Getting BC and DR right
Q: What is the difference between BC and DR?
Michael Davies, MD, ContinuitySA: When you talk to people about DR, they see it as an IT thing, whereas BC is a more encompassing discipline. That includes people, processes and technology. BC is that fuller picture.
Heidi Weyers, Redstor SA: From what we see in our field, DR is about how quickly business-critical systems can be brought up for an organisation to be operational if disaster struck. So several critical systems to point users at if something goes wrong.
Ian Janse van Rensburg, senior manager, VMware: Take Uber as an example. The app is there and working. But the taxis are being attacked. It affects the business on a different level, on a physical level, where the technology is still running. That is BC. From a DR perspective, when a disaster strikes, the companies see if they can recover from that disaster.
Iniel Dreyer, MD, Gabsten Technologies: Business does not necessarily know what IT systems make up a function they must deliver. What's important is to start with the business, and it is IT's responsibility to say what systems are needed in order to meet those requirements. That's where DR comes in. If you start with IT, somewhere there will be a misalignment. It's like insurance: will you pay a million a month to insure five rand? You must understand the value for business and then look at whether IT can enable that in a cost-effective way that fits into the business' value.
Q: Who is responsible for DR and BC in an organisation?
Jenny Mohanlall, CIO, T-Systems: The accountability lies with the CEO, but the responsibility lies with the EXCO. We all have a fiduciary duty to the company for BC and crisis management. We do have BC managers that will execute the plans, but the EXCO needs to make the decision on how to execute and on alignment with strategy.
Grant Morgan, GM, managed services and cloud, MEA, Dimension Data: When the stuff hits the fan and it's really an issue, the CEO will take ultimate responsibility, because they didn't put the people in place who took responsibility and made a plan to recover. Chief risk officers may study the impact and give guidance on that. If my processes fell over tomorrow, what would it cost me and what level of severity may there be? They will disclose that risk as part of their annual statements. Thereafter, you need to get every single process owner and IT guy to make sure that processes are recoverable. That is a much broader set of people taking responsibility for their own areas.
Kevin Hall, national sales manager, Elingo: It could be someone with an overall view of the business, such as a GM or COO looking at operations. There are different tiers to look after, and a lot of that comes from the complexity of the service offered to the customer.
Q: Looking at the recent British Airways systems failure, is comprehending legacy and complexity not a problem?
Claude Schuck, Africa regional manager, Veeam: There is a lot of pressure in the airline world. BA is under pressure to get bums on seats. So I guarantee they have been presented with something around replacing legacy systems. But they worry about bums on seats and the costs of getting people on planes. So they kept saying it was okay for now, okay for now. I guarantee that was the conversation happening.
Michael Davies, ContinuitySA: The BC plans would have been in place. But roles and responsibilities within the chain of command were probably not in place. You have to have the right people, and you get there with simulations.
Claude Schuck, Veeam: Continual testing is important. If you can do it every day, it makes a huge difference. That's something you should be working towards. Looking at British Airways, they must have had a DR plan. But look at that mismatch between their DR and BC. Three days! They may have noticed that had they done more testing.
Q: How can companies get the people element more aligned to DR and BC?
Jenny Mohanlall, T-Systems: It depends on the organisation and how much emphasis is placed on crisis management. It does go way beyond the normal technicalities and infrastructure. It must deal with people as well. People must be constantly informed what the emergency plans are, who needs to execute, who to look at for guidance and where the reporting line is. It is very important to keep everyone informed and communicate constantly.
Q: Can DR and BC be a catalyst for modernisation?
Heidi Weyers, Redstor SA: Yes. We work with that on a daily basis. When you move into organisations, regardless of their size, they have this issue. That's why we have been shifting our focus more toward data management, not just backup and recovery. Organisations don't know how much data they have, how much is legacy and how to differentiate between the two. So it is important to establish that by separating what is business-critical and what they don't need. Planning and identifying all that has become a big role in DR implementation.
Michael Davies, ContinuitySA: A positive side of BC is when you formulate these plans, you go through a whole business impact analysis. You do interviews from the CEO all the way down, and you give that information to them. It is enlightening to them, because it is a hell of a lot of information about their own structures. You should never have a plan that recovers everything instantaneously. That is the worst plan in the world. Certain divisions don't need data immediately. Your recoverability is based on different units. So a company learns a lot more about itself when building its own resilience.
Q: Are mobile workforces not a problem for proper DR and BC strategy?
Grant Morgan, Dimension Data: In some ways, a mobile workforce makes life a little easier. If you are used to working off your mobile, you probably don't need another office and a fixed computer in order to recover from the situation. But in those situations, we are very reliant on networking from a centralised system. If that goes down, the impact is much greater. We need to create some sort of automation in how we take all the complexity that we deal with, plan very well and leave the execution as much in automation as possible.
