The Second Law of Thermodynamics tells us that the total entropy can only increase over time for an isolated system. In other words, contrary to what we may believe or may simply hope, things fall apart. It’s not an accident. It’s a law of physics, and its awful simplicity is clear and frightening.
We label the terrible natural events like storms, hurricanes, fires, and earthquakes as freaks of nature— “worst in a century,” a “500-year storm,” an “unprecedented event”—and yet such disasters happen again and again. Disaster is normal. Order is the exception, and we must work tirelessly to create order and to maintain it.
Executives often ask me, “We’ve got both a disaster recovery plan and a business continuity plan. How is resilience different from what we already have?” I tell them that both disaster recovery and business continuity are answers to what happens when entropy strikes, things fall apart, and business is interrupted. Resilience is strategy using a set of tools and approaches that make it harder for things to fall apart, and easier and faster to put them back together when they do.
None of us escapes entropy. But we can put up a good fight:
- Disaster Recovery is focused on IT and data. It is first and foremost about replicating and storing data in redundant ways that preserve it from total destruction. Eliminating downtime and making data immediately and entirely accessible following a disaster or other disruptive incident, whether of human or natural origin, is paramount.
- Business Continuity is focused on doing business—that is, on employees and processes. The International Organization for Standardization defines business continuity as “the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident” (ISO 22301:2012). This is a start, but businesses should strive for continuity that maintains those “acceptable predefined levels” both during and following a disaster.
- Resilience is a set of policies, tools, procedures, knowledge, and plans designed to create and maintain vital digital infrastructure and systems that resist, even minimize the disruptive impact of natural or human-induced disasters.
Before I try to persuade a CEO or board member to add resilience to their organization’s disaster recovery and business continuity strategies, I ask them to make certain that their existing disaster recovery and business continuity plans and policies have strong, sharp teeth:
- Disaster Recovery would be easy if we had the magical power to turn back time. The alternative is to maintain real-time backups to the cloud or other off-site servers and to back up data at regular intervals. Few business losses are worse than the permanent destruction of irreplaceable data. But, to minimize disruption, you must not only preserve data, but be able to recover and restore it very quickly. Onsite or nearby data backup promotes rapid restoration, but it may not protect data against disasters that have more than local impact—a major storm or earthquake, for example. Remote backups, perhaps to a private cloud provider, are best. A fully mirrored remote site with hot backup/restore capabilities is the disaster recovery gold standard for any data-intensive business. The 9/11 attack on the United States revealed just how important disaster recovery was for the financial markets.
- Business Continuity plans and policies must govern management oversight for disaster situations. An adequate business continuity plan includes specific steps not only for recovery but also for continuing principal business processes, such as manufacturing, sales, distribution, customer support, payroll and billing. Business continuity procedures must be in place and published to the organization before disaster strikes. Employees need to know who to call in an emergency. They need to know their own area of responsibility—what to do and where to go.
Knowledge is key. A disaster is bad but being a CEO and getting the 3 a.m. disaster call, only to discover that the disaster recovery and business continuity you thought you had was mostly wishful thinking, is far worse.
Effective, actionable disaster recovery and business continuity are hallmarks of a resilient business, a business that can roll with punches and keep going. But true resilience in an organization runs deeper than both disaster recovery and business continuity.
Resilience cannot, and therefore does not, promise to avoid disaster—whether natural or human-induced—but to minimize disruptive effects by ensuring physical and digital infrastructures capable of absorbing harm and bouncing back. Resilience acknowledges the normality of disaster. It is a proactive approach to the bad things that inevitability happens. And not necessarily knowing what the disaster might be.
Resilience is rooted in knowledge. Where digital infrastructure is concerned, resilience is knowing your digital network intimately, understanding all the points of access and the user privileges associated with them, understanding the networks with which you connect, and knowing where and how your data is stored. Digital resilience is not strictly about digital infrastructure. It is also a matter of understanding the nature of your data, from transactional data that must be accessed interactively every minute of every day, to intellectual property, which needs to be guarded like the gold in Fort Knox. When you understand your data, you can prioritize it in efficient and prudent terms of accessibility versus security. To the degree that you are smart about understanding access and prioritizing data, you minimize the destructive and disruptive impact of the most common category of disaster in our time: digital network breaches.
Disaster is inevitable and, therefore, normal. Disaster happens, and it damages or destroys your business. Or it does not. Such binary clarity needs to be met with clarity of proactive planning and efficient response. The resilient answer to disaster brings both. Anything less than this is chaos for real. It is the chaos of surrender.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.