Deciding whether or not to outsource your disaster recovery planning—and then picking the right vendor—can be a daunting choice. But David Chapa, a senior analyst with Enterprise Strategy Group, gives his tips for what to look for in IT disaster recovery services during a recent interview with SearchDisasterRecovery.com’s John Hilliard. Listen to the podcast of the interview or read the transcript below.
Download for later:
- Internet Explorer: Right Click > Save Target As
- Firefox: Right Click > Save Link As
What should you look for in IT disaster recovery services? Should you expect the provider to send a team to advise your organization in the event of a disaster incident, or are these services focused more on helping you develop a DR plan?
There are certain levels of disaster recovery services that customers are able to subscribe to. Some will be able to walk customers through the process of developing a disaster recovery plan. It really is a difficult task for customers to come up with a DR plan, because really what you need to do is understand who is going to be available and oftentimes, that is a big question. But who is going to be available to execute the plan, and so therefore the plan needs to be written so that individual on that chain is able to recover the system, the application and the data. Let’s say for instance you don’t have your entire staff: You have maybe a junior [systems administrator] who is available to get to the DR site. Well, that junior sys admin needs to be able to recover and execute that plan. So writing a plan that is very effective [that] can be tested and executed to that level is quite important. Now on the other side of the coin, you have services where companies will actually provide resources to help execute those plans at the recovery site as well. So it really is a two-sided coin, really, of what customers can choose from, and there’s a variety of vendors out there.
What kinds of technology should an IT disaster recovery services provider have available for clients? For example, should it have servers available for a client’s use while that client is responding to a disaster scenario?
At this point, the customers are in the driver’s seat… I believe customers need to take a good, hard look at what their requirements would be in the face of disaster. You want to make sure that the systems you have on your local site can be adequately supported at the recovery site. So I think that customers are in the driver’s seat, they need to take a look and they need to identify the highest-priority applications, what server and resources do I require, and do the providers have this available to me.
I do think that when you declare a disaster, it doesn’t mean you have a smoking hole, either, where your building once was. Declaring a disaster means you might have a rack that went completely down. And so, making sure that you can bring that up via either virtualization or physical servers at the recovery site is very important. I tell people this all the time… data is important to recover, absolutely. But when you’re talking about disaster recovery, I really firmly believe, especially with these publicly traded companies, public relation fallout is one of the biggest concerns companies need to be faced with. Because inaccessibility to their website, inaccessibility to their sales order system, could really negatively impact customers’ perception of this company’s reliability.
Let’s play devil’s advocate: I have an IT staff, the equipment and off-site backup. Why would I want to outsource DR? Am I buying basically the experience of an organization that specializes in disaster recovery scenarios?
The reality is, customers can. [One of Chapa’s customers had a capital expenditure] of about $150,000 just to mirror what they had in their environment for the critical applications they felt needed to run in order to maintain the continuity of their business. But I asked the question of labor: Did you factor in labor? The response was, “That’s really difficult to put a finger on, it looks like a smudge on a piece of paper.” So we put a rough estimate in. And I think that’s a key aspect right there: There’s labor, and there’s expertise. When you’re working with a company that provides a service, they have a certain level of expertise in executing these DR plans, assisting customers to properly execute these DR plans… certainly, they’ll manage to a greater level of success if the plan is properly written. So that’s one of the reasons why customers should consider DR services rather than doing it themselves. Because there will be a team there that is experienced, they’ve gone through disasters, they’re not emotionally tied, and when you’re not emotionally tied, you can think much more clearly and help people execute the plan much more effectively.
What does a DR service provider contract generally look like, and what are some issues you need to understand before agreeing to such a deal?
The biggest thing is the service-level agreement (SLA). I have been in this industry a long time, 25 years, and I remember asking those questions 25 years ago. I think today, there are a lot more formalized SLAs in place, but I don’t know if customers have a firm handle of what those look like in their own environment. When you look at a service externally, and that discussion is made, then I think it provides the customer—and the service provider as well—an opportunity to really define what is that service level, what do you really require. And beyond that, the customer needs to take a look at their business.
Business impact analysis is a real key component to helping identify what should the service levels be for these various applications, servers and data that I’m trying to protect. The other thing is, what if you don’t meet the SLA, Mr. Service Provider? Then, what are the repercussions? What are the guarantees that I can get? I think they need to look at that as well. I don’t want to put any numbers in there in terms of negotiating a contract, but I think those are two very important aspects when having those discussions.
The other component is understanding the data center where your data will be residing. Understand the stewards of that data. What do they do as far as checking individuals who have access to their data centers, what kind of background checks do they run, what kind of certifications do they have… those are all questions customers need to ask. As I have written before, treat this as though you are interviewing somebody to work on your staff and have access to your most critical assets: your data.