Many enterprises blend their disaster recovery and security recovery plans into a single, neat, easy-to-sip package. But does this approach make sense?
Not really, say a variety of disaster and security recovery experts, including Marko Bourne, who leads Booz Allen’s emergency management, disaster assistance and mission assurance practice. “Security and disaster plans are related, but not always the same thing,” he observes.
The objectives in disaster recovery and security recovery plans are inherently different and, at times, conflicting, explains Inigo Merino, former senior vice president of Deutsche Bank’s corporate security and business continuity unit and currently CEO of cyber threat detection firm Cienaga Systems. “The most obvious difference is that disaster recovery is about business continuity, whereas information security is about information asset protection,” he notes. “The less evident aspect is that security incident response often requires detailed root cause analysis, evidence collection, preservation and a coordinated and–often–stealthy response.”
“For disaster recovery plans, you almost focus on data quality first and then business processing second,” says Scott Carlson, a technical fellow at BeyondTrust, an identity management and vulnerability management products developer. “For security, you rely on capability of protective control with less regard for whether or not you lost past data – it’s much more important to ‘protect forward’ in a security plan.”
Similar, yet different
Many enterprises combine their disaster and security strategies as a matter of convenience, lured by the plans’ superficial similarities. “At a high level, disaster recovery and security plans both do similar activities,” says Stieven Weidner, a senior manager with management consulting firm Navigate. “Initially, both plans will have procedures to minimize the impact of an event, followed closely by procedures to recover from the event and, finally, procedures to test and return to production,” he notes. Both types of plans also generally include a “lessons learned” process to minimize the possibility of a similar event occurring again.
Yet scratching the surface reveals that disaster and security recovery plans are actually fundamentally different. “[Disaster] recovery plans are focused on recovering IT operations, whereas security plans are focused on preventing or limiting IT interruptions and maintaining IT operations,” Weidner notes.
A security recovery plan is designed to stop, learn, and then correct the incident. “A disaster recovery plan may follow similar steps, but nomenclature would not likely use ‘detection’ to describe a fire or flood event, nor would there be much in the way of analytics,” says Peter Fortunato, a manager in the risk and business advisory practice at New England-based accounting firm Baker Newman Noyes. “Further, not many disasters require the collection of evidence.”
Another risk in merging plans is the possibility of gaining unwanted public attention. “For instance, invoking a disaster recovery plan often requires large-scale notifications going out to key stakeholders,” Merino says. “However, this is the last thing you want during an issue requiring investigation, such as a suspected [network] breach, because of the need to collect and preserve the integrity of highly volatile electronic evidence.”