Companies spent just 3.2 percent of their IT budgets on security (employee education, business continuity, and disaster recovery) in 2001, according to Stamford, Connecticut-based research firm Meta Group Inc. Last year, the outlay was more like 8.2 percent.
"Some CFOs perceive disaster recovery as a sunk cost," says Gary Foster, CTO at Boston-based trade-management services provider Omgeo LLC. "But you have to think worst-case once in a while."
At Edgar Online, a $15 million (in revenues) supplier of public-company data, CFO and COO Greg Adams is doing more than that. He reviews his company's written disaster-recovery plan in detail each year. Adams is also apprised of changes in the plan before he files the company's 10-Qs. "Disaster recovery is critical for us," notes Adams. "If we're down, a lot of money is lost."
After the events of September 11, management at the South Norwalk, Connecticut-based company decided to construct a remote hot-site in Rockville Center, Maryland. The site, which has a backup generator, can restore the company's main systems in a matter of hours. Edgar Online also maintains a New York-based fail-over that immediately kicks in if the company's Website fails.
The system was put to the test last August, when the huge power outage knocked out the electricity at Edgar Online's Rockville office. "During the blackout," recalls Adams, "we had no downtime."
Other companies were not as fortunate. Many businesses, for example, discovered that their remote sites simply weren't remote enough. "It's all right to have a backup center," says Lance Travis, vice president of core research at Boston-based consultancy AMR Research. "But if you're in the same power grid, it doesn't do you any good."
(This article was excerpted from the May 2004 CFO magazine report "In Case of Emergency.")