The hot new trend in IT disaster recovery for 2023 is . . . a completely invalid concept. The fact is, there are no hot new trends in IT/DR. There is—or should be—only one valid approach to this critical area: doing the fundamental things correctly all year long.
Related on MHA Consulting: BCM Basics: Modern IT/DR Strategies
IT/DR Is About Needs, Not Trends
This time of year is the silly season when it comes to experts making predictions and identifying new trends. The same is true of people making resolutions to do better in parts of their lives.
Trends and resolutions are fine when the topic is fashion or fitness goals, but an organization’s data security, IT operations, and resiliency are too important to let any part of it be controlled by something as random as the turning of the calendar.
It’s true that the world at large is seeing many trends that have a potential to impact organizations’ IT operations—trends such as the rise in cybercrime, extreme weather, global conflict, and supply-chain problems.
However, the correct response to these from the IT/DR perspective remains the same as it has been for many years.
DR is not about trends; it’s about needs.
If there’s one good use to be made of the coming of a new year in terms IT/DR, it’s that it can serve as a prompt for people to take stock of their positions. With that in mind, we’ll make this first post of 2023 about encouraging you to assess your IT/DR situation and reminding you of what to look for.
How to Assess Your DR Position
The starting point in conducting IT/DR and assessing an organization’s IT/DR position is to look at risks, needs, and requirements. Once you have a clear view of those, you can put together and adjust your DR strategy. In reviewing your current position, you should look at business requirements and then identify any gaps (consult your Business Impact Analysis and the IT security assessment of your data security position). Our recommendation is that organizations look hard at true recoverability, especially around any type of cyber event.
Some good questions to ask are: Are your backups and data protection truly secure? Are there any gaps relating to data synchronization? If you only need to recover data for one or two apps, how are you going to get it in sync with all the other apps still continuing to process new data? Are you prepared if you have to recover a significant proportion of your environment due to a cyberattack?
Many organizations haven’t considered these sorts of questions and aren’t prepared.
Modern IT/DR Is About Resiliency
In the contemporary world, IT/DR isn’t just about recovering IT data and operations. The IT department should also work with the business continuity team to help boost the organization’s overall resiliency position.
For this reason, an assessment of the organization’s IT/DR position should look beyond pure IT/DR considerations. Some good questions to ask are: What would the organization need to run manually for an extended period of time, and how would IT support that? What are the absolute minimum technology needs for which no level of manual efforts exists?
IT has a responsibility to make sure the necessary technology is in place to enable the organization to get through an extended outage. Such technology might include alternate wifi capability or communication methods or certain types of monitoring that cannot go down.
Our position is, DR is not about recovery, it’s about resiliency. DR is everything that is necessary to keep the organization functioning from the perspective of IT.
Cyber preparedness is a major component of the overall resiliency position. That preparation needs to be in place ahead of time so it’s available when the event occurs.
The Need for Realistic Testing
There’s one more thing worth considering in assessing your IT/DR position: your testing program.
One point that MHA will be emphasizing with our clients in 2023 is the need to get away from over-planned DR tests and move toward a more realistic, chaos type of test.
If your organization is doing DR testing like it’s a project, then you’re not doing DR testing. Many people plan for weeks or months before doing a DR exercise, and they focus entirely on making it “successful.” An exercise like this shows that you have technical capabilities. It shows little or nothing about your ability to recover from an unexpected disruption. To truly demonstrate your capability, your testing needs to be realistic. This is the only way to show that you could recover during a real event.
A Few Enduring Concepts
Talking about trends is seductive; for some areas, it’s even valid. However, when it comes to IT/DR, the essentials are well-established and haven’t changed recently. Good IT/DR is about knowing and executing on a few enduring concepts.
The starting point in developing or assessing an IT/DR strategy is to look at the organization’s needs, risks, and requirements. It’s important to identify and close gaps, and the assessment should go beyond pure IT/DR to look at what IT needs to do to support the organization’s resiliency overall. The organization that truly wants to demonstrate the ability to recover should move beyond over-planned exercises to more realistic, chaos types of tests.
For more information on IT/DR fundamentals and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS: