Disaster strikes - when? That's right: When you least expect it. Which is why planning is essential. It's also why technology leaders are typically the organizational role most likely to be saddled with the responsibility for creating and curating BCP/DR or DRR plans. In this episode, co-hosts Brian Comerford and Nick Lozano discuss the need for business continuity planning as well as outlining the process and providing resources to help begin this leadership challenge. It may seem like an exercise in futility, creating in-depth documentation and risk readiness planning for events you hope never happen. That is, until the day you're reliant on all of that detail-oriented work.

Hosted By:

Brian Comerford
LinkedIn: https://www.linkedin.com/in/briancomerford/

Nick Lozano
LinkedIn: https://www.linkedin.com/in/nick-lozano-97356621/
Twitter: https://twitter.com/NickLLozano

‌Lead.exe is published bi-monthly on the 1st and the 15th of the month.Subscribe and leave us a review to lets us know how we are doing.

Spotify: https://open.spotify.com/show/58U55KZykbYXJhuvtPGmgc

iTunes: https://itunes.apple.com/us/podcast/lead-exe/id1454843941

Google Play: https://www.google.com/podcastsfeed=aHR0cHM6Ly9mZWVkcy5zaW1wbGVjXN0LmNvbS9QZHJGaTAzUQ%3D%3D

Stitcher: https://www.stitcher.com/podcast/leadexe

YouTube: https://www.youtube.com/channel/UCjPXFiYVICXJSBW-ZoHBclg

Send us your feedback at [email protected]

Show Transcript:

Nick Lozano  0:08
Going on Brian is Friday the 13th. It's the 13th of March 2020. Exactly.

Brian Comerford  0:15
And what more appropriate date to be discussing things like Business Continuity Planning and disaster recovery. It's been an interesting escalation of events that we've seen just in one week, let alone the last two or three months with the spread of coronavirus or Cova. 19.

Nick Lozano  0:36
Yeah, now, and I think that's why we kind of broke from our traditional, you know, production schedule of interviewing guests and just decided we were going to have a conversation because, you know, just from Monday, was it Monday the 12th or something Monday, the 12th is the 13th right now, but you know, like the ninth or something the Monday of this week in 2020. You know, things have drastically changed from Monday to Friday in disaster recovery, business continuity, all that stuff is something that should be on top of it leaders mind right now.

Brian Comerford  1:11
Absolutely. And it's it is a complex process. And it's something that is really a key set of responsibilities for leaders in an organization, let alone technology leaders. I think part of the reason that ends up landing in the laps of technology leaders most often it's what I would qualify as the curse of competency, right. We're the department that tends to be responsible for managing the technology, which is a critical component of disaster recovery planning. But it's also that we tend to be very detail oriented and our documentation, as as you know, is required for our own day to day operations. And we also tend to be the ones who are in charge of all the data, right? Yeah. The backup the warm failover you know, All those

Nick Lozano  2:00
things when I get it, you know, most of people's interactions with work, you know, in the office space environment is with computers and technology. Right. So we've kind of had to do it for a long time, especially since we've moved stuff to the cloud. You know, we had data failover backups. So it kind of falls in eyeties lap, because we've been doing it for a long time. Just for the for the IT environment perspective. So a lot of organizations will lean on that experience and expertise, you know, to help drive the conversation, but everyone in leadership be involved should be involved, not just it.

Brian Comerford  2:40
That's exactly correct. It's a shared responsibility. And we're going to talk at length about that today.

Nick Lozano  2:45
Yeah. So with that, let's go on, go ahead to the show.

Brian Comerford  2:56
Welcome to another edition of lead daddy xe I'm Brian comer Ford and Denver, Colorado.

Nick Lozano  3:00
And I'm Lozano in Washington DC and

Brian Comerford  3:03
today we thought we would tackle a timely topic and discuss disaster recovery Business Continuity Planning. Yeah.

Nick Lozano  3:12
I think it's a you know, trying time right now we're recording this on March 13 20 2020, if anyone's listening and coronavirus, Kovac 19. Is that what it is? That's right. Um, has a lot of teams scrambling around to, you know, work on their disaster recovery policies, remote teams, it's it's a lot of stuff that's coming to eyeties plate right now. I was just speaking with with a vendor of mine, and they were talking about, you know, they have customers that are trying to, you know, have remote work enabled for them, but they're nowhere near ready for that. And that's something that you just can't spin up overnight.

