© 2013 IBM Corporation
The Pitfalls of “DIY” Approaches to Disaster Recovery
Business Continuity & Resiliency Services
Our presenters for today
Man Bui, Executive, IBM SmartCloud Resilience Services
Rachel Dines, Senior Analyst, Forrester Research
Agenda
The link between IT and Reputation
BC/DR budget trends
Provisioning DR sites
DR testing and exercises
Skills and staffing for resilient IT
Continuous improvement and maintenance
Wrap up and recommendations
Are you overestimating your ability to balance and effectively manage risk?
Perception
More than two-thirds of companies include IT risk management in reputational risk management
Companies are confident in their ability to manage IT risks they view as most damaging to reputation
3 out of 5 companies rate their overall ability to manage IT risk as strong or very strong
Reality
Only 17 percent rate their company’s ability to manage IT risk as very strong
Companies are overlooking fundamentals, which suggests that their confidence is not necessarily warranted
Only 39 percent of the same companies require vendors, partners and supply chain to be properly vigilant
Find out more by reading our latest study on the reputational risk and IT connection. Download the study at ibm.com/services/riskstudy
Reputation has a definable value — much like brand value — that can be diminished by IT risk-related events
-21%: The economic value of a company’s reputation declines an average of 21% as a result of an IT breach of customer data*
*“Reputation Impact of a Data Breach: U.S. Study of Executives & Managers,” Sponsored by Experian® Data Breach Resolution, Ponemon Institute, November 2011.
“Underestimating the cost of reputational risk greatly exceeds the cost of protection.”
Finance manager, American financial services company
Economic value assigned to corporate brand or reputation*
US$1M
US$10B
US$1.56B Average
The impact on “reputation recovery” is measured in months, not hours or days like recovery time objectives (RTO)
Recovery time bands: 0-6 months, 6-12 months, 12+ months
Website outage: 71%, 12%
System failure: 68%, 8%
Mobility (BYOD): 68%, 14%, 10%
Data loss: 64%, 14%, 10%
Inadequate continuity plans: 54%, 22%, 10%
Insufficient DR measures: 56%, 20%, 11%
New technology: 58%, 13%
Data breach: 59%, 16%, 13%
Compliance failure: 56%, 19%, 12%
Poor IT skills / tech support: 59%, 18%, 11%
6%, 15%, 15%
2013 IBM Global Reputational Risk and IT Study, January 2012 (ibm.com/services/riskstudy)
In an attempt to gain more control over IT risks, many organizations have brought disaster recovery “in-house” but…
are not sure they could respond to a real disaster
of firms face a lack of focus on in-house DR relative to other IT projects
of firms struggle against lack of funding to keep DR infrastructure up to date
of do-it-yourselfers have trouble running enough DR tests and exercises
of do-it-yourselfers lack adequate in-house DR skills
The Risks of “Do It Yourself” Disaster Recovery, a commissioned study conducted by Forrester Consulting on behalf of IBM, January 2013
What’s prompting the sea change?
Business pressures / IT realities
Business processes are more technology dependent
IT must now support the anytime, anywhere mobile workforce
Little tolerance for data loss or downtime
Systems are more complex and heterogeneous
Increasing expectations for system availability and performance
New threat landscapes mean more potential causes of downtime
Base: 184 IT decision makers at firms with 1000+ employees
Source: Disaster Recovery Journal/Forrester Research Survey, 2011
Implementing effective BC/DR remains a challenge
“Select the top three challenges of implementing and managing effective business continuity at your company”
BC/DR is a top technology priority for the next 12 months…
Base: 1201 IT decision makers at North American and European enterprises and SMBs
Source: Forrester's Technology Forrsights For Hardware, Q3 2012
… but BC/DR budgets remain a small portion of overall IT spend
Source: Forrsights Budgets And Priorities Tracker Survey, Q2 2012
Base: 946 Enterprise Budget decision makers in North America and the UK
“In 2012, approximately what percentage of your budget will go to business continuity and disaster recovery?”
Enterprises spend an average of 6.2% of IT budgets on BC/DR
Allocating BC/DR spend wisely: conduct a risk-cost analysis
Annualized risk cost equation:
Frequency × Likely duration × Cost of downtime = Annualized risk cost
Use the annualized risk cost to guide investment in mitigation of the risk (i.e., potential remote access procedures)
Risk | Frequency | Likely duration | Cost of downtime per hour | Annualized risk cost
Winter storm with more than 2 feet of snow | 3 times per year | 8 hours | $12,000 | $288,000
“Where does your firm provision its backup data center(s)?”
Source: Forrsights Hardware Survey, Q3 2012
Base: 542 NA and European Enterprise Hardware decision makers
Many firms today take a hybrid approach to sourcing disaster recovery capabilities
57% of survey respondents stated that they source DR capabilities with an equal mix of both “in-house” and outsourced solutions*
TCO and testing capabilities are top considerations for outsourcing DR
“What would make you consider outsourcing part, or all, of your DR?”
Source: a commissioned study conducted by Forrester Consulting on behalf of IBM, December, 2012
Base: 75 Enterprise Hardware decision makers in the US, UK, and India
Seeking more control and faster recovery, firms brought DR in-house
Source: a commissioned study conducted by Forrester Consulting on behalf of IBM, December, 2012
“If you brought all or part of your DR in-house in the past five years, what was the primary reason?”
