May 12, 2020

Getting a flat tire is a disaster.

Knowing where you keep the spare is disaster recovery.

Changing a tire in under 7 minutes to get right back on the road is business continuity.

In this episode, I interview Cosmo Gazzani, Director of Business Development at Continuity Centers and wekos, about business continuity and the importance of backing up your data.

What we talked about:

  • The nuance between disaster recovery and business continuity
  • How SMBs can know whether they should have an information continuity plan
  • 3 buckets for planning for business continuity
  • How & why to backup your data, even if you’re a one-man show


This post is based on a Virtual CISO podcast with Cosmo Gazzani. To hear this episode, and many more like it, you can subscribe to Virtual CISO here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

John Verry (00:06):

You’re listening to the Virtual CISO podcast, a frank discussion, providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:26):

Hey there and welcome to another episode of the Virtual CISO podcast. As you know, I’m your host John Verry and with me as always the Sundance Kid to my Butch Cassidy, really we can’t do better than that, Jeremy’s Sporn.

Jeremy Sporn (00:38):

Hello everyone.

John Verry (00:40):

Did you run out of time preparing?

Jeremy Sporn (00:41):

No, I really just wanted to say “Hello, Butch” to you, to your face. That’s really all I wanted to say. And now my dream has been realized then we can move on.

John Verry (00:50):

Is is this getting even for me for the Wally Pipp one last week as a punishment?

Jeremy Sporn (00:53):

That’s basically it. And this time I make you choose between getting the girl because the Sundance Kid gets the girl or being the leader of the group and I’ll take either, so I saw… That’s fine by me.

John Verry (01:05):

If I knew which one did, which I… Don’t they both die in the end in a bloody shootout?

Jeremy Sporn (01:11):

You got that one right, unfortunately.

John Verry (01:13):

So, we couldn’t have… So… Can we re-record this with names that don’t die in a bloody battle? Like, is that sort of like the Alamo or something that they died at?

Jeremy Sporn (01:20):

Yeah, but were still heroes. It’s 73rd on the best American movies list. So I’m feeling pretty good about our [inaudible 00:01:27] here.

John Verry (01:29):

You know me, I prefer to think of myself as Brad Pitt-ish, but, okay, we’ll save that for another episode. So, did you have a chance to listen to my conversation with Cosmo Gazzani?

Jeremy Sporn (01:40):

I did. And fair warning to anyone who’s going to stick with us and listen to the conversation. Business continuity has to be one of the least sexy topics in information security. But for better or for worse, one of the most important that needs to be addressed cause it’s underserved and it costs companies and people just a lot because of it.

John Verry (02:04):

Yeah, I mean if you look at the statistics, I mean I forget what exactly, I mean he might even bring it up in there, but there’s a, I mean what is it, 50% of companies don’t survive a major business continuity outage or something incredible like that.

Jeremy Sporn (02:15):

Yeah, it’s amazing. I think the exact percentage from FEMA was 40% who experienced an outage that lasts longer than a few days don’t last another year. And so it’s absolutely dreadful. What I think is the most surprising is how matter-of-fact Cosmo can be about BCDR and there’s this kind of this cool thing where he talks about “You just have to ask yourself one question, can your business survive without its data? And if the answer to the question is, you need your data to survive… For your business to survive, then you need to address it.”

Jeremy Sporn (02:51):

And it’s really that simple. And I don’t think you need to overcomplicate any more past that. I think he does a good job of explaining why it’s so key.

John Verry (02:58):

I would agree. And one of the things that I enjoyed about the episode and I think is valuable is we talked about what the terms disaster recovery, business continuity and what I prefer to say is IT continuity. And I think that that is one of those areas that I think is so confusing for a lot of people. So it might be worth listening just to kind of understand that differentiation cause I think it puts different ideas in your head.

Jeremy Sporn (03:20):

I couldn’t agree more. So today guest, Cosmo Gazzani, Director of Business Development Continuity… Excuse me, the Director of Business Development, really a sales guy heart, at Continuity Centers and Wekos. It’s kind of cool because he’s sales guy, he really gets that business side of BCDR and that comes through as well. So anyone who’s not a information security guru and it sits more on that COO, CEO side of things, you’ll appreciate his perspectives.

John Verry (03:47):

Come on, finish your script.

Jeremy Sporn (03:50):

Expect to walk away with an understanding of why BCDR should not be ignored and some simple guidance on how you can improve your BCDR without breaking the bank. You’re welcome, John.

