By James A. Martin
In a survey conducted for Sungard AS earlier this year, 500 U.S. C-suite executives were asked about their enterprise’s resilience. The results may surprise you.
When asked which attributes are needed to be a resilient business, 33% (the highest percentage) of respondents said they believe a company needs the ability to identify emerging threats and understand their impact. The second most-cited resilience attribute (at 31%) was preparedness.
There’s no question that identifying emerging threats, understanding their impact, and being prepared are essential to achieving enterprise resilience. What might seem surprising, however, is that the percentages of executives who feel these attributes are important for resilience are fairly low, at 33% and 31%, respectively.
...now more than ever, enterprises need to place a major emphasis on DR and resilience, as we’re seeing more cybersecurity threats as well as extreme weather events like hurricanes and wildfires. And that’s only expected to continue to grow.
Put another way: Why didn’t 50% or more of respondents say they believe identifying emerging threats, understanding their impact, and being prepared are important attributes for resilience?
Sungard AS executives share their thoughts on potential reasons why the survey percentages are low, as well as what CISOs, CIOs and other professionals can do to bolster their organisation’s disaster recovery (DR) plans and business resilience.
1. Some assume that if you’re in the cloud, you’re resilient by default.
Perhaps one reason for the low percentages is the assumption that if you operate your infrastructure in the public cloud, you don’t have to worry about damaging, disruptive outages and, by extension, investing resources in DR and resilience, says Kaushik Ray, Senior Vice President of Global Client Service Management for Sungard AS.
In reality, public cloud infrastructures have outages that can cause disruptions at the enterprises that rely upon them. According to one estimate, Microsoft Azure had 1,934 hours of self-reported downtime from early 2018 through May 3, 2019, compared to 361 hours for Google Cloud Platform (GCP) and Amazon Web Services (AWS) at 338 hours. In one example, a June 2019 GCP outage lasted at least five hours and disrupted internet-based services such as Shopify and Snap.
Some believe that because they can spin up public cloud virtual machine instances on demand, they don’t need to invest in DR or resilience, says Chris Fielding, CIO of Sungard AS. “That assumption is particularly evident at young, cloud-native startups. But it’s not as simple as that. There’s a lot of preparation needed to properly set up your environment for true continuity and resilience.”
Notes TechCrunch: “Most companies have put their entire backend in the hands of one (public cloud) company and while the benefits outweigh the risks most of the time, it’s worthwhile to at least think about contingency planning. As the world becomes more networked…it’s going to be more important for companies to have a back-up plan in place in case these services go down.”
2. DR and resilience can suffer from tight budgets.
Enterprise IT is often forced to do more with less — less money, in particular.
“When money is tight, some companies de-emphasize the importance of spending on DR and resilience,” Ray notes. For example, to save money, some enterprises may only pay for one public cloud availability zone.
“DR is like a life insurance policy for some,” he adds, “and there are still a lot of people who don’t want to spend money on life insurance.”
3. It’s not easy to decide where to spend limited funds.
When money is tight, DR and resilience can be seen as “nice-to-have” instead of “must-have.” “If you only have $1 to spend, how do you spend it?,” Ray wonders. “Preparing for natural disasters or cyberattacks, or investing in new technologies to grow the business?” Too often, the former must yield to the latter.
“But now more than ever, enterprises need to place a major emphasis on DR and resilience, as we’re seeing more cybersecurity threats as well as extreme weather events like hurricanes and wildfires,” Ray adds. “And that’s only expected to continue to grow.”
For the record, the World Economic Forum (WEF) 2019 Global Risks Report ranks extreme weather events, failure of climate-change mitigation and adaptation, and natural disasters as the top three most likely global risks, followed by data fraud or theft and cyberattacks in fourth and fifth place, respectively.
As a comparison, none of those risks made the top five list ten years ago, when WEF’s 2009 report ranked the likeliest global risks as asset price collapse, a slowing Chinese economy, chronic disease, global governance gaps, and retrenchment from globalisation.
4. The ramifications of a disruptive event aren’t always publicized.
Though we often read about data breaches and cyberattacks at major enterprises, the fallout from those events isn’t always disclosed and reported, Fielding says. In turn, that can lead to complacency among C-suite executives about the potential impact their enterprises may face from disruptive events. There’s even a belief that cyberattacks are inevitable but most companies will soon be OK afterwards. (See "How to Combat Data Breach Fatigue at Your Enterprise.”)
Only when the fallout from a cyberattack is widely reported — as was the case with shipping giant Maersk in 2017 — do most C-suite executives sit up and take notice, Fielding adds.
Map out everything.
Technology is constantly evolving and as a result, enterprises are frequently adding more cloud-based services to their stack. “But when you have a Software as a Service solution for all your different areas, the number of external dependencies you have grows exponentially,” Ray says. “That means your potential points of failure grow exponentially, too. If one fails, the other services that are integrated with it may fail, too.”
As a result, Ray recommends enterprises map out in detail all the systems in use, who manages them, how they’re integrated, and other details, for a comprehensive view of potential points of failure. Performing a Business Impact Analysis can help you map out interdependencies, so you can better understand the potential impact of disruptions to business activities that support critical products and services.
“Many people we talk to say they don’t test the ability of their systems to withstand disruptive events,” Ray says, often because of the assumptions they have about cloud infrastructures or because of limited staffing and financial resources.
Ray recommends putting your systems through a battery of tests regularly — twice yearly at a minimum. “You don’t have to bring all critical functions down at once to test, because the chances are, a failure won’t affect all your critical functions at once,” he explains. “It’s usually one app stack that fails, so testing parts of your system at a time makes sense and is also less disruptive.”
Taking the First Step Toward Resilience
The ability to identify emerging threats, understand their impact, and be prepared will always be at the foundation of enterprise DR and resilience. But how do you begin to build that foundation?
“Understand that technology and IT will continue to evolve,” Ray says. “Your business will only be more dependent on them in the future, which makes it increasingly difficult to separate IT from your business. At the same time, understand that there will always be disasters and disruptions that threaten your IT systems — and therefore, they’re a threat to your business, too. Knowing and accepting this is the first step toward building a resilient enterprise.”
James A. Martin has written about security and other technology topics for CIO, CSO, Computerworld, PC World, and others.