If the events of two years ago this month threw the spotlight on data back-up planning, then the blackout of August 14 exposed the issue of disaster recovery even further.
Regardless of the ramifications of both synthetic and natural disasters that
could plague IT networks and threaten the fabric of enterprises large and small,
recent studies show that some businesses are still not
up to speed when it comes to safeguarding their vital IT assets.
To be sure, a lack of sufficient disaster recovery planning is threatening
corporate technology infrastructures, according to a survey of IT managers
conducted by Dynamic Markets. The study found that one-third of U.S.
respondents say that terrorism first prompted them to create a disaster
recovery plan.
Moreover, a quarter of the 837 IT managers surveyed said they were well
aware of just how crushing a blow to their businesses it would be if a
disaster struck and they did not have a measure of back-up or recovery to
compensate for data loss.
Such statistics underscore the importance of storage hardware and software
vendors such as EMC, Veritas, IBM and HP, who can hawk their products at a
time when disaster recovery sits atop enterprises’ to-do or wish lists —
just above solutions to deal with government compliance regulations.
“With the recent Eastern Seaboard blackout and increasing number of virus
attacks, the immense susceptibility of data centers has become all too
apparent,” said Mark Bregman, executive vice president, product operations,
Veritas. “The research demonstrates that IT managers perceive these threats
and have come to recognize the fundamental importance of proper disaster
recovery procedures. Yet, results still show an alarming disregard towards
elevating disaster recovery to its rightful position as a top-tier corporate
concern.”
Tight Budgets
Why is this? And what are the makers of disaster recovery products doing to
address this? Enterprise Storage Group Analyst Steve Kenniston, who noted
the recent blackout cost New York City businesses more than $1 billion, or
$36 million per hour, said vendors have not communicated disaster recovery
solutions to customers properly.
“Over the past two years vendors have been doing a lot of preaching to IT to
move up the data availability index by
deploying technologies such as replication, but have stumbled in helping IT
to understand what it takes to implement these solutions…” Kenniston told
internetnews.com. “So the view is that these solutions (from the IT
perspective) are too complex so they are staying away from them.”
Matt Fairbanks, senior manager, Technical Marketing at Veritas, said he
agrees with Kenniston to a degree, but noted that budgets with little or no
slack play a bigger part in why companies are reticent to leap up and buy
infrastructure than a lack of proper education. This, he told
internetnews.com, is because most disaster recovery solutions are
expensive.
“It’s not cheap to replicate data from New York City to Knoxsville,” he
said. “You have to procure bandwidth and buy redundant systems that are very
pricey and proprietary.”
“But it’s also because business managers had precious little to do with IT
policies surrounding disaster recovery,” said Fairbanks who attends disaster
recovery conferences regularly. “Companies are getting better at recognizing
the importance of DR. We see IT directors insisting on deploying disaster
recovery and we’re seeing senior executives such as CEO and CIOs asking
questions, which tells me DR is much more of a priority. But they could do
better. There is still a gap between what the CEO expects and what IT thinks
it can deliver.”
Still, according to the study data, 76 percent of companies said the
decision-making process for disaster recovery is limited to IT staff, with
only 5 percent of CEOs and other managers making decisions with regard to
back-up and recovery.
Forty-seven percent of the participants said financial risk is tied to potential
disaster. For example, the IT managers feel terrorism is the most expensive
threat that companies have calculated, at $115 million.
But Fairbanks believes improvements can already be seen. Veritas, for
example, pushes replication software to lower the cost of customers’
systems.
“If you look at companies 10 years ago their disaster recovery plans were to
go to their vaults and restore data from tape. go to my vault,” he said.
“Today you’ll still find a lot of that, but now IT managers can also click
and migrate data to a remote data center. Replication in government and the
financial industry is common — they are the earliest adopters because they
require higher availability but now we’re seeing other industries such as
medical and pharmaceutical.”
Another perspective
Gregg Therkalsen, EMC vice president of business continuity, said a lack of
common standards and a gap between CIOs and business executives are big
parts of what is holding back greater adoption of disaster recovery plans.
“There’s not a common body of measures that constitutes risk management,”
Therkalsen told internetnews.com. “There’s no coherent way for a CIO
to have a discussion as to what is an acceptable level of risk. People still
struggle with relative risk.”
But government institutions and financial enterprises are doing it
nonetheless, logically perhaps, because they stand the most to lose.
Therkalson admitted cost and complexity are major factors barring proper
recovery plans and discussed how a recent financial institution client asked
EMC to help it bolster its already comprehensive recovery program.
“They are revisiting the backup in their major global data centers, which
rely on EMC replication software,” said Therkalsen, who declined to name the
customer. “But now they want to broaden their replication strategy to less
critical applications.”
Their challenge, and one EMC expects to help them meet is to deploy advanced
technology, reallocate production load and balance those across the globe.
None of this is an easy task, but the organization realizes it needs it.
Which leads to another issue: the separation of knowledge between a business
executive, such as a CEO, and a technology chief, such as a CIO. Therkalsen
said the onus on communicating the need for adequate disaster recovery
capital is on the CIO, who more often than not, is lacking the business
strategy chops to explain it to the CEO.
“This is always a controversial issue,” Therkalsen said. “I think the CIOs
have not taken enough responsibility to communicate risk trade-offs that a
CEO can understand. Not enough have gotten the attention of business unit
executives and communicated to them what they need. If they communicate the
importance, I would think the CEOs would listen. To be fair, a CEO should
step forward and say ‘I would like to understand relevant risks that could
cripple my firm.'”
Still, Therkalsen agrees a cloud of hubris hangs over many IT companies and
despite terrorist attacks, blackouts and natural disasters, there hasn’t yet
been a company that has been truly “brought to its knees by its own
complacency.”
But, he said, it could very well happen.