John Verry (04:03):

Cosmo, How are you today?

Cosmo Gazzani (04:05):

All right John, how you doing?

John Verry (04:07):

Good to catch up.

Cosmo Gazzani (04:08):


John Verry (04:09):

So Cosmo, we make this easy to start with, right? Give us an idea of… But tell us a little bit about Cosmo and a little bit about what you’re doing right now.

Cosmo Gazzani (04:15):

All right, so my name’s Cosmo Gazzani. I’m a Business Development Director for Continuity Centers and Wekos, combined companies. And we focus in a continuity… Business continuity, disaster recovery…

John Verry (04:27):

Easy for you to say.

Cosmo Gazzani (04:31):

Yeah. So you going [crosstalk 00:04:31] starting off easy.

John Verry (04:31):

I told you that was easy… Oh boy, we’re off to a bad start folks. Hey Jeremy, we got to screen the guests a little bit better moving forward, okay? So, before we get out of this, I’m going to go one more easy Cosmo by if you fail this when we’re done. So, I always like to start like kind of personalized things. So we have a tradition that… I always ask people, “What’s your drink of choice?” And so, whether that’s for thinking, whether that’s for lax and… What’s your drink of choice? Or maybe you’ve got multiple drinks of choice.

Cosmo Gazzani (05:01):

Well, I mean on the strong side… Let’s put it this way. My name is Cosmo Gazzani, right, so you know where I come from, right? Who’s [crosstalk 00:05:08].

John Verry (05:09):

Are we going [inaudible 00:05:09].

Cosmo Gazzani (05:11):

No, not Greek. Italian.

John Verry (05:13):

Oh I can…

Cosmo Gazzani (05:13):

So… Yeah. So from that, yeah, I pretty much have red wine flowing in my veins. My father used to actually be a winemaker. Amateur at that, but still it was winemaker. I mean, we used to drink wine out of jugs today we drink out of bottles and it has become an expensive habit. But that said…

John Verry (05:33):


Cosmo Gazzani (05:33):

Wine. Yeah, yeah.

John Verry (05:36):

[crosstalk 00:05:36] mostly or have you have diversified and do you go to California’s as well?

Cosmo Gazzani (05:41):

Always yeah. All over. Californias, Italians, French? Yeah. I love wine. Let’s put it that way.

John Verry (05:47):

I drink red wine a lot of nights as well. And I will tell you this, is that after having gone to Italy and experiencing wine in a very different way than you experience it here, I will tell you, I think there’s something different about California wines and I don’t know what it is, but I actually prefer Californians and drink… Excuse me, I prefer Italians and drink an awful lot of Italians these days.

Cosmo Gazzani (06:08):

Oh sure. They don’t call it Two-Buck Chuck out there. They call it Two-Buck Chalutz, tastes a lot better.

John Verry (06:13):

The only problem is I can’t afford the ones that I like, from down the Piedmont region, they get kind of expensive for me. So I’m stuck drinking a zin from Italy that I like quite a bit for a reasonable price point. So, let’s get to what we’re… What you we’re here to chat about, right? Your expertise is in, like you said, a business continuity, disaster recovery, things of that nature. And one of things that I see is a confusion is, you hear terms disaster recovery, you hear terms, business continuity, you hear terms IT continuity. Want to clear that up for folks?

Cosmo Gazzani (06:46):

Sure. So, some overlapping definitions there for each one of those terms. Right. But let’s start with disaster recovery. Disaster recovery is really the process of recovering from a disaster and just like the name states, right, first and foremost you need to figure out what the disaster affected, right? That it affected facilities, did it effect your systems, your power, your accessibility to your data. It’s really a process recovering from a disaster as opposed to business continuity, which is basically bringing your business back into operation. So I know that’s still kind of convoluted, but basically what that means is getting your business to the way it was when it when in production, right? How you get back to an operational state, alternate workspaces, valid backups of your data, having those, what processes in place to make sure that your business is back up and running. It involves a lot of testing, a lot of planning, right? So business continuity starts with something called a Business Impact Assessment.

Cosmo Gazzani (07:44):

You’re looking at how your business can run and what the critical needs of your business are to keep it running. Doing the testing and exercises behind that, right? So not just saying, “Yep, here’s what we need to run our business in a case of a disaster or an extended outage”, but testing those points and making sure that you do have a redundancy and robustness behind that.

