Business Continuity and Disaster Recovery

[MUSIC] Hello, welcome to another exciting episode here at ITPro.TV. I'm your host, Mike Rodrick, and today we're doing Business Continuity & Disaster Recovery. In studios, we've got none other than Mr. Rob Carson with SemperSec here to help us and talk about business continuity and disaster recovery. And we're gonna talk about in this episode, we're gonna take a look at what we can expect over the next few videos in this series. And before we get started, Rob, let's talk about you and a little bit about your background. Hey, thanks, Mike, and I'm really excited to be here. So my background, originally I was a Marine Corps infantry officer, so I did seven years in the Marine Corps working with Oorah. Oorah? Yeah, Oorah, right? And I spent quite a bit of time with the Iraqi army as well as the leading platoon. So organized chaos, a lot of craziness. So understanding how to fight through different high stress activities. And then after I left that I started as the VP of operations at a small managed security service provider. And then was also a director of security in the back end of the cloud. So unfortunately, or fortunately for you, you get to learn from my lessons learned this week, because none of these things that I'm gonna give you this week are what things I read in a book? They're things that I made the mistakes on and learned my lessons to help you. That makes it a little bit easier for us. We'll let you go through the pain, and then we'll just learn from you. I like that. Absolutely. [LAUGH] Absolutely. All right, so what are we gonna talk about here? I know we've got several episodes we're gonna talk about business continuity, disaster recovery. Break down what our plan is and what we're gonna be going over here. Absolutely, I'd love to. So to get started here, we're gonna talk about how to get Left of Bang, okay? And that's an important piece to think about is what we're doing is, we're thinking about what happens before. How do we plan so that we, when Bang happens, when something, when a disaster happens, and it will, what do we do? We already have that plan in place so that we can act much more efficiently and effectively and not be running around trying to do things at that point, cuz at that point you already have enough to do. We're in the middle of the bang, or we're right at the bang, and it's kinda too late at that point, right? [LAUGH] Exactly, it's not the time to work on marksmanship. It's not the time to figure out which systems to restore in what order, because you should already kinda know that. If you don't, this is what we're gonna talk about. We're gonna build that. And that's one of the great things we're gonna do, is we're actually gonna build a BCP plan during this week. We're gonna go all the way through it, build it straight up. And that way you actually see how it's done from a pract app standpoint, and you're not overcomplicating it. And we'll try to talk about different scales, so what it looks like for an SMB, versus a large enterprise, the differences, because there are. Fantastic, cuz that's one of the things I know when you're getting into this, you can go out and you can find templates and things like that. But if you don't know what information I need to put in here, is this template right for me, it becomes difficult. So having you walk us through that thought process of what do I do to create this BCDR? Where do I even start? So fantastic, we're looking forward to that. No, you need everything. And so let's talk about what as well. So BCP is that framework, right? So business continuity plan, for essential business operation, is when things happen. And what you wanna think about for that is it's not just IT. It could be pandemics. It could be hurricanes. It could be multiple things. One of the last places I was at, we had an office in Seattle. I had to write about volcanoes. Never thought I'd write about volcanoes. But it turns out volcanoes are a thing, if you live in Alaska, you live in Seattle, you live in Hawaii. And then ITDR is when IT happens. And it's gonna happen, cuz it is what it is. And we'll talk about different ways to build those kind of plans as well, cuz those are really a subset of it. And then we're also gonna talk about who. So we're gonna talk about who are the stakeholders involved with each and who you need to involve at different points in the planning process, what rules they have and things like that, and where? So I have a great database that I'll show you later which we can do the research on what is relevant to your location if you're looking from a natural disaster standpoint. So you're not just saying wow, this could happen. We have the FEMA documentation for what they've declared disasters for by region. So you actually have something tangible that's not you going, well, I think this could happen. Well, a lot of things could happen. I could grow hair, but might not. [LAUGH] So let's get there. Yeah, good to have those facts behind us so I'm not wasting time, but I'm being productive and effective. If we don't have a common occurrence of earthquakes in the area, I probably don't need to include that in my BCDR. Exactly. And we're gonna talk about why. Why is an interesting one. Sometimes it's hard to get people to focus on those before the disaster. It always seems to be one of those, man, I wish we would have. But this is an important part and it has to be done before that bang happens, right? Absolutely, and why is huge, because it's hard. One of the challenges you will have is getting people to spend money on something that's gonna sit there just in case. It's like when you buy insurance, right, you pay all this money and nothing happens. But when something does happen, you're really glad you have it. But it may not happen for two or three years. So and the problem with technology, too, as you'll find, is that technology has to be updated. And you have to continue to invest in it and keep it going, especially as you grow. And that's one of the things we'll talk about is how to manage your ITDR while you scale, so that you are in parallel paths moving up. So if your DR capacity is here, and your regular production capacity is here, it moves in those parallel paths. Okay. Cuz if you don't, what happens is you wind up here, and this may not be acceptable. And getting that buy-in from the upper levels, as you were saying, can be challenging when there's really no immediate need for it. That's gotta be tough. Absolutely, and change happens, so you think about a small company, they may not have enough business where it matters. Or so it's like, hey, if the website goes down, website goes down, no big deal. But as you grow, that could actually impact you. So that's why we talk about how you have to constantly evaluate it and test it and does it map to where you are today? And I like what you have on your slide there, too, about prioritizing the information. Not everything in the company needs the same level of protection, is that what we're saying there? That's absolutely true. I mean, from a security standpoint, you can buy employees LifeLock, you can't buy them new jobs. Right, [LAUGH]. So you have to think about, I'm not saying don't protect employees' data. But I'm saying that there are things that are gonna have higher priorities than others, because what keeps the lights on, what keeps the revenue coming. Because at the end of the day, that's what employees want, right? That's what we all want. And that's part of your messaging campaign is, make it relevant to them. We're not doing this just because, we're doing this because we wanna make sure we all stay employed. And change happens, right? The world changes. So how do we do stuff? And we've gone to the cloud but what does the cloud mean from an ITDR standpoint? Cuz I can tell you having sat on the back end of the cloud, it's not all magical gumdrops and unicorns. It sounds like it. Sometimes they make it out to sound that way. Sure does. It's like, take what's in the cloud, it'll be fine. We'll talk about that, how it's maybe not always the case, and what to look for. And we're gonna go into how. How yeah, how do we even start, where do we start? How do we do all of this? Absolutely, and it's gonna be great because we're gonna go in detail how do we do this, who do you involve, what are the messages you want to push out? And you guys get to learn from my lessons of things that, hey, if I had to do it over again, this is how I would have done it. Or here is what you're gonna experience. Here are the problems you're gonna have. You're not alone, you're not special. I hate to say it, I know everyone's special and you all get a trophy. But in this case, these are common challenges that any professional has that you have to work through. Because it can be exciting for about a week, and then guess what happens? The business takes off, you're like, yeah, yeah, yeah, but we gotta go make money. So you gotta make it relevant. All right, Rob, sounds great, exciting stuff. As you can see, we've got a plan for you here in this series coming up with Mr. Rob Carson and SemperSec, and covering that business continuity and disaster recovery. I hope you guys are ready, stay tuned. Signing off for ITPro.TV, I've been your host, Mike Rodrick. And I'm Rob Carson. And we'll see you soon. [MUSIC]