Securing The Super Bowls Of Sports

If your CIO doubles as your CFO, you might be a small or midsize business (SMB).

Steve Snodgrass fills both roles at Granite Rock, a 600-person construction supplier. The CIO/CFO, like a lot of his SMB peers, works with a tight budget, a downsized IT staff, and increasing requests from the business. "We're what I would call a classic midmarket company," Snodgrass said in an interview.

For some SMBs, that mix means cutting corners on things that have a blurrier link to the bottom line, like disaster recovery (DR) planning. Yet Snodgrass keeps DR top of mind because, well, he has to--Granite Rock operates on the San Andreas Fault, where an earthquake isn't just possible--it's probable. "One of the challenges for us as a company is to have a disaster recovery plan that works and is affordable," Snodgrass said.

Snodgrass and Granite Rock began facing that challenge back in 2000--largely by accident--when the company decided to outsource its enterprise resource planning (ERP) system to WTS, which is now part of Velocity. The reason? The Bay Area firm was dealing with a dot-com talent drain. A full backup and recovery plan came about over time as its outsourcing decision evolved. Today, Granite Rock's ERP system is hosted in Seattle and fully recoverable from another secure site in Denver should anything go wrong. If disaster strikes in San Francisco--or Seattle, for that matter--Granite Rock can continue to pay employees, bill customers, and keep critical operations running.

[ Intellectual property and mobile top the list of SMB security concerns. To learn more, see Top SMB Security Worries: Intellectual Property, Mobile. ]

Whether or not you're in a high-risk area, Snodgrass's approach offers some DR wisdom for fellow SMB IT pros to consider in their own organization.

1. Become a pragmatist. Granite Rock doesn't have the budget or IT staff to ensure that every application and system is fully recoverable, so Snodgrass doesn't bother trying to achieve 100% readiness. Recovering the ERP platform is priority one, so that's where he and his team has put its focus over time. Granite Rock does some less comprehensive DR planning for other important applications--its Microsoft Exchange server, for example--and it makes educated decisions about which areas to ignore. An earthquake would knock out the weighing systems Granite Rock uses when customers place orders for tons of rocks--but Snodgrass isn't losing sleep over that. The wide-area networks those systems rely on would also be down, so recovery is moot.

"Redundancy wouldn't get you anything," Snodgrass said. "We take a pragmatic approach: What are systems you can't afford to live without, and what are systems you could live without?"

2. Lose the cloud fear.Snodgrass is quick to acknowledge that his company's DR readiness began somewhat serendipitously. But the decision to move a business-critical application offsite was key; fellow execs that have shunned cloud platforms for security or other reasons. Snodgrass doesn't think those fears are unfounded, but notes that moving to hosted platforms can help IT pros create a DR plan without separate costs. "We embrace it," Snodgrass said. That doesn't mean he does so with a blind eye--it's just that the benefits outweigh the risks. "Are there security and trust issues? Absolutely."

3. Stop fretting over ROI. When it comes to proving a return on his IT investments, Snodgrass is in a unique position: because he's also the CFO, he is, at least in part, proving ROI to himself. Yet when it comes to DR, Snodgrass thinks SMBs should become less obsessed with ROI in the traditional sense. "One of the major flaws of the IT industry is that there aren't a lot of solutions that have a tangible return," Snodgrass said. That's a problem if you're making a financial case for DR in your organization--a case Snodgrass said will likely be met with skepticism by the CFO and other stakeholders. Instead, he advocates a different approach: Describe your DR plan as an insurance policy.

"There's no rate of return on insurance," Snodgrass said. "If you don't have a [disaster] that's insured, it's just an ongoing cost to the business." And yet when something does go wrong, the uninsured business might soon be out of business.

4. Put the plan through its paces. The most common DR pitfall in Snodgrass's view--aside from ignoring it entirely--is to invest in a plan and then not test it. "It's one thing to have a disaster recovery plan; it's another to know that it actually works," Snodgrass. That means testing it in simulated disaster conditions. Granite Rock, for example, practices recovering and restoring its offsite tape backups so that the team isn't trying the somewhat laborious process for the first time in an actual disaster scenario.

Equally important: Testing should be an ongoing process, not a one-time task. The reason is simple: "It's a moving target," Snodgrass said. "IT is always adding services, and the business is always demanding services. That's a real challenge for a midmarket company."

IT's spending as much as ever on disaster recovery, despite advances in virtualization and cloud techniques. It's time to break free. Download our Disaster Recovery Disaster supplement now. (Free registration required.)