John Verry (08:06):

Right. So, actually it was interesting because the way you define those actually speaks to why I no longer use the term disaster recovery, business continuity. Because you’re right, they sound so much alike. So the way I communicate it now, and I wonder what you think is, I like the term information continuity and business continuity because I think information continuity is kind of an analog to disaster recovery where it’s the recovery of, call it the recovery of the IT processing capability, right? And then business continuity is the recovery of the other business functions. Fair?

Cosmo Gazzani (08:39):

Oh, absolutely. Yeah. Yeah, absolutely. Quick analogy here, right, between disaster recovery and business continuity. Here’s the disaster that you might experience yourself, right, having a flat tire in a car. You have a spare, you know how to change a tire, and most of us do anyway. I mean…

John Verry (08:55):

I think that might be a little bit of a lost art these days, especially if you’re going to run flats. But okay. Well I’m going to tell with your analogy even if I don’t believe it fully.

Cosmo Gazzani (09:02):

I think you just ruined it, now. You just [crosstalk 00:09:04].

John Verry (09:03):

I did. I’m very…

Cosmo Gazzani (09:05):

That was my DR plan, but anyway…

John Verry (09:08):

People tell me that I pretty much screw everything up so I’m not surprised to screw your story yet, but go ahead. Let’s pretend I didn’t.

Cosmo Gazzani (09:14):

So you know that there’s time that it’s going to take to change that tire and get back on the road, right, and the process that you’re going to implement to get that new tire or your spare back on and get yourself back on the road. That’s the disaster recovery piece of it, right? Your recovery time objective, right. How are you going to get back on that road? The business continuity plan is like, “Hey” you go get that tire and you have it ready. It’s inflated, it’s ready to go. You just put it on, tighten those bolts and get back on the road. A bad disaster recovery plan or bad business continuity plan would be that there… You go get that tire and it’s either missing, it’s not inflated to the proper pressure, right. You put it on and it’s flat as the other tire. And…

John Verry (09:54):

Or you don’t know how to fix it… A flat.

Cosmo Gazzani (09:56):

[crosstalk 00:09:56].

John Verry (09:57):

Yeah, You don’t know where to… Well, you don’t know where to put the jack and I saw that recently on the side of the road. I felt bad for someone I drove by. They didn’t put the Jack under the right…. They have that little notch now in the sides of cars, they put it in the wrong spot and [inaudible 00:10:09] the guy had creased the whole doorway structure, because he put it in the middle of the car. So yeah. So that’s a business continuity plan.

Cosmo Gazzani (10:17):


John Verry (10:18):


Cosmo Gazzani (10:19):

Well it could be AAA right? It could be an alternate plan, run flat tires like you mentioned, etc. etc. Going from there.

John Verry (10:25):

Right. Or like you said, or even having the phone number for AAA. Right. And knowing that the phone number is up to date or knowing that your membership with AAA is still current. Right, those are the kinds of things… Yeah. I actually kind of liked that analogy even though I blew it up a second ago. So, let me ask a question. So, let’s use the term information continuity and business continuity because I think that’s clear. So is information continuity, that DR, that backup, do you consider that just a given for all businesses? A lot of our people that listen to the show are small to medium size enterprises, right? Anywhere from five or 10 people up to 500 or a thousand or 2000 people. Is that idea of IT continuity just a given if you don’t have that, you’re in trouble?

Cosmo Gazzani (11:09):

Absolutely, john. Because, actually one study comes to mind from FEMA. 40% of small businesses that they don’t recover from an extended outage. Right. Due to some kind of disaster or like I said before, extended outage and another 25% of those companies fail within that first year that they’re back in business because they didn’t have a plan. They were out for an extended period of time and weren’t able to get back up and running. And unfortunately the smaller business are a lot more vulnerable than larger businesses. So, that said, keeping a business going is important for survival and a DR, BC plan is imperative, especially for those smaller businesses.

John Verry (11:51):

Got you. So, when you talk… So, when we talk about backups, right, For a typical 100-person firm, is there an easy strategy to deal with that and what would that be? And I would assume that… I would think that the reason why I think it’s almost essential these days is ransomware, right? I mean, if you don’t have a backup plan and you do get hit by ransomware, you’ve got no ability to recover data. And we see company after company just literally closing their doors because they no longer have the data that they need to run the company.

