December 2008 Entries
Looking for the Right BC/DR Consultant - What to know - December 19, 2008
Orlando Florida -- Siemens IT Solutions and Services always had a solid business continuity and disaster recovery (BC/DR) plan in place. But it wasn't until 9/11 that BC/DR planners truly understood what was lacking.
"We probably had the larger things covered, but on a moment's notice we were not as well put together as we could have been," says Debbie Hoppenjans, manager of business continuity planning. "It made us, as a company, really take a step back and look at what we would do."
So the company began its search for business continuity consulting services. But it wasn't exactly thrilled with most of its prospects.
"There seem to be a lot of them out there, and from our experience a lot of them are not very good," says CISO Dave Bixler.
Overall, complaints range from a lack of knowledge about the business and miscommunication, to not understanding the scope of the challenge.
"A lot of times the [consulting firms] are so dead-set on upselling," Hoppenjans says. "Any BCP 101 person will tell you that we have to document our plans up to today. So many times you find companies trying to help you plan for years to come." If they don't know your business and what you're going through, "how do you know this is where we need to go?" she adds.
The problem can be traced to the days following 9/11, says Russell Wooldridge, marketing manager at the Disaster Recovery Institute International in Washington, D.C. Many security firms simply added business continuity to their list of services to meet companies' demands, but offered little training and experience to back up their claims, he says.
Business continuity services represent a $3 billion to $4 billion business, according to Gartner. Some 28 percent of companies manage their business continuity plan with the assistance of an external provider, according to a survey of 254 senior executives by consulting firm KPMG. There is a higher reliance on external support—38 percent—in midsize enterprises, and the financial services sector showed the highest preference for external service providers at 41 percent.
Companies have taken giant steps in business continuity preparations, says Brian McCarthy of Sencilo Solutions, a disaster recovery and business continuity consulting firm in Lake Mary, Florida. Larger companies are forming their own DR and BC staff and certifying their skills through disaster recovery groups like The Business Continuity Institute, DRII and the Business Resilience Certification Consortium, to name a few.
"We're not out there as evangelists anymore trying to convince people to do this. There's now a genuine understanding that business continuity [planning] is a part of business, and that's good," McCarthy says. While that creates more competition for consulting firms, these in-house groups still need coaching, assistance and "spot help," he adds.
BC/DR planning consultants include large firms like Accenture, Deloitte, PricewaterhouseCoopers, EDS, Booz Allen Hamilton and IBM Global Services. There are also dozens of boutique consulting firms—regional and niche players that just focus on business continuity planning like Sencilo Solutions.
How can you be sure that the consulting firm has the expertise to fill in your business continuity gaps? Here are five questions to ask when choosing the best business continuity consultant for your company.
1. Do you know what you need?
Good BC/DR planning starts with understanding what your exposures are and making a good decision on recovery strategy. If you've got a solid strategy, developing your plans becomes very straightforward. The solution may not be in place, but it's on the way. Now you can develop plans to execute that strategy.
"The most critical part of the whole process is your business impact analysis, including the risk assessment," McCarthy says. "That's where you need to spend most of your time. If your consultant tells you differently, [that's a problem]. Business impact analysis is the key to your entire plan."
Consultants should also perform a recovery option study to determine these priorities. Some consultants will perform a business impact analysis and identify the exposures and impacts to expect in a disaster. But they won't describe how to solve those problems. Make sure the consultant is willing to outline your recovery options and the amount of time each option will take.
2. Will the firm present several options?
If you go to a company that provides big-name technology solutions and consulting services, "why would it surprise you what their answer should be?" McCarthy says. There are a lot of options out there, and consultants should present several options for business continuity solutions.
"When it comes to business continuity, it's about planning and services, and it should be less about technologies," says Stephanie Balaouras, analyst at Forrester Research.
"It's your strategy for responding to business disruption and covers people, facilities and technologies. It covers everything from pandemic planning to 'Microsoft Exchange is down.'"
