Disaster Recovery Journal, Winter 2025

REGISTER TODAY! www.drj.com/spring2026

Winter 2025 | Volume 38, Number 4

What ‘House of Dynamite’ Teaches About Crisis Leadership

INSIDE:
Your Organization Is Not as Resilient as You Believe
Career Spotlight: Kiley Stinson of JPMorganChase
A Practical Guide to Risk Management in Global Shipping
BC Software Directory


Disaster Recovery Journal
1862 Old Lemay Ferry, Arnold, MO 63010
(636) 282-5800
Internet: www.drj.com
E-mail: drj@drj.com

EXECUTIVE PUBLISHER Bob Arnold bob@drj.com
EDITOR IN CHIEF Jon Seals jon@drj.com
PRESIDENT Bob Arnold bob@drj.com
DIRECTOR OF EVENTS Lesley Vinyard lesley@drj.com
REGISTRATION MANAGER Rose Chotrow rose@drj.com
MARKETING & DESIGN LEAD Nathan Anton nate@drj.com
EVENT MARKETING Sonal Patel sonal@drj.com

EXECUTIVE COUNCIL Dan Bailey, Jeff Dato, John Jackson, Ann Pickren, Steve Piggott, Randy Till, Damian Walch, Belinda Wilson

EDITORIAL ADVISORY BOARD Erick Anez, Robbie Atabaigi, Scott Balentine, Rich Cocchiara, Adam Ennamli, Sherri Flynn, Corey Hahn, Colleen Huber, Lisa Jones, Melanie Lucht, Melissa Muñiz, Bogdana Sardak, Nicole Scott, Paul Striedl, Joy Weddington

SOUTH AMERICA
DRJ en Espanol
Ruth Rocha, Directora Comercial
+ (51) 1 436 6456 fijo Perú
+ 1 (786) 600 1864 USA
ruth.rocha@drjenespanol.com
www.drjenespanol.com

ASIA
Business Continuity Planning Asia Pte Ltd (BCP Asia)
Henry Ee
1 Commonwealth Lane #08-27, One Commonwealth, Singapore 149544
Phone: (65) 6325 2080 Fax: (65) 6223 5363
General: enquiry@bcpasia.com
Events: conference@bcpasia.com
Direct: henry@bcpasia.com
www.bcpasia.com

UNITED ARAB EMIRATES
Continuity and Resilience, A Division of CORE MANAGEMENT CONSULTING
Dhiraj Lal, Executive Director
P. O. Box 127557, Abu Dhabi, United Arab Emirates
Phone: +971 2 8152831 | Fax: +971 2 8152888
dhiraj@continuityandresilience.com
www.continuityandresilience.com

TABLE OF CONTENTS

8 COVER: What ‘House of Dynamite’ Teaches About Crisis Leadership, by THOMAS MAGEE
12 The Quantum Countdown: Why Today’s Encryption Is Already at Risk, by JOHN HILL
16 Your Organization Is Not as Resilient as You Believe, by JASON BUFFINGTON
22 What Jaguar Land Rover’s Shutdown Reveals About the Next Supply Chain Crisis, by JOE SAUNDERS
24 From Compliance to Capability: Rethinking Resilience for the Real World, by MICHAEL HARDING
26 Burgeoning Unstructured Data Stores Demand Organizations Tackle Data Protection Differently, by JEROME WENDT
29 Career Spotlight: Kiley Stinson of JPMorganChase, by CARY JASGUR
31 A Practical Guide to Risk Management in Global Shipping, by WILLIAM POWELL
33 Think That PDF Is Safe? Why Digital Signatures Fail, How AI Strengthens Trust, by DEEDEE KATO
35 Establishing a Resilience Council: Bridging the Gap Between Strategy and Practice, by SCOTT BALENTINE
44 BC Software Directory

DISASTER RECOVERY JOURNAL is copyrighted 1987-2025, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.

DISASTER RECOVERY JOURNAL | WINTER 2025 5

FROM THE PRESIDENT’S DESK

Resilience in Motion: DRJ Prepares for a Transformative 2026

This issue of Disaster Recovery Journal captures what makes our community so strong: people who are constantly learning, adapting, and pushing forward. Every story in these pages reflects the kind of thinking that moves resilience beyond frameworks and into the real world, where decisions, timing, and teamwork make all the difference.

We have an outstanding mix of articles this time around. Tom Magee shares lessons on crisis leadership inspired by “House of Dynamite,” showing how training and adaptability shape response. John Hill explores quantum encryption threats and what they mean for future data security, while Jerome Wendt continues to bring valuable insight into modern data protection. Jason Buffington launches his first “Resilient Organization” survey, offering a community-wide snapshot of where we stand and where we’re headed. Readers will also find thoughtful pieces on supply chain risk, the steps organizations must take after compliance, and even a look at something as specific and surprisingly risky as PDF signature certification. Our career spotlight highlights Kiley Stinson from JPMorgan Chase, whose path embodies the passion and innovation that drive this profession forward.

All of these articles connect back to one theme: resilience is about evolution. It’s not static, and neither are we at DRJ. That’s why we’re continuing to expand how we deliver value to our readers and attendees. For 2026, we’re setting the bar higher once again. DRJ Spring 2026 in Orlando will feature new formats, fresh speakers, and an exciting renewal of our partnership with The BCI. Together, we’re bringing even more focus on operational resilience, actionable frameworks, and global best practices. We’ll also be rolling out several new initiatives for DRJ Fall 2026 in Dallas later in the year, building on the momentum from our past events and the feedback from our incredible community.

At DRJ, our mission has always been to stay one step ahead of what our attendees need. Whether it’s new session styles, stronger content, or deeper collaboration with partners like The BCI, we’re committed to keeping DRJ events relevant, innovative, and impactful. If you’ve attended before, you’ve seen firsthand how much can be learned and shared over just a few days. If you haven’t, 2026 is the perfect time to experience it for yourself. Join us in Orlando this spring, and again in Dallas this fall, to connect with peers, challenge your thinking, and find practical solutions you can put to use immediately. As this issue reminds us, resilience is built on preparation, insight, and connection, and DRJ remains the place where all three come together.

BOB ARNOLD, MBCI Hon.
PRESIDENT
bob@drj.com


What ‘House of Dynamite’ Teaches About Crisis Leadership
By THOMAS MAGEE

EDITOR’S NOTE: This article discusses key plot points from Netflix’s “House of Dynamite” and includes spoilers.

“Life is what happens while you are busy making other plans.” — John Lennon, “Beautiful Boy”

Most people, especially continuity professionals, know the truth of that lyric because they have lived it. Who hasn’t buried themselves in a project, only to be redirected elsewhere to put out a fire? Often that other fire occurred under circumstances no one thought possible. People call that a black swan event: the impossible somehow took life and became possible. The term came out in a book called “The Black Swan,” by Nassim Nicholas Taleb, first published in 2007. He is a mathematical statistician. His book pointed out that the unthinkable or unlikely often happens, to everyone’s surprise. Murphy’s Law tells us the unthinkable will often occur at the worst time for our calendars too.

Netflix recently released a movie about that concept called “House of Dynamite.” The movie is about the US decision-making process around a single missile strike. The film gives us some great lessons about the nuclear war-fighting process. It also offers up some great crisis planning vignettes everyone could use.

Kathryn Bigelow directed the Netflix film. She also directed “Zero Dark Thirty” and “The Hurt Locker.” Noah Oppenheim, a former producer on the Today Show and president of NBC News, wrote the screenplay. The movie follows the US response to a one-missile-strike scenario. Through the film, you follow the response from the interceptor base in Alaska, to the White House, through StratCom (United States Strategic Command). You even see the government starting to implement their continuity of government and continuity of operations plans (COOP) too!

The movie has won numerous film festival awards. It had a limited run in theaters before debuting on Netflix on Oct. 24, 2025. Reception of the film has been positive, with 78% positive reviews from critics (and 77% from fans) on Rotten Tomatoes. It also gives the public a few visual vignettes about commonly overlooked continuity planning factors.

I thought the film was excellent. It is intensely realistic. It shows the decision process throughout the 18-minute attack timeline. It covers the incident through multiple viewpoints. The movie portrays government officials as very professional as they go through the process while also showing the chaos and difficulty in such a scenario. We see how intangible stresses interfere with plan execution. I know every serious organization has an extensive continuity plan, a plan they probably paid some consultant a lot of money to create. They poured a lot of blood, sweat, and tears into plan amendments through many months or years. I would bet those plans still miss some of the intangible pitfalls exhibited in this film.

Right at the start, we see a common problem on display: information management, or, some would say, information overload. Today, technology allows anyone to collect a ton of information very quickly. This abundance of information functions as a blessing and a curse. We see in the movie how the president and other key staff faced that curse. We see how the White House operations center and StratCom staff can collect information about various disasters and military movements of our enemies across the world in mere minutes. Every staff member had an opinion on what was occurring and what the government should do. However, no one knew who fired the missile. The technology missed that single piece of information at the wrong time.

I think this highlights a problem many organizations face in crisis. Staff can produce volumes of material, but can they produce the information decision makers need? Does your plan or your staff know how to collect the right information at the right time? The Army has a concept called the Commander’s Critical Information Requirements (CCIR): the short list of specific information a commander needs to make decisions. Every organization should have its own version of that list. Once you find that information, can the staff manage and properly distribute what they find to the right office? Often in exercises, people drill like they live in a perfect world. They have the information they need as they will it. We see throughout the film that leaders never get the complete picture. Can your organization deal with incomplete information?

In the movie, we see people scrambling to find the staff subject matter expert on North Korea. No one knew where she was. Everyone hoped she might have the magic key to what was occurring. When they finally found her, she was off on a vacation day at Gettysburg National Park. After wasting precious time, the expert did not have the magic answer. Does the lack of information for your organization stop operations as people search for perfect answers? Do you have a procedure to manage this collection over time? The military calls this a battle rhythm: a deliberate, scheduled cycle of activities that synchronizes all actions of an organization to achieve unity of effort and clarity. This is commonly a regular set of meetings, briefings, or processes that help an organization stay focused and make consistent decisions.

The movie shows us the dangers of exclusively relying on top-level people and not the supporting characters. When the right people aren’t there when the crisis hits, things fall apart, and the whole organization suffers. Reality and experience teach us that problems will occur as much as the disasters themselves. Disasters rarely check the boss’s staff calendar to hit at the most convenient time. We all know Murphy’s Law will strike at the wrong time, in the middle of the disaster. Organizations will always miss the most critical person when the sky is falling. In the film, we see the president’s staff was missing the vice president, the national security adviser, and the secretary of state. The secretary of defense checked out of the process by walking off the helicopter deck to his death! Only the deputy national security adviser stepped forward to fill the void. Could your organization suffer a 50% loss of critical staff during an emergency? Is your junior staff capable of stepping forward to even partially fill any gaps?

Organizations need to expect critical people to be gone. The junior staff should not be forgotten. Who knows? In the next crisis, the whole organization might rest on their shoulders! Do you utilize junior people in exercises? Does the plan make it easy to use non-standard people? At one place I worked, the plan had duty descriptions for every critical person. Then a new person could pull out that duty description to give them at least an idea of where to start working.

The movie shows the problem of information flow. Everyone at the top of the pyramid knew the few known facts (a missile was headed toward them). We see a couple of scenes with a FEMA representative. She got the order to activate the COG (Continuity of Government) plan and nothing else. She did not have any information to pass on to other critical staff. The intensity of that moment caused people to forget about the rest of the organization. The rest of the team was lost like a ship at sea. Organizations should remember the rest of the organization during an event, or you won’t have an organization to use. Is there a way to build in information distribution for the entire organization?

The movie shows staff at Fort Greely in Alaska and the Presidential Emergency Operations Center (the bunker underneath the White House) starting to crack under the pressure. This, for sure, would occur during such an event due to the immensity of the consequences. Leaders in both locations saw staff members starting to crack. Leaders stepped forward to calm staff during those intense moments: “Remember your training.” Common memories from training give an organization security in the moment. They also give people the courage to press on during a stressful event. Does your organization have leaders who can do that? Do they know when staff have been pushed to the wall? Do you have a training plan people can lean on to get them through the stressful times? Do they have the knowledge to run mental wellness checks on the staff on a regular basis? The best leaders can do intangible things to calm everyone down. No plan will cover these little critical details. Only experience will teach leaders when to give a pep talk and keep the ship afloat.

The movie superbly shows the shock on everyone’s faces when the missile interceptor misses the incoming ICBM. They knew, due to the trajectory and speed of the incoming missile, they would not have a second shot. At that point, no one in Alaska or D.C. knew what to do next. Plan failures or unforeseen developments occur on a regular basis. Another example happened during Hurricane Katrina. No one foresaw the levees failing, creating a massive flood. Organizations should plan and train on finding these events quickly and responding appropriately. A preset plan won’t get you totally through the crisis. Everyone needs a decision-making process to accomplish that. The processes will only develop over time and through a lot of training.

Organizations need to develop a system to help senior managers make faster, smarter decisions. This system will help organizations overcome the friction and inertia created by the chaos. Parts of the system gather the data together. Others refine the information and analyze it to ascertain its truthfulness. Then others refine that information further to help decision makers come to a better decision. This is done constantly, since the environment will be changing with the chaos. To refine this capacity, organizations must train, train, and train some more. Over time, the process becomes part of your culture. That helps others step into unfamiliar roles to help decision makers.

I know “House of Dynamite” is just a movie. However, many of us found it very realistic. Through its focus on process, you see certain lessons all organizations, government or private sector, could use to better prepare for the next disaster. The problems seen in this film did not stem from a lack of technology. The issues came from the normal friction that occurs in conflict. The way organizations can override these problems comes from developing people and systems. You will only get that benefit by committing to training over time.

Thomas Magee has more than 35 years of experience working as a federal civil servant. He has worked for a wide variety of agencies. Magee also is a retired Army Reserve LTC with experience in Desert Storm and in Iraq. He has an undergraduate degree in business from the University of Kansas, a master’s degree in public administration from the University of Missouri Kansas City, a master’s degree in communications from the University of Kansas, and a master’s degree in history from Arizona State. Magee has also graduated from the DHS FEMA Basic Emergency Managers Academy, the master’s continuity practitioner course, and several Army schools all the way up to the combined arms and general staff course. He has authored one book and several articles in multiple publications.


The Quantum Countdown: Why Today’s Encryption Is Already at Risk
How Quantum Computing Will Expose Data Long Thought Secure, and What Resilience Leaders Must Do Before It’s Too Late
By JOHN HILL

While organizations obsess over ransomware, phishing, and insider threats, a far more devastating storm is quietly brewing. Nation-states and cybercriminals are stealing encrypted data right now, banking on one terrifying bet: quantum computing will shatter encryption wide open. When that day comes, sooner than most realize, what you assumed was protected will become public. It’s called “harvest now, decrypt later,” and it’s the ticking time bomb for which almost no one is prepared.

Harvest Now, Decrypt Later: The Silent War Has Already Started
This isn’t speculation; it’s happening in real time. Threat actors are intercepting encrypted emails, VPN tunnels, TLS sessions, and backup archives. They’re quietly sweeping up everything they can get their hands on and shelving it for a rainy day. That “rainy day” will arrive the moment quantum computers become powerful enough to rip through RSA, ECC, and Diffie-Hellman like tissue paper. You won’t even know it happened.

What a quantum computer breaks in a harvested session is the public-key layer: the RSA or elliptic-curve key exchange in the handshake, from which the session key, and then the recorded traffic, can be recovered. Symmetric ciphers such as AES are weakened, not broken (Grover’s algorithm roughly halves the effective key length, so AES-256 still leaves 128 bits of security). A backup archive encrypted with a 256-bit symmetric key is therefore safe only if that key was never wrapped, escrowed, or exchanged with RSA or ECC, which in most deployments it was.

We trust encryption blindly. We assume our HTTPS connections, email servers, encrypted backups, and VPNs are untouchable. That assumption is our Achilles’ heel. We’ve built our digital civilization on algorithms with expiration dates, and the clock is ticking.

The Quantum Edge: Why Today’s Encryption Doesn’t Stand a Chance
Quantum computing doesn’t just make things faster; it changes the rules entirely. Our current encryption schemes rely on problems so complex that even supercomputers would need millions of years to solve them. That’s been our safety net, until now.

Imagine this: a single mouse is dropped into a massive, twisting maze. Traditional computers are like that one mouse: it must explore one corridor at a time, hit a dead end, backtrack, and try again. Eventually, after millions of years, it might find its way out. That’s why RSA and ECC encryption are secure today: the math is simply too big for one “mouse” to solve. Quantum computing shreds that limitation. Now picture a thousand mice dropped into the same maze, each exploring a different path simultaneously. In essence, every qubit acts like its own mouse. Quantum computers can send thousands, eventually millions, of qubits to explore all paths at once, collapsing into the correct solution almost instantly. That’s what superposition and entanglement make possible: testing every potential outcome at once and pinpointing the right one in record time.

The analogy conveys the scale of the advantage, not the mechanism. A quantum computer does not try every path and read off the winner; Shor’s algorithm uses superposition and interference to find the period of a modular-exponentiation function, and that period reveals the factors of an RSA modulus or the discrete logarithm behind an ECC or Diffie-Hellman key. It is that algebraic structure that makes today’s public-key schemes vulnerable. Problems without it, such as symmetric ciphers, hash functions, and the lattice problems behind the new post-quantum standards, get at most a square-root speedup.

With roughly 4,000–6,000 stable, error-corrected qubits (each of which must be built from many noisy physical qubits), a quantum computer could break 2048-bit RSA encryption in hours. This isn’t theory; it’s mathematics, and the math is advancing faster than most organizations care to admit.

The Timeline: Closer Than You Think
The Hudson Institute forecasts quantum breakthroughs by 2033. Other experts estimate a 50% chance by 2031. NIST rolled out its post-quantum cryptography (PQC) standards in 2024 (FIPS 203, 204, and 205), and the NSA has already mandated that national security systems use quantum-safe algorithms by 2035. Organizations now have a five- to 10-year window to act. The data being intercepted and stored today is already compromised. It’s simply waiting in cold storage for quantum to catch up. Every month you delay adds another layer of vulnerable data to the pile. When that decryption day arrives, it’s not just new breaches you’ll face; it’s every breach and data interception you never knew happened.
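The five- to 10-year window is the planner’s form of Mosca’s inequality: if the years your data must stay confidential (its shelf life) plus the years a migration will take exceed the years until a cryptographically relevant quantum computer exists, that data is exposed today, not later. The following Python script, an added example rather than code from the article or its author, applies that test across a cryptographic inventory, which is what the inventory and risk-assessment step of the action plan below asks for. The inventory rows, the CSV columns, the `years_to_crqc` horizon, and the algorithm name lists are assumptions for illustration; the classification of RSA, ECC, and Diffie-Hellman as Shor-breakable and of AES and SHA-2 as merely Grover-weakened is standard.

```python
"""Cryptographic inventory triage against the quantum timeline.

Added example (not from the article). Applies Mosca's inequality,
    shelf_life_years + migration_years > years_to_crqc  =>  act now,
over a constructed inventory and orders assets by urgency. CRQC means a
cryptographically relevant quantum computer.
"""
import csv
import io
from dataclasses import dataclass

# Shor's algorithm solves factoring and discrete logs in polynomial time, so
# these schemes give no security once a large quantum computer exists.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
# Grover's algorithm is only a square-root speedup; the conservative rule of
# thumb is to halve the key length to get the post-quantum strength.
GROVER_WEAKENED = {"AES", "ChaCha20", "SHA-256", "SHA-384", "SHA-512", "HMAC"}
# NIST FIPS 203/204/205 (formerly CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+).
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# Constructed sample inventory; the assets are invented, not real systems.
INVENTORY_CSV = """\
asset,algorithm,key_bits,shelf_life_years,migration_years,purpose
patient-records-archive,RSA,2048,25,4,wraps backup encryption keys
customer-vpn,ECDH,256,2,3,session key agreement
firmware-signing,ECDSA,256,8,5,signatures must stay trusted for device life
tape-archive,AES,256,25,2,bulk encryption at rest
legacy-sso-tickets,AES,128,12,2,ticket encryption
public-website,ML-KEM,768,1,0,TLS key agreement
"""

RANK = {"urgent": 0, "plan": 1, "ok": 2}


@dataclass
class Finding:
    asset: str
    algorithm: str
    key_bits: int
    exposure_years: int  # shelf life + migration time
    status: str          # "urgent" | "plan" | "ok"
    reason: str


def triage(asset, algorithm, key_bits, shelf_life_years, migration_years,
           years_to_crqc):
    """Classify one inventory row; years_to_crqc is the assumed CRQC horizon."""
    exposure = shelf_life_years + migration_years
    if algorithm in QUANTUM_SAFE:
        return Finding(asset, algorithm, key_bits, exposure, "ok",
                       "quantum-safe algorithm (NIST FIPS 203/204/205)")
    if algorithm in SHOR_BROKEN:
        if exposure > years_to_crqc:
            return Finding(asset, algorithm, key_bits, exposure, "urgent",
                           f"Shor-breakable; {exposure}y exposure exceeds the "
                           f"{years_to_crqc}y CRQC horizon: already harvestable")
        return Finding(asset, algorithm, key_bits, exposure, "plan",
                       f"Shor-breakable; {exposure}y exposure fits the horizon, "
                       "schedule hybrid/PQC migration")
    if algorithm in GROVER_WEAKENED:
        pq_bits = key_bits // 2
        if pq_bits < 128:
            return Finding(asset, algorithm, key_bits, exposure, "plan",
                           f"Grover leaves ~{pq_bits} bits; move to 256-bit keys")
        return Finding(asset, algorithm, key_bits, exposure, "ok",
                       f"~{pq_bits}-bit post-quantum strength is adequate")
    # Anything not on the lists is unreviewed: fail closed.
    return Finding(asset, algorithm, key_bits, exposure, "urgent",
                   "unrecognised algorithm; treat as unsafe until reviewed")


def triage_inventory(csv_text, years_to_crqc=10):
    """Parse the CSV inventory and return findings, most urgent first."""
    findings = [
        triage(row["asset"], row["algorithm"], int(row["key_bits"]),
               int(row["shelf_life_years"]), int(row["migration_years"]),
               years_to_crqc)
        for row in csv.DictReader(io.StringIO(csv_text))
    ]
    # Stable sort keeps inventory order within each urgency band.
    findings.sort(key=lambda f: RANK[f.status])
    return findings


if __name__ == "__main__":
    for f in triage_inventory(INVENTORY_CSV):
        print(f"{f.status:6} {f.asset:24} {f.algorithm}-{f.key_bits}: {f.reason}")
```

Running it prints the RSA-wrapped archive and the long-lived firmware signing key as urgent, the short-lived VPN session keys as merely “plan,” and AES-256 and ML-KEM as fine; shortening `years_to_crqc` pulls the VPN into the urgent band, which is the whole point of the inequality. A real inventory would be populated from certificate stores, TLS scans, and KMS key metadata rather than a hand-written CSV.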

What’s at Risk: Secrets with a Shelf Life
This isn’t about antivirus software or zero-day exploits. This is about your organization’s crown jewels being compromised retroactively. Healthcare, finance, research, government: all house data with lifespans measured in decades. If your data’s shelf life exceeds 10 years, quantum readiness isn’t optional. It’s existential.

Action Plan: What Resilience and Continuity Pros Must Do Now
1. Cryptographic Inventory and Risk Assessment – Inventory every use of public-key cryptography. Map where encryption lives, who controls it, and how long the data must remain confidential.
2. Migration to Post-Quantum Cryptography – Adopt the NIST-approved standards: ML-KEM, ML-DSA, and SLH-DSA (FIPS 203, 204, and 205, standardized in 2024 from CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+). Hybridize classical and quantum-safe approaches so that a flaw in either algorithm alone does not expose the data.
3. Build Crypto-Agility – Design systems that can replace cryptographic algorithms without rewriting code.
4. Vendor and Supply Chain Management – Demand quantum readiness roadmaps. Bake PQC into SLAs.
5. Backup and Archive Protection – Re-encrypt legacy archives of high-value data under PQC-protected keys.
6. Secure Communications and Infrastructure – Deploy PQC-enabled VPNs, TLS upgrades (hybrid key exchange), and quantum-safe HSMs.
7. Modernize IAM – Transition to PQC-capable certificates and authentication.
8. Governance and Awareness – Make quantum risk a board-level issue, not an IT issue.
9. Testing and Continuous Improvement – Run quantum breach tabletop exercises and refine yearly.

Regulatory Pressure Is Coming, Fast
The Quantum Computing Cybersecurity Preparedness Act is already active. Federal deadlines are in motion. Financial regulators are quietly probing for PQC readiness. Healthcare won’t be far behind. If you wait for the government to tell you it’s time, you’ve already lost the race.

The Cost of Inaction: A Future You Can’t Afford
Picture it: 2035. A nation-state fields a cryptographically relevant quantum computer. Ten years of encrypted emails, contracts, designs, and patient records: instantly decrypted. Strategic plans, board communications, and legal correspondence surface in the open. Competitors gain insight into M&A negotiations, regulatory strategies, and executive deliberations once thought private. Customers vanish. Regulators pounce. Lawsuits multiply. The board demands answers, not just for the breach, but for the years of warnings ignored. This isn’t science fiction. It’s the logical outcome of doing nothing.

Final Words: The Countdown Is Real
Resilience isn’t about backup tapes anymore. It’s about protecting trust, brand, and survival. The harvest is happening now. The decryption is coming soon. Quantum readiness isn’t about perfection; it’s about momentum. Get your team aligned. Get your vendors compliant. Start now, or explain later why you didn’t.

John Hill, MBA, ITIL, CBCP is a board-trusted executive leader with more than 25 years helping Fortune 500 companies, financial institutions, and SaaS organizations transform risk into resilience. As senior director of advisory services at Everbridge, he leads consulting across governance, risk, compliance, cybersecurity, business continuity, and crisis management. Previously serving as chief risk officer, Hill identified more than $1.2B in risk exposures and guided boards through high-stakes investment and regulatory decisions. At Jack Henry & Associates, he resolved an FFIEC enforcement order seven months ahead of schedule while reporting directly to the CEO and board. A regular contributor to the Disaster Recovery Journal and frequent guest on industry podcasts including ByteWise, Hill explores emerging threats such as quantum threats to cryptography, AI dependence, and shadow IT. As founder of Resiliency Now, he’s known for cutting through compliance theater to deliver programs that actually work, helping organizations build real readiness, not just check boxes.



Your Organization Is Not as Resilient as You Believe
By JASON BUFFINGTON

EDITOR’S NOTE: This is the first of three articles covering the confidence resilience leaders have in their organizations’ ability to persist through a disruptive event, and the likely reasons why they feel that way.

According to your BC/DR professionals, 2/5 of your business processes are not resilient
One of the most revealing statistics came when survey respondents were asked, “What percentage of your organization’s key business processes do you believe to actually be resilient in alignment with your resilience goals?” Figure 1 reveals a fairly consistent distribution from worst to best cases, with the average response being 59%. Unfortunately, if roughly three out of five business processes are believed to be adherent to their organization’s resilience goals, then two out of five business processes will not bounce back on your worst day.

Figure 1 – BC/DR professionals believe only 59% (3/5) of their organization’s key business processes are actually resilient.

One might wonder whether, because four different personas were involved in the research, a few points of view might be skewing the overall result. That turned out not to be the case: the various respondents each averaged within 3% of the overall result, with business continuity leaders being only slightly more optimistic than the other personas. A wider range of responses was observed between those with higher-ranking titles (e.g., vice president) and those with mid-tier responsibilities (e.g., manager or director). This suggests those closer to the implementation/plan specifics or the testing results (i.e., more informed on the details) have a starker view of reality than those higher up in leadership.

HOMEWORK:
1. Ask your teams to estimate “What percentage of our business processes are resilient?” for the table. To get a full grasp, consider the unique areas of resilience within your organization and ask two individuals per area, ideally with at least one intermediate layer between them, to create a gap between the “executive” and “implementer” points of view. PRO TIP: Don’t show the results to anyone until you have all eight estimates.



If you are not testing, then you don’t have a plan; you have a hope
Other than organizational hierarchy, the other likely reason many have less confidence in their organization’s ability to persist during a crisis may be the lack of testing, or the lackluster results when testing does occur. Looking at IT disaster recovery as one core area to be tested, the survey revealed a stark contrast between how the minority of high-priority platforms are tested and the remaining majority of “normal” platforms. For the IT platforms that support high-priority business processes, one-third of organizations test biannually to ensure their recoverability and half test annually, leaving barely one in ten that test recovery of their high-priority capabilities either ad hoc or not at all. Alternatively, an alarming one out of three organizations do not test the recoverability of their “normal” IT platforms even once per year. All these statistics reveal testing isn’t happening as often as it should.

Even more troubling, the adjacent question in the survey reveals 32% of respondents aren’t even aware whether large-scale recovery tests happen at all. Remember, the survey respondents were directly responsible for BC, DR, CM, or cyber, yet were unaware whether a large-scale recoverability test had occurred within their organizations. Candidly, if the professionals closest to resilience initiatives aren’t aware of a large-scale test, then that test likely hasn’t happened in one-third of the organizations.

With every IT disruption discussion often coming back to the ever-present threat of ransomware and cyber villains, the survey specifically asked how often a cyber-recovery was tested; the average was once every 10 months. Consider how much of your business processes and IT frameworks change within one year, and now imagine your ransomware recovery plan hasn’t been updated within the same timeframe.

Figure 2 – Testing recoverability of “high priority” and “normal” IT workloads may not be happening as often as you hope.

Figure 3 – Most plans are tested annually.

HOMEWORK: Ask your IT teams:
2. How frequently do we test the recoverability of the “high priority” IT workloads the organization relies on for our key business processes?
3. How frequently do we do a large-scale recovery test to remediate from a natural disaster? Or a ransomware encryption breach?
4. What were the results of those tests? (This is the most important one to dig into.)

Do your business expectations align with the technical realities?
With the growing recognition of the importance of resilience across both business processes and IT platforms, one would hope the various personas would start to align on realistic expectations for resilience. Unfortunately, the 2025 survey results continue to reveal a significant gap between the business’s expectations of how quickly IT systems need to resume some functionality and the reality of how quickly IT can reconstitute those platforms. When business stakeholders were asked about the resilience expectations of their underlying IT systems, they revealed what most IT leaders might consider a daunting challenge:

• For high-priority workloads, 68% of business leaders expect IT services to resume functionality within four hours, and 97% expected resumption within one day of a disruptive event.
• For normal workloads, only 16% expected the same four-hour resilience, but 67% still expected the rest of the IT systems to be running within one day of disruption.

For a “typical” natural disaster, it might be reasonable to presume the higher-priority (smaller percentage) of IT systems could be brought online within one day, courtesy of either a secondary data center or disaster recovery cloud services. While most organizations do not have enough secondary infrastructure to reconstitute “the rest” (i.e., the non-high-priority) of the IT systems, cloud infrastructure delivered through a managed service (e.g., disaster recovery as a service, or DRaaS) could conceivably reconstitute a significantly higher percentage of systems closer to the business expectations.

That said, recovery from a cyber-attack such as ransomware encryption immediately breaks most recovery expectations. When recovering from natural disasters, the secondary copies, backups, or replicas are considered valid up until the disruptive event, so the only challenge is rapid recovery at scale. For cyber recoveries, the orchestration of rapid recovery at scale is the same, but that process cannot begin until the breach has been stopped and a safe or “clean” copy of the data has been identified, which for too many organizations is an overly manual and imprecise task. Once the clean data has been identified and a clean environment

has been prepared to recover too, then the typical IT DR recovery at scale process can begin. Unfortunately, according to the IT participants within the survey, the average large-scale recovery (not including the time to identify “safe” data) is expected to take 2.6 days: far exceeding the business expectations for resilience. HOMEWORK: Ask your IT infrastructure and cybersecurity teams: 5. If IT needed to recover a significant number of platforms due to a natural disaster, what is our secondary 6. Considering cyber restorations as a superset of an IT natural disaster, what are the processes and timelines for identifying clean data before the secondary systems can begin recovery? ttt This article, the first in a three-part series, is meant to help you create new conversations perhaps by asking hard questions. While the author does not work for a vendor or service provider, he does cover technologies and platforms which can address some of the IT challenges and by extension of the business processes described. Some 502 resilience leaders and professionals were surveyed during the summer of 2025 on a variety of topics related to organizational resilience. Each of the survey respondents had a primary responsibility in either business continuity, disaster recovery, crisis or emergency management, or cyber-preparedness. v infrastructure plan and how long before it would have systems coming back online?

Jason Buffington has more than 35 years of experience in the IT disaster recovery space. He has been a CBCP since 2003, spoken at hundreds of DR and IT events over the years, and published in numerous

periodicals and blog sites. Buffington is the founder of Data Protection Matters, an independent analyst firm that covers data protection, cyber resilience, BaaS & DRaaS, and BC/ DR. Outside of BC/DR, he is an active volunteer leader in Scouting America; “Be Prepared” is their motto too. For more information on the research topics and methodology, please visit https://DataProtectionMatters.com/OR26.


What Jaguar Land Rover’s Shutdown Reveals About the Next Supply Chain Crisis

Jaguar Land Rover’s Cyberattack Demonstrates How Complex Supply Chains Amplify Consequences and What Could Happen If Attackers Target Automotive Software Next

By JOE SAUNDERS

When Jaguar Land Rover shut down its IT network and manufacturing this fall, the world saw the tangible costs of a motivated cyberattack across the automotive ecosystem. The five-week shutdown revealed what many in the industry already suspected: automotive supply chains are highly interconnected and fragile. A single disruption can ripple through factories, logistics networks, and suppliers, with economic implications far beyond the walls of a single company. While the JLR attack relied on social engineering to gain access to IT systems, it underscores a deeper strategic concern. The next attack could come through the software supply chain, where compromised components could have consequences far more dangerous than temporary factory downtime.

The JLR Attack

The attack against JLR demonstrates how disruption spreads across industrial networks. After gaining access, the attackers moved laterally from IT systems into OT, affecting the factory floor and stealing company data. Production lines halted, thousands of workers were idled, and the UK government stepped in with a £1.5 billion loan guarantee to stabilize suppliers. According to estimates, the total economic impact approached $2.5 billion, affecting thousands of organizations. The attackers achieved a nationwide economic impact, showing the potential for adversaries to exploit dependencies and interconnections in highly integrated manufacturing ecosystems. The more complex the supply chain, the greater the amplification of risk.

Why Automotive Software Supply Chains Are at Risk Next

The JLR attack exposed one layer of supply chain risk. The next may be buried in the software that runs today’s vehicles. Modern vehicles rely on hundreds of millions of lines of code, distributed across four or more layers of suppliers, including in-house development teams, third-party vendors, component manufacturers, and open-source software projects. Within that ecosystem, tens of thousands of developers contribute to the code that ultimately runs inside vehicles. Each addition, dependency, and update introduces potential exposure. This layered complexity creates a perfect environment for inherited vulnerabilities and invisible dependencies. When code from different origins merges into the same production line, a single compromise at any layer can affect the entire system. Without transparency into where components come from, what they contain, and which vulnerabilities they carry, automakers have little ability to assess their actual security posture. The implications go well beyond production downtime. A vulnerability buried in a software component could allow attackers to disable or manipulate critical functions, like braking or steering, putting safety, not just productivity, at risk. The JLR shutdown showed what a motivated attacker can achieve by disrupting IT and OT networks. A software supply chain attack puts the safety of both drivers and vehicles on the line.

Motivated Attackers Are Watching and Waiting

The threat group that has claimed responsibility for the JLR attack, Scattered Lapsus$ Hunters, has demonstrated patience and strategic targeting. Earlier this year, the same actors struck other organizations, gathering intelligence that could serve future objectives. They have leveraged stolen credentials, social engineering, and compromised platforms to infiltrate multiple companies worldwide, from Google to Cloudflare to Palo Alto Networks. These campaigns illustrate that attackers are motivated, well-resourced, and persistent. They observe, map, and collect intelligence, pre-positioning themselves for maximum disruption. The JLR shutdown is a preview of what is possible when operational dependencies intersect with attacker patience and ambition. A software supply chain compromise could provide adversaries with long-term access and intelligence, enabling attacks that could affect production, vehicles, and even national transportation infrastructure.

Next Steps for Supply Chain Security

The automotive industry can either continue with opacity and hope not to be the victim of an attack, or invest in transparency and resilience. To move toward resilience, automakers and suppliers can take several steps.
• Implement Software Bills of Materials (SBOMs): Every tier of software manufacturer should provide transparency into components and dependencies through build-time SBOMs. Understanding the security posture of your suppliers, including the country of origin of a component, is just as important as assessing your own. Without visibility into components and dependencies, automakers cannot accurately assess exposure or respond when a vulnerability is disclosed. Transparency at scale enables faster patching, reduces uncertainty, and builds collective resilience.
• Establish Shared Threat Intelligence: Shared data on vulnerabilities, threat indicators, and exploit attempts can help the entire automotive ecosystem detect and contain attacks before they spread.
• Assume Breach, But Limit Spread: Every company in the supply chain must operate under the assumption that compromise is inevitable. The goal is not just to prevent intrusions, but to design systems that contain them. Software should be compartmentalized with least-privilege permissions, network segmentation, and rapid isolation capabilities. Routine exercises that simulate supplier compromise can help quantify potential blast radius and strengthen incident response coordination.
• Implement Resilience Engineering: Cyber resilience must become as integral to manufacturing as mechanical redundancy. That means planning for controlled resets, hardware and software rollback paths, and “safe modes” that can decouple digital systems from physical operations in an emergency.

The Economic, Strategic, and Safety Stakes

Jaguar Land Rover’s shutdown is a case study in economic and operational fragility. The next crisis may not stop at the factory gate. Software supply chain attacks could compromise vehicles themselves, disrupt production silently, and create pathways for future exploitation. The stakes are economic, strategic, and, ultimately, safety-critical. The complexity of automotive supply chains—and software supply chains in particular—is only going to increase. Vehicles will become more connected and software-defined. The question is whether we build security into that complexity now, or wait for attackers to make their next move.

Joe Saunders is founder and CEO of RunSafe Security. He leads a team of former national security cyber experts on a mission to make critical infrastructure safe. Working with companies such as Lockheed Martin, GE Vernova, and Vertiv as well as the US Army, US Navy, US Air Force, and dozens of other organizations, RunSafe Security identifies risk in your software supply chain, prevents exploitation of embedded systems, and monitors software for indicators of compromise and bugs. Saunders is also chairman of Ask Sage, a cloud-agnostic and large-language-model-agnostic platform that is transforming how government and business operate. He previously served as a management consultant for PricewaterhouseCoopers, a director at Thomson Reuters Special Services, and a member of the management team of TARGUSinfo (sold to Neustar for $800M). Saunders is a frequently sought-after speaker and panelist.
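The SBOM recommendation above argues that without visibility into components and dependencies an automaker cannot assess exposure when a vulnerability is disclosed. The following Python is an added example, not the author's or RunSafe's code: it reads a constructed CycloneDX-style SBOM whose components carry an assumed `supplier:layer` property, matches a placeholder advisory by purl, and walks the dependency graph upward so a flaw in an open-source library is traced through each supplier layer to the product.

```python
# Added example, not from the article or any vendor: assess exposure to a newly
# disclosed vulnerability from a build-time, CycloneDX-style SBOM. The SBOM, the
# 'supplier:layer' property (an assumed convention) and the advisory are constructed.
import json

# Constructed SBOM for a hypothetical braking ECU firmware image.
SBOM_JSON = """{
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "fw", "name": "brake-ecu-firmware", "purl": "pkg:generic/brake-ecu-firmware@3.2.0",
     "properties": [{"name": "supplier:layer", "value": "in-house"}]},
    {"bom-ref": "abs", "name": "abs-controller", "purl": "pkg:generic/abs-controller@7.1",
     "properties": [{"name": "supplier:layer", "value": "component-manufacturer"}]},
    {"bom-ref": "can", "name": "can-stack", "purl": "pkg:generic/can-stack@2.4.1",
     "properties": [{"name": "supplier:layer", "value": "third-party"}]},
    {"bom-ref": "tls", "name": "tinytls", "purl": "pkg:generic/tinytls@1.0.9",
     "properties": [{"name": "supplier:layer", "value": "open-source"}]}
  ],
  "dependencies": [
    {"ref": "fw", "dependsOn": ["abs"]},
    {"ref": "abs", "dependsOn": ["can"]},
    {"ref": "can", "dependsOn": ["tls"]}
  ]
}"""

# Constructed advisory naming the affected package by purl (placeholder id, not a CVE).
ADVISORY = {"id": "ADVISORY-PLACEHOLDER-0001",
            "affected_purls": {"pkg:generic/tinytls@1.0.9"}}

def load_sbom(text):
    """Parse the SBOM into (components by bom-ref, child -> set of parent refs)."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom["components"]}
    parents = {}
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    return components, parents

def layer_of(component):
    """Supplier layer recorded on the component, or 'unknown' if none is."""
    for prop in component.get("properties", []):
        if prop["name"] == "supplier:layer":
            return prop["value"]
    return "unknown"

def assess_exposure(sbom_text, advisory):
    """Map each affected component to its supplier layer and to every component
    that transitively builds on it, tracing one library up to the product."""
    components, parents = load_sbom(sbom_text)
    report = {}
    for ref, comp in components.items():
        if comp.get("purl") not in advisory["affected_purls"]:
            continue
        seen, stack = set(), [ref]
        while stack:  # walk the inverted dependency graph upward
            for parent in parents.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        report[comp["name"]] = {"layer": layer_of(comp),
                               "reaches": sorted(components[p]["name"] for p in seen)}
    return report
```

Calling `assess_exposure(SBOM_JSON, ADVISORY)` reports `tinytls` at the open-source layer reaching `can-stack`, `abs-controller` and `brake-ecu-firmware`, which is the tier-by-tier exposure the bullet says an automaker needs on the day an advisory lands.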

From Compliance to Capability: Rethinking Resilience for the Real World

By MICHAEL HARDING

Most organizations can show you their plans. Fewer can prove they work. For too long, resilience has been measured by compliance – the presence of documents, the completion of exercises, or the passing of audits. In today’s complex risk landscape, that is not enough. True resilience is not about how complete your plan looks; it is about how confidently your organization can continue operations when things do not go to plan. This article explores how continuity and crisis leaders can shift from reactive compliance to proactive capability, where readiness is measured by outcomes, not outputs.

1. The Compliance Trap

Many programs plateau once their documentation is “complete.” Plans are updated, boxes are checked, and reports are filed. But resilience is not a binder on a shelf – it is the ability of people, systems, and processes to adapt under stress. When programs are built around compliance instead of capability, they often fail in execution. The reason is simple: compliance measures process; capability measures performance. It is performance – not paperwork – that matters when the crisis hits.

2. Redefine What You Measure

If your metrics are limited to “plan reviews completed” or “exercises conducted,” you are not measuring resilience; you are measuring activity. Instead, define success in terms of capability outcomes, such as:
• How long can we continue core operations during a disruption?
• Are our recovery targets achievable given current resources?
• How effective is decision-making when the plan does not fit?
These questions move resilience from compliance oversight to business insight. They also help leadership see continuity not as an obligation, but as an enabler of confidence.

3. Align Resilience with Risk Appetite

A common breakdown in continuity programs occurs when recovery targets are defined without regard to the organization’s risk appetite. A function might list a four-hour recovery as its objective, but if leadership’s tolerance or infrastructure can only realistically support 12 hours, that’s not preparedness – it’s misalignment. Use the language of risk to bridge the gap:
• Map each critical function to its risk tolerance
• Quantify capability gaps as business risks, not technical issues
• Present continuity trade-offs in terms of exposure and decision cost
When resilience data reflects leadership’s own priorities, it stops being background noise and starts driving informed decisions.

4. From Plans to Performance

Every plan has an expiration date – it is the moment people stop practicing it. Organizations that succeed under stress share a simple trait: they have trained their teams to make decisions, not just follow instructions. Replace static table-top exercises with dynamic simulations that challenge timing, judgment, and communication. Measure not only whether teams follow procedure, but whether they adapt when the unexpected occurs. This is how capability is built – through repetition, ownership, and trust. Documentation is only the artifact of that effort, not its outcome.

5. Integrate, Do Not Isolate

Resilience, risk, crisis management, and IT disaster recovery are often run in silos – each with its own metrics, stakeholders, and language. However, resilience is not a department; it is an organizational state of readiness. Cross-functional collaboration turns fragmented efforts into capability ecosystems. When risk data, continuity metrics, and crisis response planning intersect, leadership gains the clarity to act decisively when it matters most.

6. Measure What Matters

The most mature programs know where they stand – not through checklists, but through measurable capability maturity. Use consistent criteria to evaluate governance, integration, testing, communication, and culture. Then, track improvement over time. Resilience is not static; neither should your measure of it be. A good rule of thumb: if your metrics do not inform investment or decision-making, they are not worth tracking.

Conclusion: Build Confidence, Not Just Compliance

Compliance builds documentation. Capability builds confidence. In a world where disruptions are inevitable, the organizations that thrive will be those which measure, test, and improve their true ability to continue operations – not just recover from them. The question is not whether you are compliant. It is whether you are capable.

The views expressed in this article are solely those of the author and do not represent the views of his employer.

Michael Harding is a Marine veteran with more than 20 years of global experience in business continuity, crisis management, and organizational resilience. He specializes in aligning continuity capability with risk appetite and leadership decision-making to strengthen readiness.