Cosmo Gazzani (12:22):

Yeah, I mean, as a business owner you have to ask yourself that, right? I mean what’s the most valuable piece of your business? And most of them it is your data, right? It’s not really your facilities, I mean, even though some manufacturing if you’re doing manufacturing or something in the facility, obviously that’s pretty important to run your business. But the data is really the heart and soul of the business and you have to protect it. And the number one way of protecting that data is having a valid backup.

John Verry (12:48):

Got you. Strategies for a value perspective of onsite, offsite cloud. What’s your typical recommendation these days?

Cosmo Gazzani (12:59):

Well, actually both, right? I mean, first and foremost, you probably should have an onsite backup, right, an appliance that’s backing up locally and making sure that you do have, even for those file corruptions or somebody accidentally deletes a critical email or a file, you have that local replication that you can quickly restore that. Then taking that data that’s been replicated on site and copying it offsite, right to either one, two or even three replications, adding additional redundancy into that, geo-diversifying that data and putting it on both coasts or you know, North-South or Mid-Atlantic and getting it replicated even further or made redundant even further. So there is a lot of different redundancies that you can build into that data, but it definitely is important to get it at least offsite.

John Verry (13:49):

Yeah. So, and I would say the other reason why I’m a big fan of offsite is just because anything which is persistently connected to the network is vulnerable to propagation of ransomware or something of that nature. Right. So knowing that you’ve got a non persistently connected cloud instance of that data is going to put you in a position that even if malware ran rampant on your network, you’re still in a position that you’ve got the data that you need. Right?

Cosmo Gazzani (14:11):

Yeah, absolutely. I mean, and, God forbid you might show up and your office could be a smoking hole, right and those servers and that data that’s in there.

John Verry (14:20):

Yeah, that’s another good reason. Or, I mean here in Jersey, it’s not that long ago that we had the hurricane. Sandy and there were a lot of, especially a lot of government municipalities that lost a lot of data due to flooding. So question for you. So one of the things which is a really interesting development is, increasingly, I’m speaking with SMBs, in fact, this afternoon I spoke with a firm, they were 90 people, very significant company, and they have literally no office, right? And they’re cloud-first, right? So everything’s in the cloud pretty much. How does that impact the concept of data recovery or data backups, IT continuity?

Cosmo Gazzani (14:57):

Right, so really taking two different perspectives here. I mean, the first thing is obviously it’s adding up a lot of… Or I should say more robustness to your data, right? Because you’re putting it up in the cloud, it’s dispersed in the cloud. It’s actually probably replicated throughout several different sites in the cloud. It’s definitely making it much more resilient. It’s probably in a facility that’s a lot more resilient also. It could be in a tiered data center, it’s not sitting in your broom closet in your office.

John Verry (15:29):

Yeah, I’ve seen a few of those.

Cosmo Gazzani (15:30):

So that’s the majority sometimes. But yeah, so it’s up there. But with that said, a lot of times it doesn’t mean it’s backed up, right. Because your email is in Office 365, in Microsoft, doesn’t necessarily mean that it’s backed up. I still encourage our customers to do a backup of any cloud instances that they have. Just so that you have that, because, unfortunately that cloud or that instance could go away. Right? I mean, it’s never enough protection there. But that said, I mean obviously, working from almost anywhere is something you could do with the cloud, right? You can access your data from anywhere, wherever you are. Obviously providing you have power, you have connectivity, which a lot of customers say that “Hey, I could work from home.” But unfortunately if it’s a [inaudible 00:16:23] affecting outage, you won’t have power or connectivity from your house or Starbucks or anywhere else where you might work.

Cosmo Gazzani (16:28):

But it has actually improved business continuity for a lot of smaller business and medium and enterprise businesses.

John Verry (16:36):

Yeah. So, I was asking specifically, because it’s intriguing to me about… From an IT continuity, from the data backups perspective. So when you think about that, I do believe that Microsoft probably has that data replicated in multiple places. And I think that you probably can trust Microsoft or Salesforce or someone of that nature and when you get down into a smaller software-as-a-service company. Yeah. I think it’s a very interesting strategy and I’m amazed how rarely we see people that actually are getting backups of data from their sizes. In fact, there are… I’ve been told by multiple people that the SaaS have said that they have no mechanism to provide them with this data. So, it’s interesting, like a lot of our law firm clients run on a platform called NetDocuments.

