What constitutes best practice? According to Steven Aiello, security & compliance practice director at AHEAD: “When we think about building resiliency into environments, backup and recovery are important, but backing up the right data is what separates good strategies from bad ones.”
Aiello believes that the industry standard for evaluating security within vendor risk management was never designed to deal with massive supply chain attacks. As organizations look to create a culture of cyber-resiliency, they must accept the “need for bulletproof glass as thick as the bullet’s strength to stop it.”
Digital Journal caught up with Aiello to find out what makes for best practices ahead of World Backup Day 2021.
Digital Journal: How can businesses determine what’s truly important to the business?
Steven Aiello: Many organizations are trying to do too much. When you think of an organization that has petabytes and petabytes of data – which is very common for larger enterprises – there must be an understanding of which data is actually important. For example, maybe only 20% of its backed-up data is ever accessed, while the other 80% sits dormant. So, it first comes down to understanding which data is even being used, then determining within that subset which data should be backed up by knowing what value is being extracted from backup initiatives. If you’re just backing up thousands of Word documents that no one has touched in years, there’s not a lot of value there.
DJ: How can firms drive consensus based on data?
Aiello: To understand what is valuable to the company, you must drive consensus. For example, if we’re talking about a large organization that deals with Payment Card Industry standards (PCI), the directive from PCI is to delete data as soon as it is no longer needed. How do you decide what’s relevant to the business? There could be other business concerns that make backing up certain data more valuable, such as legal considerations. To drive consensus, the organization must understand factors such as risk tolerance, the likelihood of an event that would require the data, the likelihood of an attack that would put the data at risk, and the cost of storing data.
Ask questions like: ‘How many data requests have you had in the past few years?’; ‘How much would it have cost if you weren’t able to access the data?’; ‘Is it worth the cost of data storage to have this information readily accessible?’
DJ: What makes for a good plan?
Aiello: Once an organization understands what is important and has a consensus around exactly what data is necessary, it can then build a plan for backing up the right data in the right way. A plan can be made based on tactical aspects of the business, like recovery time objectives, recovery point objectives and costs. The overall effort to back up data will then be easier because there’s an infinitely more manageable data store than what you started with.
At the end of the day, the culture within an organization must be willing to make decisions based on business data.
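The decision process Aiello describes across the three answers (filter out dormant data, weigh the likelihood of needing data and the cost of not having it against the cost of storing it, honour regulatory deletion directives and legal holds, then assign RPO/RTO tiers to what remains) can be written down as a small triage routine. The following is an added example written for this page; it is not code from the interview, from AHEAD or from Digital Journal. The inventory, storage price, dormancy threshold and tier thresholds are all constructed, labelled assumptions chosen to make the arithmetic easy to follow.

```python
from dataclasses import dataclass

# Assumed parameters (constructed for this example, not from the interview).
STORAGE_COST_PER_GB_YEAR = 0.25   # backup storage price per GB per year
DORMANT_AFTER_DAYS = 365          # no access in a year => "sits dormant"

# Assumed RPO/RTO tiers, keyed by how costly an unserved request for the data is.
TIERS = [
    (10_000, "tier-1", "1h", "4h"),   # outage threshold, tier, RPO, RTO
    (1_000, "tier-2", "24h", "48h"),
    (0, "tier-3", "7d", "7d"),
]


@dataclass
class Dataset:
    name: str
    size_gb: float
    days_since_access: int
    requests_per_year: float          # how often the business actually needed it
    cost_if_unavailable: float        # estimated loss per request that cannot be served
    delete_when_unneeded: bool = False  # e.g. a PCI directive: delete once no longer needed
    legal_hold: bool = False          # legal considerations override the cost test


def expected_annual_loss(ds: Dataset) -> float:
    """Likelihood of needing the data (requests/year) times the cost of not having it."""
    return ds.requests_per_year * ds.cost_if_unavailable


def annual_storage_cost(ds: Dataset) -> float:
    return ds.size_gb * STORAGE_COST_PER_GB_YEAR


def assign_tier(ds: Dataset):
    """Map outage cost to an RPO/RTO tier; the last entry (threshold 0) always matches."""
    for threshold, tier, rpo, rto in TIERS:
        if ds.cost_if_unavailable >= threshold:
            return tier, rpo, rto
    return TIERS[-1][1:]


def decide(ds: Dataset, risk_tolerance: float) -> dict:
    """Classify one dataset as backup / skip / delete.

    risk_tolerance scales the storage bill that expected loss must exceed before
    the business pays to back data up; a lower value is more conservative and
    keeps more data."""
    loss, storage = expected_annual_loss(ds), annual_storage_cost(ds)
    record = {"name": ds.name, "size_gb": ds.size_gb,
              "expected_loss": loss, "storage_cost": storage}
    if ds.legal_hold:
        decision = "backup"       # legal hold wins regardless of cost
    elif ds.delete_when_unneeded and ds.requests_per_year == 0:
        decision = "delete"       # regulatory directive: unneeded data is removed, not kept
    elif ds.days_since_access > DORMANT_AFTER_DAYS:
        decision = "skip"         # step one: nobody uses it, so it is not a backup candidate
    elif loss < risk_tolerance * storage:
        decision = "skip"         # step two: used, but not worth its storage bill
    else:
        decision = "backup"
    record["decision"] = decision
    if decision == "backup":
        record["tier"], record["rpo"], record["rto"] = assign_tier(ds)
    return record


def build_plan(inventory, risk_tolerance: float = 1.0) -> list:
    return [decide(ds, risk_tolerance) for ds in inventory]


def backed_up_gb(plan) -> float:
    return sum(r["size_gb"] for r in plan if r["decision"] == "backup")


# Constructed sample inventory: names and figures are invented for illustration.
INVENTORY = [
    Dataset("customer-db", 800, 0, 52, 50_000),
    Dataset("card-transactions-2016", 2_000, 900, 0, 0, delete_when_unneeded=True),
    Dataset("legal-contracts", 50, 400, 0.5, 100_000, legal_hold=True),
    Dataset("old-word-docs", 500, 1_200, 0, 200),
    Dataset("archived-reports", 400, 200, 1, 50),
    Dataset("marketing-assets", 3_000, 30, 12, 500),
]

if __name__ == "__main__":
    total = sum(ds.size_gb for ds in INVENTORY)
    for tol in (1.0, 0.25):
        plan = build_plan(INVENTORY, risk_tolerance=tol)
        print(f"risk_tolerance={tol}: {backed_up_gb(plan):.0f} of {total:.0f} GB backed up")
        for r in plan:
            tier = f" {r['tier']} RPO={r['rpo']} RTO={r['rto']}" if r["decision"] == "backup" else ""
            print(f"  {r['name']:24s} {r['decision']:6s}{tier}")
```

Running the script with the constructed inventory shrinks 6,750 GB to 3,850 GB of backup candidates at a risk tolerance of 1.0; lowering the tolerance to 0.25 pulls the marginal `archived-reports` set back in, which is the "how much would it have cost if you weren't able to access the data" question expressed as a threshold the business can argue about rather than a gut feeling.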