The 2006 hurricane season has drawn to an end. The failure of severe weather events to materialize (on the Gulf and Atlantic Coasts of the U.S., at least) has generated some disgruntlement among the talking heads in the media, who were all set with special graphic effects, theme music, weatherproof cameras and rain slickers for the next Hurricane Wilma, Katrina, or Rita.
Not surprisingly, the National Hurricane Center (NHC) has been subtly criticized in the press for predicting an active storm season that never happened—ignoring the truth that there are no actuarial tables for hurricanes and no way of knowing, even with 120 years of data, where, when, or if a storm will hit. The media isn’t alone in its criticism. Elsewhere, at least one hedge fund company, betting on oil price spikes in the wake of predicted storms, has shuttered its operations. And, in the face of a quiet season, property and casualty insurance companies are making out like bandits, recording billions of dollars in profits from increased premiums charged to customers in at-risk areas—leading certain consumer groups to ask whether the fix is in and whether NHC is in cahoots with the insurance industry.
This is all nonsense, of course. But it has a way of making the front-office question the efficacy of your Disaster Recovery (DR)/business continuity planning efforts. Have the provisions you’ve undertaken in your shops to protect critical data been without merit? The sane answer, of course, should be “No.”
DR and business continuity shouldn’t be predicated on threats, but on asset value. Focusing on threats can get you into trouble on multiple levels. For one, management may begin to perceive investments in DR as just so much more insurance. This view typically leads to funding cuts when threat perception wanes. Simply put, it’s anathema to a business person to spend money on a capability that, in the best of circumstances, will never need to be used.
Basing a recovery capability on threats—whether you’re doing DR planning, security planning, or compliance planning—is a fundamentally flawed approach. Threat-based plans aren’t (and can’t be) strategic. Plans created based on threats must be completely redesigned whenever threat perception changes. This week, you work on the scenario of a hurricane disaster, next week on the scenario of a building fire, and the following week on the threat of a terrorist event. With the scenario constantly changing, you end up spending way too much money on DR.
The right way to approach DR is to begin by classifying your data based on its importance to the organization; identify critical assets and less critical ones, and those that aren’t critical at all. That gives you some basis for matching appropriate recovery capabilities (as well as security controls and compliance audit points) to the right data assets.
Data inherits its importance from the business process it serves. If the process is important, so is the data it uses and probably the data it produces. So, analyzing and classifying data from the business process perspective is the foundation of an effective protection strategy.
Short shrift is too often paid to the business process analysis and data classification effort in DR planning. Especially in the mainframe world, we tend to focus on “practical matters” such as securing a hotsite recovery facility and setting up network logistics to enable us to fail over to an alternative location when our primary location is compromised. I’m not suggesting these logistical preparations are without merit, only that they are overly expensive in the absence of effective preparatory analysis and classification.
Truth be told, usually only a subset of your applications are mission-critical. And only a subset of your data stores serve mission-critical apps. So, your recovery plan doesn’t necessarily require a one-for-one replacement of infrastructure, but rather a much smaller subset of your normal operating environment, designed to support the activity of a skeleton crew of users. Without analysis, you don’t have a clue how to build a minimum equipment configuration, so provisions for recovery cost too much.
Next to personnel, data is your only irreplaceable asset, and successful recovery comes down to correcting an unplanned interruption in access to a valid set of critical data within an acceptable amount of time. The cause of the interruption is irrelevant and distracting during the recovery effort.
For 2007, I recommend you resolve to right-size your DR plan—not because there will be a huge uptick in storm activity (there might be, there might not be), but because undertaking analysis and classification will set you on a road to strategic provisioning of protection capabilities, which will serve not only the DR planning effort, but also security planning and compliance planning. Best to you in 2007!