John Verry (17:18):

Now I will say that NetDocuments actually has a very elegant solution for ensuring that all of the client matters, right, all of the matters of law, they have a mechanism by which they’ll back it up automatically to another data center for you that you’re in control of. And I think that’s just an awesome solution. And I wish more SaaS’s made it clear and upfront and easy to do.

Cosmo Gazzani (17:35):


John Verry (17:36):

So I think you said earlier, and I don’t want to put words in your mouth, but I don’t think you have a choice, but to have a information backup IT continuity plan as a small business, given the risks that we talked about. When do you get a point that you really need to start thinking about a more formal business continuity plan? Right, now, especially now that you’ve got the coronavirus thing going on, which is a different… So, there’s different drivers, right, that might cause us to get to that point. Where do you think a firm gets to in terms of size or revenue. Do you know when you need a business… If someone’s listening, how do they know if they need a business continuity plan, they should go and ask the IT guy like, “Hey, do we have one of these?”

Cosmo Gazzani (18:16):

Well, you know John, I think every customer should have some idea of where… How to recover from anything that could happen. I don’t know if it’s something about size or or revenue. I mean really, I mean, you have to ask yourself a couple of basic questions. How long can you survive or your business can survive in and outage? And not just looking at the business itself from a revenue perspective, but looking at it from a reputation perspective. Right? I mean, It’s a Wonderful Life comes to mind, right? That movie that comes around Christmas time where they all show up and the bank is closed and they’re all looking to get their money out and [inaudible 00:18:53].

John Verry (18:54):

George Bailey, right?

Cosmo Gazzani (18:56):


John Verry (18:56):

Is that his name?

Cosmo Gazzani (18:58):

I think so. Right?

John Verry (18:58):

Jimmy Stewart, right, it’s George Bailey.

Cosmo Gazzani (18:59):

Yes, exactly.

John Verry (19:01):

And angels got [inaudible 00:19:03] wings.

Cosmo Gazzani (19:03):


John Verry (19:03):

Yes, Bailey. And angel got a wings. Not that I’ve ever seen it before. I mean, I’m not old enough to have seen it. My mother told me about that movie.

Cosmo Gazzani (19:11):

Exactly. No, I mean it’s a holiday classic. So really how long can you survive? Right. Like I said, reputation is involved there. Unless your business is a little lifestyle hobby that you have and it’s just, funding some extra income, I don’t think there’s a lot of those out there, but your business is important and you need to keep it up and running. Right? So how long can you survive? Right? I mean if you, if it’s… Most outages, maybe two or three days, whatever, if you can sustain that, then maybe you don’t need a business continuity plan. Right? But you should still figure out at least protecting your data, figuring out if there is an extended outage, where do I go work, how do I recover my systems? And if my data goes away, how do I start from scratch which hopefully nobody has to make that decision.

Cosmo Gazzani (19:56):

But I don’t think it’s a matter of size or revenue or anything like that. I mean, if you, if you have a business, you have to ask yourself those questions and then make that determination of how formal that business continuity plans should be. But you should have at least an idea of how to keep your business up and running from, even a one-person shop. Right?

John Verry (20:17):

So it’s not size, it’s not revenue, it is based on what you do and what is a period of time that your business not being able to deliver that service or product would be acceptable?

Cosmo Gazzani (20:29):


John Verry (20:30):

Okay. All right. So, from your perspective, how much does that differ for different types of outages? Right. I mean, so we might have a situation where no one can come to work because of the coronavirus. Right? We’re saying that right now in China, I mean some of the pictures of the stores with no one in them is staggering, right? Or there’s no workers that are coming in because of that reason or you’ve got what floods, you’ve got a building being an unenterable based on maybe a chemical spill or a fire. Does it change? Like, does your strategy on what your business continuity plan change based on the types of things that are potentially going to occur?

Cosmo Gazzani (21:11):

I would say yes. I mean, but it can be based on a few different aspects of your business. Right? I mean number one, like you mentioned coronavirus, right, that’s a resource-affecting problem, right? I mean, you’re going to need people to run your business, right? I mean, pandemic, epidemic, whatever. People can’t get to work or maybe they’re too sick to even work. How do you keep your business going that way? It’s a little bit different than, like I said before, your building becomes a smoking hole or is gone, you can’t access it, right? It might be two feet under water. Where do you work from and how do you… How does workplace recovery come into play? And then again, there’s data, right? Again, we keep going back to data. If it’s not… Your primary data store becomes corrupt, how quickly can you recover from your backup?

