The worst case scenario

A Roundtable with Acronis, Stonesoft Corporation, and Wipro

Business continuity has risen to prominence in recent years as multinational companies appreciate the need to invest in sound planning strategies should the worst happen. BM gathered three experts to discover what Middle East businesses can do to mitigate of threats that could de-rail operations.

“People always think of natural disasters, wars and terrorism as the most common threats. However, sometimes just a combination of smaller incidents may cause major problems”
-Hamid Boughaz

BM. Disaster recovery/business continuity planning has come to the fore in recent years. What has driven its importance for organisations?
Laurent Dedenis. The driving force for the need for disaster recovery planning in recent years has been two fold. First, data is increasingly becoming one of an organisation’s most valued assets. The reliance on critical enterprise software applications such as email, CRM, and workgroup collaboration tools is resulting in the rapid growth of data across all enterprises. Secondly, the retention of this increasing amount of data is fast becoming a requirement in all organisations. Government regulations, as well as company policies requiring data preservation, are expanding in tandem with the proportion of data that must be archived. Both these factors in conjunction with each other mean that organisations are pushing business continuity to the top of their agendas.

Hamid Boughazi. More and more data is being stored in the data centres and the data has become crucial also for the business continuity. At the same time, for security and cost reasons, data storage is getting centralised and more consolidated, which means that the importance of the data has increased. Along with globalisation and the Internet, companies need to access data continuously from all over the globe in order to keep themselves ahead of their competitors. Information cannot be unavailable even for a short period of time and this has raised the need for faster and more automated recovery solutions.

Prasenjit Saha. Catastrophic events such as 9/11 in the US or 26/11 in India has convinced the business community that business continuity planning is a key priority and must be addressed immediately. Moreover, BCP/DRP (business continuity planning/disaster recovery planning) is being mandated by several regulations in the financial environment – SEC (US), MAS (Singapore), Bank Nagara (Malaysia), RBI (India), to mention a few. The operational factors which are bringing business disruptions into the limelight include:

• Global business chains – increasing the risk of disruption.
•  Round-the-clock operations, again resulting in greater risk of disruption.
• A volatile, geo-political environment.
• Increasing customer requirements (to comply to their BCP).
• Moreover, the emergence of gaps in traditional BCP, such as lack of long-term disruption coverage within the plans, require a refocus.

BM. What are the common threats that organisations face today, and are there any unique issue for Middle East?
PS. As mentioned before, the emerging threats include cyber and physical terrorism, Increasingly harsh natural environment (New Orleans floods, Australian bush fires), pandemic risks,  communication and technology failures, and so on. Suddenly, the path to continuity seems like a minefield, fraught with hidden dangers at every step. The volatile geo-political environment in the Middle East makes the region a special risk which requires careful planning to mitigate risks.

HB. People often think of natural disasters, wars and terrorism as the most common threats. However, sometimes just a combination of smaller incidents may cause major problems. For example, a temporary loss of electricity, or an accidental cutting of an underwater backbone network cable, together with a human configuration error may lead into a situation where data or services are inaccessible for a very long time. We have even heard stories about incidents where a simple paper clip under a keyboard button has paralysed a whole railway system for several hours.

LD. The threat of natural disasters will always prevail, as will the fact that hardware will age and with that comes the danger that systems will crash and data will be lost. However, another threat is fast emerging. In addition to the massive amounts of data stored on corporate servers, users’ workstations – desktop and laptop computers – also represent a major source of corporate data storage. Industry estimates indicate that 60 percent of all the data stored by corporations is held on users’ computers.

This means that in many cases an IT department will not necessarily have direct control of a user’s system in order to back it up on a regular basis. In order to ensure that a backup is made, the IT manager must not only pre-schedule the backup, but  must also be able to provide a location for that backup to go if the data resides on a laptop or computer that is not connected to the corporate network. Therefore, users within organisations are fast becoming a big threat to company data.