Firms that offer BC/DR planning and consulting services should be able to help you do a business impact analysis, identify critical business processes, map all the dependencies and define how critically you need them, and what the impact would be on revenue. "When you understand that, you can build a business case and invest in the right solutions," she adds.
Consultants should first conduct a threat assessment and then put a plan together. "It's a huge, in-depth process" that needs regular reviewing and updating, Balaouras adds.
3. Are the consultants certified in business continuity planning?
Certification ensures that business continuity consultants are well-versed in all aspects of BC/DR planning. At Siemens, certification is preferred, not required, "but I would recommend it to anyone," McCarthy says.
A survey by BC Management, a business continuity executive search firm in Huntington Beach, Calif., showed that 75 percent of the respondents were certified, while 25 percent were not. Business continuity certification bodies include BCI, DRII, BRCCI, the University of Virginia and Strohl Systems. Specialized certifications are available for emergency management, risk management, audit, security and technology. DRI International offers certification specifically for business continuity consultants and vendors to ensure that practitioners understand professional practices.
Each subject area includes the professional's role within the area and an outline of recommended knowledge within the subject area. The 10 subject areas cover topics such as risk evaluation and control, business impact analysis, emergency response and operations, awareness programs, training, crisis communication and coordinating with external agencies.
Ask if the consultants you'll be working with are certified in business continuity planning.
4. Are they willing and able to prioritize?
You can save a lot of money by evaluating your BC/DR priorities, Thornton says, adding, "If you need systems back up in six hours—you can, but you'll have to throw a lot of money into that. Instead, consultants should be asking, 'Do you need that? What can you wait a couple of days on, or a week on?' and establish priorities."
Perhaps only 20 percent of the total environment—the most vital systems and applications—must recover in minutes or hours. "I can do that more economically than the whole thing," Thornton says. Different strategies can be deployed for lower priorities. "If I've got three days, I can build that system up very quickly—that's a lot less expensive than equipment that is standing there ready—not to mention the added cost of keeping that equipment current and fresh," he adds.
5. Do they offer BC/DR solutions to fit your budget?
Nearly one-quarter of companies surveyed by KPMG have not been able to justify the costs of business continuity plans. Most of these companies are focused in the large enterprise with 500 to 999 employees, according to the study. Consultants should know your business well enough to understand budget constraints and your immediate BC/DR needs.
"We let the business [units] decide what they want to spend and help coordinate based what the numbers tell us," Hoppenjans explains. "We let [business impact analysis] data tell us what each department is doing as far as BC planning, what their risks and what their vulnerabilities are, and they decide what to spend. Some responses may be customer- or contract-driven."
With all of their questions answered, Siemens IT Solutions and Services found a qualified BC/DR consulting firm and has worked with the firm since 2004.
"You can never know how prepared you are until something happens," McCarthy says. "But I think we're well-equipped with the right tools to guide us through."
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/back-up-restore.php
About Us
Sencilo Solutions is a Florida-based integrator specializing in Cost Cutting storage, security and managed services solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including VMware, Data Domain, EMC, Hitachi, Symantec, HDS, IBM, Commvault, Xiotech and HP. Its technical expertise is known throughout the storage and security industry. Clients include leading corporations, major financial institutions, top universities, government facilities, as well as small to medium size businesses. Sencilo's professional services include consulting, integration, project management, storage virtualization installation, maintenance and knowledge transfer.