Cosmo Gazzani (21:57):

That brings up a good point, just because you have a backup doesn’t mean that instantaneously you can recover from it, right? I mean, it’s going to take time. And, if you’re a trader or a financial company and you can’t recover that data quickly and that’s critical to run your business, that’s something you had to take into consideration, right? That recovery time objective, how quickly can you get that data back up and running? So every… All these different types of silos here, you have to have a plan for each one of those.

John Verry (22:30):


Cosmo Gazzani (22:30):

So each one is a little bit different,

John Verry (22:33):

Right. So, let’s say that we agree that we need a plan, right? The process of that plan is, give me like a 10,000 foot view of how you go about developing a business continuity plan.

Cosmo Gazzani (22:48):

Well, you start with… Obviously, again, it’s people, your systems and your workplace, I think is the top three areas that you need to focus in, right? I mean, let’s work… You can start with workplace. Can you operate from dispersed locations away from a central site? If you’re a call center or service desk, sometimes you need to collaborate amongst each others, it might not be… You might not be able to run from different locations, right? So you have to find a place where you can all work together and that’s where workplace recovery comes in. Your data, like I said… I think we spoke about that already. How quickly can we get it back up? What applications are critical, how many of those applications that you need and how much of that data you need to run your business, right?

Cosmo Gazzani (23:34):

At least from a point of… You could do your day-to-day business, right? I mean it might… You might not have all the luxuries of having all your applications running at the same time, but it could be your collaboration, your payroll, the top two or three or four applications that you need to run your business. How quickly can you get those back online? And that’s a key component that you need to measure and figure out for your plan. And lastly, is people, right? I mean, how many people do I need to keep the lights on, right? To keep business running? Do I need all, like you mentioned your business you spoke about before, 90 people to run in a recovery type of situation. Or can I run with a what, a tiger team of 10 or 15 that I have set up to kind of run the business sort of like in a disabled state?

John Verry (24:22):

Got you. So, if I over-simplified it right, this business continuity plan is, it’s something which is going to be our roadmap in the event that crap hits the fan, right? It’s going to be “Who do I need to get in touch with? How do I get in touch with them?” For different scenarios, certain different systems, different people not being available. It’s going to give me the logical branches to follow, to get to a point where my business, while it might not be fully functional, right, it’s not going to be fully crippled and then it’s going to give me a strategy to recover the business in accordance with business criticality of the different functions.

Cosmo Gazzani (25:01):


John Verry (25:01):

Cool. Anything we didn’t touch on when it comes to DRBCP? You mentioned workspace recovery, so define workspace recovery, because that’s something that I don’t think most people think about when they think about business continuity.

Cosmo Gazzani (25:14):

Yeah, so workplace recoveries is really having a place to go and run your business, right? It’s usually in a robust facility that has backup power, N+ power, meaning, they have generators, they have ways of keeping the lights on there, they have multiple points of connectivity. Could have multiple carriers. Your typical data centers and robust facilities that have those types of functions are great for workplace recovery, right? At Continuity Centers, that’s one of our primary businesses, right? We have facilities throughout the United States that we can provide workplace for customers. So that’s really what you have to look at. I mean, obviously a Starbucks or your home might not be available.

John Verry (26:01):

Yeah. It’s funny, really funny. I’ve never really thought of it that way. Typically when I think of recovery… Workspace recovery, I think of companies that, let’s say have a call center or they’ve got a reason why everyone has to work from one location. When I think about it, our business continuity plan basically says some people can work from wherever they are because we’re largely cloud based and as long as we can get to a PC and get to our cloud based services and get to… And have a phone, we’re okay. But without power, none of that stuff really works. So actually that’s kind of an interesting… Even companies that are largely dispersed and have that type of a concept, having a place to go where they know there’s going to be power and internet connectivity might actually be more important.

John Verry (26:39):

I never thought about that. So that’s pretty cool. So I always to ask a fun question. So I’m going to ask you… I used to ask this question about a CISO, but I’ll give it to you but a DRBCP lead. So, yeah, if you think about either a fictional character or a real person, what would make somebody either a fantastic and amazing or a horrible DRBCP lead and why?

Cosmo Gazzani (27:02):

So we have to think of, I guess guys that had a pretty good plan, right? So I’m almost afraid to bring this guy’s name up, but Rudy Giuliani back in [crosstalk 00:27:13], he really stepped up as a leader for two or three days after that that terrible event happened in New York. He helped mobilize a lot of teams. He took that role as a leadership and I was very impressed with that whole activity of bringing the city back together after that horrible event. Another good character, and I mean more on the light side I guess would be like Courageous Cat. A lot of listeners probably are not old enough to remember that guy.

