Disaster recovery and business continuity should never be taken lightly, but sometimes they can be difficult to define and fully quantify. Yet, identifying the elements that are vital to bouncing back quickly from disaster can be the most essential factor in responding effectively during a crisis.
“There’s a key difference between business continuity and disaster recovery,” says Josh De Jong, manager of business development with Symantec’s public sector group. De Jong is a corporate member of the Disaster Recovery Working Group within the National Association of State Chief Information Officers, or NASCIO.
De Jong says disaster recovery pertains to backing up a data center, so that part of the infrastructure can keep working. Business continuity is a broader concept pertaining to how you actually keep your organization going, he explains. The latter requires capabilities such as telework. “All of the data centers in the world are not going to do you a whole lot of good if people can’t work,” De Jong says.
When we speak of a disaster, the possibilities are limitless: tornados, hurricanes, blizzards, floods or other weather-related events — even something as relatively simple as a lightning strike knocking power out over a considerable area so that normal power can’t be restored for several days.
Earthquakes and other major geologic events are also prime candidates that can cause huge stress within the infrastructure, and perhaps limit or prohibit vehicle-traffic flow in certain areas for a lengthy period of time.
Cyber-attacks on entire computer systems and potential terrorist acts are causes for concern. If not for the vigilance of our firewalls and virus scanners, many more of these attacks may have transpired.
“When you talk about business-continuity management, it’s all about managing risk,” says Denise Moore, CIO for the state of Kansas and co-chairwoman of NASCIO’s Disaster Recovery Working Group. She explains the purpose of the committee is to identify the potential impacts that might threaten organizations, noting that this function must be driven and supported from the top.
“One of the key questions is: How can we better use technology to support all aspects of disaster recovery?” asks Teri Takai, CIO for the state of Michigan and president of NASCIO. “How, for example, can we better use technology to be prepared for a pandemic flu?
“And that’s about making sure we have telecommuting policies, making sure individuals are equipped with notebooks as opposed to desktops, making sure we have processes for people to work from home if they need to.”
It is critical to devote adequate funding to the development and continual updating of a truly effective business-continuity plan.
“One of the things we in the IT [information technology] community have to do a better job of is pattern ourselves like an insurance company expresses ‘risk,’ and be able to express it in terms policymakers can understand,” says Takai. “We do a lot of hand-wringing and whining, but we haven’t been able to articulate it in the same way as the professional insurers.”
Getting into the Mindset
- Understand from the beginning that having a practical and effective recovery plan ready to go at a moment’s notice does not come cheap. Be ready to convince state policymakers that funding to establish a business-continuity structure is money wisely spent.
- Merely staging theoretical drills for an imagined disaster is likely to prove ineffective. Train using a realistic simulated disaster situation that allows staff to experience the effort that an effective recovery will require.
- Centralizing a backup data center within proximity of the primary data center is inviting further disaster. What if the primary data center and all of its environs are essentially destroyed? Locate all elements of backup infrastructure away from the primary center to help ensure survival in the event that a specific location is broadly damaged or destroyed.
- Carefully consider your organization’s various functions in terms of relative values — then prioritize those functions, so you’ll know which ones need to be brought back up first. And don’t forget about system interdependencies.