
How to assess your company information insurance

A few days ago, my friend Alberto told me that he had dropped his mobile phone and broken it, and that he was very worried about all the photos in his camera roll, since years of his family's memories were stored there. Logically, the first thing to do would be to try to repair the phone, but because of the state of alarm he had no idea how long he would be without "his memories", on top of the uneasiness of not knowing whether there was a solution at all.


Alberto did not know that his phone already had a kind of information insurance with Apple, and that all his data and photos (what he cared about most) could be recovered with a few clicks.


Following this line of thought we can infer that, if 95% of us have information insurance for our mobile phones, then for our company and its most valuable asset (the information it handles) it ought to be all but compulsory by law to take out insurance that protects us from any kind of problem related to the loss of information within the company.


All right, let's do it. The first thing we need to know is: how do we take out that insurance? What types of information insurance are available on the market? How do we decide between one and another? What information do we want to keep safe? Fine, I work in the IT department and I know which information backup solution I want, but how do I convince my financial director?

Well, getting down to the matter, we have no choice but to define real metrics so that we can technically quantify parameters such as recovery capability, business impact and the financial concerns related to data protection.

Let's go back to 196 BC and a fragment of an ancient Egyptian stele: the famous Rosetta Stone. What interests us about it in this context is that we must handle several different metrics (languages), giving each area of the company the ones that really matter to it. Rest assured that if you are in your company's IT department and you talk to your CFO about RPO and RTO in your backup planning, he will not understand a word of it, and he may even get annoyed with you because he will think you are wasting his time.


Therefore, the most sensible approach is to speak to each department in its own language, so that all of them understand the need for an efficient and agile backup system.
These are the metrics we must use and understand:

  1. IT professionals must deal with the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO) as the basis for correctly selecting the data protection technology or tool. It will be important for IT managers to negotiate service level agreements (SLAs) with management and with their backup solution providers that match the reality of their systems, so that the metrics listed in point 2 can be adjusted correctly.
  2. Professionals responsible for operations within the company will be much more concerned with business impact analyses (BIAs) and risk assessments (RAs).
  3. Financial professionals are not going to worry much about backup systems, but they are going to worry about the company's investments and their associated return. That is, they will look at everything through the lens of total cost of ownership (TCO) and return on investment (ROI).

In sum, effective data protection should start with understanding the business processes that depend on your IT infrastructure. Only when we have been able to quantify the impact of a service outage and information loss can we be prepared for disaster with the right solution(s).
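The three "languages" above can be reconciled in one table once the numbers are pinned down: IT supplies what each tool can actually achieve (its RPO and RTO), operations supplies the tolerances and costs from the BIA and risk assessment, and finance gets the resulting expected annual loss, TCO and ROI. The script below is an added example, not code from the post or from any vendor; the policy names, the `BusinessImpact` fields, the simple cost model (downtime cost plus the cost of recreating lost data, scaled by the expected number of incidents per year) and every figure in it are constructed for illustration.

```python
"""Added example: turning RPO/RTO, BIA/RA and TCO/ROI into one comparable report.

All numbers below are constructed for illustration; the policy names, the
BusinessImpact fields and the cost model are assumptions, not figures from
the post or from any vendor.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupPolicy:
    """What IT can actually deliver with a given tool (assumed values)."""
    name: str
    backup_interval_hours: float  # gap between restore points -> achievable RPO
    restore_hours: float          # measured time to bring the service back -> achievable RTO
    annual_tco: float             # licences, storage and staff time per year


@dataclass(frozen=True)
class BusinessImpact:
    """What the business tolerates and what an outage costs (from the BIA and RA)."""
    service: str
    max_data_loss_hours: float        # RPO requirement
    max_downtime_hours: float         # RTO requirement
    outage_cost_per_hour: float       # revenue and penalties lost while the service is down
    data_rework_cost_per_hour: float  # cost to recreate one hour of lost data
    incidents_per_year: float         # expected loss events, from the risk assessment


def achievable_rpo(policy: BackupPolicy) -> float:
    """Worst case: everything since the last restore point is lost."""
    return policy.backup_interval_hours


def achievable_rto(policy: BackupPolicy) -> float:
    """Use the measured restore time, never the vendor's brochure figure."""
    return policy.restore_hours


def meets_requirements(policy: BackupPolicy, impact: BusinessImpact) -> bool:
    """IT view: does the tool satisfy the BIA-derived RPO and RTO?"""
    return (achievable_rpo(policy) <= impact.max_data_loss_hours
            and achievable_rto(policy) <= impact.max_downtime_hours)


def expected_annual_loss(policy: BackupPolicy, impact: BusinessImpact) -> float:
    """Operations view: incidents/year x (downtime cost + cost of recreating lost data)."""
    per_incident = (achievable_rto(policy) * impact.outage_cost_per_hour
                    + achievable_rpo(policy) * impact.data_rework_cost_per_hour)
    return impact.incidents_per_year * per_incident


def roi(policy: BackupPolicy, baseline: BackupPolicy, impact: BusinessImpact) -> float:
    """Finance view: loss avoided versus the current setup, net of TCO, per unit of TCO."""
    avoided = expected_annual_loss(baseline, impact) - expected_annual_loss(policy, impact)
    return (avoided - policy.annual_tco) / policy.annual_tco


def evaluate(impact, baseline, candidates):
    """One row per option, so each department can read the column it cares about."""
    rows = []
    for policy in (baseline, *candidates):
        rows.append({
            "policy": policy.name,
            "rpo_h": achievable_rpo(policy),
            "rto_h": achievable_rto(policy),
            "meets_sla": meets_requirements(policy, impact),
            "expected_loss": expected_annual_loss(policy, impact),
            "tco": policy.annual_tco,
            "roi": roi(policy, baseline, impact),
        })
    return rows


# Constructed sample figures (not from the post): an order-processing service that
# tolerates 24 h of data loss and 8 h of downtime, costing 5,000/h while down and
# 1,000/h of re-entry work per hour of lost data, with 2 loss events expected a year.
ORDER_SYSTEM = BusinessImpact("order processing", 24, 8, 5_000, 1_000, 2)
CURRENT = BackupPolicy("weekly tape, manual restore", 168, 48, 2_000)
OPTIONS = [
    BackupPolicy("nightly snapshot", 24, 8, 12_000),
    BackupPolicy("continuous replication", 0.25, 1, 40_000),
]

if __name__ == "__main__":
    for r in evaluate(ORDER_SYSTEM, CURRENT, OPTIONS):
        print(f"{r['policy']:<28} RPO {r['rpo_h']:>6.2f}h RTO {r['rto_h']:>5.1f}h "
              f"SLA {'ok' if r['meets_sla'] else 'NO'} "
              f"loss/yr {r['expected_loss']:>10,.0f} TCO {r['tco']:>8,.0f} ROI {r['roi']:>7.2f}")
```

With the constructed figures, the weekly tape setup fails the SLA check outright, and both candidates pass it; the nightly snapshot shows the higher ROI because its TCO is much lower, while continuous replication buys a further reduction in expected loss at a higher price. The point for the conversation with the CFO is that the ROI column only exists because operations first quantified the cost of an hour of downtime and an hour of lost data.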

There is a popular saying among motorcycle enthusiasts:


"There are only two kinds of bikers: those who have already fallen and those who are going to fall."
 
Author: Saul Cejudo (linkedin)
References: Data Protection by the Numbers / brought to you by VEEAM / For Dummies, a Wiley brand
Image1: Photo by Markus Spiske on Unsplash
Image2: National Geographic History