John Verry (27:43):

Yeah there’s… Anyone who’s listening right now is like Googling “Courageous Cat”.

Cosmo Gazzani (27:49):

You know, courageous cat he was so much a Batman, but it was a cat and a mouse. Courageous Cat and Minute Mouse. And Courageous Cat was a cartoon character that basically had a belt full of different guns and these guns, all did somethings special…

John Verry (28:00):

That sounds a lot like Batman.

Cosmo Gazzani (28:02):


John Verry (28:02):


Cosmo Gazzani (28:03):

Same thing. But that was the original Batman. Then it got old and crazy and…

John Verry (28:06):

So you’re saying Batman ripped off Courageous Cat, is that what I’m hearing?

Cosmo Gazzani (28:09):

Yes. I think so.

John Verry (28:10):

All right.

Cosmo Gazzani (28:10):

Kind of similar. Similar because… I mean I remember Batman from the TV show and again I’m making myself feel so old here, but the original TV show when the Joker or the penguins showed up, the whole screen would go “slanty” which meant crooked. I had to learn that myself. But those were the crux and it was crooked screens. There was no guessing. The new Marvel shows now you have to watch the whole thing, it’s like “What just happened here?” It’s way too much complexity.

John Verry (28:39):

You’ve got to interpret. I mean, them good old days… The good old days [inaudible 00:28:40]. So going back to Rudy Giuliani and not from politics perspective because I don’t want to talk politics… But I do think that a lot of people would say that New York City did a remarkably good job of recovering. What was it? Is it that they had a good preparation? I mean is that really what it was? I mean, I know that New York City, having done a lot of work for the City of New York, they put a lot of time, energy and effort into those types of things.

John Verry (29:07):

Do you think that was really what… Was it a preparation thing that made them be so successful?

Cosmo Gazzani (29:12):

Yeah, yeah. I mean, I think… I worked down in that area during the first attack when fertilizer bomb exploded in the basement of the World Trade Center there and same type of stuff. I mean, it was pretty scary. And I think that that was an eyeopener for a lot of emergency crews in New York and the response units and they were pretty prepped. I mean obviously now is probably a lot more planning into that, but I think there was a lot of… A lot of people coming together and working together and working as a team and just the camaraderie and all the different pieces that happened after that event. Really remarkable. And that’s… I mean, kind of on a smaller level, but that’s really what a good business continuity plan is, right? If you can execute it and bring your business back into functionality or productivity as quickly and as efficiently as possible.

Cosmo Gazzani (30:12):

I mean, that’s really what notes a good business continuity planning. And you won’t be able to know that until you really test it. Right? So that’s a key point of any plan is to test it and make sure that it works.

John Verry (30:24):

Right? Right. So, I just want you to know that I am never going to be able to see Rudy Giuliani again without thinking of Courageous Cat. So thanks for putting that thought in my head.

Cosmo Gazzani (30:34):

How about the bad guy, you didn’t ask me about the guys who didn’t have a plan?

John Verry (30:37):

Oh, all right. Sorry, I didn’t know you had more to give. All right, let’s go.

Cosmo Gazzani (30:41):

This is the last piece here, the Titanic, right? I mean, think of that. And I think it was Edward John Smith was a captain of the Titanic and that was terrible. That was a terrible disaster. I mean, a lot of people perished and they didn’t have enough lifeboats. Right. And that’s a key thing, right? I mean, not having a workplace recovery is not like not having enough lifeboats for certain companies that need a workplace to work together. People were leaving the boat from what I read and these lifeboats weren’t fully…

John Verry (31:14):

It’s a terrible story.

Cosmo Gazzani (31:16):

Leaving people behind. And that’s not a good execution of a plant, right? I mean that’s just…

John Verry (31:21):

Well, they didn’t. Like you said, they didn’t have a plan.

Cosmo Gazzani (31:23):

No, exactly.

John Verry (31:24):

Yeah. That’s actually a really fantastic example that I never thought of, so that one actually, that one I’m going to steal from you. I’m going to tell them it was my idea.

Cosmo Gazzani (31:33):

I got one more for you on the bad side.

John Verry (31:35):

You said one more and I already gave you one more. One more.

