Archives For disaster recovery


How Long Can You Afford To Be Down?

Find Out What It Costs…Before Talking Budget…

MTD – Maximum Tolerable Downtime, is the first thing you should be thinking about. Data theft and misuse are equally important – but downtime (ransomware or failure) is unavoidable.

Remember What Security Trends Reports Where a Few Years Ago..

Older threat reports (Symantec, Verizon, FBI/CSI, etc.) focused on likelihood of an attack. They measured the number of companies hit by malware, reporting spam, or suffering DDOS.

Read today’s reports and you’ll discover something different…

Newer reports focus on types of malware, cost of downtime, cost of data exposure, and whether or not insiders were involved.  In this ongoing discussion on security assessments, DOWNTIME and COST are the focus.

(Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

The Companies Most Important Assets Used to Be People…Not Anymore

Talk to any DR (disaster recovery) specialist and they’ll tell you, People are (or were) a company’s most important asset.

Not any more.

Now it’s data…Not to minimize the value of a person, but even the WSJ calls DATA the Oil of the New Millennium, not people.

In security, there are three pillars to consider. Confidentiality, Integrity, and Availability. In this article, I’m talking about the third – AVAILABILITY.

80% of Cyber-Breaches Result in Downtime

Every major corporation has been breached at this point…and most smaller firms too. It’s just a matter of time. 8 out of 10 experience down time, and based on Cisco’s graph (from their 2017 Cybersecurity Trends Report), 90% of the 8 will be 8 or more hours…

How much downtime can your client stand on any given system?

Even with data moving to the cloud, downtime is a major factor.  MTD (Maximum Tolerable Downtime) speaks to the old DR metric that asks, how much downtime your firm can stand on any given application before it severely impacts the business.

The actual number has to be given to you as the assessor. You can discover it through observation…

And while it may seem arbitrary, there are numerous studies available online that tell us how likely a business is, to go out of business, given an outage.

Who Knows The Answer And What Does It Mean?

The problem is, most security assessments don’t actually measure tolerable outage, or the likelihood of exceeding executive management’s tolerance.

IT is generally the focus of these assessments…

To the IT Custodian, outage means, working late, not a failing business. The right approach to assessing risk involves assessing those things which create a risk of something bad happening – in this case, business failure, stock price drop, loss of shareholder value, or customer dissatisfaction (to name a few).

Remember, Customer Experience is the New Brand Metric…And downtime kills customer experience.

So who knows the MTD?

The asset owners know…the ones who use the data to drive the business. And different departments will add more or less value to the overall business success – executive management knows who they are. IT, on the other hand, does not. (Just ask any executive).

Ask the end users, and they’ll tell you they can’t stand any downtime!!!

Of course that’s not true. However, any business critical function probably requires more uptime than IT realizes, and is worth spending more to maintain than most executives would like to admit.

Uptime is always a cost-benefit analysis.  The first answer is usually, “No downtime”. Once an estimated cost of zero downtime is displayed, that downtime number suddenly goes up…

Getting Real With Risk And DownTime

What’s really happening here is, when faced with a large financial number, executive management suddenly wants to take on more risk than they can actually stand.

It’s no different than the person with no consistent income getting approved for the sub-prime mortgage, so they can finally get their house.

The house-buyer’s attention is on the house, not the payment.  With downtime, it’s the same. The buyer’s eyes are on spending where it feels good, not minimizing risk.

It’s the assessors job to convince asset owners, downtime is only a matter of time. Remember, most breaches (80%) will result in some downtime. Half will be in the range of one day or less…but about the same number will exceed one day by 1 to (pick a number) of days.

What’s the likelihood of downtime? Close to 80% – given the likelihood of being hit with some form of cyberattack is nearly 100% over some time period.

Solving The Problem

The problem of downtime used to be solved with EMC SRDF (mirrored NAS over a wide area connection), or at minimum, redundant systems running a highly available configuration. These are expensive solutions when talking to mid-market and down…

Does your MSP offering include virtual data servers in a hosted (protected) environment? Are you running a virtualized HA configuration?

