Disaster Recovery Journal Winter 2024


Winter 2024 • Volume 37, Number 4

The Art of Realistic, Believable Exercise Scenarios

INSIDE ...
• IT-DR Trends to Concern Business Resiliency Leaders
• DEI – Back to the Basics
• BIA Standoff: Value vs. Resistance
• BC Software Directory


Disaster Recovery Journal
1862 Old Lemay Ferry, Arnold, MO 63010
(636) 282-5800; Fax: (636) 282-5802
Internet: www.drj.com
E-mail: drj@drj.com

EXECUTIVE PUBLISHER: Bob Arnold, bob@drj.com
EDITOR IN CHIEF: Jon Seals, jon@drj.com
PRESIDENT: Bob Arnold, bob@drj.com
DIRECTOR OF EVENTS: Lesley Vinyard, lesley@drj.com
REGISTRATION MANAGER: Rose Chotrow, rose@drj.com
SENIOR WEB DESIGNER: Amy Faulkner, amy@drj.com
EVENT MARKETING: Sonal Patel, sonal@drj.com

EXECUTIVE COUNCIL
Dan Bailey, Jeff Dato, John Jackson, Peter Laz, Margaret Millett, Frank Perlmutter, Ann Pickren, Steve Piggott, Tracey Rice, Randy Till, Damian Walch, Belinda Wilson

EDITORIAL ADVISORY BOARD
Erick Anez, Robbie Atabaigi, Rich Cocchiara, Renuka Darbha, David Halford, John Hill, Ray Holloman, Colleen Huber, Cary Jasgur, Lisa Jones, Melanie Lucht, Melissa Muñiz, Melissa Owings, Bogdana Sardak, Nicole Scott, Paul Striedl, Joy Weddington

ASIA
Business Continuity Planning Asia Pte Ltd (BCP Asia)
Henry Ee
1 Commonwealth Lane #08-27 One Commonwealth Singapore 149544
Phone: (65) 6325 2080 Fax: (65) 6223 5363
General: enquiry@bcpasia.com Events: conference@bcpasia.com Direct: henry@bcpasia.com
www.bcpasia.com

UNITED ARAB EMIRATES
Continuity and Resilience, A Division of CORE MANAGEMENT CONSULTING
Dhiraj Lal, Executive Director
P. O. Box 127557, Abu Dhabi, United Arab Emirates
+971 2 8152831 | +971 2 8152888
dhiraj@continuityandresilience.com
www.continuityandresilience.com

SOUTH AMERICA
DRJ en Espanol
Ruth Rocha, Commercial Director
+ (51) 1 436 6456 (landline, Peru)
+ 1 (786) 600 1864 (USA)
ruth.rocha@drjenespanol.com
www.drjenespanol.com

TABLE OF CONTENTS

COVER: For Want of a Nail: The Art of Realistic, Believable Exercise Scenarios, By MARK CARROLL
IT-DR Trends to Concern Business Resiliency Leaders, By JASON BUFFINGTON
Is It Time for Industry to Adopt a ‘Gold Standard’ When Testing Disaster Recovery Readiness?, By STEPHEN YOUNG
DEI – Back to the Basics, By S. NICOLE SCOTT
NAS or Object Storage: Make the Best Backup Target Decision, By JEROME WENDT
Jump-Start Your Incident Response Program, By NEIL K. JONES
BIA Standoff: Value vs. Resistance, By SAMUEL MCKNIGHT
Career Spotlight: Dr. Francisco Molina, By MELANIE LUCHT
The Impact of Climate Change on Winter Weather Patterns: What Businesses Need to Know, By STACI SAINT-PREUX
Is Business Resilience Over-Hyped or a Necessary Evolution?, By MAITREYA BUDDHA SAMANTARAY
A Different Approach to Simulation Exercises, By LAWRENCE ROBERT

DISASTER RECOVERY JOURNAL is copyrighted 1987-2024, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.

DISASTER RECOVERY JOURNAL | WINTER 2024 5

FROM THE PRESIDENT’S DESK

Building a Career in Business Resiliency: Opportunities and Insights

BOB ARNOLD, MBCI Hon.
PRESIDENT
bob@drj.com

In today’s fast-changing business landscape, the demand for skilled professionals in business resiliency is rising. Organizations increasingly recognize the importance of navigating crises, from natural disasters to cyber threats. Though many enter this field from other roles, the potential for growth and meaningful impact makes business resiliency a compelling career choice.

An Unexpected Career Path

Few professionals start their careers with business resiliency in mind. Many are “thrust” into these roles from IT, operations, risk management, or emergency response. The field draws on diverse disciplines, and skills like problem-solving, communication, and risk assessment translate seamlessly. For those familiar with complex systems and contingency planning, the shift to resiliency often feels natural.

