There will probably be two significant developments in 2003, one being the increasing trend for companies to take ownership of their own protection (in lieu of outsourcing to traditional disaster recovery companies) and the other being the growing role of component software products, like application monitoring and replication, in business continuity systems.
Today, those software products are becoming standard infrastructure tools, much like anti-virus and tape backup software. We have certainly experienced a significant trend in companies building disaster recovery (DR) and high-availability (HA) systems. The comparatively low cost of DR and HA systems allows both large and small enterprises to protect a wider range of applications. Fault tolerance is finally becoming a standard line item for production resources.
Ensuring business as usual
Enterprises are recognizing that 24x7 data/application availability is essential to protecting revenue, customer relationships and business reputations. Moreover, with computing systems being so distributed (but interdependent), companies are realizing that there are no non mission-critical systems. As a result, data replication products are emerging as the affordable solution for ensuring 'business as usual' operations, and play a vital role in responding to industry demands.
The past year has found clients trying to achieve 24x7 availability of their data and applications across multiple remote locations. Data replication technology allows businesses to develop a multi-location data protection schema by transferring real-time copies of data over any distance across standard internet-type or network connections.
Due to the high cost associated with traditional disaster recovery (DR) and high-availability (HA) systems, financial institutions often limited protection to ATM-like transactions, and many non-financial institutions simply relied on tape back-up. Today, however, the landscape is changing. The affordability of replication products now allows enterprises to employ DR and HA on other business applications such as CRM systems, Exchange and SQL servers and proprietary databases.
Everything needs protection
In 2001-2002, large companies began understanding that all of their resources were more critical than they imagined. Most have started moving towards managed and monitored storage, with multiple tiers of replication being used for protection. In 2003, probably the greatest change will be that medium to small companies will finally understand that business continuity is not just for large enterprises.
In fact, medium-to-small companies are in reality more dependent on their systems because they have less resiliency in their systems and workforce and can therefore tolerate less disruption. With replication technology now readily available (and cost effective), more and more SME companies will finally commit to protecting their businesses.
On the technology front, the greatest challenge will be for the masses to correctly identify the resources necessary to deploy and maintain business continuity. And as any technology becomes more common, new vendors with substandard products and a myriad of so-called 'experts' will start to show themselves. We cannot forget that this particular area of IT (business continuity) is responsible for ensuring the survivability of our companies, and therefore both the products and the 'experts' should be chosen with care - with validated experience and success being the only appropriate benchmark.
The other likely trend for 2003 may be an unfortunate loss of focus towards business continuity. While the events of 9/11 did not create business continuity needs that were not already there, it has caused many corporate executives to finally understand that they are responsible for ensuring the resilience of their business operations. The challenge will be to remain diligent and resolved towards those efforts. n
Jason Buffington is director, business continuity, for NSI Software (www.nsisoftware.com).
Integrating IT security and BCP
Too often, business continuity and IT security planning are separated when, in fact, the two endeavors and all the constant planning and testing they encompass should be tied together, says Carl Herberger, information security specialist with SunGard Planning Solutions. With the growing dependence on the internet and the increasing number of problems and crimes associated with it, "business continuity and IT security's independent incident response teams will need to converge," notes Herberger.
In integrating BCP and IT security, Herberger points out that companies must look at both in operational planning and consider alternate sites. When engaging in operational planning, he suggests that the BCP and IT security teams look at what triggers an IT security incident and define roles and responsibilities to manage the entire process.
When it comes to considering alternate sites to ensure that IT systems remain up and running during outages, he says that the teams should review such practical considerations as access, authentication capabilities and the ability to audit. In addition, organizations should review the various scenarios for restoring and recovering data. And, test the efficacy of all these plans.
While the process may seem to demand much cooperation and persistence from two seemingly independent groups, the pros of working in concert far outweigh the cons. In the end, by working together the IT security and BCP teams will be able to better "prioritize critical assets, conduct vigilant and proactive risk assessments, and adopt a proactive stance to overall IT security administration," says Herberger.