What about using a dropbox-like solution in addition to backups?

In a recent sales call, one of my clients had a firewall opportunity. The vendor SE accompanied them on the call. When the client was asked about the need for redundant firewalls, they replied, “Not necessary”.

The vendor SE made a note and moved on…but my client, having been through the Security Sales Mastery Program knew better.

IT can’t answer this question!!! A single FW outage would shut down just about everything – all external communications including cloud app access, email, etc. Can any company actually work without their Internet connection anymore? Probably not…

Suddenly, downtime is a serious issue, and one that demands new services…hosted systems, redundancy, HA Internet access, data in the cloud, and more…The risk assessment, when focused on MTD, is your fastest road to up-selling services to your clients.

© 2017, David Stelzl






2017-03-03_13-54-13NIST Framework: You’ve Heard It, Lot’s of People Refer to It, But Do You Know What the NIST Security Framework is…

If forced to… (sales person to client) could you explain what the NIST Security Framework is?

NIST is important to the Assessment process as it gives you an easy reference point from which to assess and define risk. In a sales situation, the customer (if they have any knowledge at all) should be asking you how you approach assessments.

How will you answer?

If you’ve read my book, The House & The Cloud, You already know most of the NIST Security Framework…

(I wrote version one of The House & The Cloud in 2007, so you know I wasn’t just copying NIST – it’s a 2014 publication – of course I’m not claiming to be the author of NIST either).

Either way, it’s important to know NIST if you’re going to talk security.  So here’s the simple “sales person level” overview…

Notice the outline below. There are 5 major components. You’ll remember from The House & The Cloud, PDR – Protection, Detection, Response (Chapter 13)…NIST simply adds IDENTIFY (on the front end) and RECOVER (on the back end).


In my 2007 book (updated in 2015), I develop The IDENTIFY aspect in more detail (just under a different heading – the Three Important Questions You Should Be Asking Asset Owners). – See Chapter 13, The Three Questions.

  • What are you trying to protect?
  • What are your relevant threats?
  • How likely are you to be able to detect and respond before damage is done?

These three questions provide a clear understanding of just how asset owners (and IT) view their data, their threats, and their current approach to security. In most cases they have no idea that certain digital assets even exist, and chances are, IT cannot define their firm’s most pressing threats.

PDR – The Core of NIST, But Selling It Requires Strategy

Understanding PDR. 

The House & The Cloud is a sales training book, not an SE’s Handbook. So use NIST as the foundation for your security approach to provide credibility in the sales process.  Your client/prospect won’t know my name, but they can Google NIST.

It’s not necessary for you, the sales person) to be fluent in security architecture and the various approaches to remediate risk.

But getting buyers to part with money for NIST is a hard hill to climb.  Chapter 13 of The House & Cloud provides the science behind the marketing approach. In my presentation (the one outlined in chapter 13) I first must break the preconception that my prospect has security “Covered”.

The conversion happens when the client sees their investment tied to column ONE – the NIST protection column (as is explained in The House & Cloud). Protection alone (keeping people out) won’t stop hackers…but until the client sees the truth (and admits their mistake) they won’t move forward.

If you want to be the Trusted Advisor, you must be TRUSTED, and ABLE TO ADVISE…and that means you client must first admit they need advice!

The House & the Cloud solves the problem of how to explain what security should look like, while getting the prospect to admit they have it wrong (Assuming they do).

Finally -Recovery…As in Disaster Recovery

My response calls for Realtime Response…I make the point (in The House & Cloud book) that faster response is needed – even realtime response to stop the threat before harm is done.

In other words, if I could somehow stop the ransomware before my data gets encrypted – I would be a lot better off.

However, stopping disasters is not always possible…and so the Disaster Recovery Plan is essential…developed, documented, and tested regularly. This last component needs work, especially in the small/medium business markets…

Disaster Recovery offers another great opportunity for resellers in the IT Management / MSP business! (And I’m talking about a lot more than just Backup and Recovery Services).