Base: 75 Enterprise Hardware decision makers in the US, UK, and India
Plan tests and exercises: it’s not a one-off event
Test types and frequencies
Test type | Description | Frequency
Walk-through exercise | Reviewing the layout and contents of a plan. | As necessary to familiarize response teams and individuals with a documented plan or changes to a plan.
Tabletop exercise | Using a scenario, discussing the response and recovery activities of a documented plan. | At least four times per year. Often done as the precursor to a full exercise.
Component test | Physically exercising a component of a documented plan, usually either systems on a single platform or systems supporting a single business process. | As necessary as major changes are made to the IT operating environment or infrastructure. Depending on criticality, some components may be exercised more frequently than others.
Full exercise/simulation | Using a scenario, carrying out the response and recovery activities of a documented plan for the entire organization. | At least once per year; twice is ideal.
Majority of firms who run DR in-house feel tests are not entirely successful
Source: a commissioned study conducted by Forrester Consulting on behalf of IBM, December, 2012
Base: 75 Enterprise Hardware decision makers in the US, UK, and India
"If you have run a DR test or exercise in the past 12 months, how successful was it?"
67% of companies did not meet all recovery objectives
Enterprises dedicate resources to business continuity management
“How many full-time equivalents (FTEs) support business continuity management corporate-wide?”
Base: 184 IT decision makers at firms with 1000+ employees
Source: Disaster Recovery Journal/Forrester Research Survey, 2011
Embed resiliency into everyone’s job function in IT
Service management
• Integrate availability into service level management process
• Reconfirm service-level expectations during normal business operations and during disasters or crisis modes.
Sourcing and vendor management
• Include resiliency requirements in all RFPs and contracts.
• Assess the resiliency capabilities of the entire sourcing life cycle, especially software and cloud providers.
Application development
• Develop secure, highly available applications
• Include resiliency testing as part of the acceptance testing process
Enterprise architecture
• Hire availability or resiliency architects to lead the resiliency efforts in EA
• Define standard architectures for resilient infrastructure, assess continuity capabilities during gating
The business must also embrace and embed resiliency
Chief Information Security Officer
• The CISO holds BC, BT resiliency, and security together
Business continuity director
• The business continuity director provides oversight of BT resiliency
Head of infrastructure and operations
• The VP of I&O is accountable for and leads BT resiliency efforts
Resiliency managers
• Resiliency managers document, maintain, and test BT resiliency strategy.
The business
• Business owners play a role in documenting, updating, and testing availability and BT resiliency strategies.
Most companies have declared a disaster or had a major service disruption
Source: a commissioned study conducted by Forrester Consulting on behalf of IBM, December, 2012
Base: 75 Enterprise Hardware decision makers in the US, UK, and India
“Have you declared a disaster or experienced a major service interruption in the past 12 months? If so, how prepared were you to respond?”
Lack of focus, funding, testing, and skills stymie firms who run DR in-house
“What are the top challenges that you are facing with your in-house disaster recovery infrastructure and processes?”
Base: 71 Enterprise Hardware decision makers in the US, UK, and India
Source: a commissioned study conducted by Forrester Consulting on behalf of IBM, December, 2012
Business technology resiliency lifecycle
Business Impact Analysis
Risk Assessment
Strategy & Plan Development
Plan Testing & Maintenance
Program Management
Understand the costs and impacts of running DR in-house: ask tough questions
Do we have the expertise in-house needed to run and maintain an effective DR program?
• More than one-third of respondents in our survey indicated this was a challenge for them
Can we ensure the ongoing funding to make the program successful?
• Almost 40% of respondents feel that this is a top challenge they are tackling when running their DR program
Can we dedicate proper resources to the program?
• Peer companies indicate that they have over 31 FTEs dedicated to their BC/DR programs
Can we ensure a consistent testing and exercise regimen?
• Not running enough DR tests and exercises is a top challenge for 48% of companies
Will we be able to keep focus for continuous improvement on the program?
• Lack of focus is the top challenge for organizations running DR in-house
Do-it-yourself or outsource
It’s not an “all or nothing” choice
of survey respondents source DR capabilities with an equal mix of in-house and outsourced resources
The Risks of “Do It Yourself” Disaster Recovery, a commissioned study conducted by Forrester Consulting on behalf of IBM, January 2013
While TCO was cited as the top reason for considering a managed services approach to disaster recovery, there were other considerations identified
The Risks of “Do It Yourself” Disaster Recovery, a commissioned study conducted by Forrester Consulting on behalf of IBM, January 2013
A portal for real-time testing or failover
Help with transition to service provider
Flexible contract terms
A mix of traditional and cloud-based DR
#2, #4, #5, #3
It’s time to re-evaluate your DR strategies. Find out more.
Read the Forrester Consulting study The Risks of “Do It Yourself” Disaster Recovery
ibm.co/bewareDIY
The Risks of “Do It Yourself” Disaster Recovery, a commissioned study conducted by Forrester Consulting on behalf of IBM, January 2013
for your interest
Man Bui
+1 678.522.8663
www.ibm.com/services/continuity
Rachel Dines
+1 617.613.6081
www.forrester.com