Five Best Practices for an Incident Response Plan
Use these five best practices to create or update an IT security incident response plan.
Determine the ROI of Data Protection
Return on investment or ROI. Don’t ask the C-suite for funding for anything unless you can back up the request with a projected positive ROI. Unfortunately, that’s not an easy task when it comes to data protection — but it can be done.
The Conundrum of Data Protection ROI
Most everyone in the business world knows that data protection, which encompasses data security, data privacy and disaster recovery, is essential. After all, few companies could exist, much less succeed, without their data. But determining the costs of losing that data —or even not having access to it for a short time — can be difficult. That in turn makes it almost impossible to get a clear picture of the value of preventing the loss of data access or the data itself.
From an IT perspective, we can calculate the hourly costs of trying to fix an outage including labor, materials and external services. There are plenty of formulas and online calculators that can help do that.
But many IT departments lack the “bigger picture” operational data, which is where the costs really start adding up.
We can probably get some numbers that tell us the cost of employees in other departments sitting idly based on their hourly wages. But what about the loss of revenue if employees can’t make sales, process orders, create products or deliver services? What about fees incurred because of making late payments or not fulfilling service level agreements? What about costs due to non-compliance penalties?
How do you measure the loss of customers? When an outage occurs, most customers don’t care about it. They just want their product or service. If you can’t deliver, they’ll find someone who can. How do you calculate the damage to your company’s reputation once your outage hits social media and the criticisms build up? Suddenly you’ve not only lost current customers. You’ve also lost prospective customers.
What about the loss of data or access to data within your company that you don’t even know about because of “shadow IT”? And don’t forget you’re still paying to keep the lights on even though most of your organization’s employees can’t get any work done. You’re still paying rent and/or maintenance on your physical plant as well as on all the equipment you lease, etc.
Look Outside of IT
In the eBook, “Understanding Your Data Protection ROI for Dummies” by Veeam, the author suggests that one way to start determining the ROI of data protection is to talk with a broad cross section of operations stakeholders and technical professionals. That will help provide a more complete view of what is affected during an outage or business disruption — and the associated costs.
You can use information from your discussions to identify core teams and their processes and then map them to IT dependencies. From there, conduct a risk analysis, looking at the likelihood of different events that could cause downtime. Also conduct a business impact analysis, which is quantifying the potential costs of each event. There are plenty of online resources to help you with both exercises. (Watch for an upcoming blog on these exercises as well.)
Involve stakeholders from outside of IT in both exercises. You’ll get a much better idea of both the risks and costs.
The author notes that the end goal is to be able to answer these questions:
- What is the actual cost of the problem of downtime and data loss with the current data protection strategy?
- What are the organization’s most pressing areas of concern or vulnerability that should be covered by data protection strategy?
- What is the organization’s commitment to do better?
Although the eBook’s suggestions don’t offer a definitive way to calculate the ROI of data protection, they do provide a way of getting closer to a more complete understanding of the total costs associated with downtime and data loss. With that you can better determine the savings to be had by mitigating downtime or data loss — and that can make for a compelling ROI of data protection.
The Bottom Line
As noted in Veeam’s eBook, “System downtime, whether it affects an individual user or an entire company, means lost money.” And in business, protecting against whatever can have a negative affect on a company’s bottom line is a worthwhile investment.
Related Blog Posts
Expand from Network Security to Cloud Security
Learn how to expand from on-prem network security to cloud security with these best practices and resources.
Safer Internet Day Starts with Strong IT Security
Safer Internet Day offers a reminder of steps your organization can take to enhance its IT security and combat DDoS attacks and other forms of cybercrime.