Kevin Hall, Elingo: Although the services are available, connectivity is still a problem. It's good and well if the data is replicated. But to replicate connectivity is creating new challenges. So the service can be available and they have multiple connectivity points, but the issue is the access point to the cloud infrastructure.
Q: Is cloud impacting the approach to DR?
Ian Janse van Rensburg, VMware: Definitely. Cloud providers have done a lot of work to make BC a reality for many companies. If you look at services such as Office365, you don't expect that to go down at all. It should just be there. BC is there to serve the user. If the user can't access anything, they are affected. If you look at industry 4.0, more and more people will be affected if something on a smart device doesn't work.
Iniel Dreyer, Gabsten Technologies: Cloud is one of the culprits when it comes to proper planning for BC. A lot of businesses think, 'We use cloud tech, so the cloud provider will make sure we can access things'. But what if something goes wrong with the cloud provider? As a business, you still need a plan for how you will access things if the cloud provider fails. A lot of times, those things are not looked at in the fine print. A cloud provider often only has to make the service available. Your data is your problem.
Grant Morgan, Dimension Data: There is a misconception that cloud is DR-ready. Businesses must ask the right questions about what their provider will actually do. But cloud is changing DR. Many cloud solutions are self-orchestrating, and it appeals more to the average SME. It's a great opportunity to use DR more cost-effectively. In the past, you needed to own the infrastructure. Most small businesses couldn't even afford the bandwidth costs between datacentres. But today, that is in abundance, relatively speaking. That further reduces cost. We've seen cost reductions of as much as 70%.
Q: Do SMEs often disregard DR and BC and the risks associated?
Iniel Dreyer, Gabsten Technologies: We're seeing this more and more: the smaller guys get hurt more when disaster strikes. In South Africa, there has been a lackadaisical approach to DR because we don't have hurricanes and tsunamis. But the real threats these days are cyber attacks. Responses will require BC and DR plans to be executed. Bigger businesses have more to throw at those problems than the small guys. So if the small guys focus more on leveraging cloud, understanding what type of data they have, it's a lot quicker for them to recover and be able to compete with the big guys. The small guy losing five customers hurts a lot more than a big guy losing five customers.
Grant Morgan, Dimension Data: The SMEs are so busy doing the day-to-day, they can't even afford the consultants to do business impact analysis. They don't think of these scenarios because they are so busy growing their business. For example, my dentist was attacked by some ransomware. They paid money and thought they'd get their systems back. It was a direct cost they didn't anticipate and they still didn't get the data back. They have lost all their patient records over the years and lost so much credibility with their clients, it threatens to take them out of business on a simple thing.
Q: Can compliance play a role in prompting good DR and BC strategies?
Claude Schuck, Veeam: I don't think people take it seriously enough. When keeping records, do they know what they are liable for? That's coming up more and more.
Jenny Mohanlall, T-Systems: With regards to actual data, especially for BC, Popi will perhaps promote a lot of DR and BC management. According to legislation, you can't have everything in the cloud. You need on-premise as well for confidential information. So that whole hybrid approach will force companies to have some sort of BC management. Legislation will drive a lot of this conversation. But I don't think there is a lot of awareness and that is probably where we as IT houses need to give more advice around legislation and data protection acts. People are becoming more aware of the risk and compliance perspectives, but it hasn't been given the focus that it needs to have.
Grant Morgan, Dimension Data: The penalty they will experience is nothing compared to the potential impact of their business. If they have the double whammy of reputational damage plus a fine, that's just more salt in their wounds.
Q: Overall, are South African companies under-appreciating DR and BC?
Iniel Dreyer, Gabsten Technologies: I don't think there is enough emphasis on DR. The problem is that people think it has to be a natural disaster.
Michael Davies, ContinuitySA: We also have plenty of man-made disasters. We had a client at an alternate recovery site for two months, because the sewer pipe in their building basement burst and the building was condemned until it was fixed. Another client was also there for two months, because of strike action. The strikers had barricaded the area. We've had clients come to site due to fires, largely caused by contractors. BC is not just about the data. IT and the data are critical, but if that is all you are looking at, you are not doing BC.
Ian Janse van Rensburg, VMware: BC also includes thinking if your company will be around in ten or 15 years. That's where resilience thinking comes in. It's about how you do business, how you deliver services and if you are still relevant in ten years if you are not innovative. Companies have to think how to innovate for BC, otherwise they will be out of business.
This article was first published in the September 2017 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.