Check out this short NIST video from Rapid 7 for the overview…(Thanks Rapid 7, this clears up a lot of confusion).

© 2017, David Stelzl

Confidentiality, Integrity, and Availability.  These are the three pillars of any security plan – although most people think of hacking when they hear “Security”.  Today I’ll be speaking to business leaders in Cincinnati, Ohio on the topic of data security.  It’s not a technical talk, but rather a look at the trends and concerns, the people behind data theft, and the wrong mindsets most people have around security.  If I had time to rewrite my presentation, I might choose to do more of a briefing on disaster recovery and business continuity.

This week’s storms exposed one wrong mindset – the one where everything looks okay, so it must be.  Every week I hear accounts of security assessments being conducted, where engineers are reporting a lack of data backups and business continuity.  You would think that after so many years of PC computing that companies would have put something in place.  Even some of the larger more sophisticated companies are running daily production with untested, outdated, tape based back up systems.  With today’s mobility technology, G4 cellular capabilities, and high-availability storage, we should be in great shape when something like this hits (at least from a data and system standpoint). But news reports coming out of NY and NJ are telling a different story.  In some cases companies had some, but not all, systems backed up – such as in the case of  In other cases, companies like MailChimp got lucky – their data was in a location that did not get hit – while their other data centers were hit.  In most cases, it’s the midsized and smaller companies where I see no back up, or a simple onsite tape back up, but nothing off site.  With the low-cost solutions available today for cloud based backups, it makes sense that even the smallest companies would invest in this type of technology.

Failure Leads to “Out of Business”

Garter has stated, “2 out of 5 companies that experience a disaster will go out of business over the next 5 years.”  Its interesting that it takes 5 years – in other words, recovery drains the company, sets it back, and slowly kills it.

Business continuity specialists have given a number of statistics on where the failures are.  Somewhat surprisingly, 40% of disasters are related to human error, 40% come from applications failure, and 20% are technology hardware related.  Somewhere in there, about 4% are natural disasters…of course where you live will increase or decrease this number.

Areas of Impact

There are generally four areas to be concerned with…

According to my friends in the business continuity and disaster recovery business, there are four areas that must be handled when disaster strikes.

  • Direct financial losses – sales stop, investments may suffer, and billing doesn’t happen.
  • Production – people can’t work, plants shut down, etc.
  • Brand and reputation – do people still trust you?
  • Regulatory / etc.  – including compliance, credit ratings, etc.

Long term outages will kill a company over time.  Trying to recover data can be time consuming, labor intensive, and very expensive.  One project I worked on years ago put a global manufacturer on hold for three days, sending three shifts home for all three days.  They would have spent far less on a simple backup solution. The cost of their data recovery was big!

You Need a Plan

Business continuity is not a backup application.  It’s a plan – it provides direction on what to do in the event of a disaster.  It specifies the backup and high-availability of systems and data, provides for a way to continue work without coming back to the affected location (at least initially), and calls for some training and testing so that the employees of that company know what must continue to run, and how.  Every company should have this – it might be that only certain functions must continue during the recovery process, but without a plan, it’s impossible to tell.  The plan will guide you in the midst of confusion.

The plan calls for an initial response – like the moment disaster hits, but then lays out a recovery plan that may take months.  I suspect there are many businesses in both NY and NJ that are scrambling right now, wondering what to do.  Some will just call it quits, while others will die a slow death. Some will recover with a plan, and some will get lucky.  As Gartner stated, it may take up to five years to finally see the death of some of these companies.  The ones that planned well will likely make it.  My guess is that there aren’t many small businesses with a solid comeback plan.  Make sure you clients understand the various threats, the need for a plan, and the impact of not having a plan.  Then help them figure out the likelihood of needing various aspects of a plan – they all need something, but they’ll all be different.  Not having a plan is simply a plan to fail.

© 2012, David Stelzl