Sencilo has offices throughout Florida including: Jacksonville, Daytona Beach, Tampa, St. Petersburg, Orlando, Hialeah, St. Augustine, Gainesville, Ocala, Palm Coast, Clearwater, Kissimmee, Lakeland, Maitland and Cape Canaveral Green Simpana Offerings Projects: BC DR planning Replication De-Dup De-Dupe iSCSI SAN NAS VMware Security EMC NetApp HP IBM Quantum Compliance VTL Data Domain vs Gartner Magic Quadrant Quadrent LTO Backup Exc Pure Disk NetBackup Networker TSM Commvault BakBone D2D D2D2T compare cloud data deduplication thin provisioning DXi Global Compression DDX virtual tape library Data Reduction SEPATON FALCON compare Celerra CLARiiON Equallogic Dell NS20 NS40 CX4 CX3-20 CX3-40 CX3-80 FAS2050 FAS3050 Xiotech Nexsan Avamar DLD3 1500 D3 Storwiz storage compression data Ocarina Networks A-SIS compare Sepaton infopro BlueArc OnStor Microsoft Unified Storage data protection StorageX Brocade FAQ SSD Solid state disk SANmelody FalconStor tier zero Xiotech ISE nx4 ax4 greenBytes ZFS Sun Top 10 ROBOBak managed services hosting cloud grid Datacore Compellent compellant equallogic lefthand networks don't buy storage stop buying storage itguardian cherub networks Arkeia Network Backup appliance Data Recovery Backup Health IT Healthcare IT Digital Hospital Allscripts
Disaster Recovery Planning Starts Before the Disaster - December 19, 2008
Tampa Florida -- The corporate headquarters building for OSI Restaurant Partners is a mere 800 feet from the end of runway at Tampa International Airport. But according to OSI Chief Information Officer Dusty Williams, that's the least of their concerns.
OSI, the company that owns popular restaurant-chain brands such as Outback Steakhouse, Roy's and Carraba's Italian Grill, is smack dab in the eye of the storm zone, in hurricane country. Their 750-person operation in Tampa includes all back office functions, including the financial, legal and real estate divisions. If a hurricane strikes and the building is impacted, the amount of sensitive data that is at stake is immeasurable.
"We're in an A zone as far as flooding is concerned. You don't really want your data center here."
The 2008 Atlantic hurricane season produced a record number of consecutive storms, according to National Oceanic and Atmospheric Administration. The season saw a total of 16 named storms. With water temperatures rising due to climate change, many meteorological experts predict even tougher seasons to come. For companies in a hurricane zone, business continuity and disaster recovery preps need to be in place now, and not when the storm clouds begin churning.
It is that kind of thinking that inspired Williams to find a new home for the data center. In 2003, the main data center in headquarters had no back up power and a business continuity/disaster recovery plan was a vague notion. Williams got initial approval to move OSI's data center to an off-site facility hosted by backup and storage service provider Qwest.
"Typically when we talk BC/DR, it's always around hurricanes. The plan was to move the data center locally to a Qwest facility," said Williams. "The building itself is a category 3 or 4 that is built to sustain hurricane damage and has back up and battery power that we don't have in the headquarters facility."
Within months, the plan was put to the test. Florida experienced a severe hurricane season in 2004. Williams said Hurricane Charley illuminated the fact that they had made the right decision to move data off-site.
"On a Thursday night at 5 o'clock, officials told us they would be shutting power down to the grid we are on. So, if we had not outsourced the data center, we would have been dead in the water. "
Williams said the entire summer of '04 was spent preparing for hurricanes. At least four blew through the area of varying intensity. While no major damage was sustained, when the season was over, it became clear that the BC/DR plan needed to include more than just one off-site data facility. OSI now has a second cyber center in Chicago that includes all critical systems. The company has more than 1200 restaurants around the country. The Chicago center would allow OSI and its restaurants to have operations back up and running within a few hours if the Florida off-site facility went down, according to Williams' estimate.
OSI's BC/DR plan is tested regularly to ensure connectivity to restaurants is maintained. Williams says he tests by bringing the main data center down and bringing the Chicago facility online.
Outsourcing the data center is crucial to any business with a natural disaster risk, according to Iain Hardcastle, senior consultant with professional services firm Deloitte & Touche at their operations in Bermuda. On the small island where his company operates, there is only one power supply. The local office, which stores all data on a SAN, also replicates the information at a local data hosting center.
"The accounting side of our business is managing trust funds and looking after accounts for many name-plate companies. They can be absolutely multimillion-dollar, global clients. They dont care if we have a bit of a weather problem down here."
