Business continuity planning: A proactive approach to threat management

Current headlines from Ukraine have many companies concerned about the safety of employees or contractors residing there. Events like this highlight the importance of developing contingency plans based on events in the world that can impact businesses.

Business continuity is an essential part of the planning process for CIOs and CTOs. Black swan events can impact businesses in significant ways. Some of these events cannot be anticipated – but some can be planned for, even expected, beforehand. Business continuity is about assessing the threat landscape and having plans in place. This helps address foreseeable threats and builds operational resiliency against threats.

The threat landscape

A best practice for leadership teams is to constantly think about the threat landscape, identify potential problems, and prepare for them. Not doing so can result in significant financial impact on companies.

A non-exhaustive set of events that may need to be planned for are:

  • Geopolitical threats (e.g., the Russian invasion of Ukraine)
  • Natural disasters (e.g., earthquakes)
  • Directed threats (e.g., ransomware)
  • Regulatory changes

Some of these threats require implementation and execution up front. Others require a plan in place to ensure the team knows what the key objectives are and which actions to take in the face of a threat. CIOs and CTOs need to constantly monitor the threat landscape and update their plans as necessary. Inspections like SOC-2 certifications are good forcing functions that allow an external inspection of some of the threat surfaces.

Planning for geopolitical threats

At my company, Inflection, planning for possible business disruptions related to Ukraine started a year and a half ahead of the actual conflict. We formulated a set of principles and built out a plan based on those principles. In this case, the key principles we used were:

  • Build a geo-diverse team. In addition to Ukraine, we built a substantial presence in the US and Brazil.
  • Build work diversity. Rather than having complete functional silos in each region, we asked teams to collaborate across regions. There are downsides to this (additional communication, for example) but it was the right tradeoff for us.
  • Prioritize employee and contractor safety. We know that a geopolitical event might have additional financial implications to ensure safety, and we were OK with spending additional monies to ensure safety. Inflection offered three months of living expenses to team members in Ukraine to move to a different location, in addition to taking care of logistics like payroll.
  • Emphasize written over verbal communication. As an example, every engineering decision of significance goes through a rigorous architecture decisioning process.

These proactive steps allowed us to prioritize employee safety while ensuring business continuity. In addition to these principles, there was a detailed plan to ensure how we would cover for employees unavailable for extended periods of time.

Continuity planning in practice: a deep dive on software availability planning

An example of proactive planning is related to natural disasters. What is your organization’s plan if a disaster (e.g., an earthquake) were to strike the region in which your data center is located and cause a network partition? The example below will work through the thinking assuming you are using a public cloud vendor.

A starting point for planning availability is the promise you make to customers regarding uptime. The standard SaaS uptime benchmark is 99.95% availability, which corresponds to 4h 22m 58s of allowed unavailability annually. In planning this out, you need to think about:

  • What is your RTO (Recovery Time Objective) and RPO (Recovery Point Objective) when an incident does happen? An agreement on these metrics is required to make tradeoff decisions.
  • Do you have maintenance windows? If so, subtract that from the unavailability budget. (You should also be asking yourself why you have a maintenance window.)
  • What is the underlying assurance from the platform you are on? Cloud vendors typically do not offer any uptime guarantees.
  • What should your plan be if an availability zone (a data center) loses availability?
  • What should your plan be if a region (multiple availability zones) suffers an outage?
  • What is your plan if the vendor (multiple regions) is unavailable?

There are different cost-complexity tradeoffs for these questions. Smaller companies may choose to avoid greater complexity, whereas that might not be an option for larger enterprises.

The goal of planning is to have a clear posture for each of these questions.

Should you support high availability via multiple availability zones? For most organizations, this is a simple decision: supporting multiple availability zones in AWS is not complex and can be done at relatively little expense.

What should you do if there is a regional outage – a disaster recovery (DR) situation? Doing cross-regional synchronization is complex and expensive. Fewer organizations choose to do this. Instead, you could choose to back up your data to another region, and have your RTO/RPO reflect the fact that your tradeoff is longer recovery for a simpler architecture.

What if there is a complete outage for a cloud vendor? Doing cross-vendor deployments is extremely complex and expensive. In most cases, a backup of your data to a different cloud provider is sufficient. But if you are operating a large enterprise, you will probably want to be in multiple cloud vendors both for cost and scale reasons.

Taking all of this into account, a plan needs to be formulated and agreed upon by company executives. Communication plans need to be put in place when an event does occur (e.g., how will we inform customers?), and most importantly, the plans need to be tested. These plans will be meaningless unless they are practiced regularly.

At Inflection, we chose to make the following decisions:

  • Support high availability by deploying to multiple availability zones. The loss of a single data center is imperceptible to customers.
  • Synchronize data between multiple regions to support an RPO of less than 24 hours and an RTO of less than 72 hours for a regional disaster.
  • Synchronize data to a secondary cloud vendor to ensure that in case of a cloud provider full outage, we can still recover.
  • Finally, we practice database restoration annually, and test DR every quarter.
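The uptime budget from the planning questions above and the RTO targets in these decisions can be checked against each other with a small planner. This is an added example, not Inflection's tooling or code from the original article; the scenario names, the event counts, the maintenance figure and the vendor-outage RTO are constructed assumptions, and only the 99.95% target and the 72h regional RTO come from the text.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600  # non-leap year

def annual_downtime_budget_seconds(availability_pct: float) -> int:
    """Seconds of unavailability an annual availability target allows."""
    if not 0 < availability_pct <= 100:
        raise ValueError("availability must be in (0, 100]")
    return round(SECONDS_PER_YEAR * (1 - availability_pct / 100))

def fmt_duration(seconds: float) -> str:
    """Render seconds as 'Xh YYm ZZs'; negative values keep a leading '-'."""
    sign = "-" if seconds < 0 else ""
    h, rem = divmod(abs(int(seconds)), 3600)
    m, s = divmod(rem, 60)
    return f"{sign}{h}h {m:02d}m {s:02d}s"

@dataclass(frozen=True)
class Scenario:
    name: str
    rto_hours: float      # worst-case restore time for this failure class
    events_per_year: int  # planning assumption, not a forecast

def check_plan(availability_pct, maintenance_hours_per_year, scenarios):
    """Return (budget, remaining, rows); each row is (name, cost_seconds, fits)."""
    budget = annual_downtime_budget_seconds(availability_pct)
    remaining = budget - maintenance_hours_per_year * 3600  # planned windows first
    rows = []
    for sc in scenarios:
        cost = sc.rto_hours * 3600 * sc.events_per_year
        remaining -= cost
        rows.append((sc.name, cost, remaining >= 0))
    return budget, remaining, rows

# Constructed scenarios: AZ loss is absorbed by multi-AZ (RTO 0); the regional
# RTO is the article's 72h target; the vendor-outage RTO is an assumption.
SCENARIOS = [
    Scenario("availability zone loss", rto_hours=0, events_per_year=2),
    Scenario("regional disaster", rto_hours=72, events_per_year=1),
    Scenario("cloud vendor outage", rto_hours=168, events_per_year=0),
]

if __name__ == "__main__":
    budget, remaining, rows = check_plan(99.95, 0, SCENARIOS)
    for name, cost, fits in rows:
        print(f"{name:<24} {fmt_duration(cost):>12}  fits: {fits}")
    print("budget", fmt_duration(budget), "remaining", fmt_duration(remaining))
```

Running it shows that a single regional disaster restored at the 72h RTO exceeds the whole annual 99.95% budget, so that scenario has to be treated as an accepted exception to the SLA rather than something the budget covers.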

Planning for directed threats

Threats like ransomware have increased significantly in the past few years. These threats need to be met head on. At Inflection, we do so by:

  • Getting SOC-2 certified and ensuring our processes compare with the best in the industry
  • Ensuring that data at rest and transit are always encrypted
  • Engaging with bug bounty programs
  • Having external agencies run penetration tests
  • Ensuring that employee machines are encrypted and have proper software protection against malware, phishing, and other attacks
  • Insuring ourselves

Pre-mortems

A useful exercise for leaders to consider is a “pre-mortem.” In thinking about business continuity, it is best to be proactive rather than reactive.

A pre-mortem is the opposite of a post-mortem (more details in my writeup on Root Cause Analysis). While a post-mortem allows us to analyze what went wrong – after it has already happened – a pre-mortem asks, “What could go wrong? How could we prevent that from happening?” Pre-mortems allow deeper planning of business continuity and a “don’t make me think” approach to reacting to actual incidents because they were already planned for.

Conclusion

Planning business continuity is a requirement for executives. Companies who wait until disaster strikes will not be able to react quickly. Your executive team must agree on the principles and cost/complexity tradeoffs.

Category: News
April 5, 2022