The corporate disaster recovery team at management consultant and financial adviser Deloitte & Touche are proud of what they have created, locked away inside Cayman’s humble five-story, hurricane-proof Citrus Grove office block.
Established just prior to Hurricane Ivan in September 2004, the company’s disaster recovery center – and its associated cyber-risk and crisis management practice – leads the region in data protection, while the cyber operation is “widely acknowledged as the leading security-consulting practice in the world,” says Raymond Swarts, risk advisory and consulting manager, citing research reports from Gartner Inc.
“The services that we offer to our clients are complemented by our IT managed-service practice,” he says, which offers “holistic” IT services including infrastructure and network management and strategy development.
The locally based risk advisory team is managed by 11 specialists in a range of disciplines: controls, transformation and assurance; governance, risk and regulatory; crisis management and disaster recovery; business-continuity planning; and cyber risk.
The 11 specialists are aided by five information systems security professionals and two “ethical hackers” in the Cayman office. Ethical hackers, also known as “white hats,” are computer security experts certified in penetration testing, seeking vulnerabilities in a network, using the same skills as a malicious invader, but ultimately employed to ensure the security of an organization’s information systems.
Already, for example, GM and Tesla this year inaugurated “bug bounty” payouts to hackers who uncover and report security flaws in a vehicle’s computer systems, while Google will pay $20,000 to anyone who can remotely take over another user’s Google account.
The Cayman group is aided by the company’s “global cyber-risk team,” which, says Swart, “includes more than 900 certified information systems security professionals” – expert in a handful of skills including security and risk management, operations and engineering – and another 1,500 certified information security auditors – themselves expert in audit, control and security of information systems.
“Our unique cyber risk practice covers the full spectrum of information security offerings including security, vigilance and resilience,” he says.
Cyber risk is just one part of the company’s corporate disaster recovery practice, however.
“The DRC practice supports all three aspects of client security by providing a secure, monitored and tested location to protect our clients’ people, systems and data,” Swart says. Physical and electronic records are protected by media storage facilities which offer electronic backup such as tapes, CDs and laptop computers, and both primary and back-up servers.
A set of data suites are customized for particular clients, who can avail themselves of “recovery seating,” an alternative working space for staff when a company’s main offices are unavailable.
Citrus Grove itself, he says, was built to withstand hurricanes and other natural disasters and “has been the location of choice” not just for Deloitte, but also for the governor’s emergency office, international banks and the 911 operations center.
The DRC, he says, “features two factor authentication-access control,” including biometric access control to all data suites. Twenty-four hour closed-circuit television sweeps the facility, which boasts advanced fire detection, gas-based fire suppression, a redundant power source with a 1,200 kilovolt diesel generator and 4,000-gallon fuel tank 18 feet above sea level.
“The data suites are protected by uninterruptable power supplies to ensure our clients’ servers are never without power,” he says.
Deloitte created the center “to help clients prepare for, respond to and emerge stronger from major disastrous events, “ensuring day-to-day security in the face of a hurricane, a telecommunication outage or a cyber incident.
“Being resilient allows an organization’s operations to rapidly adapt and respond to internal or external dynamic changes – opportunities, demands, disruptions or threats – and continue operations with limited impact to the business.”
Swart is a reluctant to name Deloitte clients, acutely aware that information security includes protection of a client’s people and data, the systems, overall confidentiality and the integrity and availability of operations.
However, he acknowledges the Cayman Islands Monetary Authority as a key client that for years has been “leading by example for the financial institutions in Cayman in ensuring their operational resilience and partnering with the DRC to accomplish their strategy.”
CIMA has launched an industry-wide survey of cyber resilience, inevitably exploring disaster-recovery systems, themselves inevitably dependent on telecommunications resiliency, which was dealt a setback on Aug. 23, when the entire Flow network went down for 10 hours without explanation, drawing the ire of local regulator the Information and Telecommunications Authority.
Deloitte’s DRC, Swart says, offers resilience in that regard because it has “access to all telecommunications providers in Cayman as well as being on the Cayman Islands government fiber network,” meaning, whether there is a hurricane, a telecommunication outage or a cyber incident, a client can readily activate their particular system, seeking either recovery or a transition to their secondary network as a temporary replacement for their primary systems.
“Deloitte integrates our broad functional capabilities – which can be augmented by hardware and software systems owned, used by, or provided by the client – in order to cover the entire crisis-management life cycle,” Swart says, enumerating “readiness, response and recovery.”
“Being resilient allows an organization’s operations to rapidly adapt and respond to internal or external dynamic changes and continue operations with limited impact to the business.
A comprehensive enterprise-resilient program, he says, requires a combination of both traditional and new processes, existing and fresh technology, and that requires firm oversight and practiced governance to gain integration “across business operations, technology, strategy, and risk and compliance environments.”
Swart is particularly proud of Deloitte’s cyber-risk efforts, which he calls “one of the priority services within the Deloitte service portfolio.”
The Gartner endorsement looms large in this regard, underscoring three major components of data recovery.
The cyber-risk enterprise is, secure, he says, “enabling enterprise business innovation by protecting critical assets against known and emerging threats across the ecosystem; it is vigilant, reducing detection time and developing the ability to detect the unknown; and it is resilient, strengthening your ability to recover when incidents occur.”
Most organizations consider security and – increasingly – resilience as chief imperatives for data protection, he says, but the third, vigilance, waxes critical to security efforts “as it becomes increasingly difficult to prevent infiltrations and unauthorized activity … organizations need threat awareness and advanced detection and analytic solutions to rapidly identify unauthorized or anomalous activity in their environments,” Swart says.
Deloitte’s “vigilant services,” he says, “leverage deep experience with analytic and correlation technologies to help clients develop monitoring solutions focused on detecting threats to critical business processes.”