Brian Comerford  3:55
Yeah, this is exactly accurate. That's why, you know, I remember Sitting down to a very first BCD er, committee. And, you know, that was probably, I don't know, 2007, something like that. And I remember saying isn't isn't the phrase BCP? Dr. And, and someone looked at me and they said, well, business continuity, disaster recovery? No, I don't think there's any PII in there. And I said, well, it's the planning part, planning. And I think that's what's coming to a head right now for a lot of organizations is they're being set into a mad scramble. Because the planning piece is once again, you know, part of what has been overlooked. It's great to have discussions around these things. It's, it's great to have good intent, and to have, you know, third party services where you can replicate out all your disaster recovery documentation. But if there's not actually a plan behind it, you don't actually have a Human Resource matrix for who is in your incident response teams, then when things like this, you know, come into action, it's very hard to know which steps to take, who to contact, what to retrieve, you know, tells you procedurally what should be getting done. And honestly, if if you haven't been planning for some period of time to actually create an environment that allows for, you know, exactly the kind of responsiveness that we're hearing about in the media today, which is, everyone's got to figure out, you know, how do we do, you know, day to day operations for our business without actually physically being in the office. If your organization isn't already poised to be able to do that with an infrastructure that can handle it. It's not something that's going to be slapped together in the period of a week.

Nick Lozano  5:56
Yeah, no, and I guess some of it is if you're a small shop, maybe With like five employees or like a handful, yet you Yeah, you could probably very easily set something up, you know, in a day or two, right and have someone on Amazon workspaces and in all these other products like Basecamp, or something for project management. But when we're talking about, you know, the medium size small businesses, I would say once you're getting around, like 10 users, that that's where you you break the point where you can't really just spin something up overnight and test it right. When it's a handful. It's easy to just set something up and get people off and running. But, but I agree with you that you know, your business planning should start a long time ago. Maybe you don't need to sit down and you know, do like something like a high level IBM would do or something but you should at least stop and think say okay, if we couldn't get to the building today, how would we work and then work your way backwards. Assume that, you know, the office is closed, you can't get to your corporate network, you can't get to your internet. How would your employees work from home and work? backwards from the worst case scenario, you know, maybe you can't, you know, complete every situation, but you can get somebody 60% of the way there where they can work, and business can still happen.

Brian Comerford  7:12
Yeah, absolutely. And it's, you know, when we talk about resources, there's both people and systems. Right. So, resource availability is, you know, it's, it's critical in times of crisis. And so, you know, again, knowing what's sort of the bare minimum workforce that's required, in order for our business to continue to function. And, you know, as well as what are those key systems that absolutely have to be up and running? You know, that's just part of the identification process, and then figuring out how do we create that access? How do we create failover for individuals? You know, I know you, you're in an office in DC that's, you know, in in prime territory and you know, as we have talked about for years post 911. You know, what could happen if someone, you know, did something like, brought explosives into, you know, a public setting took out a portion of the building, maybe, maybe it doesn't, you know, do any damage beyond killing your network circuits. But that met substantial, right? So having having a plan in place, what happens, you know, in these events where you can start to build in layers of redundancy, right. And you can't have unlimited layers of redundancy, you have to have smart layers of redundancy. So yeah, I mean, there's example.

Nick Lozano  8:42
Yeah, there's, I mean, there's cost associated with the right, the more redundancy you want, the more expensive this stuff's going to cost. And, and some organizations just can't afford that right to have that 11 nines or whatever crazy thing Amazon has with their s3 buckets, the lives of one data in like a million years or something like that. Right. But, you know, there's an even trade off, you know, we think of technology, this is a perfect time for firms to think of what they're just what their email is, right? Where's your email hosted? You know, maybe it's time to move it to Microsoft or Rackspace, or, or Google pick any of the number of providers that host exchange or, or any type of email, that's an easy way to easy, you know, thing to cut off and think of your phone system, right? We should, you know, you can move your phone system to the cloud. Now, some of the cloud options are just as good as having your on prem option. And, you know, that's one other thing you can do. You know, these aren't things that you can just spin up overnight and have them by tomorrow. But you know, as it leaders, we should be thinking about how we, how we keep stuff operational for the rest of the staff to keep working. And I think as it people just in general, we're always thinking about that more probably than other business units are, because there's more demand on us to have things on 24 seven right? I don't know if there's any more of a unit, maybe if you have a customer service unit. And you know, they're they're expected to be 24. Seven. But I feel like technology right now the technology departments, IT departments, you know, are under huge demand right now to make sure that their environments are up 24 by seven.