Once in the field, professionals quickly uncover its depth. Resiliency roles provide a high-level view of operations and insights into how different parts of a business connect. For big-picture thinkers who enjoy strategic planning and cross-functional collaboration, a career in resiliency is both challenging and rewarding.

Skills for Success

Business resiliency requires a blend of critical thinking, adaptability, and composure under pressure. Professionals must creatively identify vulnerabilities and devise solutions to prepare organizations for disruptions.

Strong communication skills are equally important. Resiliency professionals collaborate across departments—IT, finance, HR, and more—explaining risks, outlining plans, and advocating for the importance of resilience. Persuasion and influence are key, especially when engaging stakeholders who may not immediately see its value.

A Unique Perspective

One of the most rewarding aspects of a resiliency career is the vantage point it offers. Resiliency professionals often engage with senior leaders, gaining a broad understanding of how departments and processes interconnect. This insight enables them to foresee how disruptions can ripple through an organization, affecting production, customer service, revenue, and reputation.

This comprehensive perspective positions resiliency professionals as trusted advisors. Their deep understanding of business operations and risks can open doors to roles in risk management, compliance, or even senior leadership.

Fostering a Resilient Culture

Beyond technical tasks, business resiliency is about shaping organizational culture. Resiliency professionals help foster a culture of shared responsibility, embedding resilience into a company’s core values. This involves educating teams, engaging employees, and promoting forward-thinking. A resilient culture equips organizations to adapt to uncertainty, building a stronger, more adaptable workforce.

Beyond Certifications

While technical expertise and certifications are vital, strategic leadership and advanced decision making set top resiliency professionals apart. Advanced degrees like an MBA or executive courses enhance leadership and strategic planning skills, preparing professionals to align resiliency goals with broader business objectives. This shift from tactical execution to strategic leadership often opens doors to higher-level roles, including C-suite opportunities.

Making a Difference

A career in business resiliency goes beyond safeguarding operations; it’s about helping organizations thrive amid adversity. Resiliency professionals play a vital role in building sustainable, adaptable business environments by promoting proactive risk management and fostering preparedness.

For those seeking a career with growth potential, meaningful work, and the ability to shape an organization’s future, business resiliency offers a unique and impactful path.


The Art of Realistic, Believable Exercise Scenarios

By MARK CARROLL

Suddenly (or not so suddenly) it is that time of the year; the time for you to start to plan the annual senior management tabletop exercise. That’s the four- to eight-hour event where folks at the C-level assemble and wrestle a firm-wide crisis to the ground. Not a simple task, as it includes a host of individual details and the complexity of scheduling a group of diverse folks with demanding calendars and commitments.

Developing an exercise scenario involving this level of management is itself a major undertaking. It entails formulating a situation to engage all parties continuously over an extended period of time. This may be a cyber event that focuses on IT security but engages HR, finance, or an employee strike that puts the spotlight on physical security but requires the involvement of audit, health and safety. The options are endless, but the choice needs to ensure everyone at the table has an active role; a true challenge in contributing to and orchestrating an effective exercise.

Development of that scenario needs to both include and preclude history. Huh? The actual event needs to be fresh and not even close to a rinse and repeat from last year or any prior years. What you did in the past as either a subject area or approach is totally out of bounds; precluded outright. Management will not appreciate covering material from a prior exercise and will not respect the work you have done on this exercise if it even leverages what has been done in the past. However, what you surfaced and learned in those events needs to be considered as acted on and resolved. The situation(s) of the past may not be relevant to the new scenario you develop but the learnings and actions could cross over and need to be confirmed as closed out as you move forward. It may even be worth referencing those advancements or successes as a source of past accolades in anticipation of similar success in the current event. Even senior management will accept applause (or is that “especially” senior management?).

World events provide an extensive backdrop of opportunity for defining the actual scenario. Under the umbrella of “you can’t make this stuff up” the real world leaves us with a rich inventory; a host of situations we can adapt in formulating our tabletop. It’s right there at our fingertips. A firm in Europe impacted by an earthquake while employees were picketing, or an office with a gas leak, resulting in evacuation at the same time as a water main break in front of the building, or a hazardous spill simultaneous with a ransomware event. The list is endless and, sadly, it is completely off-the-table for your use or deployment!

Why? Well, while reality may portray the inconceivable or implausible, your scenario needs to be somewhat realistic and believable. The fact is the old saying, “Life imitates art more than art imitates life,” is true. Reality can be extreme, but painting examples of extreme situations or conditions as fodder for a tabletop may be handily dismissed by those involved. We can live through the ridiculous, but planning for and using the ridiculous in a tabletop is another story. You’ve been repeating for years, “You can’t make this stuff up because it is not credible.” Take your own advice!