"Buns on seats" preparations
The data is only one part of the picture when it comes to business continuity in a natural disaster-prone area. If a facility goes down because of power failure or flooding, many organizations need a physical location to place their staff so operations can continue. Deloitte has what Hardcastle refers to as a "buns on seats" office off-island. So, too, does OSI. OSI maintains a comprehensive facility in Atlanta, which they have had to use at least twice in the last 4 years.
"Once we declare a disaster, we have 50 cubes available there," said Williams. "But we have to go up and make sure everything is up and running and ready. So we have people, from an IT perspective, head up 72 hours out ahead of any storm in private aircrafts to make sure everything is ready to go."
Sometimes it isnt just humans that need to be relocated. One year, according to Williams, OSI tried to send a check printer up in a plane so vendor checks could continue to be cut. Unfortunately, the machine didn't fit through the door of the aircraft. The check printer was delivered to Atlanta by van instead.
The process of relocating people, and sometimes equipment is time consuming, labor intensive and costly. The company even has contracting companies on standby for employees that may need assistance with boarding up houses before they depart. As complicated as it all sounds, Williams says, thankfully, most of it can be planned.
"With hurricanes, you have a distinct advantage over an earthquake or a tornado. You really don't know when they will strike."
Can you ever be completely prepared?
Even the most comprehensive BC/DR plan isn't without some risk, according to Hardcastle, who calls the Sencilo Solutions BC/DR plan a "continuously evolving process."
Williams admits he is still troubled at the prospect of keeping track of personnel in a worst case scenario.
"I dont worry as much abut the technical side of it as a do the operations/people side of it. How do you find people?" he said.
OSI says disaster plans are also considered regionally for all of its 1200-plus restaurants and each have special numbers set up so people can dial-in and alert the company as to where they are.
"But you worry about how long that will take if cell service, phone service, is down" said Williams.
And despite the plans put in place at the headquarters building, there will still inevitably be some loss if the facility itself is damaged in high winds or flood waters, said Williams.
"Sometimes people have paper on their desk that they havent put into a system yet. In those cases you need to ensure you have connections with vendors to ask them "How can we get your invoice back in here and get you paid?"
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/back-up-restore.php
About Us
Sencilo Solutions is a Florida-based integrator specializing in Cost Cutting storage, security and managed services solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including VMware, Data Domain, EMC, Hitachi, Symantec, HDS, IBM, Commvault, Xiotech and HP. Its technical expertise is known throughout the storage and security industry. Clients include leading corporations, major financial institutions, top universities, government facilities, as well as small to medium size businesses. Sencilo's professional services include consulting, integration, project management, storage virtualization installation, maintenance and knowledge transfer.
Sencilo has offices throughout Florida including: Jacksonville, Daytona Beach, Tampa, St. Petersburg, Orlando, Hialeah, St. Augustine, Gainesville, Ocala, Palm Coast, Clearwater, Kissimmee, Lakeland, Maitland and Cape Canaveral Green Simpana Offerings Projects: BC DR planning Replication De-Dup De-Dupe iSCSI SAN NAS VMware Security EMC NetApp HP IBM Quantum Compliance VTL Data Domain vs Gartner Magic Quadrant Quadrent LTO Backup Exc Pure Disk NetBackup Networker TSM Commvault BakBone D2D D2D2T compare cloud data deduplication thin provisioning DXi Global Compression DDX virtual tape library Data Reduction SEPATON FALCON compare Celerra CLARiiON Equallogic Dell NS20 NS40 CX4 CX3-20 CX3-40 CX3-80 FAS2050 FAS3050 Xiotech Nexsan Avamar DLD3 1500 D3 Storwiz storage compression data Ocarina Networks A-SIS compare Sepaton infopro BlueArc OnStor Microsoft Unified Storage data protection StorageX Brocade FAQ SSD Solid state disk SANmelody FalconStor tier zero Xiotech ISE nx4 ax4 greenBytes ZFS Sun Top 10 ROBOBak managed services hosting cloud grid Datacore Compellent compellant equallogic lefthand networks don't buy storage stop buying storage itguardian cherub networks Arkeia Network Backup appliance Data Recovery Backup Health IT Healthcare IT Digital Hospital Allscripts
