the pitfalls of “diy” approaches to disaster recovery · pdf filethe pitfalls of...

© 2013 IBM Corporation

The Pitfalls of “DIY” Approaches toDisaster Recovery

Business Continuity & Resiliency Services


Interactivity Tips

1. Ask A Question

2. Download a PDF copy of today’s presentation

3. Social Networking Tools

2



Our presenters for today

Man BuiExecutive, IBM SmartCloud Resilience Services

3

Rachel DinesSenior Analyst, Forrester Research




4

Agenda

The link between IT and Reputation

BC/DR budget trends

Provisioning DR sites

DR testing and exercises

Skills and staffing for resilient IT

Continuous improvement and maintenance

Wrap up and recommendations



Are you overestimating your ability to balance and effectivelymanage risk?

Perception

More than two-thirds of companies include IT riskmanagement in reputational risk management

Companies are confident in their ability to manage IT risksthey view as most damaging to reputation

3 out of 5 companies rate their overall ability to manage ITrisk as strong or very strong

Reality

Only 17 percent rate their company’s ability to manage ITrisk as very strong

Companies are overlooking fundamentals, which suggeststhat their confidence is not necessarily warranted

Only 39 percent of the same companies require vendors,partners and supply chain to be properly vigilant

Find out more by reading our latest study on the reputational risk and IT connection.Download the study at ibm.com/services/riskstudy

5

http://www.ibm.com/services/riskstudy



Reputation has a definable value — much like brand value — thatcan be diminished by IT risk-related events

6

-21%The economic value of a company’sreputation declines an average of 21% as aresult of an IT breach of customer data*

*“Reputation Impact of a Data Breach: U.S. Study of Executives & Managers,” Sponsored by Experian® Data Breach Resolution Ponemon Institute, November 2011.

“Underestimating the cost of reputational risk greatly exceedsthe cost of protection.”

Finance manager, American financial services company

US$1MEconomic value assigned to corporate brand or reputation*

US$10BUS$1.56BAverage



7

The impact on “reputation recovery” is measured in months, nothours or days like recovery time objectives (RTO)

Website outage

0-6 months

71%

6-12 months

12%

12+ months

System failure 68%8%

Mobility (BYOD) 68%14%10%

Data loss 64%14%10%

Inadequate continuity plans 54%22%10%

Insufficient DR measures 56%20%11%

New technology 58%13%

Data breach 59%16%13%

Compliance failure 56%19%12%

Poor IT skills / tech support 59%18%11%

6%

15%

15%

2013 IBM Global Reputational Risk and IT Study, January 2012 (ibm.com/services/riskstudy)



In attempt to gain more control over IT risks, manyorganizations have brought disaster recovery “in-house” but…

are not sure they couldrespond to a real disaster

of firms face a lack offocus on in-house DR

relative to other IT projects

of firms struggle againstlack of funding to keep

DR infrastructure up to date

of do-it-yourselfers havetrouble running enoughDR tests and exercises

of do-it-yourselferslack adequate in-house

DR skills

The Risks of “Do It Yourself” Disaster Recovery, a commissioned study conducted by Forrester Consulting on behalf of IBM, January 20138

Business processes are moretechnology dependent

IT must now support theanytime, anywhere mobile

workforce

What’s prompting the sea change?

Little tolerance for data loss ordowntime

Systems are more complex andheterogeneous

Increasing expectations forsystem availability and

performance

New threat landscapes meanmore potential causes of

downtime

Business pressures IT realities

9

10

Base: 184 IT decision makers at firms with 1000+ employees

Source: Disaster Recovery Journal/Forrester Research Survey, 2011

Implementing effective BC/DR remains a challenge

“Select the top three challenges of implementing and managing effective businesscontinuity at your company”



11

Agenda


BC/DR budget trends






BC/DR is a top technology priority forthe next 12 months…

Base: 1201 IT decisions makers at North American and European enterprises and SMBs

Source: Forrester's Technology Forrsights For Hardware, Q3 201212

… but BC/DR budgets remain a smallportion of overall IT spend

Source: Forrsights Budgets And Priorities Tracker Survey, Q2 2012

Base: 946 Enterprise Budget decision makers in North America and the UK

“In 2012, approximately what percentage of your budget will go tobusiness continuity and disaster recovery?”

Enterprises spend anaverage of 6.2% of IT

budgets on BC/DR

13

14

Allocating BC/DR spend wisely:conduct a risk-cost analysisAnnualized risk cost equation:

Use the annualized risk cost to guide investment in mitigation of therisk (i.e., potential remote access procedures)

Risk Frequency Likely durationCost of

downtime perhour

Annualizedrisk cost

Winter stormwith more than2 feet of snow

3 times per year 8 hours $12,000 $288,000

FrequencyLikely

durationCost of

downtimeAnnualized

risk cost



15

Agenda


BC/DR budget trends






“Where does your firm provision its backup data center(s)?”

Source: Forrsights Hardware Survey, Q3 2012

Base: 542 NA and European Enterprise Hardware decision makers

Many firms today take a hybrid approachto sourcing disaster recovery capabilities

57% of survey respondentsstated that they source DRcapabilities with an equal

mix of both ”in-house” andoutsourced solutions*

16

TCO and testing capabilities are topconsiderations for outsourcing DR

“What would make you consider outsourcing part, or all, of your DR?”

