DISASTER RECOVERY REALITY CHECK: ARE YOU REALLY READY?

Disaster preparedness saves time and money if the right skills and plans are in place—and current.

By Crystal Bedell. Illustration by Ken Orvidas.
InfoSecurity Professional, Issue Number 16

When was the last time your organization updated its disaster recovery (DR) plan or conducted a disaster recovery test? Chances are you’ve spent less time and money on DR or business continuity (BC) efforts since the economic downturn. But a slow economy is no excuse for neglecting DR/BC maintenance. In fact, it’s more important than ever before, because when an incident does occur—be it an earthquake, a fire in the data center or a poor management decision—you need to be able to get your organization back up and running as soon as possible.

In a 2010 study by Forrester Research and Disaster Recovery Journal, respondents were asked to rate their ability to recover their data center in the event of a site failure or a disaster. The vast majority said they felt “very prepared” or “prepared.” According to a report co-written by Forrester analyst Rachel A. Dines, “The same study found that disaster recovery spending has declined, testing has remained flat, plan maintenance occurs less frequently, and actual recovery times have increased.” Bottom line: organizations are disillusioned.

Allen Zuk, owner and managing principal of Sierra Management Consulting based in Parsippany, N.J., U.S.A., said he sees a lot of organizations slacking off in the area of DR. “There’s an attitude of complacency, because nothing has happened in the last three or four years,” says Zuk, referring to a disaster or incident.

This complacency can be costly. According to Forrester, organizations took 18.5 hours to recover from an event in 2010. Consider that the average reported cost of downtime per hour was almost $145,000, and you’re looking at more than $2 million per event.

REALITY CHECK

Getting real about your organization’s disaster preparedness doesn’t have to be costly. With a little foresight, you can actually save time and money.
Taking the time to set realistic goals, even if it means hiring a consultant to help, is one tip Zuk offers for cost-effective DR testing. “Don’t try to boil the ocean every time,” he says. Instead of testing every system and application, choose two or three to test each quarter.

For those unsure about which ones or how many to test, Zuk encourages clients to reach out to a consultant. “Because we’ve done this so many times, we know how long it will take. There are no surprises. If you plan a 24-hour test and you come up with 52 apps, that’s just not going to happen. A consultant has the insight to help you plan accordingly,” Zuk says.

A consultant can also help address skills gaps, which is a common problem for organizations. Perhaps the resident DR/BC expert is no longer with the company, and skills have not been replaced. “If we were to take technology out of the equation and focus on your DR plan, how do you ensure continuity of operations? That takes a unique skill set. There’s a lack of talent being applied to the problem,” says Brandon Dunlap, managing director of research at Brightfly. If the key people are not present for whatever reason when disaster strikes, and if junior staff doesn’t have the appropriate training, it’s going to become a prolonged and painful response.

A consultant can help you plan and execute a series of tests, for example, reducing his or her role through each test until the organization feels confident in its ability to execute a test. “Your level of dependency is diminishing, and you’re showing an improvement in your own internal staff and their ability,” says Zuk.

Finally, Zuk recommends taking the opportunity to learn from the results of each test and applying that knowledge to the next one. “Do a post mortem on your tests, and be truthful about it. There’s no failure in it; it’s about what can you learn from what you did.
Did you achieve your goal and, if not, let’s understand what went wrong, what didn’t work. Build in that remediation and for the next test, take that with you,” Zuk says.

CLOUD COMPUTING AND DR/BC

Any DR/BC discussion would be remiss if it failed to address the cost-saving role of cloud computing services. Some providers market their services specifically for DR purposes, but cloud services also support DR efforts. “The whole concept of cloud computing addresses disaster recovery because your services are independent of your offices,” Dunlap says. “The days of actually requiring a massive data center to run your business are dwindling. You can push everything up to the cloud for just a few bucks a month.”

At that point, the DR aspect becomes a vendor problem, says Dunlap. But you can’t move your services to the cloud and wipe your hands clean of the issue. “If the provider goes down and you don’t have access, technically, you just had a disaster.”

Dunlap advises companies to review contracts with their legal department to ensure that service outages and service-level agreements are captured in contractual language. “If your provider goes down or loses your data, what recompense do you have? Will they start paying you $10,000 a day while you’re out of business?” Dunlap says.

While many providers do not currently provide the guarantees that organizations require, Dunlap says this is something organizations can look forward to in the coming months and years as it becomes a differentiator of cloud service providers. In the meantime, have an alternative plan for DR/BC.

BRING EXPERIENCE TO THE TABLE

Technology is just one component of DR/BC. People and processes also play a significant role. “Business continuity and disaster recovery go well beyond getting your data or your apps back up. What are you going to do about the people that are displaced? What is your process for