Brian Comerford  10:20
Yeah. And it goes back to the P and BCP. Right, it's the planning, there's, there's a lot that goes into creating and curating a long term plan. And it's the kind of thing that you spent, you spend a lot of effort on, in the hope that you're never going to use it. Right. And so from that perspective, it's the kind of thing that it can be difficult to find someone who's passionate about owning it, because it is, you know, an arduous process and there's a lot of documentation, a lot of discussion and, you know, again, a lot of very, you know, complicated work that It goes into a planning structure that you hope never to execute. But it has to be actually prepared in a way as if you would, in fact have to execute it. And that's why, you know, a lot of organizations and certainly I've had this experience myself, and probably you have, you go through, you know, quarterly tabletop exercises. And those can be, you know, they can be, you know, done at a level of detail. That involves a lot of sites, a lot of different Human Resources, a lot of different systems that you simulate, you know, taking offline, or it can be something that's just conducted more on paper with more groups of people, you know, who may only be in your call tree for your executive management team or your emergency management team. But it's important that you don't just write the plan, and you don't just talk to the various stakeholders about how to put together plan, but then you take the plan, you actually put that thing into action and simulations, the best way to accomplish that.

Nick Lozano  12:08
Yeah, and I completely agree with you. And, you know, it's just not big organizations that should be doing this. Even if you're a three or four person shop, you should probably still be thinking about it. Because as you grow, and you bring on more staff, you need to plan to fail, right? There's gotta be some way in there where you're planning, then you at least want to test test it, right? You don't want the first time you do your continuity plan to be when there's a disaster. Just like, you know, when we're in technology, we don't want to test our backups. When we need our backups, you want to test them before that, right? That's exactly correct. So like you said, it could just be as easy as initially, like, hey, when offices closed, you know, call your manager, this is your managers number and you just do everything down a tree like that. I mean can be you can start just As simple as that, but you should be thinking about those things right? Instead of scrambling at the last minute where all your staff doesn't know who to comment, you know who to call when Who are we waiting for? Now to hear from whether office opened or closed, how do I get ahold of the IT department? Do we have an IT department offer a login. And sometimes large organizations, that's even a tricky thing to write. You might have five different IT departments that handle different lines of business, different silos. And you might not know WATCH IT department to call an IT department might not know which department sends you to, they just know they can't help you. So something as simple as just a phone tree. These are the people you call this is your support team. This is our email providers. Here's our links where you log in is a great way just to start, right.

Brian Comerford  13:53
Yeah, absolutely. And, you know, I think there are some some very deliberate sections that need to be crafted for any successful business continuity plan, right. So, you know, call tree is one of those things, you know, having having something that can be crafted in a way that you can create physical copies of it, that can be easily taken off site for folks. But also that is electronically available, so that, again, from a, you know, a shared knowledge perspective, you've got the ability to have access to this data, wherever you are, and by whatever means, right if, for whatever reason, all your stuffs in the cloud and 11 nines isn't good enough for AWS, you're going to have to find some other path to that information. So you know, here, I just grabbed a physical copy of one of our The business continuity plans that, that I had created that, you know, it's got handy little tabs on one end that actually go through, you know, the various sections. So starting with section one, defining roles and responsibilities, right, who in your organization is responsible for what? disaster response and notification. That's the second section. And this includes things like templates, that you would work with a communications department or you know, someone who has that responsibility in your organization to help craft in advance of said disaster, right. So that you actually have something to start from when organizationally, you come to the conclusion that, hey, it's time to start circulating some of this information either for our clients or our workforce, whatever it may be. And then the third section, call trees. This is something that also took some time. To create these handy little laminated, you know, business card size cards that actually contain all of that information that you want to have. So that, you know, this is something that you can just give to somebody, you know, that they can carry in their purse or their wallet and have very easy access to they can take a snapshot of it, have it on their phone. But, you know, you've got to have all of these things ready and available and multiple formats. So you know, a couple of these other sections that that were created here, and we can kind of go through each of these and talk about them in a little more depth. But the fourth section is recovery resumption and reconstitution. Right. What's the plan to put things together after the disaster has ceased? Because that's the other you know, section that you actually need to spend some time really putting into consideration contact information. In lines of succession, God forbid that there is something that, you know is of the scale of a 911. Where there are actually personnel who have been taken out as a result of whatever the disaster is, you know, that's a, that's a scenario where you really do need to know from a lines of succession perspective, who undertakes the responsibilities of that person, both during the disaster, as well as long term for the organization. After the dust is settled, recovery requirements and vital records. That's what I've got is the sixth section. And, again, you know, vital records there. It's it's more than, you know, we've got a binder of our operating agreement for the organization, right? I mean, this, this has a lot of those things that you know, would fall under the fiduciary responsibility of whatever your organization is for both your employees and your client.

