By Sean Robson
Time is money and the modern enterprise cannot afford to have its systems down for any significant time. IT managers must comprehensively plan and prepare for disaster
Time is money and the modern enterprise cannot afford to have its systems down for any significant time. IT managers must comprehensively plan and prepare for disaster while ensuring business continuity. Sean Robson asks just what they are doing to prepare and what is out there to assist them in their task.Disasters, both natural and man-made, are very real possibilities in the IT sector and these accidents can have detrimental and often far-reaching effects on the business and its critical operations. IT managers must have an adequate disaster recovery (DR) plan in place to ensure the enterprise is able to resume critical functions, usually in a timeframe that clients and managers expect to be measured in hours.
Planning for a disaster often begins with trying to foresee what challenges and obstacles could affect the enterprise systems. This is no easy task for IT managers and DR solutions vendors alike, who do not always agree on what should be planned for.
It’s very difficult to plan for everything. What I would say is to plan for the worst case. If you plan for the worst case then you will be able to get out of everything. So if you try to customise for all disasters then it will not work.
Anthony Harrison, manager for systems engineering at Symantec believes that while the region is fairly well insulated against exposure to natural disasters, challenges relating to man-made disasters may vary.
"The main issue is around power. The pace of the growth of areas like the UAE and the amount of building going on means that sometimes the infrastructure simply can't keep pace with the rate of development and there is just not enough power to cater for it all," notes Harrison.
Mohammed Al Khatib, chief information officer at the Amman Stock Exchange says that planning must start with considering all possibilities.
"Firstly, you have to identify possible disasters. This could be anything from losing the primary datacentre, regardless of cause, possible inaccessibility to the site, sabotage or even losing the whole building," says Al Khatib.
Even with all possibilities considered, companies should plan for the ‘worst case scenario', instead of trying to account for each possible scenario, says Waseem Salim, business marketing manager, at HP MEA. A ‘worst case' preparation will allow companies to recover from the most catastrophic situations he says.
However, according to Salim, IT managers should also be wary of handing off too much power to vendors rather than conducting their own assessment. "I have seen many IT managers actually approaching DR in the wrong way.
They are going to vendors and saying we need IT solutions with big disaster recovery but this is the wrong way because it gives the power to the vendors and they will dictate what they will give you. The most important thing to do is to go through the proper assessment," he says.
It is also important that DR is not undertaken as an add-on, but is planned from the very start of all projects. T Nagarajan, IT manager at vehicle distributor AAB Qatar explains: "Before we go with any new projects the best thing to do is to have the DR in place as part of the project implementation.
When it comes to DR you should assume everything is going to fail. It might be systems, telephone lines, networks, even the roads leading to the datacentre."
"Most IT managers know they need to plan for [DR], but many businesses plan for DR only after they have got their operations up and running," says Andy Clark, enterprise system specialist at Sun Microsystems MENA. "The attitude is often one of production first, DR later. This clearly creates a window of exposure, and can be a weak point for a lot of companies."
DR should also be based on processes, rather than granular preparations for specific failures.
Tareque Choudhury, head of BT's security practice for MEA says most IT managers plan for technical disasters such as hardware failures or communications failure. "What they fail to prepare for is the processes behind the incident response and the incident management. DR is more a business continuity issue which encompasses people, processes and technologies. Right now people are just focusing on hardware," he says.
While many of the players in the disaster recovery and business continuity space believe that regional IT professionals are aware of the need for planning there are still areas that are lacking, such as an unwillingness to commit resources to carry out regular DR testing.
But attitudes are gradually changing as IT managers and senior enterprise staff realise the value of having an effective DR plan in place.
"Things have moved forward quite a lot over the last three years, IT staff are more up to date with emerging disaster recovery technologies, and realise the criticality of recovering services after a failure. This shift in attitude has seen significant investments being made by organisations around the region," says Mohamed Hamedi, CEO of Sphere Networks. Checking the boxes
When it comes to designing a DR plan there are a number of elements to be considered. These aspects will determine how quickly the business is able to recover from a disaster, however it's not usual to see the aspects differ from individual situation to individual situation.
For Ahmed Al Mulla, vice president of information technology at Dubai Aluminium putting together a DR plan consists of a series of factors.
It is reviewed for adequacy and effectiveness after each scheduled BC/DR test is carried out or when there is a major incident once the situation is resolved or when there is a change to the IT infrastructure in the organisation.
"We begin with risk assessment and treatment plans, then there is the business impact assessment for all services provided by IT before we go onto defining our recovery time objectives and recovery process objectives and this is followed by contingency planning," says Al Mulla.
"We also incorporate workarounds, backup schedules, offsite storage of back-up, testing, vital records, retention policy, security and finally vendor assistance in our plans. In a nutshell Dubai Aluminium is a single site company and the strategy adopted was to have a ‘Highly Available' infrastructure for all business critical services and components identified during the business impact analysis," Al Mulla continues.
Mohammed Shah, vice president of technology infrastructure and services for Knowledge Economic City Developer company in KSA has his own take on the necessary requirements.
The most important elements are to ensure there is minimal disruption by incorporating solutions in your plan allowing you to have fast switching into disaster recovery mode and which enable you to continue business transactions in as smoothly a manner as possible," he says.
Challenges and changes
Even when all the elements of a DR plan are identified and in place the IT staff may face a number of challenges in the actual drawing up of this plan. One common issue that users face, especially in the current economic climate, is garnering management support and buy-in.
Many CIOs find that they need to involve other departments in their organisation for DR planning, in order to get both their buy in on the importance of DR, and senior management sign off on the expense.
"You need to be able to demonstrate the value of your proposal. Getting the funding for something like that is always a challenge," says Bassem Aboukhater, regional IT director MENA at Leo Burnett.
Rao agrees, "Budget approval is the prime concern as well as getting the right technology which should match to the legacy hardware and the compatibility."
One user though has not struggled with management buy-in and having to explain immediate return on investment.
"My CEO always says that if you only use it once in ten years then you have achieved your returns. DR is not always a tangible cost, more important for us is our reputation and retaining the trust of the market," enthuses ASE's Al Khatib.
The most important elements are to ensure there is a minimal disruption by incorporating solutions in your plan allowing you to have fast switching into disaster recovery mode and enable you to continue business transactions.
Once an organisation has gone forward and drawn up the DR plan it is simply not a case of sitting back and waiting for the disaster to occur. It must regularly test and update its plan in order to prepare for the eventualities that ineivitable lie in wait down the road.
"You must continuously update and test the plans because six months down the line certain areas may be invalid. I test my DR plan on a regular basis because otherwise I will not know if something is no longer working or has become a danger to me," says Nagarajan.
"The framework is reviewed at least once every year. Besides this, it is reviewed for adequacy and effectiveness after each scheduled BC/DR test is carried out or when there is a major incident or disaster, once the situation is resolved or even when there is a change to the critical IT infrastructure in the organisation," comments Al Mulla.
DR and BC should no longer be regarded as an optional extra in an operational plan and neither should it be driven as purely an IT related function. Never before has DR been more relevant and so IT departments, together with senior management and the assistance of partners should work together to ensure that when the inevitable disaster does occur that they have planned for it thoroughly.