"Never say - redundant. It implies unnecessary. And there's no budget for unnecessary."
I was told this 3 days into my cybersecurity career. And I find it telling that I can quote it verbatim 20 years later.
The word I should have used to describe the spare server - bought just in case one of the others broke - was 'resilience'. "This is our resilience server if one of those fails. It means we can be back operational within 3 hours - rather than 12 days."
This week, I was reminded of this lesson while talking with a new customer. As a founding CEO, she has created and grown a thriving online business. But as a self-professed computer-illiterate, she didn't understand technology.
As soon as I mentioned "risk", she was crystal clear.
"We have a saying in our company - What if a bus comes along?"
The most significant risk to her company was resilience.
Resilience as an idea is simple - it's keeping going - and is measured in downtime. Every business needs to ask - How much time is it OK to be non-operational?
In cybersecurity, we often overcomplicate the idea of resilience. But businesses already deal with it every day.
There are only five tiers of resilience in operations. From the most expensive to the cheapest, they are:
- Synchronous Operation (or no downtime)
- Asynchronous Operation
- Hot Standby
- Cold Standby
- No resilience
Cybersecurity vendors and professionals often start by assuming no downtime or synchronous operations are the answer. But other areas of business rarely operate in this way. A five-minute or even a five-hour delay may be acceptable - it's a business decision.
In challenging economic times, decisions to trim down resilience are inevitable. Knowing what level of downtime is acceptable is essential.
Remember, a 2-minute delay to re-route traffic through a different internet connection may be good enough… And it's likely to only take a few instructions on your existing equipment.
But equally, the delay in budget approval, purchasing, and shipping may extend the disruption and downtime beyond what is tolerable. It's why 20 years ago, we had a "resilience" server.
The cost of another firewall, another server, or another access point often comes at a much higher price than a few hours of non-productivity. But if that's not the case... just buy an extra one.