And then Section seven. And my plan is testing, right testing and maintenance. And this is again, part of what no one is ever excited to see an invitation coming from you if you're the if you're the BCP, Dr. keeper in your organization. No one's ever excited to see a tabletop exercise invitation coming. It's like, Oh, great. We're gonna spend a day and a half going through this plan. Making sure that everyone understands what's in it and you know, who's responsible for what and what would we do in these situations, and then we're going to go through something like a pandemic scenario, or a tornado or, you know, shooter in the building any of these different scenarios that are real world things that you do, in fact, have to be prepared for and then finally, having an appendix right a glossary of terms because there's a lot of just as there is in you know it or in many different industry types. There's a lot of stuff Specialized language around, you know, verbiage that you'll find in things like BCP, Dr plans.

Nick Lozano  19:07
Now, I like that. And you know, it is a big component of that, but they shouldn't be your only component of that, that when I've seen teams in the past do this, sometimes they try to push it all to it to develop it. But it really needs human resources and senior leadership, and, you know, department heads from every department, because when a disaster happens, everybody's going to be involved, who's who's in the leadership role? Not just it, it will probably have a big load of just making sure the systems are working, and how do people connect and how do we, how do we contact them, but at a certain point, you know, it needs all of the rest of the leadership team to develop it this. So let's drive it to. We kind of talked about, you know, the disaster recovery portion of it, but what's the leadership components of this? A big thing that I'm hearing is just communication right? There's an expectation of that there should be communication two ways. And in this communication should be called right. In my opinion and like it shouldn't be, you know, ah, you know, like we're you know, we're under pressure, we're under fire that the great thing I always think of when I hear military leaders talk about, you know, when they're leading the infantry teams is that they always talk on the radio in a calm matter, no matter what's going on. Because you want people will be able to understand hear what you're saying and understand what you're saying. And that's what we should do as leaders, right? We should be talking calmly, we should be communicating probably too much right to the point where people don't want to hear from us anymore, but we really need to be upfront with them right away and let them know what we're going on. Hey, we're thinking about you, hey, we're doing XYZ Hey, you know, you know, you should be expecting an email from us to work from home, our doors open. So I feel like communication and probably even Over communication a disaster situation is more needed than men know to limited communication.

Brian Comerford  21:07
I think you're spot on neck, you know, and that that reminded me of something that I read recently in the dichotomy of leadership. You know, there's a there's a story in there, Jocko willing cuz, you know receiving a status report from Leif babban, who is reporting the death of one of their squad. And, you know, Pete spoke exactly to what you're talking about, which is, regardless of the amount of emotion that's in, the communication has to be clear the details have to be there for what the current status is, what can be done now what's the information that the leader then needs to be able to ascertain to be able to act on and despite the amount of emotion that's connected to a high intensity situation like that? The Communist has to be part of the method for conveying, you know, what the next steps are in the process. So that's that, again is, you know, from my perspective, that's part of what the tabletop exercises are so critical for, because it's it's almost, you know, us a martial artists, I'm sure appreciate this, right. It's the type of thing where you're creating that muscle memory, right? Where as soon as you start going into that procedural routine, it's just like your body and your mindset, everything falls into place to be able to handle it, because it's like, there's this unspoken recognition. Oh, this is what this is, again, that we're going through this process again, right. So it's actually creating that familiarity. And, you know, part of what you spoke to earlier that I think is so critical is this is a shared responsibility. There's a lot of leaders from from a variety of functional areas that have to be deeply engaged in this process. And each of them needs to have that acute familiarity as much as no one likes to have it. It's, it's really critical and part of it is, you know, again, to be able to maintain that calmness, when you're under pressure, you have to have enough familiarity with the plan that, you know, in the midst of chaos. You're not searching for your book or trying to go to your mobile app to get to your online document documentation to flip to page 17 to find out who you're supposed to call when the system's down, you know?

