DRJ Blogs

Recent blog posts

Posted by on in DRJ Blogs

We’re gearing up for a fantastic 55th conference in Phoenix, Arizona. The entire DRJ team is busy behind-the-scenes making sure everything on our “to do” lists is done and that we’re ready for you from September 18 - 21.


To help you get prepared for DRJ Fall World 2016, we thought it would be useful to highlight sessions, breakout tracks, workshops and pre-/post-conference courses. We appreciate that the conference agenda is packed with information and it can be easy to miss reading about all of the offerings available. 


How mature is your organization when it comes to business continuity & organizational resilience? Does your Business Continuity Management (BCM) program crawl, walk or run? From self-governed to synergistic, we have identified 6 levels of BCM maturity that most companies fall into. What is your organization’s level? Here is our breakdown:

Levels 1-3 represent organizations that have not yet completed the necessary program basics needed to launch a sustainable enterprise Business Continuity Management (BCM) program.

Level 1 - Self-Governed: It’s every man (or woman) for him/herself!

Individual business units and departments are "on their own" to organize, implement, and self-govern their own business continuity or disaster recovery efforts. The state-of-preparedness for disruptive events is low across the organizational enterprise. The organization or individual departments react to disruptive events when they occur. There is no real planning involved: business continuity recovery is reactive vs. proactive.


Posted by on in DRJ Blogs

News travels fast.

“Going to Africa. Hope I don’t get AIDS. Just kidding. I’m white!”

All it took was this one tweet from Justine Sacco, senior director of corporate communications at IAC, to her then 170 Twitter followers. Within a matter of minutes, while she was asleep in the plane, Justine became the No. 1 worldwide trend on Twitter – not for a good reason as you can imagine.


I walked into the hotel lobby at a client site a few weeks ago to get some tea and review my notes for the day’s meetings.  There was a businessman sitting at a table near the coffee stand, and he was clearly in the middle of an important phone conversation.  From what I could overhear (and he was not being quiet) he was talking with someone in his department (IT) at his head office.  It went something like this:


“Ok, so did you check all the hardware connections?” pause “No, that wouldn’t help. You might have to shut down and reboot.” exasperated sigh “Ok, well I’m in a hotel on the West coast so I can’t come in, but I’ll do what I can to walk you through the steps over the phone.”


The business continuity (BC) planning process can be a daunting challenge. Project planning can play an important role in keeping the process on track & help in your success in protecting your organization from unplanned events that can disrupt operations.  The goal is to identify the right information & determine a process to keep it current and accurate.  Key elements of a business continuity plan include:

  • risk assessment
  • business impact analysis
  • strategy development
  • plan development
  • communications
  • awareness & training
  • coordination with external services

Of course you want the project plan to be successful, so there are 10 things not to do to be more likely to reach your business continuity planning milestones & goals.


Every organization or business, regardless of revenue or staff size, needs to understand what is truly critical to keep operations going, and how long the business can function without certain elements, components or dependencies. This includes considering how long the business can survive both financial losses and reputational losses due to negative public perception. Obviously, not having a disaster recovery plan is a recipe for disaster, but just having a plan is not enough. Make sure that your disaster plan avoids certain pitfalls that may complicate disaster recovery and make it more of a disaster.

Consider this list of what not to do including:


Posted by on in DRJ Blogs


We are pleased to be a part of the DRJ community and look forward to sharing information and creating mutually beneficial opportunities! This is our first blog post on the DRJ site, so we’ll start with a bit of information about our company. But first…


Target, the IRS, Hillary Clinton, Sony, healthcare systems… the list goes on with new stories of cyber security breaches and hacking. A cyber-attack can lead to financial and reputational losses from which it can be difficult to recover. A cybersecurity breach can negatively impact your business continuity and force the organization into disaster recovery mode. Sometimes simple preventive measures can help mitigate risk, before disaster strikes. Here are 6 hacks you can try to help your organization avoid getting hacked.

  1. Stop insider attacks
  2. “Gone phishing”
  3. Password security
  4. Defend against intrusions at the device level
  5. Avoid band-aid security fixes
  6. Mandatory cybersecurity education

1. Stop insider attacks

Studies estimate that between 40-90% of cyber-attacks originate from inside the organization. This can either be a hack-savvy IT professional, a disgruntled employee, or even an accident caused by an uninformed employee.

Hack: Ensure Accountability and Security via Password Policies

Avoid having a universal company passcode to any device, network, application or internet site. Make sure each employee has an individualized login and password to ensure accountability and to give you the power to revoke an individual’s access without disrupting the rest of the company’s access. Having separate logins also helps you monitor just who made a change or mistake, regardless of whether it was deliberate or accidental. Immediately cancel network access and passwords when employees leave the company, to avoid them using passwords to remotely access the network in future.


