Today's heightened security awareness and business continuity concerns have put a greater emphasis on preventing disaster and ensuring business availability. When mission-critical systems fail, even for just a few hours, the damage reverberates from internal systems to stock prices and client confidence.
To get some perspective on how critical business availability is today, TechRepublic spent time discussing disaster recovery with expert Jim Simmons, CEO of SunGard Inc.
Simmons stepped into his role at SunGard, an IT solutions provider for financial institutions and information availability systems and services, in 1999. He led the company’s acquisition of Comdisco last November, and is spearheading the company’s growth in Europe with the purchase of U.K.-based Guardian iT PLC, a leading disaster recovery services firm.
Prior to SunGard, Simmons served as the vice president of Sun Data, Inc. in Atlanta, directing the operations, sales, and administration of its business recovery services division. SunGard Recovery Services, a division of SunGard, later acquired Sun Data.
How 9/11 raised awareness of need for disaster recovery
TechRepublic: Before 9/11, IT organizations were focused on preserving data, and a few—such as online player eBay, financial services companies, hospitals, and the government—realized the importance of having systems readily available, too. If 9/11 hadn't happened, do you think disaster recovery and business continuity would be in the forefront of enterprise concerns?
Simmons: 9/11 did raise awareness. People now have it in their minds to protect their data. But they have underallocated for systems resources. This is painfully apparent where the people aspect comes into focus. What happened at the World Trade Center was a horrible loss of human life. Data loss wasn’t as much of an issue, because the real estate was just too expensive in the Trade Center to store a mass of information on site. Instead, what happened was that companies weren’t prepared to set up workspaces for employees who needed to keep operations running after 9/11. Part of disaster recovery and business continuity involves people and applications. It’s not just about data. Keeping the people and the information connected is key.
TechRepublic: Why haven’t more IT leaders looked at business continuity as a serious issue?
Simmons: The reason is that market forces have created a level of technical complexity that’s made it more difficult. First, today more people need more access to more information than ever before. Twenty years ago, you may have had one mainframe handling orders. But now companies have multiple mission-critical systems that allow end users to place orders, retailers to monitor inventory, and businesses to communicate inventory status with vendors and customers. We’ve been able to put the technology at the end users’ fingertips. Because of this, things have become more complex.
With the increase in technical complexity, what you need to do [to keep mission-critical systems available in a disaster] has become more difficult. Technology advances have automated multiple processes within a single entity. That has created a greater dependency on information, in turn expanding the definition of what constitutes a disaster.
It isn’t that they weren’t interested in information availability before. It’s simply that their interest had not caught up with the rapid level of technology advances.
TechRepublic: What kinds of risks should companies be prepared for? Viruses, Internet security breaches, natural and unnatural disasters, and power failures are all on the list, aren't they?
Simmons: I’ve been doing this for 16 years, and the list of disasters is unbelievably long. It’s virtually impossible to anticipate every scenario. Most companies need to understand how their business functions so that, regardless of the disaster, they’re able to keep their business, their customers, and the information connected.
As the recovery window from disasters begins to shorten, then the definition of a disaster expands. Now anything that interrupts the flow of information can be a disaster. It could be a backhoe cutting the power to your building.
TechRepublic: What are the current inadequacies in IT organizations related to information availability? Might it include single-site systems or inadequate offsite data storage, for instance?
Simmons: Some people think they have a plan when they have data backed up offsite. But what these companies don’t realize is that having a tape backup offsite does no good if the people can’t access the information.
In a study SunGard did a decade ago, 30 percent of companies said they had offsite backup. Today, our survey shows that 70 percent do. For mission-critical applications, it was only 40 percent.
Ten years ago, people were only worried about backing up their general ledger on a big mainframe computer. Today, companies have not kept pace with their needs for data backup and business availability, as there has been an explosion in the use of technology in all kinds of businesses. When it comes to getting the information infrastructure back up, clients are still woefully unprepared.
What is considered critical data?
TechRepublic: How should companies prioritize the data that they want to have available? For instance, personnel data might be less important than time-critical or mission-critical data.
Simmons: Companies generally have to conduct a risk assessment, and that means determining the cost of downtime for a particular business application. It kind of forms a continuum. There are some systems you could live without for two weeks. Some you need in two hours or two days. And for some, it could be two minutes before they start to lose millions. Obviously, it’s implicit that you need to take prudent steps for a two-day scenario or less.
TechRepublic: What might a typical information availability methodology include?
Simmons: Let me give you an example: At the Philadelphia Stock Exchange, every transaction on the floor is instantly duplicated on a SunGard system. If they ever had a loss in that building, they’d never have to go back and recreate those transactions. Recovery time is less than two hours. This is an example of an engineered solution.
It used to be the CIO would ask, “What happens if a fire hits this big data center? What happens if I lose access to my big computers?” Now it’s more like, “How does my business run?” It has evolved from disaster recovery to information availability—keeping information and people—the end user—connected. We’re getting tremendous demand for end user recovery. So it’s not just the computers in the systems anymore, it’s the people.
In 9/11, the information was protected, but it was the clients’ clients that needed that information. In 9/11, we used upwards of 40 percent of our desk and chair capacity—you know, people capacity [to get SunGard client businesses working again]. We used only 10 percent of computing capacity.