Tuesday, May 29, 2012

Business Owner vs Business IT vs IT Supplier - disaster recovery fun#1

This is another classic story that may raise a smile for some security pros out there....

Business Owner guy: <* shouting over the phone *> What's happening? Why can't my customer access the application?

Business IT bloke:  The whole IT Supplier's data center is currently down. It has something to do with the earthquake that happened 10 minutes ago. Seems like the data center was badly hit by the quake. I managed to get hold of the service manager and he has arranged an emergency meeting in 15 minutes to update us on the situation.

After 15 minutes, in the emergency meeting...

Business Owner guy: IT Supplier chap, I understand you have a lot to deal with right now, but my application is business critical. When can you get it up again? I'm losing like 10K per minute here!

IT Supplier chap: We will do our best sir, but we have to give priority to our other customers that have a disaster recovery SLA with us. I have checked our SLA; since you did not sign up for disaster recovery, we won't be recovering your application anytime soon...

Business Owner guy: This is ridiculous! I remember we stated the need for disaster recovery in our requirements! Didn't we, Mr. Business IT? How come it's not in the SLA?

Business IT bloke: Mr. Business Owner. Yes, we did mention it in the requirements <* staring at IT Supplier chap *>

IT Supplier chap: Sirs, yes you did, that's true. But when we came back to you - Business IT - with a disaster recovery proposal and cost estimation, we heard nothing back. As per our standard operating procedure, if we haven't received any feedback within 1 month, we will take it as a "no". This condition is clearly stated in our proposal.

Business Owner guy: <* talking to Business IT bloke *> Sounds to me that you screwed up. I demand you take full responsibility for this whole fiasco!

Business IT bloke: <* talking to Business Owner *> Wow... wow! Hold your horses! Don't get overexcited yet! Yes. We received that proposal and I did forward it to you. I still remember that you made a big fuss about how it would cost you an arm and a leg and you didn't have the budget, etc. etc. In the end, you just brushed it aside. I still have those emails you wrote about this....

Business Owner guy: <* speechless..... and almost wet his pants, as he is most certainly losing his job now... *>

Sounds familiar? Another déjà vu, right? I was smirking inside throughout the whole episode... "enjoying" the debate, finger pointing and the Tai-Chi (passing the buck) between them.

Moral of the story?
1. Disaster recovery can indeed be expensive, but it is just like insurance: you'll thank God you have it when you really NEED it.
2. Perform a comprehensive business impact analysis on your business for business continuity. It will help you decide whether you really need a disaster recovery service/plan or can accept the risk. If disaster recovery is needed, a comprehensive disaster recovery plan needs to be developed and maintained.

PS: The Business Owner finally "purchased" the disaster recovery service.... but his application did not survive the second earthquake. Why? That would be another story for another time :)

Ain't security fun? ;)

Acknowledgment: Picture taken from http://www.flickr.com/photos/fncinsider/5529591463/sizes/m/in/photostream/