Reality trumps. I don’t have to be convinced, believe, or have faith in the gas leak/water main break situation because it is known, documented, actually happened, maybe even to me. It does not have to be evaluated as credible because it is already there by virtue of the fact it took place. It is the real world and a true confirmed known, not a held belief. There is a clear difference. The scenario you put forward most likely does not have that factual actuality for your organization, so it needs to be viable or believable, especially when those engaged are evaluating in their heads whether it is possible, worth their time, and the discussion of which would benefit from their active engagement.

That crazy complexity you can find or prove is, no doubt, factual, but restricted to the real world. It is out of bounds for your exercise. Sounds crazy but it’s true. So, how do you proceed?

The manifestations of the issues posed may and probably need to be diverse to engage all parties, but they need to start with the same root cause. The various scenario pain points need to flow out of the trunk of the same tree. Separate, unrelated, and distinct events will not appear viable and will result in a loss of attention and heavy critique of the event scenario and its author.

For example, due to a water main break, the firm experiences flooding at the facility that results in a building evacuation and factory shutdown. At the same time lightning strikes the facility and shorts out the data center due to a power spike. Can these unrelated events truly happen somewhat coincidentally? Of course, but it will be greeted with doubtful and questioning attendee eyes, which could undermine the whole exercise from the outset. The situation cited can and does happen, but you won’t be able to sell it.

Conversely, if the building does experience a flood – which not only results in an evacuation but also a flood of the data center (impacting all IT operations) – that is viable. If a flooded data center becomes an electrical hazard due to live wires, that too is credible since it is rooted in the original flood event. Flooding could also cause doors to unlock automatically if electricity is lost (safety precaution) and result in the need to deploy security personnel at portals as a corrective control. This can go on and on and on, rooted in the original, single, flood event.

Event linkage is critical and unlike managing my system backups, in this case “air gaps between crisis events are not my friend.” (Sorry, could not resist). The focus on a root cause brings to mind the old proverb, “For Want of a Nail,” citing the loss of a horseshoe nail ultimately resulting in the loss of a kingdom:

For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.

Maybe this is far-fetched, but domino effects do exist, and you have poetic license to use cascading actions in a reasonable manner for the scenario you write.

Recently, I had a sequence of crazy, unrelated events that would be difficult to envision and accept as credible. First, I lost my LinkedIn account. Not sure how exactly but in signing in, I actually signed up and set up with a brand-new empty account. This disabled my existing account. Needless to say, the subsequent days were a painful scramble to get this resolved, involving heavy use of the phone to contact folks who would normally be contacted via LinkedIn. Over the course of five days, it did get resolved as LinkedIn service was excellent, but it was difficult as privacy and security were major (and admittedly proper) roadblocks.

No more issues … until three days later. My cell phone just plain died; no power, can’t turn it on, can’t charge, etc. Repair folks said the motherboard went, and it was a well-documented situation with this version of phone. (Who knew?) Suddenly, the heavy activity shifted to LinkedIn as I worked through getting the phone assessed and ultimately replaced. Had these LinkedIn and phone outage windows overlapped it would have been crazy difficult. Did it happen? Yes. Is it readily believable? Well, not really. Again, a reality of life is not always a candidate to be used in a scenario that seems far-fetched.

Still, wherever you land regarding a scenario, the requirement to engage all parties persists. That data center flood scenario above has to have a role for finance, HR, audit, etc. In order to be successful, you do need to know exactly who will be attending the senior crisis session. Individuals outside of the senior crisis team may be invited by you or others for their insight. You will need to incorporate a need for their insight and expertise into your scenario, so they will engage and collaborate with those in the exercise. If not, they will either disengage or disrupt.

One approach toward this engagement is to identify injects to the scenario that target their areas directly. The issues must still be spawned from the original root cause, but the manifestations may need to branch out to somewhat tangential areas:

• By way of example(s) in this hybrid working environment, how will the firm ensure everyone evacuated safely from a facility disaster? HR almost always has a role here.
• An employee strike is operationally disruptive involving security, facilities, etc. of course, but may involve legal in a union contract review or procurement to look at alternate sourcing.
• A chemical spill brings environmental health and safety to the forefront, but engages internal audit in a look at historical facility reviews.

The list is endless, but not obvious. To be effective, the scenario needs to place the issues directly on the shoulders of those involved, even if remotely. Hopefully, the actual scenario dialogue will result in broader engagement. However, this cannot be counted on either.

Imperative to a successful event of any kind is the acknowledgement of critical success factors; elements which are necessary but not necessarily sufficient for success. In other words, satisfying them gives you a shot at success, but without them you are guaranteed to outright fail.

Your exercise has at least two critical success factors; the reasonableness of the scenario and engaging everyone by addressing broad organizational issues. Missing either of these is a recipe for failure.

This is a tall order. Formulating a plausible exercise while keeping all parties engaged positions you for success. Otherwise, you are setting the table for a long day.

