Shark Bait

Knowledge Centers

Operating Systems

Networking & Internet

Mobile & Wireless

Security

Storage

Business Intelligence

Servers & Data Center

Computerworld Reports

Industry

See your link here

Robert L. Mitchell

Reality Check

Schneier on pandemic planning: Why bother?

8 comments

IT TOPICS:Government & Regulation

Security expert Bruce Schneier has special advice for businesses thinking about pandemic planning: Don’t bother.

In a Computerworld story this week, Schneier, chief technology officer at BT Counterpane in Mountain View, Calif. stated that if a pandemic hits the scope of the disaster would be so large that contingency planning by businesses would be useless. The comments were made in the context of a Computerworld story that focused on the results of a study from Ipsos showing that while the risk of pandemic remains, public concern has faded.

Schneier's is using what I would call the nuclear war argument for doing nothing. If there’s a nuclear war nothing will be left anyway, so why waste your time stockpiling food or building fallout shelters? It's entirely out of your control. It's someone else's responsibility. Don't worry about it.

I’m not sure pandemic really falls into the same category. Yes, a global outbreak of bird flu could be catastrophic. Yes, the government would need to spearhead a national response. And anyone reading the scary scenarios set out by public health expert Dr. Michael T. Osterholm in this interview might feel overwhelmed. But a pandemic is likely to play itself out in such a way that companies that prepare come out ahead – and possibly ensure their own survival.

Doing something is better than doing nothing.

Health experts have stated that during a pandemic as much as 40% of the workforce could be out for a period of weeks at a time (for an in-depth look at the issues, see my story, Heads in the Sand: IT isn’t ready for the Bird Flu). That's exactly the problem with planning at the individual business level, says Schneier. “If everyone loses 40% of their workforce it’s a different economy. The world is different. You cannot prepare for the world is different and you’re wasting your time if you try,” Schneier said. Such planning can only be done by governments, not businesses, he says. "That kind of world altering disaster you can’t prepare for and you shouldn’t.”

That said, Schneier isn’t even optimistic that government will be up to the job. “If you’re a politician and you spend money on preparation and nothing happens you’ve wasted your money. As a politician you are much more savvy doing something after the fact.” But that doesn’t mean corporations can step in. “There’s a lot of stuff in play here. But corporations simply can’t deal with the threat. It’s not their threat,” he says.

Not so, counters Michael Rasmussen, an analyst with Forrester Research Inc. who covers governance, risk and compliance research. “There are a lot of things I would agree with Bruce on – this is NOT one of them,” he says. He wouldn’t rely on government do all the planning either, but he thinks there’s plenty that business can do to prepare. “We see many of our clients preparing for a pandemic, as much because they recognize the threat of a disruption caused by absenteeism from any source, not just disease. To that extent, concern about a pandemic has awoken the corporate community to the more generalized risk of people-impacting events that can disrupt business operations.”

A pandemic is likely to occur in waves and affect different regions at different times. At any given time one facility may be in the middle of an outbreak, another may be recovering while a third could be unaffected. Good planning can help businesses adjust resources as needed. Furthermore, no one knows what a pandemic will look like. It doesn’t have to be a doomsday scenario. What if just 10% of employees are out during a pandemic? You still need a plan.

The biggest problem with many existing disaster plans is that they are good at responding to structural disasters but not very good at the extended “labor strike” scenario, where a significant percentage of employees suddenly can’t - or won’t - show up for work. “We see many of our clients preparing for a pandemic, as much because they recognize the threat of a disruption caused by absenteeism from any source, not just disease,” says Steven J. Ross, Firm Director at Audit and Enterprise Risk Services/Security & Privacy Services at Deloitte & Touche.

As an aside, I asked Ross about this week's story. He disagreed with the premise this week’s story that interest in planning for a bird flu outbreak is waning.

While that may be true with the general public, as reflected in the Ipsos poll cited in our story, he says Deloitte’s own survey of enterprises shows that many corporations are in fact paying attention. “The research performed by the Deloitte Center for Health Solutions shows the opposite result: There is a greater understanding of the risk of a pandemic currently (as of the end of 2006) than the year before and a considerably greater number of companies have developed plans for dealing with one.”

But even assuming the worst case scenario, Rasmussen thinks businesses with a plan will come out ahead. “To not prepare means the organization shuts down and the organizations really resembles anarchy. Even if society should be in a state of anarchy itself and government is the sole respondent there needs to be plans in place for bringing the business back as society stabilizes.”

