Dark Reading is part of the Informa Tech Division of Informa PLC

02:48 PM
Rachel Dines

Goodbye DR, Hello Resiliency

No enterprise can afford downtime in today's business climate. To stay always-on, you must create an environment of business resiliency that goes beyond business continuity and disaster recovery.

In today's environment of 24-7-365 global operations and competition, downtime means more than immediate lost revenue and productivity--it can also cause lasting damage to your corporate reputation and erode customer confidence in your brand. Enterprises must be always-on and always available to an extended network of customers, employees, and partners. To enable this, organizations must evolve beyond reactive business continuity and IT disaster recovery (BC/DR) to proactive business technology resiliency.

Resiliency is typically defined as "an occurrence of rebounding or springing back." Thus, business resiliency refers to the ability of a business to spring back from a disruption to its operations. Historically, both business continuity and IT disaster recovery have focused on a business' ability to recover from a disruption. Recovery implies that there was downtime during which business operations were unavailable. Resiliency, on the other hand, implies that an event may have affected a business' operations but the business was never completely unavailable.

All organizations experience failures or other impacts to business operations at some point, so it is critical for all services to be both designed for uptime and prepared for failures. That means that infrastructure and operations (I&O) leaders need resiliency, not recovery. Here's why:

--There is little tolerance for downtime of any kind these days. BC/DR has historically focused on events such as natural disasters, extreme weather, pandemics/epidemics, and other events that have a low probability of occurring but a very high impact to the business. However, in today's climate of global competition, downtime--regardless of whether it's due to a natural disaster, a simple hard drive failure, or a security breach--is unacceptable. The business doesn't care what caused the downtime; it simply wants service restored as quickly as possible with as little data loss as possible--regardless of which groups are responsible for the execution.

--More business processes are technology-dependent. For years, businesses made every effort possible to move BC management out of IT because for too long, most BC programs were about business continuity in name only--in reality, they were IT DR programs. However, most businesses have overcompensated to the point where there is minimal integration between BC and IT DR groups. Given that the majority of business processes are technology-enabled--or in many cases technology-dependent--this is untenable. In fact, many processes are so technology-dependent there are no longer manual procedures to fall back on if IT services are unavailable.

--The perceived and actual risks are increasing. According to a joint Forrester and Disaster Recovery Journal survey, 82% of BC decision makers and influencers feel that their organization's risk level is increasing. The top reasons for this include an increasing reliance on technology; greater business complexity; increasing frequency and intensity of natural disasters; and increasing reliance on third parties. These perceptions are not misguided: In the past five years, more than 60% of companies invoked BC plans at least once, and more than 25% invoked these plans three or more times.


Unfortunately, most enterprises treat BC, IT DR, backup, high availability, and security as silos. BC often reports outside of IT to the chief risk officer, chief operations officer, or another executive. The VP of IT operations is often in charge of IT DR and operational recovery (i.e., backup), and the chief information security officer (or equivalent) is responsible for risks such as denial-of-service attacks, breaches, or data leaks.

While each of these separate disciplines requires specialized expertise and its own well-documented response plan, they also have a lot in common. For example, they are inevitably linked together through common processes (e.g., business impact analysis, risk assessments); important points of integration (e.g., joint testing, links between response plans, etc.); and a requirement to see high availability and security embedded into business technology strategy and enterprise architecture. The more these silos come together, the more an organization can achieve business technology resiliency, or spring back from any kind of disruption in a coordinated fashion.

According to Forrester's Business Technology Resiliency Playbook, evolving toward business technology resiliency helps you:

--Streamline redundant processes across risk disciplines. Business owners routinely complain that operational risk and IT managers bombard them with surveys and in-person interviews that ask the same questions over and over again. There is a great opportunity to consolidate separate business impact assessments (BIAs) and risk assessments across BC, IT DR, backup, information security, and other operational risk disciplines. In addition, there is an opportunity to merge incident management and escalation processes as well as the alphabet soup of response plans into a common repository (e.g., business continuity planning, disaster recovery planning, and incident response plans).

--Build resiliency into business process, app dev, and enterprise architecture. One reason resiliency is so often expensive and ineffective is that it's generally bolted on after the fact. Many companies assess the resiliency of the process only after a line-of-business owner designs the business process and recruits partners and IT deploys applications and systems in production. When you have a well-established business technology resiliency program with an appropriate strategy, a road map, and stated stakeholders and influencers, you have a better opportunity to ensure that resiliency is built-in from the start, and that all business processes have documented workarounds.

--Ensure ongoing funding and commitment. Resiliency is not a one-time planning event; it's an ongoing process that requires ongoing resources and funding commitments. Once you conduct your BIA and risk assessment and develop specific strategies and response plans, you need to test and maintain your plans. Additionally, at some point (perhaps annually or biennially) you must repeat the BIA and risk assessments.

Establishing a resiliency culture is also an ongoing effort. In many cases, the most challenging task is sustaining change and maintaining a culture of commitment to embedding resiliency into everything your firm does. When you have a well-defined program with appropriate key performance indicators, you are in a better position to sustain the funding necessary to maintain the program and nurture the culture.

You may feel that resiliency is just a rebranding of BC/DR, to make it appear sexier and allow vendors to creatively sell more of their existing products and services. Forrester contends that it is more than this. Resiliency is tightly aligned to business strategy. It takes a more holistic approach to risk management silos, and it strives to minimize downtime by embedding resiliency and workarounds into everything the organization does--from business processes to corporate and data center site selection to enterprise architecture and application development. A resilient organization is like a spring: It absorbs the impact and bounces back.

Cloud services can play a role in any BC/DR plan. Yet just 23% of the 414 business technology pros responding to our 2011 Business Continuity/Disaster Recovery Survey use cloud services as part of their application and data resiliency strategies, even though half (correctly) say doing so would reduce overall recovery times. Our report, The Cloud's Role In BC/DR, shows how combining cloud backup with IaaS offerings can be a beneficial part of a "DR 2.0" plan. (Free registration required.)

Comment (User Rank: Apprentice), 10/17/2012 | 4:45:32 PM
re: Goodbye DR, Hello Resiliency
Rachel, great article, and I love the resiliency versus recovery angle. The big problem is, as you point out, having a common vision with policy and process that cross over from IT to risk. I have written more about this on the Idera R1Soft blog here: http://blog.r1soft.com/2012/10...