From protecting mainframes to recovering from cyberattacks, the methods for business continuity and disaster recovery have changed, but the practice remains vital.
The IT business continuity and disaster recovery profession has come a long way.
In the 1970s, much of the focus was on protecting large data centers with many mainframe system components. In the 1980s, business continuity really hit it big, with such elements as business impact analyses getting their start. Jump ahead to today's IT business continuity and disaster recovery (BC/DR), and we see a prevalence of standards and cloud-based products that can help an organization of any size be ready to recover if necessary.
In this podcast, Paul Kirvan, an IT consultant, auditor, expert in BC/DR issues and contributor to SearchDisasterRecovery, details the past, present and future of BC/DR.
Advances in technology have certainly aided IT business continuity and disaster recovery. Managed services and cloud DR are making the process easier. During a disaster, with the right product, your organization can fail over its critical operations into the cloud and work as if nothing is wrong. At the same time, the cloud is capable of putting dedicated BC/DR professionals out of work. "Cloud technologies are probably a blessing and a curse, depending on your job function," Kirvan said.
And as technology has improved, the volume and force of possible disasters and attacks on business have increased. Cyberattacks in particular have intensified recently with the pervasiveness of ransomware. Small businesses especially need to be wary of ransomware, as one attack on an organization that's not ready can be the end of that company. It's now more important than ever for all organizations to have some sort of IT business continuity and disaster recovery plan.
Interested in learning more about the history of BC/DR, how it has evolved and what organizations are doing now to ensure they can bounce back from an incident? This podcast and the transcript below will give you a window into the important issues.
Editor's note: The following transcript has been edited for clarity and condensed.
How would you sum up the last year in BC/DR?
Paul Kirvan: I believe the profession is continuing to be accepted as a part of managing an organization. Small to medium businesses still have a hard time justifying BC and DR, unless a disruptive event forces them to implement a program. However, larger firms continue to accept the importance and value of BC/DR.
In the public sector, continuity of operations experienced greater acceptance than business continuity did in the private sector. Several federal government requirements, such as Federal Continuity Directives 1 and 2, have been adopted by most or all federal agencies. Similar activities are occurring in state, regional, county and, to a lesser extent, local governments. An increasing number of state and local regulations are appearing that emphasize the importance of protecting government agencies and their systems and data.
We saw a solid increase in the acceptance and use of cloud-based or managed services that facilitate data backup and recovery, along with application systems for failover and failback. The use of hot and cold sites -- long the mainstay of the industry, especially for large, multinational organizations -- continues, but cloud-based products are gaining momentum, even in very large organizations. Many federal government agencies use cloud-based systems, as well as data protection and recovery products, from cloud providers. Very large organizations use hybrid arrangements, with a combination of brick-and-mortar and cloud products.
Perhaps the most important development for IT business continuity and disaster recovery is the rapid growth in importance of cybersecurity strategies and the associated technology solutions. This doesn't necessarily mean that BC/DR is being supplanted by cybersecurity, but cyberevents appear to occur more frequently than traditional business-disrupting events, such as fires, floods, severe weather, power outages and other situations.
I expect the BC/DR industry to move forward at a steady but gradual rate, as it has over the past decades, and if cloud technologies and managed services become the de facto approach to continuity of business, BC and DR may no longer be needed, at least in their present forms.
How have these advances in technology, such as managed DR and BC services, as well as cloud-based DR, changed the profession?
Kirvan: When used properly -- and assuming a needs analysis has been performed -- managed services and cloud-based BC/DR products can significantly improve an organization's resilience and its ability to respond quickly to a potentially disastrous event. Managed services can become an organization's entire BC/DR capability, or they can supplement existing manual and semiautomated processes. Managed services now make it easier for businesses of virtually any size to have the protection they need for their critical operations and data.
Will automation of IT business continuity and disaster recovery eliminate the need for practitioners of these activities? In years to come, it's quite likely that all or most BC/DR functions will be automated. The big unknown will be the people in an organization. How will they respond to a disaster? How soon will they be able to return to work?
Organizations using managed services may not have to worry as much in the future about reputational damage, as their operations can be restored almost immediately. Again, reputational risk will increasingly be a function of the people, as any issues with technology and business processes will be largely automated and recoverable virtually anywhere. It will also be important to have several employees trained in emergency response activities to ensure that employees are safe.
Do you think BC/DR professionals rely too much on cloud technologies?
Kirvan: At the moment, there seems to be a healthy acceptance of cloud-based technology by IT departments. Whether IT management uses cloud-based BC/DR capabilities is another thing. I believe savvy BC/DR professionals will embrace these technologies, so long as they have access to the resources they are managing. BC/DR activities have traditionally been process-heavy, with lots of reports, interviews, exercises and documentation.
Managed and cloud services should help add value to the BC/DR professional's efforts in an organization. Naturally, the dark side of this is that BC/DR professionals could lose their jobs due to their being replaced by cloud services. If the IT department believes it can use managed service resources for BC/DR initiatives, it's likely to do so.
Further, if IT management believes that having an as-a-service arrangement for BC/DR will be sufficient to ensure the protection and recoverability of its critical systems and data, I believe they are likely to pursue that direction. And so, with regard to IT business continuity and disaster recovery, cloud technologies are probably a blessing and a curse, depending on your job function.
How will the increased focus on cybersecurity and protection of organizations from cyberattacks impact BC?
Kirvan: Cyberattacks get the headlines, particularly because they can impact thousands and even millions of people. While we are still likely to have wildfires, mudslides, earthquakes, burst water mains, snowstorms, hurricanes and tornadoes, we rarely hear about the use of business continuity plans in media reports. Clearly, many businesses are affected by such events, but the media focus is usually on the human impact, especially when reporting serious injuries and fatalities.
Cyberattacks are true business continuity events, but in practice, the two disciplines -- cybersecurity and business continuity -- still occupy separate silos. We can only hope that senior management can be convinced that both activities are essential to their organizations. Ideally, the two disciplines ought to be under the same roof. Whether that happens in practice remains to be seen.
How do you see ransomware recovery techniques evolving over the next year or two?
Kirvan: Ransomware will no doubt get more sophisticated as those who threaten organizations will probably be more bold and aggressive in their tactics. Just as security software vendors try to keep ahead of viruses, phishing schemes, denial-of-service attacks and other mainstream cyberthreats, antiransomware products will need to be more sophisticated.
Network perimeters will also need to be more robust and secure to prevent ransomware attacks, as well as other cyberevents. This will mean more powerful firewalls, intrusion detection systems, intrusion prevention systems and other solutions will be needed to counter the threats from inside and outside a company's perimeter.
Ransomware and other cyberattacks are not likely to stop; if anything, they will probably increase over the coming years. Social media will increasingly be an important way for cyberattacks to occur. Finally, the growing interest in internet of things technology will probably provide yet another avenue for cyberattacks.
Finally, is there anything else you wanted to mention about IT business continuity and disaster recovery that we didn't touch on?
Kirvan: The number of standards and regulations addressing business continuity and cybersecurity continues to grow, particularly at an international level. For example, the International Organization for Standardization, or ISO, has introduced a number of new entries in its ISO 223XX series of business continuity and resilience standards. These are all valuable resources to BC/DR professionals and underscore the global recognition that business continuity and disaster recovery are important activities.
In the United States, the National Institute of Standards and Technology has introduced a number of new standards for cybersecurity in its special publications series.
The good news here is that the issues we address in our various professions are still important, and the presence of new standards underscores that fact.