Cosmo Gazzani (31:40):

Well, I [crosstalk 00:31:41] two, you got to make it even.

John Verry (31:42):

Make it then. [crosstalk 00:31:42] was so good. Are you sure? You’re probably going to screw this up.

Cosmo Gazzani (31:45):

Well, this is kind of like…

John Verry (31:46):

It was a high watermark. You don’t want to end there?

Cosmo Gazzani (31:49):

On the vein of the same… Similar to Courageous Cat. Wile E. Coyote. He didn’t have a plan.

John Verry (31:59):

Yes, he did. It said Acme on the front cover, I’m sure of it.

Cosmo Gazzani (32:04):

Yeah, think of all the money he spent on all that stuff have probably bought a huge dinner, right, instead of trying to catch that damn Road Runner. But, you know if you strap a rocket onto your back and [inaudible 00:32:14] , it’s not going to end well, so that’s a bad DR leader right there.

John Verry (32:20):

All right, well. And on that note, as Jeremy Clarkson would say, “And on that bombshell.” So, last question for you. So, you speak every day like we do here with the folks in the SMB, SME space. Any interesting topics you think we should think about for other episodes?

Cosmo Gazzani (32:41):

Yeah, they, well, I mean if you’re in IT, you’ve heard of IOT, right? I mean in internet of threats. I’m sorry, it’s the internet of things.

John Verry (32:50):

By the way, it’s also the internet of threats. I wasn’t going to correct him cause I actually think threats and things are probably pretty analogous at this point.

Cosmo Gazzani (32:59):

Yeah. I think we’re bringing a lot more technology into our own lives and into our businesses, right? And bringing this artificial intelligence and IOT and things that are automatically happening for us, it’s more things to watch and more things to pay attention to. And I think that that’s super important and that… And think about even, from a DR perspective and a business continuity, if a lot of your businesses running automatically without manual intervention and that stuff goes away, you’re going to have to be manual again. If you’re like me, I won’t be able… If my GPS goes away, I probably won’t be able to find my way to the corner of my block. But I’d become so reliant on that technology you don’t even think about it. But the more technology…

John Verry (33:47):

Or you can call Courageous Cat. You can call Courageous Cat, you’ll be fine.

Cosmo Gazzani (33:54):

Yeah. Absolutely.

John Verry (33:54):

So, yeah, I couldn’t agree with you more on the IOT. And actually it’s fascinating to me, in the last… If you talk two years ago, we really weren’t… Didn’t have many conversations around IOT. We’ve got two or three huge projects going on right now that are just absolutely fascinating. So I agree with you completely. And I don’t think people understand the level of impact that IOT has on their everyday life. I mean, just with the stupid stuff in your house. I mean, if you look at, and I won’t use the word because she might wake up or he might wake up, but all of these smart speakers and devices that we have in our house, in the smart thermostats and the smart phones and the… I mean, yeah, they’re all devices that are communicating up to the internet.

John Verry (34:31):

Your car is communicating to the internet, right? The cars are starting to communicate with each other in smart car technology. And then you get into the internet of bodies, which is even more amazing, is that all of these wearable devices, implantable devices, injectable devices, right. They’re all visible on the internet. So now there’s a new whole field called the internet of bodies and talking about the threats associated with that. So that’s a good one. And we definitely have some stuff planned for that, so that’s cool. So thank you for coming on. Genuinely appreciate it. Before we leave. If folks wanted to get in touch with yourself, they want to get in touch with Business Continuity Centers, Wekos, how would they do that?

Cosmo Gazzani (35:08):

Well, my email address is [email protected]. That’s the shorter version. I could do that’s the quickest way. I think that’s, we could set up that way. I mean check out our website,, there’s links there to go to Again, it’s kind of split up between disaster recovery, business continuity, and then the managed services side. So we take care of the production as well as the backup and replication side too. So, it’s about resiliency. Really, that’s… When you think DR and then the business continuity and even your production side, it’s all about being resilient.

John Verry (35:45):

So it’s really interesting that you should say that. And that’s a good… It’s a good note to leave on is that that seems to be the emphasis now. So if you look at all the new guidance coming out of the government, especially around the OCIE and SEC guidance, that’s the term that they’re using now, is resilient. Because I think resilient combines the concepts of secure and available. So I think that’s a good note to leave on. Thanks Cosmo.

John Verry (36:09):

You’ve been listening to the Virtual CISO podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.