Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and U.S. regulations are elevating concerns regarding original archival to the level of disaster recovery. However, business executives and CIOs are living in two different worlds when it comes to how they think about disaster recovery, according to a new survey of enterprise executives in the U.S. and Europe, published in July.
The telephone survey, which was sponsored by storage vendor EMC Corp. but conducted by the research firm RoperASW in April and May of this year, asked executives how vulnerable they felt their company was to “losing access to business-critical data” in the event of a disaster.
Just 14 per cent of business leaders felt that their data was “very vulnerable” in the event of a disaster, but almost four times as many IT executives felt that way: 52 per cent of them saw their enterprise data as very vulnerable, according to the study’s authors.
When it came to predicting disaster downtime, the disconnect was less pronounced: 91 per cent of business executives thought they’d be able to resume normal business activities in less than three days after losing access to business-critical data, compared to 78 per cent in IT, while 37 per cent of business executives thought it would take their company eight hours or less to be up and running, compared to 40 per cent on the IT side.
IT and business gap
EMC cites the poll as the first attempt ever to examine the difference between business and IT executives’ attitudes toward disaster recovery, noting that it establishes that the gut perspective was right: the IT and the business executives have been somewhat out of sync.
While the study was based in the U.S. and Europe, the gap between IT and business executives also exists in Canada, says Ross Allen, managing director, EMC Canada.
“Everyone is still doing tape-based back-up off the secondary remote site,” he says. “If you have 10,000 tapes to mount and each takes 10 minutes, just the physical tape mount time makes it not possible to restore within three days.
“Business continuity doesn’t just include online banking records and account management records,” he adds. “It is now a wider scope.” Applications that used to be non-critical now are becoming critical. For example, even email must be archived.
Regulations in the U.S. require data to be archived for seven years in its original, non-tampered storage format, Allen adds. Some documents must be stored indefinitely. In Canada, PIPEDA has brought momentum to addressing archival requirements.
Clearly, a key challenge is choosing a medium that will be accessible many years down the road. “What if music backups were done on 8-track?” Allen asks pointedly.
Allen is keen to point out that EMC’s Centera product provides disk-to-disk recovery capability, which offers accuracy and speed advantages over tape back-up. He argues that tape degenerates, causing data degradation. Also, tape is not fixed-content storage, but instead can be written over many times. He says that EMC has committed to ensuring that data can be read on its archival Centera product for 20 years, so data can be stored in its identical format once.
Recovery more critical
Allen notes that business recoverability and back-up capability have increased in importance. “When the written transaction is replaced by the electronic transaction, the fear is that the electronic image can be manipulated and changed as opposed to the forgery based on whiting out someone’s comments on a letter. So hence there is an increased requirement to store that with complete confidence that once it is stored it can never be touched, altered or written over for a specified amount of time. The regulations are intended to ensure the integrity of that media.”
“This report validates that one of the problems in the industry today is that there’s this disconnect,” said Tony Prigmore, a senior analyst with the industry research firm Enterprise Storage Group Inc. “It says one of two things: either IT is correct in their level of concern and the business folks had better get on board,” he explained, “or the business folks are actually listening to IT, and taking a calculated business risk decision to not take any action.”
New regulations, like those covered in the Health Insurance Portability & Accountability Act, the Security and Exchange Act, and even the Sarbanes-Oxley Act will ultimately bring business and IT thinking in line, Prigmore predicted. “This gap that we see in the research has to go away,” he said.
In Europe, this seems already to be the case. When European executives were asked the same questions as their U.S. counterparts, 40 per cent of business leaders felt their data was “very vulnerable,” compared to 44 per cent of IT executives. Twenty-five per cent on the business side thought it would take more than three days to recover from a disaster, compared to 26 per cent in IT. And 39 per cent of business people thought the enterprise could be up and running within eight hours, compared to 31 per cent of IT executives.
Two reasons account for the difference between European and U.S. responses, said EMC’s Higgins. First, “the fact that the organizations tend to be a little flatter in the European marketplace probably leads to better communications between the CIOs and business executives,” he said. Second, European history has simply made businesses there more aware of the possibility of a man-made disaster, like a terrorist attack, he said. “They’re just more sensitive to those situations than their American counterparts.”
The survey interviewed 274 executives at U.S. corporations and 254 in European companies, all of which had at least US$1 billion in annual revenue. Executives were chosen from a mix of industries, including health care, financial services, manufacturing, and retail.
With files from Robert McMillan, IDG News Service (San Francisco Bureau)