Y2K lessons learned
- By Bruce McConnell
- Jan 06, 2002
We live today in a new global risk landscape not unlike a past time
of high uncertainty: the pre-Year 2000 period.
Left unaddressed, the Year 2000 date change would have disrupted firms'
operations and services. Individual preparation and collaboration across
organizational and national boundaries prevented disaster. Those at the
epicenter of destruction last Sept. 11 benefited from those preparations.
After 200,000 phone lines failed in New York, the city and Verizon Communications
restored service using procedures developed for the Year 2000. Thanks to
safeguards developed in 1999, bond markets reopened in two days. The New
York Stock Exchange used Year 2000 testing protocols to validate its back-up
trading system. Many other organizations used Year 2000 procedures to determine
whom to contact, review the backup of systems, set up command centers and
direct evacuations.
Preparation is essential to protect against current cybersecurity risks.
Action is needed in five areas: readiness assessments, risk management strategies,
useable security tools, crisis management networks and public relations.
For the Year 2000, organizations produced comprehensive inventories
of their most important partners, systems and information; the functions
they performed; and the interconnections among them. These inventories must
be updated. Firms also surveyed their suppliers to ensure their readiness.
Today, few organizations are systematically evaluating the computer security
posture of their trading partners. Organizations need to assess their readiness
to prevent and respond to disruptions caused by attacks.
For the date change, organizations identified mission-critical systems
and fixed them first. Today, once systems inventories and supplier risks
have been identified, resources must be allocated to address the most important
risks first. And personnel security and management must be given additional
attention.
For the Year 2000, the computer industry created tools that found and
fixed the bugs. Today, many technical security solutions are available,
but applying them to organizations' particular situations and systems requires
a level of sophistication beyond that of most network managers.
For the Year 2000, infrastructure owners and operators organized cooperative
networks to share information, exercise contingency plans and coordinate
emergency response. Today, not enough cooperation and information sharing
is occurring, except in the financial services sector, where long-standing
trust relationships support strong coordination. A bill modeled on Year
2000 information-sharing legislation is pending in Congress and deserves
support.
Finally, before the Year 2000, firms and industry groups organized public
information campaigns to reassure shareholders and the public that the impact
of the bug would be minimal. To date, post-Sept. 11 corporate publicity
has expressed compassion. Focus should shift to creating a coherent message
of reassurance.
McConnell, former chief of information policy and technology at the Office
of Management and Budget, is president of McConnell International LLC (www.mcconnellinternational.com).