How would Schneier, a risk management expert, respond to all of this? Perhaps pandemic planning would be a good subject to revisit in his blog.

Email this

Digg this

What People Are Saying

Add new comment

I feel Bruce Schneier is

Submitted by Gerold Rupprecht on August 30, 2007 - 3:34 A.M.

I feel Bruce Schneier is correct.

Ask your doctor how he/she can distinguish between bird flu and another type. They cannot or will not do the expensive lab tests. Your ordinary flu has exactly the same symptoms.

In the CDC National Vital Statistics Report volume 51 issue 13, http://www.cdc.gov/nchs/data/nvsr/nvsr52/nvsr52_13.pdf
page 16 shows the actual numbers of deaths from influenza (flu) as being 753 in 2002 per 100,000 population.

This is a far cry from the grouping infuenza and pneumonia where the CDC erroneously states "there were about 36,000 people die from flu" see http://www.cdc.gov/flu/keyfacts.htm

The statistical gathering process at the CDC is faulty to permit the statements they are making.

You are basing your strategy on an institution with questionable professionalism. There is a lot of money as well as political and military interest pushing for these kind of statements (weapons of massive destruction ???)

As a business risk manager, you might want to spend some energy to cover the basics, such as making soap and water available to visitors and employees to wash their hands after using the toilette. You will get more than your money's worth from just this simple step.

For a more caustic opinion check out:
http://www.the7thfire.com/health_and_nutrition/bird_flu_HOAX.htm

When in business you invest where you get your maximum risk weighted return on capital.

This opportunity does not meet my personal criteria. Your mileage might vary.

Reply | Report this comment

It is doubtless true that

Submitted by Anonymous on August 29, 2007 - 2:57 P.M.

It is doubtless true that the reality of a pandemic will not be what anybody's plans currently predict. Some things may turn out better than expected, while others may be worse; some issues may become apparent that were not foreseen during the planning.

No plan survives contact with reality.

But that does not mean that the planning effort is worthless and should not be undertaken. The more solutions you have in place ahead of time, the less will have to be done "on the fly" during the pandemic itself. Moreover, as has already been pointed out, regardless of the actual severity and impact of a pandemic, some preparations are ALWAYS a good idea.

Example- Simple personal hygiene training will pay benefits during a pandemic, but will also reduce absences during seasonal influenza outbreaks, witness what is happening in Australia. We don't know when the next pandemic will start, but the flu season is just around the corner here in North America.

Reply | Report this comment

In 1918, deaths from the flu

Submitted by Anonymous on August 24, 2007 - 9:30 A.M.

In 1918, deaths from the flu were reported for all 48 states within a week. Vaccines will take 4-6 months. So, there is a deadly time gap. Facemasks respirators N-95 or P100 can be purchased ahead of time by every one and companies too. They will also worked against other diseases like SARS that may move very quickly. For example, the timeline on SARS was less than six months. It took from November 2002 to April 2003 to fiqure out that it was coronavirus and most of the deaths had already occurred.

