Q: How did September 11th affect the way you approach disaster recovery? What changes have you made in your continuity planning as a result?
A: The greatest impact of September 11th on disaster recovery was the realisation that we need to look at recovery not just as a technology issue but as a business issue. Does the term recovered mean that systems are up and operational, data from the most recent backup tape has been restored, and you can now input data? Or is something missing? Companies that worked in the financial world were a large part of the World Trade Center. For these businesses, their plans need to include not only how to bring the technology back online but how to get the data current.
Another issue that surfaced shortly after the attacks on September 11th was: Where do people work now? The World Trade Center had provided more than 20 million square feet of office space, and after September 11th there was only 10 million square feet of office space available in Manhattan. The issue of where employees go immediately after a disaster and where they will be housed during recovery must be addressed before something happens, not after.
The last issue that surfaced after September 11th was employee disaster education. This education must occur at all levels within the company. Employees must know exactly what they are supposed to do in case of a disaster, and be drilled in those activities to reinforce it.
Q: What are the top mistakes that CSOs make in disaster recovery?
A: There are several major mistakes made in disaster recovery today. These include: -Inadequate planning: Have you identified all critical systems, and do you have detailed plans to recover them to the current day? -Failure to bring the business into the planning and testing of your recovery efforts. -Failure to gain support from senior-level managers on the need for recovery. The largest problems here are: -Not demonstrating the level of effort required for full recovery. -Not conducting a business impact analysis and addressing all gaps in your recovery model. -Not building adequate recovery plans that outline your recovery time objective, critical systems and applications, vital documents needed by the business, and business functions by building plans for operational activities to be continued after a disaster. -Not having proper funding that will allow for a minimum of semiannual testing.
Q: What advice would you give to security executives who need to convince their CEO or board of the need for disaster recovery plans and capabilities? What arguments are most effective with an executive audience?
A: If the events of September 11th were not enough to convince your CEO or board members that there is a need to develop disaster recovery plans and capabilities, then I don't know what will be enough. You must address the need for disaster recovery through analysis and documentation of the potential financial losses your company would risk if something happened and you were unable to recover. Work with your legal and financial departments to document the total losses per day that your company would face if you were not capable of quick recovery. By thoroughly reviewing your business continuance and disaster recovery plans, you can identify the gaps that may lead to a successful recovery. How to convince the senior leadership to fund your activities will become clear when you apply the financial losses per day for each occurrence. Remember: Disaster recovery and business continuance are nothing more than risk avoidance. Senior managers understand more clearly when you can show them how much risk they are taking.
Mike Hager is vice president of network security and disaster recovery for OppenheimerFunds.