RealTime IT News

Synthetic, Natural Disasters Spur Recovery Planning

If the events of two years ago this month threw the spotlight on data back-up planning, then the blackout of August 14 exposed the issue of disaster recovery even further.

Regardless of the ramifications of both synthetic and natural disasters that could plague IT networks and threaten the fabric of enterprises large and small, recent studies show that some businesses are still not up to speed when it comes to safeguarding their vital IT assets.

To be sure, a lack of sufficient disaster recovery planning is threatening corporate technology infrastructures, according to a survey of IT managers conducted by Dynamic Markets. The study found that one-third of U.S. respondents say that terrorism first prompted them to create a disaster recovery plan.

Moreover, a quarter of the 837 IT managers surveyed said they were well aware of just how crushing a blow to their businesses it would be if a disaster struck and they did not have a measure of back-up or recovery to compensate for data loss.

Such statistics underscore the importance of storage hardware and software vendors such as EMC, Veritas, IBM and HP, who can hawk their products at a time when disaster recovery sits atop enterprises' to-do or wish lists -- just above solutions to deal with government compliance regulations.

"With the recent Eastern Seaboard blackout and increasing number of virus attacks, the immense susceptibility of data centers has become all too apparent," said Mark Bregman, executive vice president, product operations, Veritas. "The research demonstrates that IT managers perceive these threats and have come to recognize the fundamental importance of proper disaster recovery procedures. Yet, results still show an alarming disregard towards elevating disaster recovery to its rightful position as a top-tier corporate concern."

Tight Budgets

Why is this? And what are the makers of disaster recovery products doing to address this? Enterprise Storage Group Analyst Steve Kenniston, who noted the recent blackout cost New York City businesses more than $1 billion, or $36 million per hour, said vendors have not communicated disaster recovery solutions to customers properly.

"Over the past two years vendors have been doing a lot of preaching to IT to move up the data availability index by deploying technologies such as replication, but have stumbled in helping IT to understand what it takes to implement these solutions..." Kenniston told internetnews.com. "So the view is that these solutions (from the IT perspective) are too complex so they are staying away from them."

Matt Fairbanks, senior manager, Technical Marketing at Veritas, said he agrees with Kenniston to a degree, but noted that budgets with little or no slack play a bigger part in why companies are reticent to leap up and buy infrastructure than a lack of proper education. This, he told internetnews.com, is because most disaster recovery solutions are expensive.

"It's not cheap to replicate data from New York City to Knoxsville," he said. "You have to procure bandwidth and buy redundant systems that are very pricey and proprietary."

"But it's also because business managers had precious little to do with IT policies surrounding disaster recovery," said Fairbanks who attends disaster recovery conferences regularly. "Companies are getting better at recognizing the importance of DR. We see IT directors insisting on deploying disaster recovery and we're seeing senior executives such as CEO and CIOs asking questions, which tells me DR is much more of a priority. But they could do better. There is still a gap between what the CEO expects and what IT thinks it can deliver."

Still, according to the study data, 76 percent of companies said the decision-making process for disaster recovery is limited to IT staff, with only 5 percent of CEOs and other managers making decisions with regard to back-up and recovery.

Forty-seven percent of the participants said financial risk is tied to potential disaster. For example, the IT managers feel terrorism is the most expensive threat that companies have calculated, at $115 million.

But Fairbanks believes improvements can already be seen. Veritas, for example, pushes replication software to lower the cost of customers' systems.

"If you look at companies 10 years ago their disaster recovery plans were to go to their vaults and restore data from tape. go to my vault," he said. "Today you'll still find a lot of that, but now IT managers can also click and migrate data to a remote data center. Replication in government and the financial industry is common -- they are the earliest adopters because they require higher availability but now we're seeing other industries such as medical and pharmaceutical."

Another perspective

Gregg Therkalsen, EMC vice president of business continuity, said a lack of common standards and a gap between CIOs and business executives are big parts of what is holding back greater adoption of disaster recovery plans.

"There's not a common body of measures that constitutes risk management," Therkalsen told internetnews.com. "There's no coherent way for a CIO to have a discussion as to what is an acceptable level of risk. People still struggle with relative risk."

But government institutions and financial enterprises are doing it nonetheless, logically perhaps, because they stand the most to lose. Therkalson admitted cost and complexity are major factors barring proper recovery plans and discussed how a recent financial institution client asked EMC to help it bolster its already comprehensive recovery program.

"They are revisiting the backup in their major global data centers, which rely on EMC replication software," said Therkalsen, who declined to name the customer. "But now they want to broaden their replication strategy to less critical applications."

Their challenge, and one EMC expects to help them meet is to deploy advanced technology, reallocate production load and balance those across the globe. None of this is an easy task, but the organization realizes it needs it.

Which leads to another issue: the separation of knowledge between a business executive, such as a CEO, and a technology chief, such as a CIO. Therkalsen said the onus on communicating the need for adequate disaster recovery capital is on the CIO, who more often than not, is lacking the business strategy chops to explain it to the CEO.

"This is always a controversial issue," Therkalsen said. "I think the CIOs have not taken enough responsibility to communicate risk trade-offs that a CEO can understand. Not enough have gotten the attention of business unit executives and communicated to them what they need. If they communicate the importance, I would think the CEOs would listen. To be fair, a CEO should step forward and say 'I would like to understand relevant risks that could cripple my firm.'"

Still, Therkalsen agrees a cloud of hubris hangs over many IT companies and despite terrorist attacks, blackouts and natural disasters, there hasn't yet been a company that has been truly "brought to its knees by its own complacency."

But, he said, it could very well happen.