Source: a commissioned study conducted by Forrester Consulting on behalf of IBM, December, 2012

Base: 75 Enterprise Hardware decision makers in the US, UK, and India

17

Seeking more control and fasterrecovery, firms brought DR in-house


“If you brought all or part of your DR in-house in the past five years, whatwas the primary reason?"


18



19

Agenda


BC/DR budget trends






Plan tests and exercises: it’s not a one-off event

20

Test types and frequencies

Test type Description Frequency

Walk-throughexercise

Reviewing the layout and contentsof a plan.

As necessary to familiarize responseteams and individuals with a documentedplan or changes to a plan.

Tabletopexercise

Using a scenario, discussing theresponse and recovery activities ofa documented plan.

At least four times per year. Often done asthe precursor to a full exercise.

Componenttest

Physically exercising a componentof a documented plan, usually eithersystems on a single platform orsystems supporting a singlebusiness process.

As necessary as major changes are madeto the IT operating environment orinfrastructure. Depending on criticality,some components may be exercisedmore frequently than others.

Full exercise/simulation

Using a scenario, carrying out theresponse and recovery activities ofa documented plan for the entireorganization.

At least once per year; twice is ideal.

21

Majority of firms who run DR in-housefeel tests are not entirely successful



"If you have run a DR test or exercise in the past 12 months, howsuccessful was it?"

67% of companies didnot meet all recoveryobjectives

22



23

Agenda


BC/DR budget trends






24 24

Enterprises dedicate resources tobusiness continuity management

“How many full-time equivalents (FTEs) support business continuitymanagement corporate-wide?”

Base: 184 IT decision makers at firms with 1000+ employees

Source: Disaster Recovery Journal/Forrester Research Survey, 2011

Embed resiliency into everyone’s jobfunction in IT

Servicemanagement

Sourcing andvendormanagement

Sourcing andvendormanagement

ApplicationdevelopmentApplicationdevelopment

EnterprisearchitectureEnterprisearchitecture

• Integrate availability into service level managementprocess

• Reconfirm service-level expectations during normalbusiness operations and during disasters or crisismodes.

• Include resiliency requirements in all RFPs andcontracts.

• Assess the resiliency capabilities of the entiresourcing life cycle, especially software and cloudproviders.

• Develop secure, highly available applications• Include resiliency testing as part of the acceptance

testing process

• Hire availability or resiliency architects lead theresiliency efforts in EA

• Define standard architectures for resilientinfrastructure, assess continuity capabilities duringgating

25

The business must also embrace andembed resiliency

ChiefInformation

SecurityOfficer

Businesscontinuity

director

Head ofinfrastructure

andoperations

Resiliencymanagers

• The VP of I&O isaccountable for and leadsBT resiliency efforts

• Resiliency managersdocument, maintain,and test BT resiliencystrategy.

• The CISO holds BC,BT resiliency, andsecurity together

• The businesscontinuity directorprovides oversight ofBT resiliency

Thebusiness

• Business owners play a rolein documenting, updating,and testing availability andBT resiliency strategies.

26



27

Agenda


BC/DR budget trends






Most companies have declared a disasteror has a major service disruption



“Have you declared a disaster or experienced a major service interruptionin the past 12 months? If so, how prepared were you to respond?”

28

Lack of focus, funding, testing, andskills stymy firms who run DR in-house

“What are the top challenges that you are facing with your in-house disaster recovery infrastructure and processes?”



Business technology resiliencylifecycle

BusinessImpact

Analysis

RiskAssessment

Strategy &Plan

Development

Plan Testing&

Maintenance

Program

Management

30



31

Agenda


BC/DR budget trends






• More than one-third of respondents in oursurvey indicated this was a challenge for them

Do we have the expertisein-house needed to run

and maintain an effectiveDR program?

• Almost 40% of respondents feel that this is atop challenge they are tackling when runningtheir DR program

Can we ensure theongoing funding to makethe program successful?

• Peer companies indicate that they have over 31FTEs dedicated to their BC/DR programs

Can we dedicate properresources to the

program?

• Not running enough DR tests and exercises is atop challenge for 48% of companies

Can we ensure aconsistent testing and

exercise regimen?

• Lack of focus is the top challenge fororganizations running DR in-house

Will we be able to keepfocus for continuousimprovement on the

program?

Understand the costs and impacts ofrunning DR in-house: ask tough questions

32



Do-it-yourselfor outsource

It’s not an “all or nothing” choice

of survey respondentssource DR capabilitieswith an equal mix ofin-house andoutsourced resources


33



While TCO was cited as the top reason for considering a managed servicesapproach to disaster recovery, there were other considerations identified


A portal for real-timetesting or failover

Help with transition toservice provider

Flexible contract terms

A mix of traditional andcloud-based DR

#2

#4

#5

#3

34



It’s time to re-evaluate your DR strategies.Find out more.

Read the Forrester Consultingstudy The Risks of “Do It Yourself”Disaster Recovery1

ibm.co/bewareDIY


http://www.ibm.co/bewareDIY



36

for your interest

Man Bui

+1 678.522.8663

[email protected]

www.ibm.com/services/continuity

Rachel Dines

+1 617.613.6081

[email protected]

www.forrester.com

http://www.ibm.com/services/continuity

http://www.forrester.com


37

• Download a copy of today’s slides

• Provide your feedback! Please complete our survey.

• A recorded version of this seminar will be available at

www.eSeminarsLive.com

• View a calendar of our Upcoming Events

Attendee Services

the pitfalls of “diy” approaches to disaster recovery · pdf filethe pitfalls of...

Documents