Want IT resiliency? Look to both security and disaster recovery
Security, protection from hackers and ransomware, disaster preparedness and disaster recovery are all means to the goal of resilient IT infrastructure and business processes.
We Floridians dread hurricane season. Storm predictors will issue 2018 forecasts, prognosticating the number of storms that will form in the Atlantic, how powerful they'll be and how many will make landfall. We've come to take these with a grain of salt, however. It isn't that we're lackadaisical. But if you look at 2017, they said it would be a calm year with few storms. Tell that to the Florida Keys, Puerto Rico, the U.S. Virgin Islands and Houston.
The truth is weather-related disasters are no longer just a possibility. They're a certain probability. And while the frequency of storm events may not be significantly greater than in past years, the severity has been increasing. That's why I chuckle when I hear people talk about their high-availability server configurations as a substitute for disaster recovery (DR) planning. It's also why I bristle when others boast about their survivability thanks to a subscription with some DR as a service. That may work, of course, but only if the cloud service provider isn't in the building next door or the same zip code or region where it will be subject to the same disaster as the overly confident client.
The good news is IT leaders are finally acknowledging the inadequacy of their DR plans and the importance of IT resiliency, according to a survey of more than 5,600 IT professionals conducted for Syncsort and published in January. The "2018 State of Resilience Report" found that nearly half of survey respondents' businesses had experienced a disastrous interruption resulting in a loss of data that spanned from an hour or less (35%) to a few hours (28%) to a day or more (31%).
The report also found that only half of the businesses surveyed met their recovery time objectives, and 85% said they had no recovery plan or were "less than 100% confident" in the plan they had. This confidence crisis is probably due to a lack of testing. While these stats are similar to what we've seen in past studies, the reasons for the lack of preparedness appear to be changing.
A lack of preparedness
Terry Plath, Syncsort's vice president for global services, noted the biggest challenge confronting preparedness is no longer denial of the possibility of disaster. Now, the great challenge is the reluctance of business management to fund IT personnel and training to prevent and deal with disaster. This may partly be the result of the hype around high-availability (HA) architecture, which is great for circumventing certain risks, but offers nothing in response to the potential for facility or regional disasters to occur. Perhaps management has mistakenly bought into the idea that HA negates the need for DR because it provides adequate IT resiliency against the 90% of downtime thought to derive from hardware, software and user errors or faults.
Truth is, the separation of information security and DR never made much sense.
It probably doesn't help that so many hosting service companies have been hanging out shingles bragging about the wonders of cloud-based DR and framing recovery strategies as services you can simply subscribe to or download from your local app store. If a cloud service is sufficiently distant to prevent it from being consumed by the same hurricane, fire or flood, it's probably too distant to provide the kind of low-latency and low-jitter communications links that enable the efficient operation of high-volume, transaction-heavy workloads and guarantee access to complete and up-to-date recovery data repositories.
Of course, while management may not want to cultivate staff expertise for DR and IT resiliency, it doesn't much like downtime either. Availability has become the top measure of IT performance, according to the Syncsort study. That was closely followed by application performance and customer satisfaction as the metrics that matter most. DR training, planning and testing may have a better chance of being funded if IT professionals frame them as availability rather than disaster recovery programs.
Reframe the exercise
Another approach to getting management buy-in for DR and continuity planning might be to recast the exercise in terms of security, rather than DR. According to the survey, security (49%) will be the top IT initiative in the 2018 to 2019 timeframe, beating out DR and HA (47%) by a couple of percentage points.
When it comes to IT resiliency, the front office is more concerned about hackers and ransomware than they are about fires, floods and storms. Senior management seems to perceive security as a local matter, requiring a local capability, rather than a downloadable app or something that can be outsourced to a cloud service provider.
Truth is, the separation of information security and DR never made much sense. Now is the time to use whichever one resonates most with your bean counters and make the winner do a good job of achieving both goals. Resilience is resilience, and these days, it's looking more like the choice comes down to IT resiliency or bust. Stay safe this hurricane season.