Posted by on in DRJ Blogs

This week I attended an excellent conference on Cyber Security. TakeDownCon run by EC-Council and hosted by the UConn School of Business in Stamford, CT provided great speakers with separate tracks for CISOs and technologists. I highly recommend an EC-Council event if you’re looking to learn more about Cyber Security or obtain certifications.

In 2015 over 169 million personal records were exposed as a result of cyber intrusions; the result of more than 780 publicized breaches across education, healthcare, government and financial sectors. The average cost per stolen record exceeded $150. In the healthcare sector the cost per stolen record was $360. Despite the rising threat posed by foreign governments, hacktivists, and cyber criminals only 38% of global organizations report they are prepared to handle a sophisticated cyber attack.

Here are some key takeaways from the conference:


This month I continue the focus on new innovations in data protection and DR. Give a listen to Data Protection Gumbo; an excellent Podcast series by Demetrius Malbrough. Episode 24 is live with expert insight from Shalabh Goyal and Jeannie Liou from Datos IO. Explore how changes in the world of IT are creating the need for new DR solutions. We discuss new innovations for protecting Cloud applications and how the data protection and DR industry will evolve over the next several years. I welcome your feedback and comments.

Podcast - Innovations in Data Protection



Building engagement is a challenge for almost every organization when it comes to business continuity planning. Sometimes it seems like it would be easier to do the whole plan alone, but we all know that in order to be effective, the organizational resilience plan needs to have input from all parts of the organization.

There are 3 approaches that risk managers and continuity managers consider when trying to build engagement. They are fear, framework, reinforce and support. There are benefits to all, but which approach has the most lasting and productive impact for building enterprise engagement of your business continuity planning process? Here are my thoughts on these 3 approaches. You can decide which works best for your program.


Whether you are starting a program ‘from scratch’ or seeking to re-energize a program that may have lost some of its original focus, there are a few common pitfalls you should be aware of and seek to avoid. The goal is to create a successful business continuity management program that is objective, consistent & repeatable.

Your piece of the ‘resilience program’ may include one, several, or all of the following disciplines: IT disaster recovery, business continuity, emergency management, crisis management, site or operations risk management, and possibly other related activities.

1. We bought a tool – we’re ready to launch!

It is so tempting to think that all we need is “the right tool” and all will be fine. Our plan owners will adopt it and the program will move forward and be sustained over years. If only it were that simple.


Let’s face it. Organizational resilience, business continuity & disaster recovery program management requires buy-in from the entire organization, from the top down, across all departments & across external service partners & providers. Everyone needs to understand how they fit into organizational operations during normal day-to-day operations & also during a disruptive event. Without buy-in, even the best laid resilience plan won’t work.

Ok. So now how do you get buy-in? I suggest these five steps for building executive buy-in of your organizational resilience management program:

  • Step 1: Define Organizational Resilience specific to your industry/organization
  • Step 2: Determine a baseline
  • Step 3: Play by the rules! (Know your regulations)
  • Step 4: Conduct a business impact analysis
  • Step 5: Money talks! Quantify the financial impact

Step 1: Define Organizational Resilience or Business Continuity specific to your organization or industry.

Why? Every organization has unique needs & priorities that vary based on the industry, physical location, reliance on resources such as data & supplies or other aspects. For example, a hospital has an immediate focus on their customers (patients) which a manufacturing company clearly doesn’t need to consider. Just as a manufacturing company may need to take a look at supply chain management more aggressively than a consulting organization does.


The growth of Cloud, social, and mobile technology is driving increased use of NoSQL databases like Apache Cassandra, MongoDB, Amazon DynamoDB and Google Bigtable. A recent study by ESG revealed that 56% of companies have NoSQL databases in production or deployed as part of a pilot/proof of concept. A similar study by Couchbase revealed that 90% of companies consider NoSQL important or critical to their business. Once the province of Internet innovators like Google, Amazon, Facebook, LinkedIn, and Twitter, the use of NoSQL databases is now widespread across every major industry. Modern applications create new demands that developers and DBAs must address such as:

  • Huge volumes of rapidly changing data including semi-structured, unstructured and polymorphic data.

  • Applications are now delivered as services that must be always on, accessible from mobile devices and scaled globally to millions of users.


