Home > Uncategorized > Tunnel Vision in Business Continuity and Disaster Recovery

Tunnel Vision in Business Continuity and Disaster Recovery

Business continuity and disaster recovery are two of the most challenging IT areas. I’ve had some experience with business continuity planning, and from what I have seen of it, it is much more difficult than a closely-related area, incident response, with which I have had considerable experience. What makes business continuity and disaster recovery so much more difficult is the sheer number of steps and details involved and the precision with which actions must be performed. I remember, for example, when a friend of mine who was leading a business continuity operation after an outage had occurred got in serious trouble because the data he restored to a system were not exactly the right set. In contrast, I’ve made numerous mistakes in the process of conducting incident response efforts, but have never experienced anywhere near the kind of consequences that he did.
Strangely, a kind of “tunnel vision” appears to have permeated both business continuity and disaster recovery planning. The problem is either inability or unwillingness to anticipate disruptive events that are far out of the ordinary. Examples of such events include the 9/11 terrorist attacks, Hurricane Katrina, and Hurricane Wilma. And although the recent BP oil still catastrophe has not affected IT, it, too, should remind us of how extreme incidents can be. Despite the fact that the probability of incidents such as these occurring is low, the fact that they could happen and have happened more than a few times in the recent past should be a cause for major concern.
Just in case you are wondering, this blog posting is anything but an attack on business continuity and disaster recovery planners, for whom I have a great deal of respect. But I wonder why and how a kind of “tunnel vision” when it comes to anticipating and planning for far out of the ordinary events. I suspect that the fact that such events simply happen so seldomly has much to do with their being overlooked. An earthquake of the magnitude of the one in the Owens Valley in Missouri in the 19th century has occurred in the US only once over the last 150 years, for example. Additionally, I wonder if business continuity and disaster recovery planning professions are hesitant to make executive management aware of worst case scenarios and to ask for the level of funding and staffing needed to effectively deal with such scenarios for fear of being labeled overreactive—“the boy who cried wolf.” Furthermore, I wonder if business continuity and disaster recovery planners also realize that for testing and training staff to be able to practice performing recovery procedures in an environment that would even somewhat resemble a real-life far out of the ordinary event is for all practices impossible. Can you imagine performing disaster recovery procedures during a simulated hurricane of the magnitude of Katrina? I cannot. Perhaps it is wiser to simply turn one’s attention elsewhere—to more likely to occur and more manageable scenarios.
My challenge to business continuity and disaster recovery professionals is to broaden their thinking and planning to include potential far out of the ordinary scenarios that could and very well may occur. Too many companies went out of business or were close to going out of business after 9/11, Katrina and Wilma occurred because these organizations did not envision and adequately plan for events of such scope and magnitude.
But there is also a message for information security professionals (many of whom also engage in business continuity and disaster recovery). What if a far out of the ordinary security-related incident were to occur—one in which, say, the Internet experiences a massive set of denial of service attacks that make it completely unavailable for several straight days? I wonder how many information security practices would be capable of effectively responding to an attack of this nature and magnitude. What if the CEO, CFO, CIO of a corporation were in collusion with numerous internal technical staff members to “own” every server within the corporation? What if super-stealthful malware were installed on every computer within a corporation? I fear that a fair percentage of information security professionals have not envisioned events such as these occurring within their organizations.
Extreme events happen. We at a minimum need to anticipate them, create and frequently test plans for responding to them, and modify the plans whenever doing so is appropriate. We simply cannot afford to have a “tunnel vision” perspective any more.

Categories: Uncategorized Tags:
  1. No comments yet.
  1. No trackbacks yet.
You must be logged in to post a comment.