Nick Lozano  23:33
Yeah, Corinthian practice is one of those things where people always you know, brush it off like Oh, do we have to do this. But think of it like it just like a fire drill or something right? You practice in a building because as soon as when the when it's going on for real, you just want it to be muscle memory, just a reaction. And you know, like you said, with your with your business continuity plan. You might not remember everything in all those pages. But you You might remember certain scenario partner like, oh, okay, I remember when we did the drill on, you know, an earthquake, I had to go here. So maybe I start here to look for this piece of information. And it's enough that you've been exposed to the situation and the first time you're going through it. It's not one of the disasters happening. It's like you said, you just want a muscle reaction initially, to drive you to the right direction. And when that puts you in the right place, but you just want to go Oh, this is familiar. I should look here instead of going okay. Let me Google this, because I don't know what we're doing right now.

Brian Comerford  24:35
We've got no internet connection.

Nick Lozano  24:38
Yeah, exactly. No, Google, what are we gonna do? Yes, and that that book, the dichotomy leadership, I feel like it's better than their first book, Extreme Ownership, just in my opinion. But when we talk about disaster recovery, that's why I like looking at those military situations because those are high pressure, high stakes. games where people's lives are at risk normally, and to see how they take those and they're like, No, no, you need to be calm, no matter what's going on so that people can hear you and understand you. We know the situation's intense that's going on. But if we can understand you, we can't help you and we want to help you. That's why when I when we look at these disaster recoveries, I like looking at situations like that or how how, you know, New York City handled 911 and everything look at those like your disaster might not be as big as that, but looking to see the things that they did the things that they learned and sometimes the things that they did wrong or good ways for you to us take a step back and look at you know, as the leaders that you know, we should be doing XYZ this work for them might not work for us, but you know, hey, this is out here. This is a real life situation. It's almost like us looking at our white papers right as it people, you know, like it's like don't don't tell me your your software does this prove to me that it does it. It's that type of thing. You know, we should be looking to learn Constantly just like we do with with our technology skills.

Brian Comerford  26:04
Absolutely. And, you know, you think about the evolution of this, you touched on 911. I mean, that's, that's kind of the starting point for the majority of organizations in the world, right, to be thinking about the importance of this type of process. Previously, there, there was the risk management component. And, you know, there, there was loss control in other there are these specialized practice areas that were sort of more tied to, you know, an insurance and risk management practice with clients that had, you know, very high risk types of exposures. But, you know, following 911 that was really the wake up call globally. I think, that indicated, this is something that can happen to any type of business where preparedness needs to be put into place. And, you know, really starting to develop a process around with that. Looks like as well as, you know, understanding the importance of appointing key resources to be curators of this thing long term. Because the, you know, the evolution of a plan is going to look different over two years, let alone 10 years, you're going to have changes in personnel, you're going to have changes in systems updates, you're going to have, you know, you might have mergers and acquisitions that change your topology. There are so many different factors that come into the need to make sure that your plan is actually a living plan, that it's not something static that gets authored and then put onto a shelf. It's something that actually has to become part of somebody's responsibility. It's a it's a key responsibility. You know, from that on the you know, in a in a prior role of mine, you know, governance was in my title, which is why I got the responsibility of starting things on this Not to say, you know, before responsibility but eludes me about the responsibility of really undertaking that type of process.