Mark Carroll is founder of the graduate degree in enterprise risk management at Boston University, teaching more than 3,000 global graduate students. Carroll is a risk and recovery professional with more than 25 years of experience in the fields of business continuity, disaster recovery, and crisis management. Carroll launched the very first BC and DR programs for BIOGEN, built the global Gillette crisis and continuity program to 150 locations worldwide, and led business continuity globally for Fidelity Enterprise Operations.


IT-DR Trends to Concern Business Resiliency Leaders

By JASON BUFFINGTON

For the last several years, the Data Protection Trends Report has published the unbiased sentiments of IT leaders who were responsible for the backup and (IT) disaster recovery strategies for their organizations. The 2024 report surveyed 1,200 enterprises with some unsettling insights for senior leaders responsible for the business continuity or crisis management of their organizations – especially for C-level executives who may have delegated key aspects of their BC/CM or business resiliency strategies to their IT leaders.

What is causing IT outages?

Ransomware? Absolutely, but the survey data reveals if organizations have overly conflated their cyber-preparedness with their IT-DR strategy, then they are likely underprepared for the myriad crises that continue to plague organizations of all sizes.

Yes, for the fourth year in a row, the survey reveals ransomware and cyber attacks were not only the most common cause of outages, but also the cause of the single most impactful outage of each of the past four years. As business resiliency planners, we are right to be ever mindful of how we ensure the cyber-resilience of our organization. However, the media, the vendor community, and many consultants/partners have over-rotated. According to the 2024 report:

• IT component failures including various hardware and software continue, with very little abatement year over year.
• Outages of cloud-hosted resources are actually rising in frequency as most organizations have now embraced a “cloud-first” strategy. In fact, if you consider connectivity issues to the cloud alongside outages caused within the cloud, this concern tops most other areas.
• Lastly, natural disasters, while not nearly as “glamorous” as cyber, continue with the seasonality many long-tenured BC/DR experts have always known about and planned for.

In other words, while cyberattacks continue to gain mindshare, none of the other kinds of crises that debilitate IT, and affect business processes, are receding. The caution to BC/CM executive stakeholders is: If you are only worried about flood, so you spend all your efforts ensuring protection from water – then you will be completely underprepared when fire strikes.

Ransomware is a ‘when’ not an ‘if’

That does not mean assured destruction and utter calamity is a “when” not an “if” – just like any other crisis at scale. That said, unlike natural disasters, supply chain issues, or the myriad other crises BC/CM teams have to plan for – ransomware comes with no warning … other than the constant media coverage and articles like this one reminding you of its inevitability.

According to the same 2024 research, 25% of enterprises don’t believe they suffered one attack in the preceding 12 months, while 26% acknowledge they were hit four or more times over that same time period. Said another way: More organizations experienced cyberattacks quarterly, than not at all.

That isn’t even the worst of it when you consider cyber villains are often lurking and navigating throughout the environment for up to 200 days before they are ever discovered or announce their demands. As such, many of those who believe they haven’t been hit have been breached, but are blissfully unaware.

It is important to note that repeat attacks do not entirely imply multiple breaches. As discussed later in this article, many organizations simply fail to completely eradicate the initial malware. Months after the first cyber event is over, the attacker simply checks if any of their technology is still present in the victim’s environment.

If you paid the school bully your lunch money once, they will be back the next time they are hungry.

In this case, the 2024 Ransomware Trends Report reveals only 37% of organizations have the ability to sandbox or quarantine a staged restore via a “clean room” to ensure they do not re-infect the environment. As any seasoned BC/DR professional knows, there is often a significant amount of pressure to resume operations as quickly as possible. Without the proper orchestration or planning, victims might remove malware from their systems only to inadvertently re-infect themselves during data restorations.

There is an unfortunate nuance in recovering from ransomware at scale, even if you have a mature and well-orchestrated IT-DR program. With fire or flood, the secondary data is good right up until the original systems became crispy or wet. The IT teams’ mandate is to simply re-home and enable the secondary systems as quickly as possible. Unfortunately, the secondary data from minutes before the ransomware event are likely just as infected as the production instances, so even the triage of those systems affected becomes a nonlinear and non-predictable delay before remediation can begin in earnest.

There is also the alarming reality that cyber villains target your backup repositories in 96% of attacks and are successful in 76% of the attacks to encumber or eliminate your IT teams’ ability to recover your data – increasing the likelihood you’ll have to pay the ransom.

IT teams are testing DR less

With as much hype as ransomware has in the media, as well as various regulatory mandates for cyber-resilience and board-level directives, one would assume testing of IT systems’ recovery at scale would be on the rise. Unfortunately, the 2024 statistics do not show that. Many BC/CM teams saw additional testing and plan development efforts in the years immediately after COVID, based on teams’ bandwidth and an inherent recognition of the organization’s dependence on IT systems, even as some of those IT systems evolved from datacenter-centric to new architectures in support of remote workforces.