CDC has changed its mind on face masks.
Although they say, "Very little is known about the benefits of wearing facemasks and respirators to help control the spread of pandemic flu. In the absence of clear science, the steps below offer a "best estimate" to help guide decisions. They will be revised as new information becomes available."
A lot of information is known about farmers and medical works to wear respirators - why it is just a leap of 'faith' to think that respirators will protect the citizen of the world - it is beyond me. Reasoning from a medical person taking care of SARs patient or someone with flu as it is now to the jump that respirators will help the public. I do not think this is a big jump. In Hong Kong during the SARs outbreak over 50% of the public were wearing some kind of mask. Is this some secret information? No, I do not think so. The problem is that is a respirator is a good thing, and then they have deal with the problem of getting them to the citizens. That is like telling people they need to use less gasoline. True but not good news.
The 3M Particulate Respirator - 8293 P100, for example is rated now for "40 hours of use or 30 days, whichever is first" according to 3M's web site. So, that might be better than using the N-95 or N-100 that are disposable. The CDC continues with the advice, â€œNeither a facemask nor a respirator will give complete protection from the flu. That is why it is important to wash your hands often, cover your coughs and sneezes with a handkerchief or your arm, and avoid crowds and gatherings during a pandemic. To learn more about these and other issues relating to pandemic influenza, visit http://www.pandemicflu.govâ€ Wash your hands with alcohol hourly.
You can also us ultraviolet light bulbs (UV-C) to kill germs, viruses, mold, spores, fungi, and bacteria as well. UV-C is a proven form of sanitation (Germicidal Irradiation). 254 nanometers is the best. Harmful to look at UV light and UV light cannot pass through glass. Do your own research but using UV-C to clean clothes or food before you bring them into your house might not be a bad idea if people are dying around you. Wash them in to water and some alcohol too. I am not sure on the distance from the light you need to be. If you have HEPA air filters in your house (common with allegories suffers), why not leave them on all of the time until you get vaccinated. CDC speaking about â€œcomplete protectionâ€ but even vaccines will not give everyone complete protection (remember it may take up to 6 months to produce vaccines). Current vaccines for most diseases are never 100% protection. The whole point is to do whatever you can to protect your family. A combination of ways of protecting your family reduces the overall risk â€“ perhaps it is 1% that makes the difference between your loves ones getting sick from a pandemic and not getting sick or dying. Let us hope we never have to find out how well these different types of protection work against a pandemic. On the other hand, there is some risk and so why not be prepared.
Remember in 1918 in some places it took over a week to bury people. During the Tsunami people were using bulldozers to bury people. I wonder if CDC would tell you to wear a respirators then or would they wait for a study to confirm it is a good idea. Do your best to stay protected.

Reply | Report this comment

ALvin wrote: "For the time

Submitted by Old School on August 16, 2007 - 4:02 P.M.

ALvin wrote:
"For the time and money spent to make sure your company is "disaster proof", that money could be better spent elsewhere."

Well, they say a fool and his money...

I think the message here is that a possible pandemic is merely a wake-up call. Whether it's bird flu or something else that strikes us somewhere down the road, many of us have not given much thought to the creation of a Continuity of Operations Plan. Succession of authority, "necessary" job identification and cross-training are merely ways we can protect ourselves against most -- maybe all -- disasters, not just a pandemic.

Personally, I'll listen to the Gartners and the Deloitte folks. They're usually pretty smart cookies.

Reply | Report this comment

If you have read Mr.

Submitted by ALvin on July 26, 2007 - 9:26 A.M.

If you have read Mr. Schneier blog, he bases his decisions on whether something gets good value for the money you spend. How often are companies crippled based on a virus or natural disaster or terrorist attack? I bet the percentage is very small. For the time and money spent to make sure your company is "disaster proof", that money could be better spent elsewhere. Not to mention nothing is disaster proof, there is always something we are not prepared for.

Reply | Report this comment

IT folks, computer world

Submitted by Kobie on July 18, 2007 - 11:52 A.M.

IT folks, computer world
IT folks have burned the midnight oil many times doing what others said can not be done. When Katrina hit many had already jumped to "hot site" while other ISPs kept web cams running just to show they could do it.

Unlike Y2K or Katrina this does not have a definite date. Unlike Sept-11th there will not rescue workers poring in to help - just news pouring out.

When you look at succession plans remeber what the CEO of CitiCorp Said - we have plans for CEO, CIO etc but not for the person filling the ATM.

Business plans should include who will keep the lights on and servers spinning AC humming and routers routing.

Hope this helps.

Kobie

Reply | Report this comment

Businesses can be leaders in

Submitted by Kathy on July 18, 2007 - 9:37 A.M.

Businesses can be leaders in their community. If businesses become prepared for continuity during catastrophic events, people will remember that.

Their preparation and attention to these details will set an example for the individual to prepare.

For a business, the optimal outcome would be for both the business and the employee to be prepared so that absenteeism can be minimized. Mitigation tactics in the home and community will mean that fewer people will have to be out due to illness or the illness of a family member. These employees will still need an income and will therefore come to work. Mitigation tactics in the workplace to prevent cross infections will continue the cycle.

Fewer infections, fewer absent employees, greater productivity.

Reply | Report this comment

Mr. Schneier should stick to

Submitted by Anonymous on July 17, 2007 - 6:59 P.M.

Mr. Schneier should stick to what he knows best - IT and leave the business planning to those who are involved in dealing with the tactical, operational and strategic planning aspects. You can and should be developing contingency plans to deal with a pandemic - to include succession plans and realignment plans to migrate your business into demand areas. An assessment of your product/service mix to determine if they will be in demand during a pandemic could be the make or break for your company.

Reply | Report this comment