1. Data Center Qualitative
Readiness
The Degree of Readiness
By
Richard A. Jurado, CBCP
2010 - 2012
PRESENTATION SAMPLE
ONLY
2. The Cost of Disasters
Forrester Research
$6.2
Billion Inc., and CRED
from
Tornadic damage survey
Activity
- USA $41.2 Billion 2009
• $102.6 billion economic
@ damage worldwide
335 Disasters • $41.2 billion economic
4 Yrs
$88.7 Billion damage
USA $10.8 billion
2008
China $5.2 billion
France $3.2 billion
Annual Avg’s
$102.6 Billion NOAA 29 Yr Reports
@
392 Disasters
• Missouri Extreme Heat
2000
Data is attracting
attention
Forrester Research, Business Continuity and Disaster Recovery Are Top IT Priorities for 2010 and 2011, Sept 2, 2010
3. 2008 -2010 Preparedness, Security, & Crisis
Communication Survey
Public/Private Sector Top Concerns
Influences on Preparing and Planning
2009 2008
80%
40%
0%
Disasters
Damage (fire,
Pandemic
Failure/Power
Physical
Leak/Chemical
Data Center
Data Breach
Cyber Attack
Labor Dispute
Security
Disruption
Natural
Structural
Telecom
Outage
water)
Spill
Gas
Common Threat Sources
Data provided by Varolii Corporation, 2008 – 2009 and 2009-2010 Preparedness, Security, & Crisis Communication Survey
4. Degree of Coverage
What we can do: What we cannot do:
Deter Common Threats Predict Occurrence of
• Two “Nines” Recoverability Catastrophic Threat
State of the Art • Little to None Recovery
redundancy features Focus
• Preventative/Reactive
Controls Available
Assess Value of Loss
Alternate Recovery Site Revenue
Mitigate Vulnerabilities • Cost/Benefit Analysis
• Broke/Fix controls at the • Return on Investments vs.
ready Loss Tolerance
Data Centers, Alternate
• 52% of critical services Sites,
are DR prepared/ready Equipment/Hardware
Business Expectations
Increase Pool of Business
Continuity Plan Readiness
5. Protection
What’s Being Protected: The Cost of Protection:
Minimize 1/10th of Annual
Consequences Revenue
• $12.6 billion annual • Data Center operating
revenue (2010)* cost $11.6 mil.
• “The Balance” Values Recovery Site - $2.1
Customer Satisfaction mil.
Reputation (Culture
Data Center operations
Compass) - $ $9.5 mil
Product Growth • 52% of Services
Profitability Recovery Ready
2/10 of Annual
• Productivity against Revenue after disaster
adversity recovery
implementation
* Projections from organization financial statement
6. Protection Against Adversity
Minimize Consequences
DC
Operating
Cost 1/10
of Revenue
Primary Recovery 2/10th of Revenue -
Center Daily Operating Cost
after Implementation of
Primary Data Center Recovery
Pr
n
Secondary Data Center tio
of
ita
ta
pu
bi
$12.2
lit
Re
y
Billion 52% Service
Recoverability
Revenue
The Balance Productivity
Core Values Customer Satisfaction Growth
What’s Being Protected?
7. Threat Tolerance and Sustainability
Common Threat Source < 4 Days
• Operational Disruptions
Power Outage Preparedness
Network/Telecom
Preventative/Reactive Controls
Maintenance
• Human Local Broke / Fix (BF) Recovery
Cyber Attack/Data Breach
52% Disaster Recovery Plans
Physical Security
• Natural Recovery Site All other DC’s
Tornado
Flooding
Heat wave
Fires Unprepared
Earthquake (low grade)
Catastrophic Threat Source Lack or Limited Controls
• Terrorist Beyond Local B/F Functionality
• Biological
48% Non DR Plans
• Nuclear (Dirty Bombs,
Reactors) Recovery Site All other DC’s
• Industrial/Chemical Accidents
• Earthquake (high grade) > 7 Days
8. Data Center Sustainability Matrix
Recoverability Extended
99.99 % or 99.9% or 99% or 98% or
< 52.5 Min’s < 8.75 Hrs < 3.65 Days > 7 Days
Customer Satisfaction Alt.
Reputation
Catastrophic
Production Growth
Protection – “The Balance” Values
Profitability 1st
Limited - No Controls to Counteract
2nd
Data Center Sustainability
Customer Satisfaction Alt
Reputation
Natural
Production Growth
52% Plan Readiness 1st
2nd
Customer Satisfaction
Reputation Human All
DC’s +
Alt.