Research from 2024 reveals IT teams are only testing recovery-at-scale (e.g. IT disaster recovery) every eight months, which is less than the “every six months” in 2023 or “every five months” in 2022. When IT leaders were asked what percentage of their production systems was recoverable within expected SLAs during their last IT-DR test, only 58% of systems came online within their timeframe. While others likely simply resumed slower, one has to presume some percentage weren’t recoverable at all.

IT-DR SLAs are not meeting expectations

As resiliency professionals, we know the secret to any successful resiliency plan is in the consistency by which it can be executed (barring unforeseen circumstance variation). Surprisingly, only 37% of IT teams utilize orchestrated workflows as part of their systems’ recovery processes. Some 37% can test their “recipe” for server/application recovery, examine which workflow steps exposed errors, and then optimize the workflow for higher reliability in the future. The other 63% are conducting manual recovery steps per workload, so each SLA adherence will vary by test, with little to no opportunity to improve the potential agility in future exercises or actual events.

In fact, when enterprise IT leaders were asked how long they would anticipate the IT-DR recovery of a relatively simple 50-server environment (which isn’t a lot in an enterprise environment), only 32% believed they could recover those 50 servers within a single business week.

Conclusions and recommendations

There are more statistics related to the potential for IT teams to meet the recovery expectations during “typical” disaster recoveries as well as ransomware events in the research cited above, including (data protection trends) and (ransomware trends). In the meantime, as business resiliency leaders, here are a few questions to discuss with your DR constituents in IT:

1. How do we ensure our backups are not affected when ransomware hits our production systems?
2. When was the last time we tested at scale (e.g. 50 servers or more)?
3. How much of the per-workload recovery is orchestrated with workflows that can be assessed and optimized?
4. Do we have a “clean room” or other staged restoration capability to reduce the risk of re-infection during restoration from a cyberattack?
5. When were these IT-DR capabilities last externally audited against our expected SLAs and recovery plans?

That last one ought to make the other four much more instructive.

Jason Buffington has spent 35 years in IT disaster recovery. He first earned his CBCP in 2003, has spoken at numerous DR and IT events over the years, and has been published in DRJournal and other periodicals. He is a VP of strategy at Veeam Software and his blogs can be found on http://ITDRblog.com.

Is It Time for Industry to Adopt a ‘Gold Standard’ When Testing Disaster Recovery Readiness? By STEPHEN YOUNG C onfidence in your disaster recov ery planning and your data recov ery capability is non-negotiable in today’s business environment where cybersecurity attacks, systems failure and even human error are becoming increasingly frequent. If there is the slightest doubt, it opens the door to potential problems, which need to be identified – and managed accordingly – before disaster strikes. Establishing a well-structured recovery environment to optimize data recovery testing that can be conducted in the least disruptive way to the business, is critical. With poorly structured and unmeasured disaster recovery testing, without full failover potential while conducting tests, severe weaknesses could be hidden when confronted with a genuine disaster sce nario. Proper and through testing is often

deprioritized as organizations try to stay on top of other challenges and the essen tials of day-to-day business. In a recent UK study, one in five senior-level IT pro fessionals admit to testing their data and disaster recovery systems once a year or less. Just 5% of respondents say they test every month. Setting a testing standard The challenge for organizations is that many of today’s technologies deployed to recover systems and data – as the result of a disaster – do not allow for non-disrup tive testing. While elements of testing can be carried out, it can never be thorough enough without significant disruption to the business and, as a result, could deliver a compromised test. Any uncertainty about recoverability then places the commercial viability of a business in jeopardy in the event of a major data disaster.


Each day that passes after a test has been conducted, the possibility of a corruption, error or something more malicious being silently introduced to the system and data increases. This could then go completely unidentified by the team responsible. If the tests are not thorough and frequent, the risk increases significantly.

Perhaps, and by no means set in stone, a “gold standard” for disaster recovery testing could be twice-yearly, non-invasive full failover tests. These would be supported by monthly system boot tests and data integrity checks.

In addition to rigorous data validation, testing the failover capability of workloads (applications and data) needs to be designed into your disaster recovery plan. It should also allow for network and connectivity testing, a critical and often overlooked component in the testing process, but an element that so much depends on. Importantly, these tests need to be thorough, frequent, professionally executed and measured.

Skilling up

Organizational technical teams tasked with maintaining the IT infrastructure for business-as-usual services often have skillsets aligned to the daily demands of the business. But the skills and experience to bring systems and the business back online after a disaster differ from the day-to-day, so it’s not uncommon for IT staff to be unaccustomed to the demands suddenly placed on them in an extremely stressful situation.