Posted by on in DRJ Blogs

One of the best ways to attain senior management buy-in, for any project, is a return on investment (ROI) analysis. The same is true for any business continuity management program implementation. Just one problem. With the exception of financial institutions, it is very difficult to show ROI in financial terms (which executives like). With financial institutions, you can come up with a formula for lost interest on loans over time, loss of fees over time and loss of new business over time. Most other companies don’t have such hard and fast methods to determine financial loss. Sometimes, it comes down to ‘best guesstimates’. Picture managers looking towards the heavens as they try to compute unknown numbers, “Let’s see... there’s the cost of temporary workers (how many? I don’t know), potential overtime hours (how many? I don’t know), the cost of vendors picking up our processes (the Business Impact Analysis can help – but the vendors want to make a profit too), cost of Alternate Work Space (how long are we going to be there?), are there any penalties we have to account for, etc. etc. etc.” Sometimes, you just can’t put a dollar figure to it.

A former colleague once said to me, “business continuity requires you to think outside the box, because the box has been blown away.” Because so much of what we do seems to be art, as opposed to cut and dry mathematics, looking at ROI strictly in the financial sense won’t give a complete picture. As Robin Williams' character – Mr. Keaton – said in ‘Dead Poets Society’, "This isn't like laying pipe." Yes, we have standards and processes, tried and true. However, there are just too many unknowables to give a dollar figure saved (or made) for a BCM program. Sure, we can probably do it based on a Business Unit / Critical Process basis. But for an overall program? In some instances, there can be a return on investment but I would think it would be virtually impossible to calculate. As noted earlier, I think it will usually come down to a best guesstimate.


Posted by on in DRJ Blogs

The earthquake in Ecuador has left me thinking about how many of the country’s businesses will survive and if many of them had business continuity plans in place? As quickly as details of the incident came onto the TV, they seem to have vanished again, as the news circus moves on to the deaths of Victoria Wood and Prince.

The earthquake got me thinking about the justification in carrying out business continuity and how we sell it to organizations to ensure that it adds value, and is worth spending the time and money to develop it. For a long time I asked many people, ‘where are the case studies which prove that business continuity works’? I was looking for an example of an organization that has put in place a business continuity program that could prove that they would fail without it. There may be case studies out there, but it seems as an industry, that there is not the well quoted example that everyone refers to. Therefore, case studies are probably not the way to justify implementing business continuity.


Posted by on in DRJ Blogs

Is Your Data Storage Childproof?

The Internet of Things is in its infancy right now, and like most infants, it will make you rethink everything you do, and provide moments of joy and inconvenience in equal measure.

Everything Gets Counted


Originally posted on Rentsys Recovery Services' blog.

Medical Provider Struck by Hackers!

Insurance Giant Suffers Massive Data Breach!

Millions of Patients Have Data Stolen!

It seems like there are new headlines about data breaches in the healthcare industry every month — if not more frequently. In the last few years, electronic protected health information (ePHI) has become the primary target for hackers, and it's easy to see why.

According to a recent report by Reuters, ePHI fetches 10 to 20 times more than credit card data on the black market. That's why organizations that handle healthcare data are prime targets for data breaches and theft. In fact, 28.5 percent of the entire U.S. population was affected by just two — Anthem and Premera — healthcare data breaches that were discovered in 2015.

Starting to feel a little overwhelmed? Don't worry. Here are five things you can do to keep your ePHI safe from prying eyes.

Encrypt Everything

In 2013, two laptops were stolen from a secure office at a hospital in California. The laptops contained ePHI such as financial information, health conditions and demographic information. Unfortunately, the data wasn't encrypted, so the hospital had to notify 729,000 individuals that their ePHI had been compromised. The hospital implemented policies and procedures to reduce risks to the patients' ePHI, but the damage was already done. Had the laptops been encrypted, the hospital could have protected the information.

A recent article by Health Data Management points out that it's easy to encrypt everything, since encryption tools are embedded in current operating systems and come with nearly every device. (If a device doesn't have built-in encryption functionality, that's a sign that it's outdated and shouldn't be used to handle ePHI in the first place. We talk about that more below.) Yes, encrypting all your data costs time and money, but it's a drop in the bucket when you compare it to the cost of recovering from a breach.


This is part 1 of a multi-part series on the evolution of analytics in disaster recovery

It may seem odd to discuss the role of analytics in the field of disaster recovery. These disciplines appear to have little in common. Wikipedia describes Disaster Recovery (DR) as a set of policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. Analytics is described as the discovery and communication of meaningful patterns in data.

In this series I'll discuss how analytics will improve resilience, lower risk and enhance business continuity. I'll explore how analytic DR services could come to market, which parties stand to benefit most, and some of the challenges that lie ahead. Part 1 will discuss how analytics will enhance disaster recovery (near term) and a vision in which analytics and automation are combined to improve risk management. 



Your data is doubling every 18 months, your profits aren’t.

This makes data storage a growing part of your business, and it’s being disrupted.