Photobank - Fotolia
Strengthen cyber resilience by shifting to a modern DR model
RTO, RPO and uh-oh. Rushed restores can reinfect systems. Update outdated DR practices to avoid these issues and focus resources on the systems that matter most to the business.
Age-old disaster recovery methods suit legacy use cases. Enterprises must evolve toward modern DR and cyber resilience to better ensure continuity of critical IT workloads and survive sophisticated AI-driven attacks.
Disaster recovery practices were once defined by models, such as the Share tiers, which grew out of standardized practices for protecting and restoring mainframe infrastructure and data. Created in 1992 by Share, an IBM mainframe user group, the model consists of eight levels, from Tier 0 to Tier 7, that rank IT systems by their value to the business and align recovery costs accordingly.
While these principles still apply, requirements have changed. Today, DR is about more than recovery time objective (RTO) and recovery point objective (RPO) metrics. The main goal is to quickly restore key business services to a trusted state after cyberattacks, cloud outages or system failures, using methods such as clean-room recovery. To avoid disruptions, organizations must shift from fixed Share tiers to a more flexible model comprising three recovery classes with service-level agreements tied to business impact.
Why disaster recovery needed a new model
This shift from infrastructure tiers to workload-driven requirements for business continuity reflects evolving technology risks.
Modern disaster recovery planning has more to contend with -- ransomware, compromised identities, shared cloud dependencies and control-plane failures, to name a few -- and the added concern that the DR environment itself might be compromised. Cyber resilience now depends as much on business interdependencies and operating models as on data storage or replication.
A workload-first approach aligns with budget demands and constraints. Research from an Omdia technology spending survey published in March 2026 shows that disaster recovery and continuity are the leading IT management investment areas. Omdia is a division of Informa TechTarget.
"The ever-evolving threat landscape, defined by increasingly sophisticated attacks, necessitates spending in both cybersecurity and the tools to recover and restore operations quickly," Omdia analysts wrote in the report. The rapid scaling of IT infrastructure, applications and data is also fueling increased disaster recovery spending in organizations, they noted.
While these areas remain top priorities, ROI and financial metrics are increasingly important. Data leaders need a framework that connects the design of disaster recovery processes to the reality of how they affect the business.
The three recovery classes that now define the DR approach, in alignment with current disaster recovery and cyber-resilience guidance, are outlined below.
1. Basic recoverability
This level is for lower-impact workloads that the business can do without for a short time, such as archives, testing environments, internal knowledge repositories and noncritical departmental tools.
The goal is dependable, low-cost restoration through backups, retention policies and restore testing. RTO and RPO are typically measured in hours or days. Manually restoring data and workloads is acceptable here. Businesses can reduce costs by avoiding unnecessary protections for noncritical systems.
This class is sometimes called cold standby or offline vaulting.
2. Prioritized recovery
This level consists of systems where downtime quickly affects daily operations, including ERP, CRM and financial systems, as well as databases, analytics tools and line‑of‑business applications.
Predictable business continuity is a priority here to avoid disruptions in revenue, operations and customer service. Systems in this class have RTO and RPO targets measured in minutes or hours, which requires more spending on DR.
The technologies and procedures involved can include DRaaS or another form of cloud-assisted recovery, stronger dependency mapping, documented runbooks and faster recovery methods, such as replication, point-in-time snapshots or a preconfigured warm environment.
This class is sometimes called warm standby or pilot light.
3. Assured cyber recovery
This class applies to business-critical workloads where speed is just one factor because the recovery copy, identity layer or orchestration plane might also be compromised. Common examples include identity platforms, payment systems, customer‑facing services, regulated data and other revenue‑critical applications.
The requirement at this level is to recover to a known-good state in isolation to confirm systems are trustworthy before reconnecting to the production environment. RTO and RPO targets are measured in seconds or minutes, which requires the highest level of spending.
DR processes typically include a combination of network and identity isolation, immutable storage or air-gapped backup copies, orchestrated rebuilding of key infrastructure, malware and integrity checks of recovery points, and gated reintegration using runbooks.
This level also goes by other names, such as an isolated recovery environment, a cyber-recovery vault or a clean-room recovery.
A modern take on the Share model
U.S. Securities and Exchange Commission disclosure rules require public companies and organizations in regulated industries to report material cybersecurity incidents and describe their risk management and recovery capabilities. This has raised the bar for cyber resilience governance to make tested, well‑documented disaster recovery programs essential.
Even outside regulated sectors, DR programs must be verified. Any IT purchasing decision should include demonstrations that critical workloads, dependencies and recovery processes will perform under stress.
Consider the old Share model as a starting point. Its strength lies in its recoverability model, but it is limited by its focus on infrastructure. For enterprise buyers and data technology strategists, the key is to correctly classify workloads to the modernized three-layer DR framework. Due to budget constraints, leaders must assign appropriate disaster recovery patterns to justify spending decisions. Ultimately, this amounts to allocating fewer resources to low-impact systems, investing more in critical operations and reserving the highest assurance for workloads that are crucial to business continuity.
Editor's note: TechTarget editors updated this article, originally published in 2021 and written by Paul Kirvan, in March 2026 to add new information and improve timeliness.
Tom Walat is an editor and reporter for TechTarget, where he covers data technologies.
