Disaster Recovery Journal Summer 2025
Summer 2025 • Volume 38, Number 2
Strategic Resilience: The New Frontier in Preparedness
INSIDE: The Role of AI in Resilience; Cyberattacks: An Unnatural Disaster; Disaster vs. Cyber Recovery; Consultant Directory
Disaster Recovery Journal
1862 Old Lemay Ferry, Arnold, MO 63010
(636) 282-5800; Fax: (636) 282-5802
Internet: www.drj.com
E-mail: drj@drj.com

EXECUTIVE PUBLISHER Bob Arnold bob@drj.com
EDITOR IN CHIEF Jon Seals jon@drj.com
PRESIDENT Bob Arnold bob@drj.com
DIRECTOR OF EVENTS Lesley Vinyard lesley@drj.com
REGISTRATION MANAGER Rose Chotrow rose@drj.com
SENIOR WEB DESIGNER Amy Faulkner amy@drj.com
EVENT MARKETING Sonal Patel sonal@drj.com

EXECUTIVE COUNCIL
Dan Bailey, Jeff Dato, John Jackson, Peter Laz, Ann Pickren, Steve Piggott, Tracey Rice, Randy Till, Damian Walch, Belinda Wilson

EDITORIAL ADVISORY BOARD
Erick Anez, Robbie Atabaigi, Rich Cocchiara, Renuka Darbha, Sherri Flynn, Corey Hahn, Colleen Huber, Lisa Jones, Melanie Lucht, Melissa Muñiz, Melissa Owings, Bogdana Sardak, Nicole Scott, Paul Striedl, Joy Weddington

ASIA
Business Continuity Planning Asia Pte Ltd (BCP Asia)
Henry Ee
1 Commonwealth Lane #08-27, One Commonwealth, Singapore 149544
Phone: (65) 6325 2080; Fax: (65) 6223 5363
General: enquiry@bcpasia.com
Events: conference@bcpasia.com
Direct: henry@bcpasia.com
www.bcpasia.com

UNITED ARAB EMIRATES
Continuity and Resilience, A Division of CORE MANAGEMENT CONSULTING
Dhiraj Lal, Executive Director
P. O. Box 127557, Abu Dhabi, United Arab Emirates
+971 2 8152831 | +971 2 8152888
dhiraj@continuityandresilience.com
www.continuityandresilience.com

SOUTH AMERICA
DRJ en Espanol
Ruth Rocha, Commercial Director
+ (51) 1 436 6456 (landline, Peru)
+ 1 (786) 600 1864 (USA)
ruth.rocha@drjenespanol.com
www.drjenespanol.com

TABLE OF CONTENTS
8 COVER: Strategic Resilience: The New Frontier in Preparedness By BOB KLEMME
16 The Role of AI in Resilience By MICHAEL C. REDMOND
21 Cyberattacks: An Unnatural Disaster By JOHN WILSON
23 Disaster vs. Cyber Recovery By CHRIS MONTGOMERY
25 Career Spotlight: Jason Harrell
27 Best Practices for Multi-Hazard Early Warning Systems By GERMAN VARGAS PEDROZA
31 NAS Solutions Ramp Up to Take on Today’s Enterprise Workloads By JEROME WENDT
34 Disaster-Proofing for Immigrant Entrepreneurs By JULIANA ARDILA
35 2025 Forecast: A Perfect Storm for Privacy Technology By DAVID ARCHER
38 Consultant Directory
DISASTER RECOVERY JOURNAL is copyrighted 1987-2025, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.
DISASTER RECOVERY JOURNAL | SUMMER 2025 5
FROM THE PRESIDENT’S DESK
From Business Continuity to Operational Resilience: It’s Time to Evolve

The world is changing fast. From daily headlines to boardroom conversations, the message is clear: the way we’ve always done things is no longer good enough. Whether it’s cyberattacks crippling supply chains, the ripple effect of AI-driven misinformation, increasingly intense weather events, or the pressure of global political instability, the risks we face today are layered, complex, and evolving at a blistering pace.

As business continuity professionals, we’ve always been tasked with preparing our organizations for disruption. Today, that job looks different. We can’t rely on old frameworks, templates, or ways of thinking. The playbooks written a decade ago can’t keep up with the velocity and unpredictability of today’s threats. It’s time to shift our focus fully and intentionally toward operational resilience.

What’s the Difference?

Business continuity, as we’ve known it, has done a great job ensuring organizations have plans in place to resume operations after disruption. Operational resilience goes a step further. It’s not just about recovery. It’s about withstanding, adapting, and growing stronger through disruption. It’s a mindset shift, and more importantly, it’s a business shift.

Operational resilience is about building organizations that can bend without breaking. It means embedding agility, flexibility, and sustainability into how we design systems, train teams, and make decisions.

DRJ’s Role in the Shift

At DRJ, we’ve made it our mission to help professionals not only keep up but get ahead. Our events, publications, and partnerships are centered on pushing the boundaries of what it means to be prepared.

That’s why, in close alignment with our strategic partners at The BCI, we are championing the move from continuity to resilience. Together, we’re working to help planners translate risk into the language executives understand so resilience becomes a business driver, not just a compliance checkbox.

We’re also focused on helping professionals elevate their internal value. If your organization sees you as the “plan owner” or the “disaster recovery person,” you may not have the influence you need to shape true strategy. But if you can position yourself as the voice of resilience—someone who helps protect brand, revenue, and reputation—you raise your stock across the organization.

The Modern Risk Landscape

Today’s risks require new tools, new partnerships, and a new mindset.

Cybersecurity is no longer just an IT issue. A major cyber incident is a business crisis. Cyberattacks are the new natural disasters, and we must treat them as such. That’s why more organizations are realizing the need to close the gap between cyber response and traditional disaster recovery. We can’t have parallel systems anymore. These functions must work hand-in-hand.

Another major shift is the role of artificial intelligence. AI is now helping organizations forecast risk, automate response, and even recover faster. But it also introduces new vulnerabilities. If we’re not actively incorporating AI into our planning and testing processes, we’re already behind.

Similarly, zero trust architecture has emerged as the future of data protection. For resilience teams, that means a new level of collaboration with security and infrastructure leaders to ensure sensitive systems are protected without creating bottlenecks in crisis response.

Strategic Resilience Is the Goal

At DRJ, we’re seeing more professionals embrace what we call strategic resilience. It’s the idea that resilience is not just a technical exercise. It’s a strategic advantage.

Resilient organizations can recover faster, serve customers better, and maintain trust in the face of chaos. They can pivot, respond, and even gain ground while competitors are stuck reacting.

Our readers and attendees are already pushing in this direction. From leveraging multi-hazard early warning systems to implementing cloud native backup tools for enterprise workloads, the evolution is underway. But we need to keep moving forward, especially in this perfect storm of emerging threats and technology shifts.

Lessons From Leaders

One of the best parts of my job is talking to people who are driving change across industries. One of them is Jason Harrell (featured in this issue on Page 25), whose journey from engineering to operational resilience has been nothing short of inspiring. He understands the future of business protection goes far beyond tech. It’s about people, culture, and leadership.

We need more professionals like Jason—people who can navigate the complexity of risk while communicating with clarity and purpose. People who understand both the strategic and technical sides of resilience. That’s what DRJ is here to cultivate.

The Time to Adapt Is Now

If there’s one message with which I’d leave you, it’s this: don’t wait.

The threats we’re facing aren’t slowing down. The expectations from leadership are rising. The pace of change isn’t going to let up. We have a responsibility, not just to our organizations but to our teams, customers, and communities, to be ready.

That means being open to new tools, new ideas, and new ways of working. It means bridging the gap between continuity and resilience. Most of all, it means showing up as strategic leaders in our field.

Let’s continue to raise the bar. Let’s redefine what it means to be prepared. Let’s build organizations that don’t just survive disruption but come back stronger every time.

See you at DRJ Fall 2025 in Dallas.

BOB ARNOLD, MBCI Hon.
PRESIDENT
bob@drj.com
Strategic Resilience: The New Frontier in Preparedness By BOB KLEMME
Here’s a new idea for operational resilience and business continuity professionals: go talk with your chief strategy officer. They know the biggest strategic threat facing your organization. There is a good chance many people in your organization have no idea what that threat is.

This is my goal: to help your organization become more resilient in the face of strategic threats. I call this concept strategic resilience. You and your team are in the right place to drive meaningful results, just like you help your organization prepare for major disasters and respond to any kind of crisis.

This article will outline how to increase strategic resilience. In step one, I will describe and define strategic resilience, and then in step two, I will outline the components of a strategic resilience program.

First, some background. Before starting my own consulting firm, I spent 20 years working for Verizon Wireless. They were one of my clients when I worked for a global professional services firm. Funny how that works. My entire career has been focused on increasing the technical, operational, and strategic resilience of organizations.

Step One: Defining and Understanding the Concept of Strategic Resilience

There are risks to your organization that transcend the normal operational risks we have helped our organizations manage since the early days after 9/11 made “BCP” an acronym of interest to every board of directors.

For example, you don’t want to be director of business continuity or VP of operational resilience at Blockbuster as Netflix is going online, at Sears prior to Walmart, or at Borders before Amazon. You get the picture. These old companies are gone. Disrupted. So much for business continuity.

Let’s pause here for a moment. How seriously do you take your role, as a resilience professional? Is this your responsibility?

In my first 16 years as an operations-focused resilience professional at Verizon, never once did I speak with our chief strategy officer. It made sense at the time. I was only focused on the things that could disrupt our operations. Things like power outages, fiber cuts, natural disasters, active assailants, human error, etc. The strategy team wasn’t responsible for any of those things, and I had plenty of work already.

Then I decided to advance my career and step into Verizon’s strategy department. It opened an entirely new view of the world. Look at those biggest strategic risks! My units for measuring risk changed from thousands and millions of dollars to billions. I had been missing the big picture, threats that could sink the entire company. Ouch! I had work to do.

If one definition of resilience is positive adaptation despite adversity, then strategic resilience is positive adaptation despite strategic adversity. We can consider strategic adversity to be anything that can disrupt your organization’s ability to achieve its strategic goals.

This is what we do as resilience professionals. We help our organizations with the risks that are most significant. And like me, you probably take your role seriously. We don’t ask for money unless we really need it, unless the risk is real. When we call, the execs know something urgent needs their attention. This credibility we have built is pure gold, built over the course of many years of operational planning and crisis response. Let’s help with the big strategic risks too.

Welcome to the world of strategy. If you have succeeded in the world of business continuity, where the profession is often interpreted in 10 different ways by 10 people, you are perfectly suited for the job of strategic resilience. Even better, you can bring operational rigor to a team that may benefit from making decisions when the clock is ticking loudly, like during a crisis, not just for the annual budget cycle or five-year planning window. Some strategic issues are urgent and time sensitive.

It won’t be comfortable. People will ask, “Who do you think you are, and why are you poking around in these quiet hallways?” Tell them you are a resilience professional, and you are here to learn more about the strategic risks to your organization. Even if someone else is working on strategic risks and opportunities, it will be a good connection. They could probably use some help.

It’s a fair question to ask: “Who is responsible for managing the strategic risks to your organization?” Perhaps this responsibility belongs to the chief strategy officer. Perhaps the CEO or board of directors, maybe the VP of enterprise risk or internal audit. I am less concerned with where the responsibility falls in an organization, and more concerned the work is done well, with the right executive visibility.

Here is a diagram that positions strategic resilience in relation to the ongoing evolution of business continuity and operational risk programs.
Step Two: Outlining Components of a Strategic Resilience Program

The components of a strategic resilience program include the strategic response team, strategic impact analysis, strategic continuity plans, and validation. Sounds familiar, right? That’s because it is, and it works. We are adapting proven tools for a different challenge, for different risks.

Strategic Response Team

Think about the strategic response team. Who must be involved when a strategic crisis occurs? Now think about your existing executive crisis management team. Do you see a Venn diagram forming? Not all roles are required on both teams, and it is possible you have never spoken with some of the people who will need to be on the strategic response team.

Here’s a diagram describing which roles may belong on each team.

There is flexibility here, just like with your crisis management teams, with teams designed to suit your unique organization and structure. And this is also where your knowledge of the people, the organization and your credibility as a non-partisan participant helps build the team.

This is also a great team to bring together, for a new type of crisis exercise: using a strategic threat scenario instead of a traditional operations-focused threat. More on that later.

Strategic Impact Analysis

The strategic impact analysis component is also familiar, but different. The goal of this component is to identify the mission critical initiatives that must be accomplished this quarter or this year. If these are not accomplished, your organization’s big goals will be in jeopardy and at risk of failure.

Perhaps there is a big product launch planned, or large acquisition, or joint venture to announce, or even retiring a key supplier. Your leaders know the many, perhaps hundreds of initiatives to accomplish. They are likely prioritized, with owners assigned, and status reports filed regularly. This is normal work, right?

Here’s a challenge that impacts almost all organizations: how to focus resources on the right activities. Many organizations excel at this, announcing the Top-5 priorities at kick-off meetings each year. That’s fine. We’re not here to critique … yet. However, we have seen how many of these initiatives are disparate and conflicting. That is a separate problem, beyond the scope here. For now, our goal is to simply identify the most important initiatives.

To accomplish this, we engage leaders from across the business to identify their priority initiatives, using a standardized approach for all departments and teams. This sounds like our traditional operations-focused business impact analysis. Indeed, but with different questions, and different measures to prioritize and filter. In some cases, organizations have done this work already, so we use what they have in place. No need to reinvent.

Strategic Continuity Plans

Strategic continuity plans provide teams with a mechanism to identify the risks to their mission critical initiatives. Like with the operations side of the house, we approach the owners of these initiatives, who are clearly busy, and who know the entire organization is counting on them to succeed. Yes, we are here to help. Smile.

The strategic continuity plan identifies what must happen, by when, and what resources are needed. It identifies and prioritizes the risks, along with the steps and resources needed to mitigate these risks. The most sophisticated teams can pinpoint which leading indicators must be monitored, and have pre-cleared with management the latitude to execute the plan when needed. All of this saves time. It increases the likelihood of success when strategic initiatives are threatened.

If it weren’t important, we wouldn’t be concerned. However, these activities are mission critical, so we do something about it. Just like on the operations side, resilience professionals help organizations plan for the uncertain future.

So far, so good, but there’s a catch when it comes to strategic continuity plans. Unlike operations-focused BC/DR plans, these strategic continuity plans don’t require investments in backup generators, cyber defenses, or system work-around procedures. These plans may require reallocating significant resources from one project to another in mid-stream. Or they may require engaging a new partner at significant cost, to pull the team over the finish line. Or they may require doubling down on a controversial and unproven innovation, when it becomes clear the industry is shifting in that direction. These are decisions at the top executive level, not to be taken lightly.

The good news is that some of your leaders are keenly aware of these strategic risks. This strategic resilience program provides them the opportunity to explore and prepare for these risks in a healthy way, without diminishing their vigor and commitment to the chosen path.
Sometimes unexpected things happen. Our role is to help leaders plan ahead, to build capability and confidence, regardless of the weather, disaster, or strategic threat.

Validation

As we know, a plan needs to be tested to confirm it will work when needed. Otherwise, it is destined towards the now figurative pile of three-ring binders on the shelf, collecting dust and scorn. With validation comes more challenges, but it can be done with confidence. There are two approaches for validation: the first is based on results, and the second is exercises.

When using results for validation, think about the familiar hurricane maps. These use sophisticated sensors and data models to forecast the path of the storm, three days, five days, two weeks out. These depict a cone of uncertainty to indicate the range of likely outcomes for the storm’s path. After the storm makes landfall, we know with 100% certainty whether the model and projected path were accurate. Results, after the fact, will also indicate whether our strategic continuity plan was valid.

As uncomfortable as it sounds, we can simply wait and watch the results. Perhaps our plan will be right, perhaps wrong. Perhaps our plan wins in the short-term but loses in the long-term. Using results as validation, the clock wins with 100% certainty. Just like with the hurricane map, eventually we know where it lands, and can assess which city evacuated promptly and which city was delayed. If one of our mission-critical strategic initiatives needs to be accomplished by a certain date, we will know on that date, with 100% clarity whether we achieved it or not, regardless of risks and threats. Some organizations use an objectives and key results (OKR) approach to bring clarity to this process.

Using metrics and results to validate our strategic continuity plan is mandatory. Using the proper metrics in the proper timeframes is vital, because what we measure drives behavior. And this process may raise productive questions about employee incentives, executive contract terms, stock options, and activist investors who may have different objectives than other stakeholders. The key here: identify and measure the right results that align with your organization’s mission. Even better, measure leading indicators of strategic risk to help your organization adapt faster than the competition, and long before landfall.

The other way to validate strategic continuity plans and strategic response teams is through exercises. Exercises are informative and efficient. They are familiar and within your team’s current cone of responsibility. Go for it. I’d even propose your team starts here, as previously mentioned. We used to do this as consultants to large Fortune 500 clients. Start with a brief executive exercise. It provides visibility at the top. If the team performs well and things look good, then we have confidence and can proceed elsewhere. However, if the leaders become uncomfortable with the organization’s level of preparedness during a strategy-focused crisis exercise, this drives healthy action. This begins the journey to increase your organization’s strategic resilience.

To conduct a strategy-focused crisis exercise, start by making friends in the strategy department. Here we will talk with your chief strategy officer, a list of questions ready, after prudent research and interaction with the right people beforehand. The goal is to identify the biggest strategic risks facing your organization. You could probably type this into your favorite generative AI tool, but we can do better than that, by building good working relationships.

Take this list of strategic threats and turn them into a tabletop scenario. Run
it like every other crisis scenario your team has conducted for the past hundred years. And since we have an all-hazards plan, let’s try on these strategic threats for size!

OK, we’re adding some humor here, despite the stress and gravity of the decisions this team would be facing. Like with any exercise, it is being conducted on a blue-sky day, where we have the luxury of planning ahead, before the threat is real. We should feel good about that, and be able to lighten the mood. You are a trusted professional, helping guide and lead busy executives through an exercise that could poke at the heart of the organization. We need to trust one another’s intent and focus on the big mission to get stronger and not sink into silliness.

We are doing this work because it is mission critical. We are doing this because we do not intend to fail on our watch. We intend to win. This requires emotional intelligence, the ability to be humble when facing the future, and the ability to chart a path forward with the strength of a team. The better and faster we can do this, the more resilient we become.

Exercises are an important way to test your strategic continuity plans. These also present themselves in a similar way to traditional operations-focused tests of BC/DR plans. Use creativity and common sense to decide what will most benefit the team, whether a table-top scenario or functional exercise.

Next Steps

Implementing a full strategic resilience program should only be considered by organizations that have capable and mature operational resilience and BC/DR programs in place. However, building a strategic resilience program does not need to become a new mountain to climb. Just like BC/DR programs, strategic resilience provides capabilities that can start small and evolve organically within your organization.

Every organization is unique. Like BC/DR, the concepts can be incorporated into daily work activities, making an organization stronger just by adopting the concepts, one component at a time, one team at a time. Each component adds new value.

As resilience professionals, we want to be aware of all threats to our organizations. Since strategic threats are likely to significantly impact all organizations, let’s expand the frontier of our profession to include strategic resilience capabilities as part of our value and purpose.

Bob Klemme is managing director and founder of Trailmark Co., a consulting firm focused on increasing the strategic resilience of organizations. He managed the BC/DR program at Verizon Wireless and subsequently developed an approach for managing strategic innovation risks for Verizon’s strategy department. Prior to Verizon, Klemme was a consultant with PricewaterhouseCoopers.
The Role of AI in Resilience
By MICHAEL C. REDMOND

Artificial intelligence (AI) has become a cornerstone in enhancing business operations and resilience across various industries. In the domains of business continuity management, information and cybersecurity, and emergency management, AI is playing a transformative role. Its ability to process vast amounts of data, recognize patterns, and provide predictive insights has enabled organizations to be better prepared for disruptions, safeguard critical assets, and recover efficiently.

AI in Business Continuity Management

Business continuity management (BCM) ensures organizations can operate during and recover from disruptions. AI enhances BCM by automating risk assessments and improving decision-making. For example, AI-powered tools can analyze historical data and real-time trends to identify potential vulnerabilities, such as supply chain disruptions or system failures. These tools can simulate scenarios and recommend strategies, enabling proactive planning.

Additionally, AI can optimize resource allocation during a crisis. For instance, machine learning algorithms can prioritize tasks, suggest the best course of action, and streamline recovery efforts. AI-driven chatbots are also employed to communicate with stakeholders, providing timely updates and minimizing confusion during critical incidents.

AI in Cybersecurity and Information Security

In cybersecurity, AI is a game-changer. With cyber threats becoming increasingly sophisticated, traditional defenses often fall short. AI-based systems enhance cybersecurity by detecting anomalies and responding to threats in real time. Machine learning models are trained to identify patterns in network traffic, flagging potential intrusions or malicious activity before considerable damage occurs.

AI is also crucial for post-incident analysis. It can sift through logs and datasets to trace the root cause of breaches, helping organizations fortify defenses against future attacks. Furthermore, AI-powered threat intelligence platforms aggregate data from multiple sources, enabling organizations to stay ahead of emerging risks.

For businesses adhering to strict regulations, AI simplifies compliance. Automated compliance monitoring systems ensure adherence to standards like GDPR or ISO certifications by continuously scanning systems for noncompliance issues.

AI in Emergency Management

AI excels in facilitating rapid responses and optimizing resource allocation, making it invaluable for emergency management. By analyzing meteorological and environmental data, AI-powered models can forecast natural disasters like hurricanes or floods, enabling authorities to provide early warnings and design effective evacuation strategies.

During emergencies, AI enables real-time monitoring and coordination. For example, drone technology powered by AI provides aerial assessments of affected areas, helping emergency responders allocate resources where they’re most needed. AI-powered communication systems can manage emergency hotlines, ensuring affected individuals receive assistance promptly.

AI supports recovery efforts by tracking and analyzing the aftermath of disasters. By identifying affected infrastructure and populations, AI helps organizations and governments prioritize rebuilding efforts effectively.

Key Challenges in Utilizing AI

The use of AI in business continuity, cybersecurity, and emergency management offers exciting potential, but it also comes with challenges organizations must address to fully leverage its benefits. Here’s an exploration of some key challenges:

1. Data integrity and privacy
AI systems depend on vast quantities of data to function effectively. In business continuity and cybersecurity, sensitive and mission-critical data is often required. Ensuring the accuracy, security, and privacy of this data is paramount, as any compromise can lead to incorrect decision-making or increased vulnerabilities. Additionally, the need to comply with regulations like GDPR or HIPAA further complicates data handling.

2. Implementation costs
AI solutions can be expensive to implement, particularly for small and medium-sized enterprises. The cost of acquiring AI tools, integrating them with legacy systems, training staff, and maintaining these systems can strain budgets. This creates a disparity where only well-resourced organizations can take full advantage of AI advancements.

3. Cybersecurity risks
Ironically, while AI is a powerful tool
for combating cyber threats, it can also become a target for hackers. Malicious actors can manipulate AI algorithms through data poisoning or exploit vulnerabilities in AI-driven systems. This presents a new layer of risk organizations must continuously monitor and mitigate.

4. Overreliance and human oversight
AI is fallible. Overreliance on AI systems without adequate human oversight can lead to complacency and poor decision-making, particularly during critical incidents. Human expertise and judgment remain essential for validating AI recommendations and responding to unforeseen challenges.

5. Ethical concerns
AI systems can unintentionally perpetuate biases in the data they are trained on, resulting in skewed outcomes. For example, biased AI algorithms could prioritize resources unfairly during a disaster or fail to detect certain threats in cybersecurity. Addressing these ethical concerns requires careful monitoring and adjustment of AI models.

6. Integration challenges
Integrating AI into existing systems can be complex, especially for organizations relying on older technologies. The process often requires significant updates, time, and resources. Furthermore, employees need training to adapt to new AI tools, and resistance to change can slow adoption.

7. Evolving threats and adaptation
In cybersecurity and emergency management, threats and risks evolve rapidly. AI systems need constant updates and retraining to remain effective. Keeping up with the pace of these changes can be resource-intensive and challenging.

8. Transparency and trust
AI algorithms often operate as “black boxes,” making it difficult for users to understand how decisions are made. This lack of transparency can erode trust in AI-driven solutions, particularly in high-stakes environments like disaster response or cyber incident management.

Utilizing AI Is Not Without Challenges

AI offers remarkable benefits across business continuity management, cybersecurity, and emergency management. However, its integration into these fields is not without challenges. Organizations must navigate complexities related to technology, ethical considerations, and operational hurdles to maximize AI’s potential.

1. Data quality and availability
In all three fields, insufficient or poor-quality data can hinder AI performance, leading to inaccurate predictions or unreliable recommendations. Additionally, collecting and sharing sensitive data for cybersecurity or emergency response raises privacy concerns, especially when regulations like GDPR or HIPAA are involved.

2. Cost and accessibility
The cost of acquiring advanced AI tools, training employees, and maintaining systems can be prohibitive. Limited access to AI expertise and resources further exacerbates this challenge, creating disparities in how organizations benefit from AI.

3. Complexity and integration
Integrating AI into existing systems is often complicated. Legacy infrastructure in emergency management or business continuity planning may not be compatible with AI technologies, requiring costly upgrades. Additionally, organizations may face difficulties in training staff to effectively utilize AI tools, which can lead to underutilization.

4. Ethical concerns and bias
In cybersecurity, for example, biased AI algorithms may fail to detect certain types of threats. In emergency management, biased AI predictions could lead to inequitable resource allocation during crises. Organizations must address these ethical challenges to ensure fairness and transparency in AI-driven decision-making.

5. Cybersecurity risks
Ironically, while AI bolsters cybersecurity defenses, it can also become a target for cyberattacks. Hackers may exploit vulnerabilities in AI systems, manipulate data inputs, or even poison machine learning algorithms. Ensuring AI security requires continuous monitoring and robust defenses, adding complexity to the cybersecurity landscape.

6. Overreliance on AI
AI is a powerful tool, but it is fallible. Overreliance on AI can lead to complacency, where organizations fail to maintain traditional expertise or human oversight. In emergency management, for example, blindly trusting AI-driven predictions without cross-validation can result in misguided responses.

7. Regulatory and compliance challenges
AI implementation must align with regulatory standards in each domain. For example, AI-driven cybersecurity tools must comply with data protection regulations, while emergency management systems may face scrutiny regarding ethical use. Navigating these regulatory landscapes can be complex and time-consuming.

8. Adaptation to rapid changes
AI systems need constant updating to remain effective. In cybersecurity, new threats emerge rapidly, requiring continuous training of AI algorithms. Similarly, emergency management AI models must be updated to reflect evolving disaster patterns and risk profiles.

Conclusion

The adoption of AI in business continuity, cybersecurity, and emergency management is accompanied by several technical, ethical, and operational challenges. Overcoming these challenges requires a balanced approach that combines robust planning, investment in education and training, and maintaining a human touch to complement AI’s capabilities. By doing so, organizations can harness AI’s potential while mitigating its risks.
Michael C. Redmond, Ph.D., MBA, CEM, FBCI, MBCP, is a globally recognized expert in business continuity management, cybersecurity, and emergency management, with more than two decades of experience. As CEO of Redmond Worldwide, she advises organizations on strategies to enhance resilience and security. She is an ISO certification instructor and has served as acting CISO/deputy CISO for organizations such as Metro Louisville. Redmond frequently speaks on AI’s role in business operations, showcasing her thought leadership and commitment to advancing industry standards.
Cyberattacks: An Unnatural Disaster
By JOHN WILSON

This morning, my local San Francisco Bay Area news asked a familiar question: Did you feel it? There was a magnitude 3.9 earthquake a few miles east of me. No, I didn’t feel the tiny quake, but the news reminded me that a more significant shaker could strike at any time. As I watched the news while sipping my morning coffee, my wife brought me a letter that had arrived the night before. It was another all-too-familiar bit of news: My name, address, and driver’s license number had been leaked in a data breach.

There are many parallels between natural disasters and cyberattacks. For example, both can shut down your business by disrupting your supply chain, preventing you from processing orders due to IT outages, or severing business-critical lines of communication.

Natural disasters can be categorized by the amount of warning available before they strike. Earthquakes typically occur with no warning. Tornadoes and wildfires usually give potential victims a few minutes to evacuate or take shelter. Hurricanes and volcanoes generally provide several days of preparation time.

At first glance, cyberattacks would seem to fall into the “earthquake” category. After all, cyberattacks seemingly occur without warning, right? The reality is more nuanced.

A distributed denial-of-service (DDoS) attack—such as the one that impacted X on March 10—likely does fall into the earthquake category. Any company can be the victim of a DDoS attack at
any time with virtually zero warning. However, just as earthquakes are more common along the Ring of Fire, companies that have taken a controversial public stance on a hot-button political issue are more likely to be targeted.

Credential phishing can fall into the “earthquake” or “tornado” category depending on how quickly the perpetrator attempts to monetize the stolen credentials. Giving up your bank account login details can lead to an empty account in seconds. Or the attacker may sell the credentials on the dark web, giving you time to change your password and enable multi-factor authentication (MFA) before any damage occurs.

Ransomware attacks fall into the “hurricane” category because most take two months or longer from initial access until the ransomware is deployed. If you can detect the initial access and reconnaissance phases of the attack, you have the opportunity to avoid the encryption and data exfiltration phases entirely by eradicating the remote access trojan (RAT) early.

Despite what a friendly cybersecurity sales executive may say, you cannot prevent cyberattacks any more than you can prevent natural disasters. Instead, focus on preparation strategies to reduce the harm when the inevitable happens.

I live in Silicon Valley, just a few miles from the San Andreas Fault. The knickknacks on my mantel are secured. I keep a flashlight in my nightstand and a gas shut-off wrench at the ready because I know it’s only a matter of time before the next big one hits.

The cybersecurity equivalent to those preparations would be a DDoS mitigation service. These sit in front of your web server and absorb malicious traffic while allowing legitimate traffic to flow. DDoS mitigation costs money, so the decision to implement one comes down to risk assessment. I have two brothers who live in a part of the country where earthquakes are rare. They don’t secure their knickknacks, and I’d be surprised if they owned a gas shut-off wrench.

If you transact millions monthly through your website and your CEO recently took a controversial stand, you’re in a high-risk situation that warrants a DDoS mitigation service. If you sell a few hundred dollars’ worth of cat-themed T-shirts and mugs each month, it’s probably not worth the cost.

Credential phishing can impact anyone and strike at any time. The best preparation for this unnatural disaster is a multilayered approach. First, implement technical mitigations such as a spam filter and MFA—much like maintaining defensible space around your home during wildfire season.

Next, educate your users. Many companies offer phishing simulation and training programs. This is like teaching your family about wildfire risks, having a go-bag ready, and planning alternate evacuation routes.

Finally, implement a “report phish” button. This allows employees to flag suspicious messages for analysis—whether in-house or via a third party. Two critical things must happen here: First, provide feedback to the reporting user to encourage future reports. Second, once a message is confirmed as malicious, use a claw-back mechanism to purge similar messages from all mailboxes. That second step is vital—phishing messages are rarely sent to just one recipient. Think of it like spotting a wildfire in your backyard—you wouldn’t just evacuate quietly. You’d alert the fire department and warn your neighbors.

This brings me to ransomware—the cyber equivalent of a hurricane. Before satellites and computer models, hurricanes struck with little warning and devastating impact. Many companies still face this problem today, discovering attacks only after receiving a ransom note and losing access to critical files. But we now have the cyber equivalent of weather satellites.

Every ransomware attack starts with reconnaissance and initial access, followed by lateral movement and privilege escalation, long before encryption or exfiltration. By monitoring your network traffic with intrusion detection systems (IDS) and reviewing log files for anomalies, you can detect attacks early. You can do this in-house with a security information and event management (SIEM) system or outsource it using endpoint detection and response (EDR), managed detection and response (MDR), or extended detection and response (XDR) services.

Suppose you have SIEM or XDR in place. You’re safe now, right? Not quite. At this point, you have the equivalent of the Weather Channel warning you of an 80% chance of landfall. You still need to act. Should you evacuate? Board up windows? Stock up on supplies? Similarly, you must act on the alerts from your SIEM or XDR solution to avoid the damage phase of a ransomware attack.

We’ve all participated in fire drills—mandatory in school and common in office buildings. The cyber equivalent is offensive security. Start with vulnerability scans on your internet-facing infrastructure, then move to penetration testing and red teaming as budget and risk profile allow.

You cannot stop every cyberattack, just as you cannot stop natural disasters. But you can prepare. It begins with understanding your risks and implementing a holistic strategy to reduce the likelihood and impact of those risks. As Louis Pasteur said, “Chance favors the prepared mind.”
John Wilson, senior fellow of threat research at Fortra, specializes in cybercrime investigations and threat intelligence. Since 2006, he has led efforts to combat phishing, business email compromise (BEC), and botnet activity. He continues to research emerging threats and conduct active defense experiments, including a 2023 collaboration with Microsoft to disrupt the illicit use of Cobalt Strike. Wilson holds a B.S. in computer science and engineering from MIT and has presented at RSA, FS-ISAC, Aviation ISAC, NCFTA Disruption, and the Microsoft Digital Crimes Consortium.
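The claw-back step from the phishing section of the article above, sketched as an added example; it is not code from the article or from any mail product. Given one reported message confirmed as malicious, it lists the messages in other mailboxes that should be purged with it. The matching rule (a shared link host, or the same sender plus a normalized subject), the `trusted_hosts` allow-list, and every message and domain below are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
REPLY_PREFIX_RE = re.compile(r"^\s*((re|fwd?)\s*:\s*)+", re.I)


def features(raw):
    """Pull the fields used for matching out of one raw RFC 5322 message."""
    msg = message_from_string(raw)
    subject = REPLY_PREFIX_RE.sub("", msg.get("Subject", "")).lower()
    # Campaigns vary numbers per recipient: "invoice 4821" and "invoice 1177" match.
    subject = " ".join(re.sub(r"\d+", "#", subject).split())
    text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text += data.decode(part.get_content_charset() or "utf-8", "replace")
    hosts = {urlparse(u.rstrip(".,;)")).hostname for u in URL_RE.findall(text)}
    return {
        "id": msg.get("Message-ID", "").strip(),
        "sender": parseaddr(msg.get("From", ""))[1].lower(),
        "subject": subject,
        "hosts": hosts - {None},
    }


def find_similar(confirmed_raw, mailboxes, trusted_hosts=frozenset()):
    """Return (mailbox, message_id, reason) for every message to claw back."""
    bad = features(confirmed_raw)
    # Phish often embed links to the victim's real site; never match on those.
    bad_hosts = bad["hosts"] - set(trusted_hosts)
    hits = []
    for owner, messages in mailboxes.items():
        for raw in messages:
            f = features(raw)
            shared = f["hosts"] & bad_hosts
            if shared:
                reason = "url-host:" + ",".join(sorted(shared))
            elif f["sender"] == bad["sender"] and f["subject"] == bad["subject"]:
                reason = "sender+subject"
            else:
                continue
            hits.append((owner, f["id"], reason))
    return hits


def make(mid, sender, subject, body):
    """Build a constructed sample message (test data only)."""
    return f"Message-ID: <{mid}>\nFrom: {sender}\nSubject: {subject}\n\n{body}\n"


# Constructed sample data: one confirmed report and two other mailboxes.
CONFIRMED = make("a1@mail.example", "Billing <billing@payro11-portal.example>",
                 "Action required: invoice 4821",
                 "Verify at https://login.payro11-portal.example/verify?u=alice\n"
                 "Logo: https://intranet.corp.example/logo.png")
MAILBOXES = {
    "bob": [make("b1@mail.example", "Accounts <accounts@payro11-portal.example>",
                 "Invoice 9930 overdue",
                 "Pay at https://login.payro11-portal.example/verify?u=bob.")],
    "carol": [make("c1@mail.example", "billing@payro11-portal.example",
                   "RE: Action required: invoice 1177", "See the attached statement."),
              make("c2@mail.example", "HR <hr@corp.example>", "Benefits enrollment",
                   "Details: https://intranet.corp.example/benefits")],
}

if __name__ == "__main__":
    for hit in find_similar(CONFIRMED, MAILBOXES, trusted_hosts={"intranet.corp.example"}):
        print(hit)
```

Run without the allow-list, the same data also flags the legitimate HR message, because the confirmed phish links to the organization's own intranet host.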
Disaster vs. Cyber Recovery
Closing the Gap to Bolster Resiliency
By CHRIS MONTGOMERY

Before the cloud, IT resilience was defined by an organization’s ability to maintain operations during events like natural disasters, power outages, vandalism or any other incident knocking out access to underlying technology they owned and operated.

Increasingly, enterprises must consider not just the IT hardware they own and operate, but also the vast environment of services that reside in external cloud environments. This breakdown of the historic “perimeter” security model has altered what it means to be resilient, forcing businesses to establish their own cyber recovery plans alongside historical disaster recovery strategies that might trace to the pre-cloud era.

Of the two, cyber recovery remains the bigger challenge. In fact, 70% of businesses think it’s more problematic than disaster recovery, according to a recent survey conducted with 500 IT and cybersecurity professionals from midmarket and enterprise organizations across North America, Western Europe and Asia Pacific.

Having an effective cyber recovery strategy in the cloud era is crucial to the continuity of a business. Whether it’s a cyberattack or an update gone awry, enterprises must prepare for digital disruptions that could take critical services offline for extended periods of time — amounting to potentially hundreds of millions of dollars in damages. As reliance on data and AI technologies continues to grow, the risks of extended downtime will escalate.

That doesn’t mean disaster recovery isn’t still difficult — or important. However, with 52% of organizations still basing their cyber recovery strategies on longstanding disaster recovery plans, it’s key businesses understand the differences and similarities between the two.
Ultimately, a company’s ability to respond will be contingent on how well it tests and fine-tunes recovery protocols in advance of a breakdown — whether from a natural disaster or a criminal hack.

Bridging the Understanding Gap

While executive leaders and board members have grown to understand disaster recovery, the concept of cyber recovery can muddle that understanding. IT leaders need to differentiate between the two and make a compelling business case to ensure the unique risks of cyber threats are effectively managed.

To secure investment in cyber recovery initiatives, IT leaders should focus on these three key points in their business case:

• Quantify the cyber risk exposure: Present clear data on the potential financial and operational impact of cyber incidents, including how cyber threats can lead to extended downtimes, data breaches, and significant financial losses beyond what traditional disaster recovery plans cover.
• Highlight the limitations of traditional disaster recovery: Explain how traditional disaster recovery strategies are insufficient against sophisticated cyberattacks that target backups and infrastructure, emphasizing the need for specialized cyber recovery measures.
• Demonstrate return on investment through resilience: Show how investing in cyber recovery enhances overall business resilience, reduces recovery times, protects the organization’s reputation, and meets compliance and regulatory requirements, while also fostering trust with customers and partners, thereby providing a strong return on investment.

To strengthen cyber recovery strategies and bridge the gap with disaster recovery plans, enterprises should focus on these key actions to enhance their overall IT resiliency.

Actual Typhoon vs. Salt Typhoon

When an IT incident occurs, companies must operate on the assumption every technology is compromised. It’s the biggest difference between cyber and disaster recovery strategies. A disaster recovery plan might assume the problem can be isolated to only the hardware and software directly affected by the calamity.

Under the increasingly common threat of cyberattacks, hackers are targeting the assets businesses need to quickly get back online. In fact, 92% of businesses that have incurred attacks say the hackers specifically targeted data backups.

It’s crucial to make sure backups are stored in a secure, isolated environment and are being continually tested to ensure they’re free from malware. That way, companies can more confidently execute their cyber recovery strategies. With isolated backups, data recovery experts can get clean data to the application teams faster, helping them quickly get the actual end systems up and running again.

Test, Test, Test

Too many organizations, though, still lack the clean environments needed to safely and cost-effectively verify the effectiveness of plans in advance of an incident. Even with the right technology in place, if procedures aren’t pressure tested in advance, organizations often run into real-time issues that prolong recovery, amplifying the financial and reputational risks the business faces.

In disaster recovery, businesses often have a much clearer idea of the expected impact. The company would know in advance, for example, which services would be affected if a hurricane hit a specific region or if a data center was taken offline because of a power outage.

With cyber recovery, however, the impact is much more uncertain. After an attack or some other cloud-impacted mishap, enterprises typically aren’t immediately aware of the extent of the damage. Because many digital applications work in tandem with one another, the impact of any incident can spread far beyond a single infected system.

This is why businesses need a secure and cost-effective way to test their recovery plans against different potential situations. And while it’s unlikely any real-world incident ultimately plays out exactly like a test environment, the skills and processes developed during training exercises will help specialists respond with greater agility and flexibility.

The Talent Challenge

Finding specialists who can create and test a cyber recovery plan is getting much more challenging for businesses. According to the survey, 59% of respondents cited finding and retaining cyber recovery staffers as a key hurdle, compared to the 15% who cited staffing as a challenge for disaster recovery.

Without the right skills, it’s harder for businesses to create and test the resiliency of their IT environments. This is where technology can play a critical role. Cloud-based cleanrooms provide instant access to isolated environments, relieving understaffed internal teams of the expensive and arduous process of building their own testing center.

Cyber recovery can build upon and complement the best practices of disaster recovery. But cyber recovery poses its own additional challenges. Recognizing these unique difficulties and adopting measures to help address them lets businesses operate with the confidence that, whether it’s a natural disaster or a hacker attack, they’re prepared to get back online.

To view findings from the survey mentioned in this article, please see https://www.commvault.com/resources/ebook/cyber-recovery-demands-a-different-approach-from-disaster-recovery.

Chris Montgomery is a nationally recognized cybersecurity strategist with more than 30 years of experience in the technology sector, including pivotal roles as a CIO, CTO and CISO. An Air Force veteran with a broad background in technology, Montgomery has honed his expertise in cybersecurity, risk management, organizational change management, and digital transformation. He advises boards, leadership teams, elected officials, and policymakers in both public and private sectors, offering strategic guidance on cyber resilience and modernization. His expertise and strategic insights have made him a respected leader and valuable resource, helping organizations navigate the complex landscape of cyber threats and technological advancements.