I had an interesting conversation with a client the other day about recovery planning. We’d been talking about recovery strategies from the point of view of what I fondly call the “smoking crater” scenario.
Just like individuals, an organization can talk itself into or out of anything. And the likelihood of an actual “smoking crater” disaster is really low, which could lead to a false sense of security and the decision to forgo recovery planning as unnecessary.
The reason we use the scenario of a smoking crater in recovery planning is that it facilitates talking through any and all impacts. If you have to recover your business from scratch, what do you do and how do you do it?
But if you take the scenario literally, you lose the perspective of what could actually happen and related impacts that have a much higher probability, such as a hurricane or tornado, a fire in a neighboring building that causes collateral damage to your building or just precludes your access to your facility, a pandemic, getting nailed by ransomware, etc.
People often think that recovery planning is like an insurance policy: “We’ll throw a few bucks at it since we know we’ll never need it.” The right way to look at recovery planning is: Can you afford not to have a recovery capability?
With more and more organizations sending their computing systems and data to the cloud, more and more people are convincing themselves that, since they’ve got the inherent resiliency of the cloud, they don’t need to worry about recovering those systems. But that’s just another way of talking themselves out of taking on yet another task with limited resources. If they had considered disasters from a functional and not a system perspective, focusing on the actual impacts of a disaster rather than the unlikely event of a smoking crater, they probably wouldn’t be leaving themselves open to those impacts. Remember the forest and the trees?
Recovery planning is not something you want to talk yourself out of. It’s also not something you should need to talk yourself into. It’s as necessary and fundamental to the survival of your business as doing data backups.
Everybody’s been doing data backups since the ’60s. Why? Because everyone understands the need to ensure data availability. Yet having the data does no good if your people and/or your processes aren’t recovered and available.
I’m not saying every organization needs to have all its functions up-and-running within four hours. What I’m advocating is to decide on and plan for the recovery capability you truly need based on well-considered discussions about what makes sense, given your unique operational requirements, ability to execute and financial constraints.
Because the mantra of recovery planning is and always will be: the shorter the recovery timeframe, the fewer strategies you have available in your toolbox and the more expensive those strategies are. From there, you consciously and rationally choose what’s best.
How can you afford not to?