Business Continuity in 2022
I believe Business Continuity (BC)/Disaster Recovery(DR) planning needs a higher priority and a different approach than in years past. The world is unpredictable on the one hand with wars, pandemics, and conspiracies, while sophisticated hackers and cybercriminals are wreaking havoc everywhere.
For completeness, I’ve summarized the major aspects of BC/DR below:
- Documentation: An early milestone is completing a Business Impact Assessment (BIA) that enumerates critical business processes and any dependencies and their associated Recovery Point Objective (RPO) and Recovery Time Objective (RTO) metrics. Once the BIA is completed, a BC plan can be written. This document outlines exactly how the company will continue operating during an unplanned service disruption. The third prong is a more procedurally-focused disaster recovery (DR) document to accompany the BC plan.
- Execution: This phase focuses on automating the creation and updating of DR environments and scenarios per the DR plan.
- Testing and Validation: This phase focuses on executing DR simulations and actual tests, including automated testing wherever possible and creating operational acceptance criteria to measure the system’s readiness after failover processes are complete.
I have been a Business Continuity consultant for many years and have observed the following more often than not when evaluating a company’s BC/DR posture:
- Lack of oversight and visibility. BC/DR is understaffed and does not have the organizational structure needed for success. I typically suggest that these programs become a top-line responsibility of the Chief Information Security Officer (CISO) if there is one. I further recommend that the BC/DR team be a cross-functional team with members from IT, compliance, and the primary business units.
- Minimal documentation. The BIA has not been performed or is outdated. This analysis is crucial to determine RTO and RPO metrics that inform a strategy for the areas that need to be recovered and the designated timeframe for recovery.
- Lack of understanding of the criticality BC/DR is to a company’s long-term success. Often these programs are viewed as not important until an event occurs where the lack of preparedness leads to a poor outcome.
For companies that have a BC/DR program in place, the approaches I typically see have these features:
- Backups are regularly performed. For systems hosted in public clouds, sometimes the backups are copied to an alternate region, sometimes not. For on-premises systems, backups are mostly copied offsite. Validation via appropriate restoration activities is ad-hoc.
- Third-party SaaS systems are rarely included in any BC plans. If a company has a vendor management program, third-party systems will likely be included in vendor-related risk management activities. However, that does not obviate the need for inclusion in BC/DR plans.
- Overall, there is insufficient documentation, testing, and validation.
My BC/DR Advice in 2022
- Seriously prioritize an enterprise-wide BC/DR project to include appropriate visibility, leadership, budget, and staff. Allocate time and resources for all BC/DR planning, execution, and validation aspects.
- Reduce on-premises footprint. To the extent possible, prioritize third-party SaaS solutions over on-premises alternatives. Consider a virtual desktop solution to replace corporate desktops and laptops wherever possible.
- For all systems (company-owned and third party), each system needs an appropriate continuity strategy based on its criticality, evaluated at four levels: 1) short period of downtime, 2) extended downtime, 3) the service’s operating environment becomes inaccessible for a prolonged period, 4) Backups are corrupt or demolished
- Regarding company-owned and operated cloud-hosted systems, a multi-cloud DR plan is needed. Previously, I believed recovering to an alternate region was adequate. However, I have changed my thinking about this. Note: having a system run in multiple availability zones makes it highly available but is not a sanctioned DR approach.
- All third-party systems need to be included in every aspect of BC/DR planning.