Making it a team effort
While most experts advocate creating and maintaining separate disaster and security recovery plans, they also note that both strategies must be periodically examined for potential gaps and conflicts. "The best course of action to have the plans complement one another is to make sure that you have the same team working through both of them," says Steve Rubin, a partner at the Long Island, N.Y., law firm Moritt Hock & Hamroff, and co-chair of its cybersecurity practice group. "Not only will they be stronger and complement one another, but will also be more effective and resilient in the long run."
Weidner notes that it's okay, however, to have separate teams in charge of security and disaster plans as long as they regularly coordinate their strategies and goals with each other. "Each team, whether supporting security or IT recovery, needs to manage their own specific plan requirements," Weidner says. "However, oversight and governance should be centralized to guarantee events will be supported using the same methodology, such as communications to executive teams, company stakeholders and customers."
Whether planning is handled by one or two teams, the right people need to be brought onboard, Didier says. "Senior management plays a critical role and must oversee the operation," he says.
"The CIO, CISO and network administrators will be integral members of both teams," McFarland observes. However, many disaster recovery team members will have no, or only limited, involvement in the work of the security group, and vice-versa. "For example," McFarland notes, "facilities managers are critical members of a disaster recovery team, but typically not needed in the [security] group unless there was a physical loss or theft of tangible/hardcopy data from an office."
Operations and security teams should review each other’s plans in a controlled and constructive manner to determine how they can be leveraged in support of each other, suggests Morey Haber, vice president of technology at BeyondTrust. "These policies should not be developed on islands and if possible be tested together," he says. "This helps address extreme edge cases while maintaining separation of duty requirements and building team synergies."
As enterprises learn what works and what doesn’t work in both security and disaster recovery planning, a growing number now realize that security recovery is not disaster recovery and that each has very different needs. "As organizations mature, they learn that the purpose of security incident response is much more nuanced than merely a restoration of business and that many of the functions typically invoked in disaster recovery for business continuity purposes are either not applicable to cyber security events, or in some cases, harmful to security incident response and forensics," Merino says.