objectives for the year. You
need that kind of commitment for security, DRP and
BCP programs to succeed.
The only generic recommendation on technology and
processes, I would make is to the uninformed user at
home on their PCs with constantly linked high-speed
connections. They need to be aware of the lack of
security and their vulnerability on the Internet.
They need to look at either a hardware or software
firewall and at encryption for sending files. There
are some good ones in the industry and I would
recommend that they obtain some – and turn off the
PC when not in use.
Q: If you were doing the interview, what two
interview questions would you ask of someone in your
position and what would be your answers?
A: You have asked the best questions. It really
depends on what knowledge one wants as to what
questions one would ask - are you looking for a
career in this field, are you representing a company
interested in putting together a security program,
are you in the process of contracting for hotsite
services and what questions do you need to ask? So
for this interview, you have asked the best
questions.
Q: It’s a blank slate, what added comments would you
like to give?
A: There is so much one could say about security,
disaster recovery and business continuity planning;
they are all fascinating subjects (spoken like a
true programmer). These are definitely growing
fields and for those who would like to pursue a
career or implement these programs you need both the
technology and social skills to succeed.
Thank you Stephen for this opportunity to talk about
these subjects.
You are most welcome, Dexada. Thank you for sharing
with us your vast experience, wisdom and knowledge.