This is highlighted in the survey where close to 40% of CIOs, CTOs, and IT managers describe a lack of technical skills as a major concern. Around 40% also say that they are not entirely confident in the backup and recovery technologies deployed, a factor possibly attributed to the lack of skills and experience of evaluating and managing disaster recovery systems in a real-world business environment.

When a disaster manifests as an aggressive ransomware attack, a very different approach is required, demanding experience, confidence and an ability to adapt as the situation unfolds. An attack may have compromised production data, and, more frequently, backup data as well (in an industry survey, 94% of respondents, on average, indicated their backups were also attacked and 57% of those backup compromises were successful).

To tackle a multi-faceted attack like this, and successfully bring systems back online, IT teams need to be fully conversant with recovery systems and confident in their ability to recover their data. The fact that around half of respondents are not confident in their own recovery systems suggests a lack of exposure to the full gamut of a recovery situation and what their systems can deliver.

You gain experience and confidence from testing and doing it frequently and thoroughly, leaving no opportunity for surprises or discovering weaknesses when they are least expected.

Testing under stress conditions

Few organizations get a second chance for disaster recovery when there are serious flaws in the technology, planning and orchestration for recovery, which have not been fully stress-tested. Setting a standard that is recorded and reported ensures that technically the recovery can be delivered when needed. It also reassures stakeholders the organization is fully protected and raises the question about how senior technical staff report business readiness to recover from an attack or serious data disaster.

Any testing “gold standard” adopted is not always achievable with the technology deployed. What it does is set a metric which, when accomplished, puts the business in a much better state of readiness to recover from a cyberattack or indeed any other disaster. If the ‘gold standard’ cannot be achieved, organizations should consider reviewing their recovery technologies and planning, and establish why not.

Data recovery and disaster recovery technologies are available today with many solutions allowing non-disruptive and frequent testing. Whether it’s the technology preventing non-disruptive testing, resources or the recovery plan not factoring in this crucial phase of the process, it must be accepted that a business’s readiness for absolute recovery is a choice. You either choose it or you don’t.

Stephen Young is the executive director of Assurestor. He is a seasoned business owner and entrepreneur; innovation in technology has been central to his career for more than 30 years. Across varying facets of IT, Young’s experience covers infrastructure, software development, data centres, service and support, IT governance combined with management, finance and business development. With roots in software development and service and support, Young’s commitment to detail, thoroughness and uncompromising customer support has been a continuous thread through his businesses and has been a major factor in their success.


DEI – Back to the Basics

By S. NICOLE SCOTT

If speaking about our differences makes you “uncomfortable,” I recommend you continue to scroll on. I wish you an enjoyable and productive day.

If you are ready to have an “uncomfortably comfortable” discussion, then you are my people. Let’s discuss, shall we?

My dearest reader, whether you call it DEI, EDI, IDE, IED – no matter how you arrange and re-arrange the letters – the purpose and the meaning behind them are the same. Webster’s Dictionary defines diversity, equity and inclusion as the following:

Diversity is defined as the condition of having or being composed of differing elements; especially the inclusion of people of different races, cultures, etc. in a group or an organization.

Equity is defined as justice according to natural law or right; specifically freedom from bias or favoritism; something that is equitable.

Inclusion is defined as the act or practice of including and accommodating people who have historically been excluded (as because of their race, gender, sexuality, or ability).

Now that we have a clear, correct, plain and simple English definition of those words, let’s begin to discuss why DEI is important in organizations and ultimately, during a crisis.

DEI is not just about black, white, male or female, abilities and preferences. It is also about a business being able to thrive with multi-generational and multi-cultural environments.

Diversity refers to those who represent your workforce.

• Gender Diversity: What makes up the composition of men, women, and nonbinary people in a population?
• Age Diversity: Are people in a group from mostly one generation, or is there a mix of ages?
• Ethnic Diversity: Do people in a group share common national or cultural traditions, or do they represent different backgrounds?


• Physical Ability and Neurodiversity: Are the perspectives of people with disabilities, whether apparent or not, accounted for?

Equity refers to fair treatment for all people, so the norms, practices, and policies put into place ensure identity is not predictive of opportunities or workplace outcomes. Equity differs from equality in a subtle but essential way. While equality assumes all people should be treated the same, equity considers a person’s unique circumstances, adjusting treatment accordingly so the end result is, in fact, equal. Equity means ALL employees have what they need (via accommodations) to work and manage their responsibilities during significant disruptions or crisis.

Inclusion refers to the experiences of the workforce and the degree to which organizations embrace all employees and enable them to make meaningful contributions. Companies intending to recruit a diverse workforce must also strive to develop a sufficiently inclusive culture, so all employees feel their voices will be heard.

You may be asking, why is DEI a concept and best practice that is recommended for successful operational resilience (OR), business continuity (BC), disaster recovery (DR) and other related programs? Plain and simple, because you must ensure the safety and well-being of ALL employees in the organization and ensure business operations can continue during a disruption and crisis. You cannot do that if you do not have a clear understanding and cultural considerations of ALL employees and their dynamic backgrounds.

