IT resilience management, planning top of mind for DR pros
Resilience is a key issue for disaster recovery pros. This year, readers sought to build up their skills and learn more about the role of resilience in DR.
IT resilience is a major component of business continuity and disaster recovery. It would be easy early on to mistake it for just another marketing buzzword, but the rise of interest in the practice the past couple of years cements it as a key process for DR teams.
There's never a bad time to learn about core elements of disaster recovery, whether the reader is new to the field and looking for an introduction or interested in a quick refresh. As technology continues to evolve, some of these basics may even change over time, so brush up on DR planning exercises, skills and principles.
Along with some basics of business continuity and disaster recovery (BCDR), IT resilience management was a prime focus among SearchDisasterRecovery readers in 2021. Disaster recovery professionals were drawn to tips that focused on the types of resilience, different DR planning activities that aid resilience and standards to follow.
While BCDR aims to keep operations running and get an organization back on its feet, IT resilience prevents or mitigates interruptions from happening in the first place. Establish IT resilience management practices to help predict and prepare for major threats such as ransomware attacks and natural disasters.
Below are some of the top articles and topics from 2021.
Back to basics
When the initial DR processes were introduced in the 1970s, it's safe to assume things looked different.
The tiers of disaster recovery outline the DR process and can help inform a plan or strategy. Built on the concept of "reliability, availability and serviceability," the tiers of disaster recovery define the different levels of where organizations store data and how they back it up for recovery purposes. The consensus indicates there are seven tiers, plus a "tier zero," where an organization has no off-site data.
Getting to know these tiers can help disaster recovery managers see where their strategy stands and how it can improve.
A different type of management
SearchDisasterRecovery readers this year also sought to learn about another type of management: managing a disaster recovery team. Disaster recovery is a competitive field, so those interviewing for manager roles must go above and beyond typical interview preparation. BCDR requires not only technical knowledge, but interpersonal skills as well, since communication with the organization and the public is critical. Managers must be able to advocate for funding in a time when upper management may still be reluctant to spend on disaster recovery.
When aspiring managers interview for a BCDR role, they should be prepared to answer a wide range of questions. They should have an idea of how much they plan to spend on DR and how they would defend that decision. They must also have a roster of BCDR activities, plans, tests and analyses they will conduct in the role. This includes business impact analyses, risk assessments, crisis communications plans and DR testing.
Interviewees must also be prepared to discuss the impact of downtime and data loss, as well as any certifications they may have.
Tabletop exercises are an excellent resource in BCDR planning. They enable DR teams to run through a recovery plan from start to finish, take on the roles they would need in the event of a crisis and experience firsthand what challenges arise in the process -- all before a disaster strikes. When that disaster is as unpredictable as a ransomware attack, the more preparation, the better.
Disruptive incidents can be unpredictable, so tabletop exercises are a way to experience and mitigate a crisis without actually having one. They help DR teams pinpoint areas that require updates and improvements, and provide a guideline for a step-by-step plan. With ransomware, a tabletop exercise runs through an organization's risk reduction, response, recovery and resumption of normal operations. It also includes an after-action report, which details what went wrong in the response and what worked.
For organizations that need to get started with a ransomware tabletop exercise, the tip includes a free downloadable template, as well as a sample presentation to take employees through the process.
Types of resilience
There are two major types of resilience for DR pros: organizational and operational. Organizational resilience focuses on the overall organization's strategy and ability to function after a crisis. Operational resilience looks at all the moving parts that must work together to protect data and maintain business continuity. Understanding both is key to IT resilience management.
Defining organizational resilience may be aided by examples. As this popular organizational resilience tip points out, the IT response to the COVID-19 pandemic provides numerous examples of this type of resilience. The pivot to remote office work, changes in the service industry and safeguards for essential workers are all examples of organizational resilience, where the overall organization makes changes to continue to function.
To better understand operational resilience, DR teams can reference this framework. When organizations understand the intricacies of how different business functions interact with disaster response, they can better maintain resilience. Communication is critical to maintain operational resilience, since business functions including human resources, crisis communications, finance management and IT disaster recovery all must work together.
Up to standard
IT resilience management efforts benefit greatly from the use of standards. Organizations widely use BCDR and resilience standards to guide a data protection strategy, testing or audits, among other areas.
The International Organization for Standardization has numerous resilience standards applicable to DR teams, including the ISO 223XX series, ISO/IEC 27031:2011 and ISO/IEC 24762:2008. These may look like code to the uninitiated, but each standard addresses a specific area of business continuity, business resilience and disaster recovery. A detailed breakdown of these standards and more can be found in this tip on BCDR and resilience standards.
Also consider the British Standards Institution, the Business Continuity Institute and the National Institute of Standards and Technology.
6 reasons why your business needs a business impact analysis
Where do business continuity plans fit in a ransomware attack?