Customer Satisfaction
All
Broke/
Fix
Internal
DC’s
$ $$ $$$ $$$$ = One off
supportability
Cost of Outage
We often ask ourselves “what degree of readiness are we at to circumvent threats against our organization?” This question is the most challenging for BCM SME. What we attempt to provide you today is just a short assessment to answer that question.
First we need to examine a snapshot of economic affect caused by disasters. A research analysis by the Forrester Research firm, reviewed data complied by the Centre for Research on the Epidemiology of Disasters (CRED) stressing that, “we are now beginning to understand the economic impact of disasters and events”. Between 2000 and 2008, an average of 392 disasters per year resulted in an annual average of $102.6 billion in economic losses (Worldwide) In 2009, the average has reduced slightly, but the economic dollar loss still remain high, especially for the US – noting $6.2 billion economic loss due to tornado activity. Further, the National Oceanic and Atmospheric Administration (NOAA) cites a 29 year period report covering 1980 – 2009, showing $88.7 billion in damages due to extreme heat/drought in the state of Missouri for 1988, 2002, 2005, and 2007. Numerous entities (government, non profits, organizations, media) are being drawn to information provided by authoritative resources and recognizing the affects disastrous events have within the business environment.
From a granular perspective, our business constituents are focused on the most common threats in which to induce Business Continuity. The Varolii Corporation conducted an industry survey in 2008 and 2009 to discovery what influences effects or are being addressed within the business environment. (Industry respondents – 415 to 727 with a varying percentage of employee base.) For comparison to a typical organization, 19% to 21% (1000 to 5000 employees), 11% to 12%(20K employees) and 30% to 43% with more than 20 locations) While Natural Disasters continue to be on the mindset of business as the key disrupter of operations, what has dynamically changed in one year is the addition of Pandemic and Cyber Attack awareness. Natural Disasters, Structural Damage, and Physical Security concerns remain somewhat static, while Data Center Disruptions, Power Outages, and Security Breach have reduced by an average of 22%. The survey data offers an great illustration that having data center management and controls in place increases their operational stability . However, Natural, Structural and Physical elements still remain a high level concern to be continuously addressed.
With that in mind, let us ask ourselves the Degree of Coverage: “What we can do”, and “what we cannot do” WHAT WE CAN DO Using authoritative data on common threats for the US and UK that focused on our primary concerns for data center operations, we recognize that we have controls in place, state of the art data centers and alternative recovery services to establish recovery status of less then 4 days or 99% achievable recovery. Vulnerabilities are mitigated utilizing “broke/fix” approach plans that are “at the ready” with many high-level systems, including a 52% system readiness that have comprehensive DR plans WHAT WE CANNOT DO However, we have not been able to calculate or provide stable analysis of catastrophic events and our strength in recovery. We have not been able to calculate the cost/loss analysis acceptable by the organization, as well as the business expectations We cannot imposed extensively to the organization to increase its BCDR plan readiness and an adoptive culture or policy
LAYER OF PROTECTION Yet, what we offer is some layer of protection to minimize the consequences towards the organizations multi billion dollar revenue We can offer some layer of protection to the core values of the organization This layer of protection provides a safeguard (in a minimal degree) to productivity verse adversity The cost of protection! = a mere fraction of the revenue cost. With at least 52% of services ready, the protection in place could achieve a greater percentage of revenue recovery than not having any protection at all.
Yet, what we offer is some layer of protection to minimize the consequences towards EHI multi billion dollar revenue We can offer some layer of protection to the core values of EHI This layer of protection provides a safeguard (in a minimal degree) to productivity verse adversity The cost of protection! = a mere fraction of the revenue cost. With at least 52% of services ready, the protection in place could achieve a greater percentage of revenue recovery than not having any protection at all.
We have assessed, based on the common threat sources, that with the existing controls and plan readiness in place the data centers and alternate sites can achieve at least a recovery within the established service level agreement policy guidelines. But this does not mean all systems or applications will be fully functional, since 48% of the organizations systems still lack disaster recovery plans and local broke / fix recovery plans. Also, in the event of a catastrophic event, we lack specific controls or influence over these events. However, with the use of the our “state of the art data centers”, we foresee at least some available functionality, in some form of “ad hoc” recovery.
In summary, the following matrix provides the overall view of our data centers readiness and its protection it offers based on the level of recoverability. However, there are cost and supportiveness involved to move beyond what we can achieve now. The question remains “what degree of readiness are we comfortable with to circumvent threats against our organization?”