CIO Strategy Notes: 7 Best Practices for Implementing a DR in the Cloud Strategy
Industry-wide, billions of dollars have been invested in IT Disaster Recovery (DR) as part of Business Continuity planning over the past couple of decades. However, well-orchestrated and tested DR plans remain one of the primary challenges facing CIOs. If you're a corporate shareholder, you need to know that the business can continue in the face of a man-made or natural disaster. Board members, while managing multiple responsibilities that span fiduciary duties, corporate oversight, CEO advisory support and much more, must also be able to assure shareholders and the market that the company would not be in ruins post-disaster. So there’s a lot resting on the CIO’s shoulders regarding disaster recovery plans, and the cloud can make these efforts much more attainable. A large part of the challenge is that data (be it customer, transaction, log, financial or other data) is now a core asset. Therefore, DR is no longer just about system recovery, but also about data recovery.
Discussions with companies reveal that only about 50-60% of enterprises have disaster recovery plans, and the plans they have cover only a few applications. Very often, these plans are neither maintained to reflect the ever-changing infrastructure nor tested. Yet application downtime lasting more than four hours often translates into lost revenue, decreased employee productivity and potentially severe damage to the corporate brand. CIOs cite both the complexity and the cost of implementing DR as reasons not to do so.
The public cloud has come to the rescue of CIOs when it comes to DR. It has completely changed the game, not only helping CIOs get a handle on both cost and complexity but also allowing them to extend DR to a broader array of systems, applications and data, thereby making their business recovery plans more robust. The impact of the cloud is on full display when you compare the recovery from Hurricane Katrina with the recovery from Hurricane Sandy.
Having talked to a number of CIOs over the years, I would like to share some of the best practices the more savvy ones have employed to deploy a cloud disaster recovery plan:
- Get Personally Involved: If you don’t have a hands-on role in driving DR planning and testing, you’re basically gambling with your corporate assets every day. So don’t leave your DR planning to a few IT guys sitting in a back room somewhere. Make DR Planning a strategic IT imperative; in fact, make it a business imperative and ensure your business colleagues are proactively informed of your plans. Allow them to give feedback, but you have to lead this effort.
- Begin with a Risk Analysis: DR planning should always begin with a risk analysis. Risks run the gamut from natural to man-made disasters. Man-made? Yes: everything from disgruntled employees to accidents to bone-headed administrator moves and, if you are using SaaS applications (which most organizations do these days), provider system outages. Then assign a likelihood of occurrence to these disasters. And finally, define your plan for mitigating these risks. For instance, in the case of a power loss, what does your enterprise need in terms of backup power? Your cloud-based DR and BC plans should also include a systems prioritization strategy that categorizes your systems by criticality: everything from systems where downtime can put the business at serious risk to those that can be down for a long time before any major issues impact the business.
- Deal with Resistance: Let’s face it; your IT department is probably filled with some pretty seriously structured thinkers. That’s why you hired them. Teams are in place to deploy rock-solid, secure and stable infrastructures… and they don’t want to mess with that. Many IT team leads contend that their issue with DR in the cloud is security. When someone plays the ‘security’ card, CIOs need to respond that it comes down to a matter of trust. Every day we make decisions on the service providers that enterprises use: everything from technology providers, outsourcers, HR and financial partners to outside legal counsel. Your company always vets these third-party providers and the secure interactions between them and your enterprise. This should be no different. The argument gets easier if you are already consuming SaaS applications like email, office productivity tools or ERP tools.
- Tie Your Cloud and Virtualization Efforts Together: Although disaster recovery planning is critical to business continuity, rarely does it appear high on the list of budgetary priorities. So many CIOs piggyback DR costs (planning, solution selection, deployment and testing) on some other IT effort. If this is where you find yourself, we recommend piggybacking on your virtualization efforts. There are two main benefits from tying your cloud and virtualization efforts together: 1) virtualization gets you portability of applications, and 2) the pay-as-you-go cloud economic model gives you an affordable offsite option in which you don’t have to build a second data center or rent expensive co-location space anymore. With the combined value of the above, CIOs have a very attractive option for an off-site DR strategy for applications. BUT you need one more thing to tie it all together: a solid recovery option that ensures applications and data ported to the cloud are recoverable in the time required to ensure business continuance. This means investing in cross-platform orchestration capabilities to recover all the different data and applications the business requires.
- Make Mobile a Central Element in Your Disaster Recovery Plan: With more than 70% of employees currently relying on one or more mobile devices to do their jobs, mobility has become a top concern for CIOs. Add to this the BYOD movement and enterprises are facing a mobility crisis. Gartner predicts that by 2017, 50% of all employers will require employees to bring their own mobile devices into the workplace, further complicating DR for mobile. Suddenly, the risk of corporate data loss from personal devices is a major issue, because in addition to all the above factors you also have to factor device loss into your planning. But organizations face a conundrum. Enterprises don’t want to back up personal data on corporate servers, yet the need for DR for mobile devices is critical. We recommend that CIOs work with corporate counsel to develop an AUP (acceptable use policy) for employees. These policies typically provide a framework for what the enterprise can and cannot do with an employee-owned device – whether it is for e-Discovery or an employee issue.
- Don’t Let DR Testing Impact Morale: DR testing can impact the morale of your DR planning and testing teams. Cut that off at the pass. Set expectations with your team that you expect issues and that the testing is critical to uncovering these issues. Regular check-points with your team regarding testing are recommended to head off any morale issues that may arise. Over the long term, building a culture where DR testing is no different from testing an application before it is rolled into production helps alleviate any stigma.
- Be Confident You Are Recoverable: Get to the point where you have the confidence to stand up in front of your board and say that you have a comprehensive disaster recovery plan. Let them know risks are mitigated and business continuity has a strong foundation.
There are numerous risks and contingencies that need to be accounted for when creating a disaster recovery plan. But savvy CIOs are looking to the cloud and virtualization to more easily meet their DR needs. When speaking with your CEO, demonstrate what the costs and lost revenue would be as a result of not being able to continue to run the business in the face of a natural or man-made outage. Generally, citing real-world examples from your own experience or from your peers in the industry helps. Whatever your needs or technology of choice, DR and BC planning must become part of the fabric of running your business.