Nick Lozano  28:08
You're voluntold

Brian Comerford  28:13
Yes, exactly correct. Yeah,

Nick Lozano  28:14
I agree. And thinking about it now, you know, 911 was almost 20 years ago. And we have people coming into the workforce now. for them. It's it's a history lesson, right? It's not they don't remember it. They don't remember going through it. Especially as we have this Gen Z starting to come up and graduate from college and join the workforce. And, you know, even with it, some of these jobs, you don't even need a college degree. You can get away with a certificate of a CCNA or certified security engineer. So we might even have people straight out of high school where it's just it's it's a history lesson. And even for us who went through 911 this this corvin 19 is a good example to say hey, you know, I know we did disaster recovery plan but 911 Was 20 years ago, we just can't keep shuffling this disaster recovery plan that we have and keep pushing it down and pushing it down and pushing it down. We need to test it and make sure that this is updated. Just like we wouldn't buy a computer from 20 years ago and say, you know, it still works. It's over there in the corner. You know,

Brian Comerford  29:17
it might be mega ram

Nick Lozano  29:21
might work, it might turn on and she had to possibly buy but, you know, as leaders, we should always be thinking of the worst thing Do we need to think about the worst thing every day? No, but it should at least be visited at least once a quarter maybe once a year at the least right? To see where disaster recovery plans are and whether they work or not. Do we have the right people in place? And now with everything being remote, it's like well, okay, so if we shift are the remote teams then who do I remote people call for support, you know, they just can't turn around and go Hey, Nick, I need help with my computer. You know, now they need to know who they need to help because They might be working at two o'clock in the morning. So I think it's important as leaders that, you know, in all facets that we should be thinking about this. And this is a good reminder, you know, now, as a lot of the world is kind of shifting and telling their workforces to go remote, that you should be thinking about, how do we work remotely?

Brian Comerford  30:21
Those are great points. And, you know, I think what may be going through the minds of some organizations today who have never undertaken this process, and suddenly are forced into a position to recognize the importance of it, where do you start? Right? So there's a lot of services out there, and there's a lot of consulting groups. And, you know, obviously, you know, the front end costs for putting something together like this is going to be one of those expenses that probably most organizations hadn't originally budgeted for, but it is something that you have to consider as an ongoing expense for your organization. And if you do go the path of engaging a consultant, or a firm who specializes in this type of thing, who can get you up and running? The good news about that is they can kind of help supercharge the process, right, they can come pre packaged with a template for this is what the development of a plan looks like, here are the pieces and parts that are typically required. Here's, you know, what the process is going to look like to create and curate the plan, so that you can have something that does become a living document. And then you know, what's the process look like? Practically going through tabletop exercises, and sometimes even helping to facilitate you know what those exercises should look like so that going through your first round of it, you've got a clear understanding of how these things should function. There's also services you know, for both storing your information so that you've got a company That is a repository that has whatever the high resiliency is, you know, probably four nines Murrell, right? But something that that does provide you both an online repository that's highly redundant in itself. And then you know, typically has some kind of mobile app capability that comes with it. So it's easy to be able to retrieve your documents presuming that you've still got mobile phone connectivity. And then, you know, as well as services for bringing resources, both human resources and computer resources, from off site to a pre designated location. So you if if you actually went through a physical disaster, like like an earthquake or a flood, and everything's been taken out, and, you know, physically it's impossible for your workforce to actually even get back into your operational facility. Then you've got to figure out another place that you can work right and if your organization does allow for work for home from home, but it's not feasible for whatever reason for all of your teams to be doing that there are organizations that can do things like bring in trailers where you've got something like a mobile office you know we've we've all seen the trailers on construction sites where things get moved around and I think

