If you aren’t testing, then you don’t have a plan … you have a hope (and not much of one).
One of the most consistent complaints I hear among BC/DR professionals is the lack of support from senior leaders to enable more testing for Cyber Resilience or Disaster Recovery. Here are some hard truths.
video transcript
If you aren’t testing, then you don’t have a plan … you have a hope
One of the most consistent complaints I hear among BC/DR professionals is the lack of support to do more testing. Part of that is more tabletops, but there’s also the very real requirement to actually assume that part of your infrastructure has failed — and test IT’s ability to bring those affected workloads back online.
DPM’s Organizational Resilience research revealed that “IF” an organization did large-scale testing to recover from a cyber/DR event, they averaged one test every 10 months. The good news (of course) is that IT is relatively static, so nothing’s going to change more frequently than every 10 months, right? No, that’s not true.
Turns out that 1/3 of BC/DR professionals surveyed weren’t even aware of whether such a large-scale test had occurred. Think about that: if the professionals whose full-time job is to focus on the resilience of your organization are not aware of whether IT has conducted a test of its ability to recover infrastructure at scale from Cyber or DR … then it’s highly probable that test hasn’t occurred — in a third of organizations!
But wait, there’s more. Of the 2/3 of organizations that did a large-scale test, recovery was measured as taking several days to complete. A previous research project I worked on revealed that when IT was asked how long they thought it would take to recover even just 50 servers (not that big a deal) after a Cyber/DR event, only 32% thought they could do it within one business week (five days). The rest were looking at weeks to recover.
So … here’s your homework. Call a meeting and invite: folks from the IT DR team … from the InfoSec team (for cyber resilience) … and the executive stakeholder responsible for your organization’s overall resilience.
Then ask 4 simple questions:
- When was our last test? When was the last time that we did a large-scale (50 servers or more) test?
- How did that test go?
- What have we improved? How have we improved our abilities since then?
- When is our next test?
Ask those four questions — with the expectation that you will likely be disappointed with what you find. But just like a well-orchestrated recovery test itself, now you know what to fix.
So … let’s say it again: If you aren’t testing, then you don’t have a resilience plan … you have a hope … and not much of one.