Perfection is the enemy of progress."  Don't wait for the results of your hardware inventory before negotiating a "hot site" contract.  Your equipment will change before you reach final terms.

If you need special equipment, i.e., devices that are not part of the standard hot site configuration, buy the hardware yourself and pay the hot site for storage and maintenance.  It's cheaper.

If your company requires prospective vendors to respond to an RFP (request for proposal), don't "reinvent the wheel."  Ask the hot site company for a "sample" RFP, something they’ve already completed for another client.  Remember, most RFPs are essentially the same.

Everything in the hot site contract costs money.  If, for example, you don't need 48 hours of test time per year, negotiate a lower figure.

Just like prescription medicines, generic is cheaper.  Try not to insist on specific equipment manufacturers.  If the gear's compatible, use the hot site brand.  Again, it's cheaper.

Be clear on "terms and conditions," including early termination, testing, exclusivity, technology, liabilities, usage prioritization, automatic renewal, and disaster determination.

Remember, with regard to "liabilities", no amount of compensation will be enough if the hot site fails.  Just get over it!

The most important metric to a hot site vendor is "contract value," or the yearly value of the contract times the number of years the contract's in force.  That's why hot sites are always anxious to renew, or extend, existing contracts.

 In renewing a hot site contract, the goal is to pay the same (or perhaps a bit more) but get "more stuff" in return, like free consulting, software, or support for international operations.

You can't outsmart a hot site company concerning contract terms.    Experience is always on their side.

The bottom line on "bells and whistles:"  If it's easier for them, it's cheaper for you.

Don't assume your company's safe.  It's not! 

 While, currently, there's no way to stop a "denial of service" attack, they can be "mitigated"; but you'll need an expert to do it.

Put one person in charge of information security management.

Assess your external and internal security posture.  Eighty (80) percent of all security breaches come from inside the company.  Remember, employees have grievances and access—frequently a deadly combination.

Recognize your limitations and consider outsourcing your security concerns.  If, for example, your company lacks the security apparatus to host a web site, let an experienced—and competent—web site hosting firm do it for you.

 Like most predators, hackers attack easy targets.  First line of defense:  Make sure the "other guy" is more vulnerable than you.

Prosecute security violations.  Let hackers know they can wind up in jail.

In negotiating SLAs (service level agreements) establish a "level of expectation" relative to security.

"Social engineering" is a key element in the "security war."  As with drugs, it's important to attack demand, as well as supply.

Build security recovery into your business continuity plan.

But remember, protection is cheaper than recovery.     

The cost of workplace violence is in the billions of dollars each year.

Different crisis response units have different agendas.  The police, for example, are concerned—first and foremost—about life, not money.  They're also concerned about protecting the integrity of a "crime scene," a responsibility that might impede a company's recovery efforts.

Companies should conduct job skill inventories.  When filling a role like "fire warden," for example, they may find that one or more of their employees are volunteer firefighters.

Invest in security but invest in the right kind of security.  For example, placing unmonitored cameras in schools is a waste of money.

The three key components of crisis management are:  Planning, Mitigation, and Recovery.  

The three prominent business continuity certification organizations are: