How many IT disasters can you reasonably prepare for? The big “total wipe-out” disasters like the data centre hit by a plane (for those enterprises close to airports), systems rooms flooded out (move it to a higher floor beforehand), or ransomware attacks on your key data (get better IT security and backups) justify time and attention from DR planners.
But what about the myriad smaller vulnerabilities, such as marketing deleting the wrong files for an upcoming webinar or a departmental server for QA going down? Some might say that “planned complacency” is a better business solution – are they right?
The idea of “planned complacency” can also be found in other areas, notably IT security and vulnerability management. There is evidence to support the idea that it is better to leave some IT vulnerabilities unremediated.
For example, the Verizon Data Breach Investigations Report 2016 indicated that only 200 out of several thousand vulnerabilities reported in the period 2013 to 2015 were exploited in 2016.
Prioritising fixes for vulnerabilities on high-value assets was also increasingly contentious, as breaches were possible by attacking low-value assets first. Fixing according to impact has been losing ground to fixing according to exploitation.
Coming back to disaster recovery planning, there is a case to be made for shifting emphasis to accidents (and incidents) known to happen more often, rather than exclusively focusing on those with the greatest potential consequences, or trying to plan for anything and everything.
IT security benefits from various automated tools to help pick out the right priorities in this sense, whereas disaster recovery may still have to use manual methods. But if the overall risk to the business can be kept low, while reducing the total time and effort spent on planning and preparing for different eventualities, it sounds like “constructive complacency” might be another viable tool in the DR planner’s toolbox.