Foreword by Mr. Paul Kurtz
Paul B. Kurtz is currently the executive director of the Cyber Security Industry
Alliance. Most recently, Paul was special assistant to the President and senior
director for critical infrastructure protection on the White House’s Homeland
Security Council (HSC), where he was responsible for both physical and
cyberspace security. Before joining HSC in 2003, Kurtz served on the White
House’s National Security Council (NSC) as senior director for national security
of the Office of Cyberspace Security and a member of the President’s Critical
Infrastructure Protection Board, where he developed the international component
of the National Strategy to Secure Cyberspace. Previously, he was a director for
counter-terrorism in the NSC’s Office of Transnational Threats from 1999 to
2001. Prior to his White House work, Kurtz served in several bureaus in the
State Department, specializing in weapons of mass destruction non-proliferation
policy and strategic arms control. He also served as political advisor to
Operation Provide Comfort in Incirlik, Turkey and as science attaché in Vienna,
Austria. He participated in several arms control inspection teams, traveling to
Iraq and North Korea. Kurtz received his Bachelor’s degree from Holy Cross
College and his Master’s degree in International Public Policy from Johns
Hopkins University’s School of Advanced International Studies.
Planning for recovery from a disaster is now commonly recognized as an
essential component in the management of risk. Businesses today have
become accustomed to planning for commercial risks, such as the sudden
failure of a critical parts supplier, an unexpected debt or liability, labor
strikes, or the discovery of a serious fault in a retail product. Planning for a
terrorist incident is, in many ways, very similar. Nearly one in five
businesses suffer a major disruption every year. Business continuity planning is
a means of ensuring that essential functions of your business survive a
terrorist incident, natural disaster, or other disruption. It is crucial for any
business or organization to plan its survival following the loss or denial of
access to buildings, a significant number of staff, their IT systems,
important records and information, or myriad other assets they depend upon to
operate successfully.
I have learned in my career that one can never plan enough to mitigate
all of the effects of a disaster. I have been privileged to participate in
strategic planning for many unforeseen events; such experiences expose the
magnitude and scope of devastation and destruction with which people close to
the event must contend. In the middle of such unforeseen events, there is
little one can do to stop an explosion, a volcano, flood, fire, or myriad other
things that we see happen every day in our instant-news environment.
What one must realize is that the distinguishing factor between coping
successfully with such events or being totally overwhelmed and unable to cope
at all is the amount of planning and preparation that takes place before the
event occurs. This, of course, does not mean preparation and planning will
insulate those who take such steps from the explosion’s effects, or from the
waters of a flood, but it does mean that their likelihood of preventing
greater damage or of lessening the effects of damage is greater than that of
someone who did nothing. While no amount of planning can magically
defray the effects of a disaster, planning and preparation can help reduce the
after-effects and aid in recovery after such events.
In Business Continuity and Disaster Recovery for InfoSec Managers, Drs.
Rittinghouse and Ransome present a thorough, well-structured explanation
of the need for taking such preventative measures. They have carefully
crafted a presentation of the material that is crucial to help any organization
develop a set of contingency plans that will assist in the recovery process.
The book is clearly business oriented, and from the very first page, the
authors emphasize the need to understand what can happen and why the
organizations that survive such events are the ones that have prepared for
their mitigation and recovery. They candidly point out that organizations
that fail to do so generally do not survive the effects of an event.
In Chapter 1, they present the issue of planning, distinguishing between
the contingency and continuity planning processes and explaining each facet
of planning that an organization must undertake to create a successful
Business Continuity Plan. They even cover the steps necessary to organize a
project team to build the plan. In Chapter 2, the process of risk assessment is
covered thoroughly. It is impossible to cover every conceivable aspect of
business risk assessment in any book, but the authors have presented a cogent
approach for businesses that allows planning teams to look at what is possible