As business resilience practitioners, we are obligated to ensure all employees with known and unknown abilities, various languages, genders, races, and preferences will be safe and able to manage critical business operations during a crisis.

If your organization’s structure includes a global staff, then you will need to ensure your BC/DR program takes into consideration the language and cultural norms of those employees in that specific country. Do not assume they have the same risk and crisis postures, evacuation practices, and communication habits as your organization’s headquarters or primary country. When possible, you should verify their cultural norms and include those requirements in your BC/DR continuity plans.

If you have a seasoned staff, you will need to take this into consideration when you are developing and exercising evacuation plans. Some populations and employees with varying abilities may not be able to evacuate as quickly as you expect. Verifying and practicing will be beneficial to your programs to ensure they can evacuate promptly and safely.

If you have someone who is deaf or blind (even color blind – known or unknown) do you take that into consideration when you are creating continuity and recovery plans for incidents and crisis reflecting sounds and images using tech software?

If you use suppliers or vendors in other countries, you must understand their business practices and cultural norms to ensure their services will not stop or slow down during a crisis. Supply chain and third-party risks in various countries should be high on your radar as you manage your BC/DR programs.

McKinsey and Co. stated in a recent article, “Diversity, equity, and inclusion are three closely linked values held by many organizations that are working to be supportive of different groups of individuals, including people of different races, ethnicities, religions, abilities, genders, and sexual orientations.”

Simply stated, employees are what makes a business operational. A successful business that values and supports its employees’ differences will profit from the substantial benefits of its diversity. Without the employees, who will facilitate critical business operations, activate the continuity plans, and recover systems during the crisis?

An employer should ensure (before the crisis) that all employees are considered, and accommodations are met so the employee can be safe and maintain operations when a disruption happens. These accommodations should be for known and unknown, visible and invisible abilities and cultural practices. Create a resilience program that is diverse, fit for purpose, and fit for all.

Kilroy J. Oldster said, “Death is the great equalizer of human beings. Death is the boundary that we need to measure the precious texture of our lives.” A crisis is also a great equalizer. When things are calm, all is well. When a crisis happens, we get to witness how equal and resilient we really are.

Through the adversity of a crisis, we truly learn a lot about ourselves individually as well as our organizations. Imagine what we could accomplish if we freed ourselves of our biases, expanded the aperture of our thoughts, and allowed for the contributions from each of our teammates.

If you need realistic examples, look at the recent U.S. Hurricane season and destruction. Those hurricanes did not discriminate. Rescue efforts are not focused on one specific race or gender. Discrimination has NO place during a crisis. It should not have a place in your organization’s business continuity and disaster recovery programs and procedures either.

“Even during a crisis, when leaders might be tempted to shelve DEI efforts to ensure the company’s financial survival, there is value to prioritizing diversity, equity, and inclusion,” said McKinsey’s Bryan Hancock at McKinsey Talks Talent. “DEI is good business. It doesn’t have to be at the expense of financial outcomes. … This isn’t an issue where leaders can say, ‘We can’t do diversity right now, because we’re under a lot of pressure.’ Diversity is one of the things you’ve got to be mindful of in every context.”

DEI is not about an organization’s financial standing or status. It is clearly about being able to sustain during a crisis with the proper support for all employees.

Diversity is not only about race. It can be about diversity of thought; diversity of the way we work; and diversity in how we handle stress during a crisis. Communication barriers, risk tolerance, and work practices are not things you want to “discover” in the middle of a crisis. When we embrace diversity, we embrace an environment that allows “diversity of thought.” This type of environment enhances efficiency, innovation, and productivity. These are all very beneficial attributes during a crisis.

Equity signifies that no matter your gender, race, inability or ability, nationality, everyone is welcome. They will be valued, safe, and treated equally and fairly.

Inclusion is my “Kumbaya” word. Inclusion brings everyone to the table! The same table, in the same room. Inclusion means all needs, thoughts, and ideas are welcomed, heard, and considered. Collaboration and connections will soar. Partnerships will excel. Cultural norms will be shared and embraced. This allows for a more robust alliance environment. This means we will do well when a crisis hits the business and work collaboratively to ensure each other’s safety and well-being. The continuity of the business will survive and thrive.

Instead of redefining DEI to fit into a specific culture or even our own biased perspective, how about we keep it to the true essence and definitions of what DEI truly is?

We mortals should not try to “redefine” what and why these three letters exist. History has taught us, these three letters pulled together exist because information and resources have not been fairly and equitably dispersed among all human beings on the Earth. DEI, at its core, includes all gender rights and fairness, cultural norms (what other countries consider right and normal), and disabilities (whether visible or invisible).

