How we think of IT security is changing. Traditionally, corporate security measures have been centered around data protection. With data seen as the lifeblood of most organizations, this focus is understandable, but it only provides an incomplete picture.
Today, organizations face constant security threats and sustain devastating impacts. The average cost of a data breach now exceeds $4 million, and 83% of organizations report that they have suffered multiple breaches.
Beyond that, evidence points to these widespread incidents contributing to rising costs in goods and services. This information comes from a 2022 study conducted by Ponemon Institute and sponsored and published by IBM Security.
Certainly, we see the headlines and ponder the sobering numbers associated with breaches and cyberattacks—a lack of awareness was never the issue. However, to address these substantial challenges and truly move forward, our conversations about IT security and data protection must change.
Of course, securing data is critical. Having multiple, protected, safe copies of your data should be a priority, but this represents the bare minimum of what must be accomplished. There is much more to consider. Are you conducting backups? Are you testing them? Have you restored them? Have you validated each copy of your data to ensure it has not been corrupted or degraded?
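The checks in those questions can be automated. The following is an added example, not code from Evolving Solutions or the original post: it records a SHA-256 manifest of a backup at the time it is taken, verifies each copy against that manifest, and performs a restore drill into a scratch directory so the restored files, not just the stored ones, are checked. The file names, contents, and the corrupted copy are all constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path):
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(copy_dir):
    """Record a digest for every file in a backup; the returned dict is the
    reference that later verification runs compare against."""
    manifest = {}
    for p in sorted(Path(copy_dir).rglob("*")):
        if p.is_file() and p.name != "MANIFEST.json":
            manifest[p.relative_to(copy_dir).as_posix()] = sha256_file(p)
    (Path(copy_dir) / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_copy(copy_dir, reference):
    """Compare one copy against the reference manifest.
    Returns a list of problems; an empty list means the copy is intact."""
    problems = []
    for rel, expected in reference.items():
        p = Path(copy_dir) / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"digest mismatch: {rel}")
    return problems


def restore_and_check(copy_dir, reference, restore_dir):
    """Restore drill: copy the backup into a scratch location and verify the
    restored files against the same reference manifest."""
    for rel in reference:
        src = Path(copy_dir) / rel
        dst = Path(restore_dir) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        if src.is_file():
            shutil.copy2(src, dst)
    return verify_copy(restore_dir, reference)


def run_demo():
    """Constructed scenario: one primary backup and two copies, one of which
    has been silently corrupted. Returns the verification result per copy."""
    root = Path(tempfile.mkdtemp())
    try:
        primary = root / "primary"
        (primary / "db").mkdir(parents=True)
        # Constructed sample data standing in for a database dump and a config file.
        (primary / "db" / "orders.sql").write_bytes(
            b"INSERT INTO orders VALUES (1, 'widget');\n" * 100)
        (primary / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        reference = write_manifest(primary)

        copy_a = root / "copy_a"
        copy_b = root / "copy_b"
        shutil.copytree(primary, copy_a)
        shutil.copytree(primary, copy_b)

        # Simulate bit rot or tampering in copy B: flip one bit in the SQL dump.
        target = copy_b / "db" / "orders.sql"
        data = bytearray(target.read_bytes())
        data[10] ^= 0x01
        target.write_bytes(bytes(data))

        return {
            "copy_a": verify_copy(copy_a, reference),
            "copy_b": verify_copy(copy_b, reference),
            "restore_from_a": restore_and_check(copy_a, reference, root / "restore_a"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "OK" if not problems else problems)
```

Running `run_demo()` reports copy A and the restore from A as clean and flags `db/orders.sql` in copy B, even though the file is the same size and the copy's own `MANIFEST.json` is untouched. That last point is the design choice worth noting: the reference manifest must live somewhere the copies cannot overwrite it, otherwise anything that can alter a copy can also alter the record you verify it against.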
Now, what about infrastructure and workloads? These too must be protected as the lines that existed between data loss and infrastructure loss have vanished. Merely copying data and securing the SQL database is no longer sufficient. What if SQL itself is compromised? Again, the conversation has changed. Businesses must examine their actions and strategically plan responses to possible complications before they occur.
In short, every step must be taken, and every area must be considered. Look at it this way: Making sure your car is outfitted with a working spare tire is worthwhile, but if you don’t also pack a jack and a pry bar, you don’t have a functional security solution.
Understanding the need to protect the environment as a whole—data, workloads, and infrastructure (including infrastructure as code)—leads into other conversations, which are perhaps the most important of all. This starts with the idea that the worthy objectives of protecting your environment and providing the capabilities to quickly recover from an outage, breach, or attack often exist in conflict.
What we now refer to as resilience was previously known as high availability (HA). Resilience/HA is well-equipped to protect against infrastructure failures, but it was never designed to protect against ransomware, malware, data corruption, and other malicious agents. By its nature, HA expands the footprint of breakable things and/or corruptible data, because if it’s broken or corrupted in Site A, it’s broken in Site B.
On the flip side, disaster recovery solutions allow you to get back to business as quickly as possible. But by its nature, a faster recovery process requires a reduced level of security. For instance, air-gapped backups are the hottest trend in storage, but the drawback is the data, be it physical or logical, cannot be immediately recovered. The inherent security of air-gapped solutions presents an inhibitor to getting operations back up and running.
The good news is the challenges these two realities present can be overcome. Businesses are not compelled to choose between resilience and recovery; it is certainly possible, and often advisable, to prioritize both. However, how you get there requires two entirely different conversations.
Common Elements of a Data Protection Strategy
Every organization should create a data protection strategy that includes a set of clearly stated goals and the desired business outcomes. This information should be communicated across the organization, and not simply within IT. All employees, including end users, should understand what data protection strategies look like as they pertain to their specific responsibilities.
Crafting a strategy starts with understanding your business and its unique operations, with the ultimate goal of strengthening the partnership between IT and the business. Every business, regardless of size or complexity, should conduct an audit or assessment of its organization and the various systems that need protection. This may require some conversation with the line(s) of business about revenue and the costs of interruptions of service.
Once a formal strategy is in place, testing should occur on a regular basis. The type of testing can vary. Some Evolving Solutions clients will walk through disaster recovery scenarios—we refer to these as tabletop exercises. These exercises are minimally disruptive to ongoing business operations and can yield valuable information. For instance, during these exercises, one client noticed two administrators were constantly fielding questions and realized additional IT assistance would be required.
Some additional thoughts on strategy: Anyone can do it, but it takes time. I know of small clients whose operations are highly redundant and available, and I know of very large clients who experience availability, reliability, and redundancy issues because they’ve not thought through everything. This is understandable, because as the business grows, IT systems become more complex, and unless there is a strategy for growth, this complexity becomes organic rather than architected. However, no one has everything in place immediately; this process requires patience and persistence.
Finally, be open to seeking assistance. If you lack in-house expertise, consider working with a provider or a trusted partner. Allowing fresh eyes to examine a project or initiative often provides new insights into existing issues.
Separate No Longer
The conversation has changed, and the lines that existed for so long are now gone. IT and business should no longer be viewed as distinct entities. IT must align with the business and enable the business. Equally, the lines of business need to communicate their requirements back to IT, particularly in terms of revenue, cost, and the needs of risk avoidance. To protect data and allow the business to function and prosper in a world where outages, breaches, and cyberattacks are all but inevitable, the two must work in tandem. Businesses must recognize the breadth and value of the services IT can provide, while IT must understand how its operations can impact the business as a whole. IT and business have become one and the same.