BM. What is the likely barrier stopping management from putting adequate plans in place; is it costs, apathy or combination of reasons?
HB. Most likely, the most common reason is that disaster recovery/business continuity people are not able to communicate the benefits of their work in terms that business people understand. The business people see just huge amount of costs that do not seem to be related or have any effect on running the actual business. The business people can understand ROI calculations, but disaster recovery/business continuity ROI calculations have many variables that are either very difficult to valuate in advance or their probability of realisation is very small. This means that accurate ROI payback calculations often cannot be established with any degree of certainty.

It is more realistic to use a justification strategy based on a balanced set of quantifiable returns and risk reductions, as well as unquantifiable expected value. Disaster recovery/business continuity specialists should strive to capture the unquantifiable benefits in a clear, concise manner to effectively communicate it to the business decision-makers. And even when this is done, the risks are often underestimated, compared to the costs of the solutions. People often also tend to trust the currently used technology too much and deny or downplay the possibility of disasters happening to them.

LD. Most companies now recognise the need to have effective business continuity plans in place. Even if companies are under pressure to make budget cuts, few will reduce spending on their disaster recovery solutions. People realise that without their data, companies cannot function.

In fact, as the credit crunch bites companies who are desperate to conserve budgets will try to stretch the life out of their existing hardware. In order to survive, it is critical that they underpin this approach with a sound backup and recovery strategy. Relying on ageing hardware without ‘life insurance’ can result in disaster.

PS. I see this as a combination of multiple aspects. Traditionally, business continuity management has taken a backseat to business imperatives – both from a cost as well as management ‘bandwidth’ point of view. However, the recent focus on preparedness against critical disaster scenarios require a changed mindset and approach to manage the ‘unacceptable’ risks to business continuity. 

BM. How do you see this whole issue intensifying in the future?
LD. Many users treat their storage space like petrol. They know that the resource will run out but they continue to consume it at a vast rate in denial that it is limited. However, in today’s climate people can no longer justify the budget to quench this thirst for storage capacity. Customers need help in prioritising data and managing growth. The cost of storage could prove prohibitive to a company’s success, therefore the adoption of solutions to help reduce the cost and rate of storage could provide critical in 2009.

PS. Business continuity planning and disaster recovery planning will be mandatory in many areas, such as utilities, telecoms, banking and other critical sectors. Indeed, analysts predict that BCP will be accepted as a cost to doing business and will be required to be embedded in every business process. It will evolve from a competitive advantage to a ‘utility’ status, which means that any business without a demons-ratably sound BCP/DRP will lose investor confidence.

HB. Companies will become more dependent on continuous access to networks and data in the future, but fortunately, technology is also developing at the same time. For example, virtualisation allows companies to use old, but still good and operational, server hardware in disaster recovery sites, thus lowering the costs of establishing and running them. In the future we will see simpler and more robust solutions which are easier to adapt for users’ needs. The high-availability and disaster recovery will also become standard features, like they are already in some products.

The Panel:
Hamid Boughazi is the Middle East and Gulf Region Area Manager for Stonesoft Corporation. A graduate computer science engineer from Algiers University for Science & Technology (USTHB), Boughazi has worked as CIO at National Mapping Agency, as Presales Engineer and Project Manager at Digital Equipment Corporation and Schlumberger, and as Public Sector Lead at Microsoft. Boughazi received an MBA from the University of Montreal (UQAM) in 2004.

With over 15 years’ experience in start-up management experience, Laurent Dedenis, Vice Present EMEA, Acronis, is responsible for driving growth in EMEA and oversees distribution strategy and sales and marketing. Dedenis joined Acronis in 2004, establishing its Singapore office. He was previously general manager of Microsoft Solomon Software Asia and held international managerial positions in the SWsoft group.

Prasenjit Saha is Vice President and Global Head of Enterprise Security Solutions at Wipro Technologies. He has a total of about 18 years of experience, which includes heading practice groups, consulting, managing software projects and development and technical support and pre-sales. His experience in security stretches back 10 years, when he co-founded Wipro's Security Practice in 1997.