Many enterprises blend their disaster recovery and security recovery plans into a single, neat, easy-to-sip package. But does this approach make sense?
Not really, say a variety of disaster and security recovery experts, including Marko Bourne, who leads Booz Allen’s emergency management, disaster assistance and mission assurance practice. "Security and disaster plans are related, but not always the same thing," he observes.
The objectives in disaster recovery and security recovery plans are inherently different and, at times, conflicting, explains Inigo Merino, former senior vice president of Deutsche Bank’s corporate security and business continuity unit and currently CEO of cyber threat detection firm Cienaga Systems.
"The most obvious difference is that disaster recovery is about business continuity, whereas information security is about information asset protection," he notes. "The less evident aspect is that security incident response often requires detailed root cause analysis, evidence collection, preservation and a coordinated and--often--stealthy response."
Such operations usually have to be handled very delicately. "On the other hand, [business continuity plans] are by nature very public events, requiring all hands on deck, large scale communications with the objective of rapid, tactical business resumption," says Merino.
For disaster recovery plans, you almost focus on data quality first and then business processing second," says Scott Carlson, a technical fellow at BeyondTrust, an identity management and vulnerability management products developer. "For security, you rely on capability of protective control with less regard for whether or not you lost past data-- it's much more important to 'protect forward' in a security plan."
Similar, yet different
Many enterprises combine their disaster and security strategies as a matter of convenience, lured by the plans' apparent superficial similarities. "At a high-level, disaster recovery and security plans both do similar activities," says Stieven Weidner, a senior manager with management consulting firm Navigate. "Initially, both plans will have procedures to minimize the impact of an event, followed closely by procedures to recover from the event and, finally, procedures to test and return to production," he notes. Both types of plans also generally include a "lessons learned" process to minimize the possibility of a similar event occurring again.
Yet scratching the surface reveals that disaster and security recovery plans are actually fundamentally different. "[Disaster] recovery plans are focused on recovering IT operations, whereas security plans are focused on preventing or limiting IT interruptions and maintaining IT operations," Weidner notes.
A security recovery plan is designed to stop, learn, and then correct the incident. "A disaster recovery plan may follow similar steps, but nomenclature would not likely use 'detection' to describe a fire or flood event, nor would there be much in the way of analytics," says Peter Fortunato, a manager in the risk and business advisory practice at New England-based accounting firm Baker Newman Noyes."Further, not many disasters require the collection of evidence."
Another risk in merging plans is the possibility of gaining unwanted public attention. "For instance, invoking a disaster recovery plan often requires large-scale notifications going out to key stakeholders," Merino says. "However, this is the last thing you want during an issue requiring investigation, such as a suspected [network] breach, because of the need to collect and preserve the integrity of highly volatile electronic evidence."
Stitching together complex security and disaster recovery rules and procedures can also result in the creation of a needlessly bulky, ambiguous and sometimes contradictory document. "If you try to combine processes and resources into a single plan, it can muddy the waters, oversimplifying or overcomplicating the process," states Dan Didier, vice president of services for GreyCastle Security, a cybersecurity services provider. While some disaster and security recovery processes may be similar, such as ranking an incident's overall impact, other processes are not as easy to combine. "In addition, you are likely to have different resources involved, so training and testing is complicated, as are updates to the plan after the fact," Didier explains.
Fires, storms, blackouts and other physical events are all unpredictable, yet their nature is generally well understood. Security threats, on the other hand, are both unpredictable and, given the rapidly advancing nature of cyber criminality, not generally well understood, either. This means that security recovery strategies must be revisited and updated more frequently than their disaster recovery counterparts,
A security recovery plan is undoubtedly more difficult to keep up-to-date than a disaster recovery plan, says Anthony McFarland, a privacy and data security attorney in the Nashville office of the law firm Bass, Berry and Sims. "New external cyber threats arise weekly," he notes. The list of man-made or natural disasters that could threaten a business, however, is relatively static. "Even when a business expands geographically, the number of new anticipatable disasters is limited, McFarland says.
Response to a disaster must be immediate, yet response to a cyber-event must be even quicker. "This response reality is amplified because a company may have forewarning of a pending disaster, like a tornado, flood or earthquake, but no advance notice of a targeted cyberattack," McFarland says.
"The nature of the threats within security recovery plans are more dynamic than within disaster recovery, and therefore require continual review and update," says Mark Testoni, president and CEO of SAP National Security Services. "For example, recent ransomware attacks, such as WannaCry, are incredibly destructive and require security recovery plans to examine how to effectively respond to new threats and risks."
The discovery process is the most important aspect of both security and disaster planning, Bourne says. "Plans must be adaptable and key leaders must understand what the plans are trying to achieve in order to ensure maximum success," he adds.
Making it a team effort
While most experts advocate creating and maintaining separate disaster and security recovery plans, they also note that both strategies must be periodically examined for potential gaps and conflicts. "The best course of action to have the plans complement one another is to make sure that you have the same team working through both of them," says Steve Rubin, a partner at the Long Island, N.Y., law firm Moritt Hock & Hamroff, and co-chair of its cybersecurity practice group. "Not only will they will be stronger and complement one another, but will also be more effective and resilient in the long run."
Weidner notes that it's okay, however, to have separate teams in charge of security and disaster plans as long as they regularly coordinate their strategies and goals with each other. "Each team, whether supporting security or IT recovery, needs to manage their own specific plan requirements," Weidner says. "However, oversight and governance should be centralized to guarantee events will be supported using the same methodology, such as communications to executive teams, company stakeholders and customers."
Whether planning is handled by one or two teams, the right people need to be brought onboard, Didier says. "Senior management plays a critical role and must oversee the operation," he says.
"The CIO, CISO and network administrators will be integral members of both teams," McFarland observes. However, many disaster recovery team members will have no, or only limited, involvement in the work of the security group, and vice-versa. "For example," McFarland notes, "facilities managers are critical members of a disaster recovery team, but typically not needed in the [security] group unless there was a physical loss or theft of tangible/hardcopy data from an office."
Operations and security teams should review each other’s plans in a controlled and constructive manner to determine how they can be leveraged in support of each other, suggestsMorey Haber, vice president of technology at BeyondTrust. "These policies should not be developed on islands and if possible be tested together," he says. "This helps address extreme edge cases while maintaining separation of duty requirements and building team synergies."
As enterprises learn what works and what doesn’t work in both security and disaster recovery planning, a growing number now realize that security recovery is not disaster recovery and that each has very different needs. "As organizations mature, they learn that the purpose of security incident response is much more nuanced than merely a restoration of business and that many of the functions typically invoked in disaster recovery for business continuity purposes are either not applicable to cyber security events, or in some cases, harmful to security incident response and forensics," Merino says.
"The key to having successful security and disaster recovery plans is to document, manage, test plans and and develop a common governance, communication and escalation methodology," Weidner says. "This unified approach will minimize confusion and decrease the time to recover from events."