Another risk in merging plans is the possibility of gaining unwanted public attention. "For instance, invoking a disaster recovery plan often requires large-scale notifications going out to key stakeholders," Merino says. "However, this is the last thing you want during an issue requiring investigation, such as a suspected [network] breach, because of the need to collect and preserve the integrity of highly volatile electronic evidence."
Stitching together complex security and disaster recovery rules and procedures can also result in the creation of a needlessly bulky, ambiguous and sometimes contradictory document. "If you try to combine processes and resources into a single plan, it can muddy the waters, oversimplifying or overcomplicating the process," states Dan Didier, vice president of services for GreyCastle Security, a cybersecurity services provider. While some disaster and security recovery processes may be similar, such as ranking an incident's overall impact, other processes are not as easy to combine. "In addition, you are likely to have different resources involved, so training and testing is complicated, as are updates to the plan after the fact," Didier explains.
Fires, storms, blackouts and other physical events are all unpredictable, yet their nature is generally well understood. Security threats, on the other hand, are both unpredictable and, given the rapidly advancing nature of cyber criminality, not generally well understood, either. This means that security recovery strategies must be revisited and updated more frequently than their disaster recovery counterparts,
A security recovery plan is undoubtedly more difficult to keep up-to-date than a disaster recovery plan, says Anthony McFarland, a privacy and data security attorney in the Nashville office of the law firm Bass, Berry and Sims. "New external cyber threats arise weekly," he notes. The list of man-made or natural disasters that could threaten a business, however, is relatively static. "Even when a business expands geographically, the number of new anticipatable disasters is limited, McFarland says.
Response to a disaster must be immediate, yet response to a cyber-event must be even quicker. "This response reality is amplified because a company may have forewarning of a pending disaster, like a tornado, flood or earthquake, but no advance notice of a targeted cyberattack," McFarland says.
"The nature of the threats within security recovery plans are more dynamic than within disaster recovery, and therefore require continual review and update," says Mark Testoni, president and CEO of SAP National Security Services. "For example, recent ransomware attacks, such as WannaCry, are incredibly destructive and require security recovery plans to examine how to effectively respond to new threats and risks."
The discovery process is the most important aspect of both security and disaster planning, Bourne says. "Plans must be adaptable and key leaders must understand what the plans are trying to achieve in order to ensure maximum success," he adds.
Sign up for CIO Asia eNewsletters.