Nick Lozano  33:22
one of the great things with that now too is you know, I'm not going to call we work a tech company but but something like a we work where code these core in spaces have popped up that have commercial grade internet. You could even be getting your employees a subscription to that one around a Regis or something like that just so they have an office to go to and and internet and power if they don't happen to have it. Because chances are pretty good commercial buildings probably going to have power and internet before a home would. That's just generally no they have higher bills on all things. So the power companies and the total Goes tend to take care of those people first before they take care of the, the home networks. But you know that that has driven that great possibility to do that. And I've seen or even seen organizations before this disaster portion, when they're looking to renew their leases for office space, they're like, well, we're just going to get some small office space with hotelling. And then get the rest of our employees say, hey, if you don't want to come in, we'll get you a subscription to a we work. And you can work at we work and have the nice coffee, and have all this stuff at your co working space and have you know, gathering in a social environment, but you don't have to come to the office. And that saved some companies tons of money when you think about how expensive commercial real estate is. So I mean, that's another thing you look at when you look at disaster recovery, though, the pop up of that type of stuff has made it easier where you don't have to drop in a whole trailer if you're a smaller firm and can't afford you know, the trailer to come in and do it. And like you said, I think you just take your your common your lowest common denominator Say what do we need to operate physically and you work backwards from there. Maybe you bring someone in a disaster recovery expert without buying things right away, figure out what you actually need, instead of trying to say, Well, you know, let's go spend all this money in Amazon workspaces with all this redundancy. When maybe depending on your organization, you only need email and like a base camp or something like that. It all depends. Everyone's needs gonna be completely different, depending on how your organization operates. But I would say before you got there and you spend all that money on these tools. You should bring somebody in or at least run through an exercise internally of what do we really need to keep it going at a bare minimum and start from there.

Brian Comerford  35:44
That's a great point neck and you know, part of the exercise early on where you're identifying key resources is to go through that prioritization. Right. It's a it's a ranking exercise where you really determine what are your key business applications. The funny thing is, I think for a lot of organizations, it might not be the first thing that leaps to mind. But email really is probably the number one most critical business application for a lot of organizations. It's, you know, how you're communicating with your clients. It's how you're communicating with folks within the workforce. And, you know, really being able to have some type of cloud enablement or redundancy built in for your email capabilities. You know, that's, that's often one of those first steps. That's an easy sell, you know, as you're trying to build a business case for why why to invest in that sort of thing? Yeah, there's

Nick Lozano  36:40
no migration are super cheap now, too. I mean, like, everyone's moving their email to the cloud. So like, you can get vendors like Rackspace that will do it for a couple of dollars email account and set you up. I mean, it's, it's a low barrier to entry one.

Brian Comerford  36:56
Yeah, it's certainly an easier process than something like You know, a specialized industry Class II RP, where you've got something that is really, you know, unique to your business type or your industry type. You know, it tends to come with its own special sauce. And sometimes that comes with, you know, very specialized type of hardware that goes with as well. Those things, start adding a layer of complexity where you may, in fact, rank that as one of your top, you know, two or five most critical business applications. But to your point earlier about, you know, how cost intensive this whole thing can be, you have to start to really determine what is ultimately, you know, the long term investment that we're going to have to make to get the type of redundancy that's required. So that, you know, you have an idea of what it is, are we recovering from backup and, you know, our recovery time objective is set to two days, or is it something where this is so critical that anything more than two hours means Our company is going to start hemorrhaging money.

Nick Lozano  38:02
Yeah. And that's going to be different for every organization, a service based organization can get away with just email. A product based manufacturing company has a much different business continuity plan than then, you know, a service based company. But I would say our key takeaways from today, or is that you need to at least start planning. And now this this corvid things, a good reminder that, you know, a lot of organizations probably haven't looked at how their disaster recovery plans were implemented since 911. Because that was probably one of the best big last, you know, global impact events that kind of cost us to do all this stuff. But it you know, if you're not thinking about it, now, you You definitely shouldn't be. You should have started days ago, you know, the best time to start on it was yesterday in the past, but the next best time is right here and right now, right.

Brian Comerford  38:58
Great point. And with that I think we've had a inadequate conclusion for today's episode, but it's I think it's additionally appropriate that you and I ended up recording this on Friday the 13th.

Nick Lozano  39:11
And you know, it, it's, you know, we wanted to stop and do a special episode, right, just because of what what's going on. It's a bit different than some of our other episodes. But you know, I think on it, there's, this is a topic that's probably, they're probably in the trenches right now, trying to get all this stuff to work. Like I said, earlier, we hopped on the call, I was talking to a vendor, you know, an IT vendor, and they're like, they have customers calling them and telling them that they need to be set up for remote work when nothing's been planned. Ever. Their environments aren't built for it. But you know, it should be on the top of all our leaders minds it and we know just leadership in general.

Brian Comerford  39:51
Couldn't agree more.

Nick Lozano  39:54
I guess we'll have a good one. We'll talk to you again. Later, Brian.

Brian Comerford  39:58
Have a good one. Stay safe.