Archives For disaster recovery

NIST Framework: You’ve Heard It, Lots of People Refer to It, But Do You Know What the NIST Security Framework Is…

If forced to (say, by a client asking you, the sales person), could you explain what the NIST Security Framework is?

The NIST framework is important to the assessment process because it gives you an easy reference point from which to assess and define risk. In a sales situation, the customer (if they have any knowledge at all) should be asking you how you approach assessments.

How will you answer?

If you’ve read my book, The House & The Cloud, you already know most of the NIST Security Framework…

(I wrote version one of The House & The Cloud in 2007, so you know I wasn’t just copying NIST – the framework is a 2014 publication. Of course, I’m not claiming to be the author of NIST either.)

Either way, it’s important to know NIST if you’re going to talk security. So here’s the simple “sales person level” overview…

Notice the outline below. There are 5 major components. You’ll remember from The House & The Cloud, PDR – Protection, Detection, Response (Chapter 13)… NIST simply adds IDENTIFY (on the front end) and RECOVER (on the back end):

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

In my 2007 book (updated in 2015), I develop the IDENTIFY aspect in more detail (just under a different heading – the Three Important Questions You Should Be Asking Asset Owners). See Chapter 13, The Three Questions.

  • What are you trying to protect?
  • What are your relevant threats?
  • How likely are you to be able to detect and respond before damage is done?

These three questions provide a clear understanding of just how asset owners (and IT) view their data, their threats, and their current approach to security. In most cases they have no idea that certain digital assets even exist, and chances are, IT cannot define their firm’s most pressing threats.

PDR – The Core of NIST, But Selling It Requires Strategy

Understanding PDR. 

The House & The Cloud is a sales training book, not an SE’s handbook. So use NIST as the foundation for your security approach to provide credibility in the sales process. Your client/prospect won’t know my name, but they can Google NIST.

It’s not necessary for you (the sales person) to be fluent in security architecture and the various approaches to remediating risk.

But getting buyers to part with money for NIST is a hard hill to climb. Chapter 13 of The House & The Cloud provides the science behind the marketing approach. In my presentation (the one outlined in Chapter 13) I first must break the preconception that my prospect has security “covered”.

The conversion happens when the client sees their investment tied to column ONE – the NIST protection column (as explained in The House & The Cloud). Protection alone (keeping people out) won’t stop hackers… but until the client sees the truth (and admits their mistake) they won’t move forward.

If you want to be the Trusted Advisor, you must be TRUSTED, and ABLE TO ADVISE… and that means your client must first admit they need advice!

The House & the Cloud solves the problem of how to explain what security should look like, while getting the prospect to admit they have it wrong (Assuming they do).

Finally, Recovery… As in Disaster Recovery

My Response (the R in PDR) calls for real-time response… I make the point (in The House & The Cloud book) that faster response is needed – even real-time response, to stop the threat before harm is done.

In other words, if I could somehow stop the ransomware before my data gets encrypted – I would be a lot better off.

However, stopping disasters is not always possible… and so the Disaster Recovery Plan is essential: developed, documented, and tested regularly. This last component needs work, especially in the small/medium business market…

Disaster Recovery offers another great opportunity for resellers in the IT Management / MSP business! (And I’m talking about a lot more than just Backup and Recovery Services).

Check out this short NIST video from Rapid 7 for the overview…(Thanks Rapid 7, this clears up a lot of confusion).

© 2017, David Stelzl

Confidentiality, Integrity, and Availability.  These are the three pillars of any security plan – although most people think of hacking when they hear “Security”.  Today I’ll be speaking to business leaders in Cincinnati, Ohio on the topic of data security.  It’s not a technical talk, but rather a look at the trends and concerns, the people behind data theft, and the wrong mindsets most people have around security.  If I had time to rewrite my presentation, I might choose to do more of a briefing on disaster recovery and business continuity.

This week’s storms exposed one wrong mindset – the one where everything looks okay, so it must be. Every week I hear accounts of security assessments being conducted where engineers report a lack of data backups and business continuity. You would think that after so many years of PC computing, companies would have put something in place. Even some of the larger, more sophisticated companies are running daily production with untested, outdated, tape-based backup systems. With today’s mobility technology, 4G cellular capabilities, and high-availability storage, we should be in great shape when something like this hits (at least from a data and system standpoint). But news reports coming out of NY and NJ are telling a different story. In some cases companies had some, but not all, systems backed up – such as in the case of  In other cases, companies like MailChimp got lucky – their data was in a location that did not get hit – while their other data centers were hit. In most cases, it’s the midsized and smaller companies where I see no backup, or a simple onsite tape backup, but nothing off site. With the low-cost solutions available today for cloud-based backups, it makes sense that even the smallest companies would invest in this type of technology.

Failure Leads to “Out of Business”

Gartner has stated, “2 out of 5 companies that experience a disaster will go out of business over the next 5 years.” It’s interesting that it takes 5 years – in other words, recovery drains the company, sets it back, and slowly kills it.

Business continuity specialists have given a number of statistics on where the failures are. Somewhat surprisingly, 40% of disasters are related to human error, 40% come from application failure, and 20% are hardware related. Somewhere in there, about 4% are natural disasters… of course, where you live will increase or decrease this number.

Areas of Impact

According to my friends in the business continuity and disaster recovery business, there are generally four areas that must be handled when disaster strikes.

  • Direct financial losses – sales stop, investments may suffer, and billing doesn’t happen.
  • Production – people can’t work, plants shut down, etc.
  • Brand and reputation – do people still trust you?
  • Regulatory and similar – including compliance obligations, credit ratings, etc.

Long-term outages will kill a company over time. Trying to recover data can be time-consuming, labor-intensive, and very expensive. One project I worked on years ago put a global manufacturer on hold for three days, sending all three shifts home for all three days. They would have spent far less on a simple backup solution. The cost of their data recovery was big!

You Need a Plan

Business continuity is not a backup application. It’s a plan – it provides direction on what to do in the event of a disaster. It specifies the backup and high availability of systems and data, provides a way to continue work without coming back to the affected location (at least initially), and calls for training and testing so that the employees of that company know what must continue to run, and how. Every company should have this – it might be that only certain functions must continue during the recovery process, but without a plan, it’s impossible to tell. The plan will guide you in the midst of confusion.
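Both the Recovery section of the 2017 post above (“developed, documented, and tested regularly”) and the paragraph just above leave “tested” as a requirement without saying what a test looks like. The script below is an added example, not code from the original posts or from The House & The Cloud: a POSIX shell restore drill that backs up a directory to a tar archive, restores it into a scratch directory, compares per-file SHA-256 sums of source and restore, and then deliberately corrupts one restored file to prove the check itself is not a no-op (an untested verifier is the same trap as an untested backup). The directory layout, file names and file contents are constructed sample data standing in for production files; the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original posts): a scriptable restore drill.
# Backs up a tree, restores it elsewhere, and compares per-file SHA-256
# sums so "tested regularly" becomes a scheduled command with a clear
# pass/fail result instead of an intention.
set -eu

# Constructed sample data standing in for production files (assumption).
make_sample_data() {
  dir="$1"
  mkdir -p "$dir/ledger" "$dir/docs"
  printf 'invoice,amount\n1001,250.00\n1002,75.50\n' > "$dir/ledger/2012-10.csv"
  printf 'Continuity runbook v3\n' > "$dir/docs/runbook.txt"
}

# Back up a directory tree into a tar archive: backup_dir SRC ARCHIVE
backup_dir() {
  tar -C "$1" -cf "$2" .
}

# Restore an archive into a target directory: restore_archive ARCHIVE DEST
restore_archive() {
  mkdir -p "$2"
  tar -C "$2" -xf "$1"
}

# Emit sorted "sha256  ./path" lines for every regular file under a directory.
# -exec ... + tolerates spaces in names, unlike a plain xargs pipeline.
checksum_tree() {
  (cd "$1" && find . -type f -exec sha256sum {} + | sort)
}

# Compare source and restore checksums. Returns 0 when every file matches,
# 1 otherwise, printing the differing lines so the drill report is useful.
verify_restore() {
  src="$1"; dest="$2"
  checksum_tree "$src" > "$dest.src.sums"
  checksum_tree "$dest" > "$dest.dst.sums"
  if cmp -s "$dest.src.sums" "$dest.dst.sums"; then
    echo "RESTORE OK: $(wc -l < "$dest.src.sums") files verified"
    return 0
  fi
  echo "RESTORE FAILED: checksum mismatch"
  diff "$dest.src.sums" "$dest.dst.sums" || true
  return 1
}

# Positive drill: returns 0 when a clean restore is byte-identical to source.
run_restore_drill() {
  work="$(mktemp -d)"
  make_sample_data "$work/prod"
  backup_dir "$work/prod" "$work/nightly.tar"
  restore_archive "$work/nightly.tar" "$work/restore"
  if verify_restore "$work/prod" "$work/restore"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return "$rc"
}

# Negative drill: truncate one restored file (a silently incomplete restore)
# and confirm the verifier reports failure. Returns 0 when it is detected.
run_corrupted_drill() {
  work="$(mktemp -d)"
  make_sample_data "$work/prod"
  backup_dir "$work/prod" "$work/nightly.tar"
  restore_archive "$work/nightly.tar" "$work/restore"
  printf 'invoice,amount\n1001,250.00\n' > "$work/restore/ledger/2012-10.csv"
  if verify_restore "$work/prod" "$work/restore"; then rc=1; else rc=0; fi
  rm -rf "$work"
  return "$rc"
}

# Run both drills when executed directly; a non-zero exit means the drill failed.
run_restore_drill
run_corrupted_drill
```

In a real plan the source tree, archive location and restore target would come from the plan document rather than mktemp, and the drill would run on a schedule with its exit status feeding whatever alerting the organisation already has; the point is that “tested” means a command with a result, run before the storm, not after it.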

The plan calls for an initial response – the moment disaster hits – but then lays out a recovery plan that may take months. I suspect there are many businesses in both NY and NJ that are scrambling right now, wondering what to do. Some will just call it quits, while others will die a slow death. Some will recover with a plan, and some will get lucky. As Gartner stated, it may take up to five years to finally see the death of some of these companies. The ones that planned well will likely make it. My guess is that there aren’t many small businesses with a solid comeback plan. Make sure your clients understand the various threats, the need for a plan, and the impact of not having a plan. Then help them figure out the likelihood of needing various aspects of a plan – they all need something, but they’ll all be different. Not having a plan is simply a plan to fail.

© 2012, David Stelzl