Disaster Recovery Planning is Necessary for Business Vigilance

Disaster Recovery Planning is Necessary for Business Vigilance

Harold Shannon, vice president of Technology, CoreCivic

Harold Shannon, vice president of Technology, CoreCivic

Harold Shannon was named vice president of Technology and chief information officer in April 2021. Previously, he served as managing director of Program Management at CoreCivic. Shannon joined CoreCivic in 2003 as a project manager in Technology. Since joining CoreCivic, Shannon has continued to serve in various leadership roles, including senior project manager, senior director of Program Management, and senior director of Enterprise, Resource, and Planning (ERP) Applications. Prior to joining CoreCivic, Shannon was a team lead and developer at Accenture, an international consulting firm. Shannon earned his bachelor's degree in computer information systems from Middle Tennessee State University and a master's of business administration from Belmont University. In 2015, Harold completed the Executive Leadership program at Belmont University.

As system disruptive activities continue to impact a business's ability to function, it is critical that organizations prioritize disaster management. Based on Accenture's State of Cybersecurity Resilience 2021 report, cybersecurity attacks have increased by 31 percent year over year. This increase—along with the war in Europe and increased telework for the America's job force—has shifted the focus on disaster recovery to ensure business continuity and protect companies' reputations. Management of your disaster plan can no longer only focus on what you control, but must be extended to your suppliers and partners. There are several methods to support your organization's disaster recovery management strategy, such as implementing a redundant scaled environment, testing this environment, and encouraging your organization to adopt a prepared mindset.

Disaster Recovery Planning (DRP) is the management of network, systems, and data in the event of a disaster. Disaster can include the destruction of any equipment, loss of data center, a cybersecurity incident, or any other disruptive event. Disaster recovery should include cybersecurity incidents because these events are becoming more frequent and destructive. Extending your disaster recovery plan to your suppliers and partners is necessary to ensure control.

A good disaster recovery plan includes detailed instructions on how to respond to an unplanned incident. This plan should include run books, a backup data center (on premise, off premise, and/or in the cloud), and policies and procedures. Additionally, communication plans are critical to your disaster recovery plan because key customers, suppliers, and partners may be impacted. Public companies may have a higher standard of communication because the Security and Exchange Commission (SEC) is requiring greater transparency in this area to protect shareholders value.

“The key to successful DRP is the recovery environment and your ability to scale full services. Many companies have a redundant data center (self-managed or co-location) in the case of a disruptive event”

The goal of DRP is to resume business as quickly as possible without any data loss while maintaining existing functionality. Each organization must validate its disaster recovery plan using table topic exercises, simulation testing (i.e., failover), and overall plan review. This validation should occur at least once a year because environments are constantly changing. The validation of your disaster recovery plan is a crucial step to ensure everyone knows his or her role in the event of a disaster.

Alternative Environment

The key to successful DRP is the recovery environment and your ability to scale full services. Many companies have a redundant data center (self-managed or co-location) in the case of a disruptive event. With the advent of Infrastructure, Platform, and Solution as a service, the cost of maintaining a backup environment has decreased substantially. These environments allow an organization to quickly scale its environment and respond appropriately with minimal effort. Additionally, when the redundant environment is in the cloud, an organization can better manage its cost by reducing its usage when this environment is not activated to the full business scale. This provides an added benefit: a redundant system with scale flexibility and cost management.

Third-Party Disaster Management

Third-party management is critical to a successful disaster recovery plan. According to a report by Ponemon Institute, 51 percent of businesses have suffered a data breach caused by a third party, with 44 percent suffering a breach within the previous 12 months. Seventy four percent of 44 percent of these organizations' data breaches were the result of giving too much privileged access to third parties (Meharchandani, 2021). Every organization should have a detailed risk plan on managing third-party access to and management of your data. It is critical that your organization outline specific data management and security requirements for every vendor based on risk and type of data. The Ponemon Institute report indicated 66 percent of its respondents had not implemented, at minimal, a privileged access management plan. Zero trust is a critical framework for not just managing internal access but external access as well.

DRP Change Management

There are three factors that can limit organizational focus on DRP: resources, cost, and mindsets. Many organizations may refuse their Technology department the needed resources required to plan, test, and support disaster recovery management ahead of an actual disaster. Organizational leaders' leery mindsets toward DRP may also be limited by their understanding of the risks and the criticality of technology to an organization. However, with the heightened cyber security scrutiny, this mindset is changing. Technology is no longer just a cost center—it is critical to every business function and provides a competitive advantage.


DRP should not be afterthought, but a best practice in today's business environment. Your organization must have the right planning, resources, and mindsets to face the challenges posed by this fast pace, at-risk environment.

Zig Ziglar once said, "If you aim at nothing, you will hit it every time."

With disaster management, I believe that you hit what you aim at and if you aim at nothing, you will be unprepared for your next disaster.

Weekly Brief

Read Also

The Cure For 'Quiet Quitting'

Glenn Hasteadt, IT Director, County of Onslow

Tennessee's Evolution to Banking on Data

Christin Lotz, Director at Tennessee Office of Evidence and Impact

Launching the 1950 Census Website: Innovation and Collaboration at the National Archives

Pamela Wright, Chief Innovation Officer, U.S. National Archives and Records Administration

Leverage Technology to Elevate Emergency Management Practices

Cassandra Libal, Director of Emergency Management, Milwaukee County

Changing the Model The Role of the CISO in the Next Generation of Cyber Security

Shane M. Barney, Chief, Information Security Division, USCIS

The Product Verse Project Approach To Government Technology Services

Philip Savino, Director, Information Technology Department, Arapahoe County Government