I have worked in the government and for global companies for many years. By no fault of my own, I have been faced with the reality of American social norms and the biases some are taught at an early age at home, in school, and their community settings. At times, these biases could become detrimental during a crisis.

Some organizations set “representation targets” as a way to satisfy “diversity hire” requirements and not have a lawsuit brought against them. However, some leaders never intend to utilize the gifts of those diverse employees. They hired them to check a box for HR and legal purposes. This is unfortunate because most of the time, the diverse genius they hired could potentially excel the organization and their teams into record numbers, if given the opportunity.

It does not matter your religious preferences, political affiliation, whether you are wealthy, poor, vegan, meat lover, pescatarian, gray, yellow, brown, blue, purple, female, male, have a cat, have a dog, have a ferret or a parakeet. When you have diversity in your organization, you are privileged to have diversity of thoughts, diversity of cultural norms, diversity of backgrounds, diversity of opportunities to grow, mature, and improve your operational resilience.

Global research shows that diverse companies are more innovative and profitable. Having a mixture of employees of varying backgrounds and maturity will give you an advantage on growth opportunities. The newer generation will bring the latest and most innovative ideas. The seasoned generation will have the institutional knowledge with the tried-and-true best practices. An organization that has a combined diverse, equitable, and inclusive workforce wins!

In case you need more convincing, here are some winning stats:

• Profitability: McKinsey Research concluded that companies in the top 25% for ethnic and cultural diversity were 36% more profitable than those in the bottom quarter, and when women are well represented in the C-suite, profits can be almost 50% higher.
• Productivity: The Academy of Management Journal research concludes that “racial diversity in upper and lower management results in greater employee productivity.” In addition, according to Forbes, inclusive teams “make better business decisions up to 87% of the time, and they make those decisions twice as fast within half as many meetings.”
• Employee recruitment and retention: Glassdoor statistics reference that 76% of employees and jobseekers say diversity “is an important factor when evaluating companies and job offers.”
• Job performance: A report from Forrester states when employees feel a sense of belonging at work, it leads to a 56% increase in job performance. That sense of belonging, feeling represented, and feeling respected creates a sense of satisfaction and improves performance – 91% of employees who feel they belong are engaged, compared to 20% of those who feel they don’t.
• Innovation: Forbes research concluded that 85% of business leaders believe that “a diverse and inclusive workforce is crucial to encouraging different perspectives and ideas that drive innovation.” Another study found that people need to feel safe and supported to contribute innovative, creative ideas. And companies with higher diversity levels see 19% higher innovation revenues.

Based on those statistics, I am not sure why these three letters continue to make some people uncomfortable. However, the lack of these three letters in an organization makes a larger population even more uncomfortable, feel more undervalued, and even more unseen. It allows for the potential of unequal and unfair treatment. In a crisis scenario, this could develop into an internal, cultural crisis situation due to a lack of DEI support.

Don’t shy away from diversity, equity, and inclusion. Don’t try to drop one of the letters to make others feel warm and fuzzy. If an organization does not embrace DEI, then it will unfortunately (or maybe fortunately) be left behind. That organization will not grow and mature as rapidly as other organizations. They will miss out on opportunities to hire some of the sharpest minds with the most intriguing, innovative ideas that are going to be the leading subject matter experts of the next century. If you are okay with being on the sideline in the next 10 years (or even out of business), continue to try and “re-define” and eliminate letters in this extraordinary and very much vital movement.

My recommendation is to embrace DEI. Find opportunities within your organizations and in your BC/DR programs, operations, and recovery processes, to highlight, mature, and include DEI efforts. During a crisis, it is “all hands on deck” and it definitely helps if all employees can collaborate and communicate in an efficient manner. That may need to be in their preferred methods and cultural norms.

S. Nicole Scott, CSSGB, MBCI, PMP, is a thought leader with more than 20 years of experience in strategic planning, governance, business resiliency, disaster recovery, program management, change management, and risk management. She has lived and worked in many different regions of the country, which has allowed her to support companies in various industries, including global operations. Through this eclectic array of experiences, Scott has been able to work with diverse teams and has cultivated a unique perspective that helps her build mature, holistic, and successful programs and operationalize industry best practices. Scott has worked with organizations such as PNC Bank, NASA, the U.S. Office of the Secretary of Defense, the U.S. Department of Veteran Affairs, Microsoft, and NTT DATA. She is the founder and CEO of Devine Direction, LLC, a business strategy and consulting firm specializing in governance, business strategies, program management, technical solutions, business continuity, disaster recovery, and risk management. Scott excels in building vigorous, diverse, highly productive, and dynamic global teams. She enjoys fostering collaborative relationships and believes that true success comes from having a diverse group of people from various backgrounds and experiences interested in a common goal – achieving success. Scott is active in the BC/DR community and a member of the Disaster Recovery Journal Editorial Advisory Board.

