Showing results for 
Search instead for 
Did you mean: 

What Does True Operational Resiliency Look Like?

Level 1

The Oxford Languages dictionary defines resilience as "the capacity to recover quickly from difficulties; toughness."

That definition aligns well with how we at Veritas think about operational resiliency. 2020 provided many opportunities to test how "tough" enterprises are and how well they can bounce back and keep their business running in the face of adverse events out of their control. A global pandemic forces millions of workers to do their job remotely. Wildfires force mass evacuations and widespread business disruption. More and more sophisticated forms of ransomware continue to proliferate.

When we recently published the 2020 Ransomware Resiliency Report, we identified what we called a "resiliency gap." Enterprises have been adopting digital transformation platforms at scale – with the challenges of 2020 being a further catalyst. But they have not been standardizing on a single platform for operational resiliency.

As their resiliency gap widens, enterprises are increasingly at risk of encountering business downtime and incurring data loss, compliance violations, financial losses, and significant and possibly lasting damage to their reputation. Closing their operational resiliency gap is not simply an IT priority; it has become a business imperative.

But this begs the question: how do enterprises know when they have taken the steps necessary to close their resiliency gap? What's our vision for an ideal state of operational resiliency?

No enterprise will ever be 100 percent completely immune to the unpredictable events like we experienced in 2020. People make mistakes, unpredictable events happen. It's better to think of operational resiliency efforts as an ultra-marathon without a finish line.

Here are some of the indicators that your enterprise has effectively closed its resiliency gap:

  • You have achieved near-zero RPO and RTO. One of the measures of recovery point objective (RPO) is how much data your company would lose following a disaster. A key finding in the ransomware resiliency survey was that globally respondents estimated they would not recover 20 percent of their data in the event of a complete data loss. Think of all the critical business data—including some with personally identifiable information under GDPR—that might be included in that 20 percent loss? Enterprises should ideally have that number closer to 0 percent. Veritas' survey also uncovered some startling findings related to recovery time objective (RTO). Globally, 70 percent of respondents whose company had faced at least one ransomware attack said their business was disrupted for more than a day. Most enterprises strive for an RTO of about four hours for mission-critical applications, given the astronomical costs of business downtime. Robust backup and protection of your on-premises and cloud storage can significantly reduce your RTO and RPO.
  • You have three or more copies of your data, including one offline. The "3-2-1" backup rule is a key pillar of operational resiliency. It means that you have at least three copies of your data, using at least two different storage mediums, with one copy offsite and offline. The rationale is that this approach protects your enterprise from a series of unpredictable events – natural disasters, a fire in a data center, hard drive failures, data breaches, cloud outages. Another factor is that ransomware attacks aren't just targeting your data – they're also targeting your backup systems. The 3-2-1 approach ensures that if a significant portion of your data is impacted, you're more likely to recover most of your data because you have multiple layers of protection. Just 17 percent of enterprises in Veritas' survey said they follow the 3-2-1 approach. And this is concerning as it opens organizations up to further business risk.
  • When hit by a successful ransomware attack, you have options to get your business running again without paying the ransom. Sixty percent of respondents whose company had faced at least one attack paid all or part of the ransom, per Veritas' survey. 60 percent! That percentage should be far lower. Experts recommend not paying the ransom in most cases, as it further encourages hackers to continue to attack and try to extort, and you're not assured of a Black Hat being able to decrypt your data if you do pay. We recognize that paying or not paying is an individual company decision, given that some companies have ransomware insurance or other unique situations. But the key point is that companies are paying the ransom because they effectively are out of options. Being in a more advanced state of operational resiliency puts you, the enterprise, in a stronger position to negotiate the best possible outcome for your enterprise. That may be paying only part of the ransom, or mitigating the reputational backlash, or accelerating your recovery. The best case scenario is you fully recover without paying any of the ransom.

Closing your resiliency gap and achieving greater operational resiliency is not only a siloed IT security issue. You need IT organizations and business units to work together to ensure greater availability of applications and data no matter the environment – virtual, physical, or multi-cloud. It means your systems are more agile and able to respond to changes in requirements. And your data integrity never falters.