fire extinguisher hanging on a white wall
PHOTO: Andrei Slobtsov

Digital transformation, specifically the technical advancements and changes that result from such efforts, has been impacting the practice of business continuity planning for years. I would know because I was in the business of business continuity and disaster recovery for more than a decade before shifting gears to focus on productivity, collaboration, advancing the benefits of the digital workplace, and now helping companies navigate large-scale transformations.

I’ve assessed all manner of risks, conducted hundreds of business impact analyses, developed strategies for mitigating specific and general disruption scenarios, ensured plans were written, tested, maintained and executed when needed. I’ve written pandemic plans — the kind of plans that hopefully organizations had in place before the current state of affairs kicked into high gear (if it even has kicked into high gear yet).

The above are all hallmarks of standard business continuity planning and management methodologies. And while they are still viable today and will continue to be tomorrow, it should be clear that organizations further along on their digital transformation journeys have been able to deal with the current crisis better than those that have lagged behind.

The ship has not fully sailed, however. As the saying goes, “the best time to plant a tree is 20 years ago. The second best time is now.” Let’s look at just three examples of how your organization can start today.

Alternate Sites vs. Cloud Computing and Remote Work

Setting up hot sites, warm sites and cold sites are core response tactics used in traditional contingency plans. These alternative computing and work locations were particularly necessary when nearly everyone worked in an office building on desktop computers that needed to connect to nearby servers. If the servers were not nearby, severe limitations for use would incur. These recovery sites combined data center space and work space where IT teams could rebuild core infrastructure and application services and connect essential users to those computing resources. The “hotter” the site, the more services were set up and waiting to be utilized to cut down on recovery times. 

Cloud computing has flipped this aspect of continuity planning and recovery on its head. Yes, there are undoubtedly still use cases for recovery sites, but those are fewer and more far between than they were 20 or even 10 years ago. Companies not yet in the cloud have a massive burden they continue to saddle themselves with that prevents them from being able to respond to catastrophic events in a timely manner. Uptime is the new recovery time. And, by new, I mean that ship sailed years ago.

Beyond the need to recover infrastructure and application services, cloud computing decoupled the proximity required for traditional client/server architectures. This change freed users from the confines of the office desk and locked-down desktop computers. Remote work, however — for as long as we’ve been talking about it — has yet to be a mainstream, primary mode of working. Organizations with remote work capabilities in place have much less dependence on traditional alternate recovery sites and found themselves in much better positions as the prolonged global pandemic set in.

Related Article: CIOs Share Business Continuity Plans Amid COVID-19 Pandemic

Perimeter Security vs. Zero Trust

With the large-scale forced remote work adoption over the past few weeks, one of the biggest hurdles that unprepared organizations had to overcome was extending their security measures beyond the traditional walls of the office. Achieving business continuity through relocating the workforce was previously very controlled and orchestrated. A central element of that process was establishing alternate sites with the same security mechanisms as were in place for normal locations. In other words, when recovering to an alternate recovery site, establishing traditional security measures isn’t that difficult — it is just a part of the process. Work from home scenarios as a business continuity strategy were far less common.

When work from home was considered in business continuity plans, strategies included having employees take home their laptops, with printed out plans and checklists kept in different locations (at work, home, and in the car was the typical rule of three), and ensuring VPN capacity could withstand the influx of remote connections, to name a few. It doesn't have to work that way today, but sadly it isn’t far from what some organizations are dealing with.

Digitally dexterous organizations were in a much better position to have reacted swiftly, or even not at all, to the changing demands brought on by a suddenly remote workforce. Modern security management allows for the connecting of non-corporate owned devices, access to data and resources off of the corporate network, availability of communication and collaboration tools to support distributed team productivity, and more intelligent control through methods like conditional access.

The shift from traditional perimeter security architectures to modern zero trust models was a key part of remote enablement. Perimeter security methods focus on hardening the external attack surface (i.e., the network perimeter) and thereby protecting the assets contained within. Zero trust models embrace three main concepts: First and foremost, “trust but verify” is replaced with always verify — this is where conditional access comes into play. Second, access rights and what a user is authorized for must be more granular and leverage least privileged access policies. Third, organizations must assume they are in a state of perpetual breach and that perimeter controls are inadequate, requiring narrow “protect surface” controls instead of broad “attack surface” controls.

For organizations that have already adopted zero trust, security hasn’t been as large of an issue over the past few weeks.

Related Article: Putting Our Collaboration Tools to the Test

Brick and Mortar vs. Digital Business Models

Finally, as we all know and have been reminded repeatedly over the years, digital transformation is rooted in changing business models to take advantage of new technologies, expectations and capabilities. The primary directive of business continuity planning is to keep the business running and meeting the needs of shareholders and stakeholders, both internal and external. For a majority of businesses, that means keeping the cash flowing. Traditional disaster recovery measures therefore sought to ensure mission-critical systems were online for transactional processing and related business functions.

Organizations that have shifted their business models to embrace digital — both in products and delivery — are in much different positions today than those that remained reliant on historical and traditional models. In this particular situation, the threat exposure for digital businesses is significantly lower than those of conventional brick and mortar varieties, as the former can still operate in much the same way as they did prior to shelter in place measures went into effect. Organizations serving digitally based or augmented products are seeing increases in sales and usage while those that do not are scrambling to find ways to weather the storm.

Related Article: Dealing With the 'Soft' Challenges of Remote Work

Moral of the Story

In these challenging times, we all need to do everything we can to help one another, support our communities, and not lose sight of the bigger picture (which isn’t digital transformation). We should never waste an opportunity to learn and grow, and in some cases, act. Unfortunately, for many organizations the need to act and to act quickly is not just a priority but a necessity for survival. The key is to act now — there is still time.

There will always be reasons to delay, to avoid taking a risk, to hold off on taking the next step for one reason or a hundred. Change is progress. Risks are opportunities. The organizations that will recover the fastest after all this is over will be the ones that either had a head start in their digital transformation journeys or those that pivoted to fully embrace the advantages and benefits to be had.