You can have everything you need to protect your business, and still fail.
A River Runs Through It
Last weekend while my son and I were enjoying Father’s Day in our canoe we sighted another group that appeared to be doing the same. An experience of this nature, two canoes passing one another silently, normally makes a trip even more pleasant. Something about being on the water appears to put most people at ease and in the best of moods. That was certainly the initial affect of our brief encounter, but then my son and I had the feeling that something was not right.
What Could Possibly Happen?
We had noticed, initially subconsciously I suppose, that the child in the stern of the canoe, whom I would estimate to be 7-9 years of age, had left his PFD (i.e.: “life vest”) unzipped. The style of PFD he wore resembled a sleeveless winter jacket, with a zipper up the entire front. The problem here is quite straightforward. Though the child was wearing the vest, were he to go into the water he would almost certainly have immediately slid out of it. He would go down, the vest would go up. Even if it slid only part way off that could have been as bad or worse, as he may have become tangled in it. Fortunately, none of that actually happened that day.
Having been involved in training what must be hundreds of young people about the basic skills required to enjoy the wilderness — and have fun while being safe — I have been thinking of this very minor encounter quite often over the past few days. Today it is so simple to perform the few very basic tasks required to be safe in most wilderness environments. I also know how quickly things can happen that will put to use safety precautions such as a PFD. With proper precaution, the incidents become experience and life lessons; and perhaps even accomplishments or fun experiences themselves; though they need not become “dangerous”.
What stood out for me in this case was that the family had all of the equipment they needed in order to make the experience completely safe. They simply had not “implemented” it correctly and the child was, therefore, more or less unprotected. As I thought of this whilst in my office it occurred to me that a similar thing can often occur in the context of the delivery or, more likely, the consumption of cloud services.
In a previous post I mentioned that the responsibility for one’s business service remains theirs, even when a service is delivered by a cloud provider. In another I mentioned that we need to continue to think of things of this nature, even when cloud providers (experts) are taking care of things for us. It occurred to me that these things in combination could lead to a similar situation, where a business has everything it needs to be protected and learns during a service disruption (et cetera) that they still were not adequately protected.
It Happens More Than We Might Believe
This realization also brought to mind a conference session I delivered a number of years ago. The topic was backup and recovery. At the beginning of the session I asked three questions. Question 1: “How many of you have a backup plan and backup technology in place?” – Everyone. (No surprise there.) Question 2: “How many of you have tested your backup?” – As I recall, roughly 70%. Question 3: “How many of you have tested your recovery?” – Nobody. Not one person.
While this is a very simple case, I believe the parallel is clear. The people who attended this session had everything they needed to ensure their business was protected (in that specific context) though they may not have been at all protected. Many of us are familiar with cases where organizations had been using the wrong type of backup media in a device (had settings set incorrectly…) for years and found out – at the worst of times – that they had no backup data.
More Critical in the Cloud
This type of situation is not unique to cloud services, though I believe we must be even more diligent with regard to it in cases where cloud services are a part of our strategy; especially when those services are provided off-premise. As I have written previously, we must plan for resilience. We must also ensure that this resilience (data recovery…) is tested not only initially, but also with a frequency that results in an acceptable level of risk to your organization.
Plus C’est Pareil
It is really fairly simple, and it’s nothing new to IT professionals. Though recent news items would suggest that we may not be applying these disciplines as universally in situations where clouds are part of the picture. As with any technology, or safety equipment:
If we return to the life vest example, one simple test when fitting someone with a PFD (life vest) is to try to lift it over the wearer’s head (while their hands are raised above their head…) – while on dry land. Had the family done this, the vest would have shot off quickly and they would have spotted the problem while in a position to address it safely. This would have satisfied the initial test. A secondary “test” would be to visually inspect the vest when the child entered the canoe. (Wow, that’s an impressive way of saying “be sure it’s fastened properly”.)
My point here is not to suggest that your partners and cloud providers do not care about you or your business. I’m sure most do. However, you likely know more about your business, your requirements, and your systems than they will ever know. And, as I’ve mentioned in previous posts, it’s not likely that anyone will care more about — and be more diligent in the protection of, — your business (or your children) than you. Though if I’m on the water with you, I’ll do my best.
*Please consult your local water safety expert for complete instructions on PFD safety checks.