Speaking of disaster recovery (the preferred term, with a nuanced
difference, is "business continuity"), how would you stress-test your
plans? Some months ago, I wrote about how the Department of Homeland
Security should learn "best practices" about how to detect potentially
fraudulent/illegitimate activities through studying the data mining and surveillance techniques of the most sophisticated industry
in the world engaged in that very pursuit as an essential core
competence—Las Vegas casinos.
Here’s a similar analogue: The firm that suffered the greatest per capita losses on 9/11 was Cantor-Fitzgerald, tragically (in
retrospect) housed primarily on the 100th and 101st floors of the
North Tower. Now, nearly three years to the day later, you
might imagine they have gotten religion about data recovery and
business continuity.
Indeed they have: They practice "pop
quizzes" of their recovery
procedures, including such practices as:
- never ever "schedule" a drill; when it happens for real, it
will be a surprise - pick your targets carefully: to wit, whomever you think
is least prepared - wait until nights or weekends: the formal work-week makes
up less than 25% of the hours in seven days - assume the worst, namely that systems have to be rebuilt from
scratch.
Now, does anyone else have such a demanding protocol? Hardly
anyone. No schedule, full re-starts, and a never-ending sequence
of pop quizzes. Another benefit: By definition, your
business continuity plans will always be current and you won’t
find yourself, at the worst possible moment, fighting the last
war.
