A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders
In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.
There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations. Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.
This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.
Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation. To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.
View all episodes.
Episode 12: Be the master of disaster (Part 2)
“Exactly!” said Deep Thought. “So once you do know what the question actually is, you’ll know what the answer means.”
Douglas Adams, A Hitchhiker’s Guide to the Galaxy
[ Reading time: 7 minutes ]
Key Acronyms to Remember
- DR: Disaster Recovery
- BC: Business Continuity (covered in the next episode, “Keeping the Lights On”)
- IR: Incident Response (see episode 14, “Who You Gonna Call?”)
Each plays a distinct but interconnected role in ensuring your organisation’s resilience.
When disaster strikes
If you’re activating your DR plan, your organisation is already in a crisis. Stress levels are high as teams scramble to restore systems and operations. As an executive, your role is to manage expectations, protect the IT team from undue blame, and support a structured recovery process.
Avoid the blame game
IT failures are highly visible, making them easy targets for frustration. However, resolving the issue swiftly requires focus—not finger-pointing. Here’s what you need to do:
- Communicate effectively: Keep stakeholders informed to reduce pressure on the IT team.
- Rely on your DR plan: A well-documented plan ensures clarity and prioritisation during recovery.
Prioritising Recovery
To recover effectively, you must know:
- What systems exist (see episode 2, Know Thyself).
- Which systems are critical to restoring operations.
Avoid letting the loudest voices dictate priorities. Instead, base your recovery order on these metrics:
- MTD (Maximum Tolerable Downtime): The longest a system can be offline without critical impact.
- RTO (Recovery Time Objective): The target time to restore a system, which must align with MTD.
- RPO (Recovery Point Objective): The acceptable amount of data loss, guiding backup frequency.
Your DR plan should outline recovery priorities, adapting for seasonal or situational needs (e.g. payroll at month-end, clearing, enrolment, exams or financial year-end).
Testing and Dependencies
Regular recovery testing is essential for accurate timelines. But beware— system dependencies can derail even the best plans. For example:
- Active Directory might need to be restored before the finance team can log in to payroll systems.
- Firewalls or internet access may be prerequisites for other systems.
Your DR plan must document these dependencies and reflect them in recovery time estimates.
Recovery Locations
If physical infrastructure is compromised (e.g., a fire), you need a contingency plan:
- Hot Sites: Fully equipped secondary locations ready for immediate use.
- Cloud Options: Many providers enable restoration directly into their cloud environment—a fast, flexible solution.
A “cloud-first” strategy can enhance resilience, but it must include secure, reliable backups to address threats like cyberattacks.
Post-Recovery Considerations
Disaster recovery doesn’t end when systems are restored. Your team will need:
- Work Recovery Time: Ongoing recovery efforts mean less capacity for regular support.
- Rest and Resilience: Avoid burnout by phasing their return to business-as-usual workloads.
The NHS post-Covid is a cautionary tale: failing to address team exhaustion can have long-term consequences. Plan ahead to ensure sustainable recovery efforts.
In Summary
- Support your IT team: They’re your front line for recovery.
- Define Priorities in Advance: Use MTD, RTO, and RPO to guide decisions.
- Test and Document: Know your systems, their dependencies, and realistic recovery times.
- Plan for People: Resilience isn’t just about systems—it’s about the teams that run them.
Your leadership can make the difference between a smooth recovery and prolonged disruption.
A final [deep] thought
In the next episode, we’ll look at how to put mechanisms in place to ensure your business carries on in the event of a disaster. Keeping the lights on.
Meanwhile, review your organisation’s Information Asset Register. Does it define system criticality, system owners and technical owners? Have these been defined with measures for maximum tolerable downtime, recovery time objectives and recovery point objectives?
Does your Disaster Recovery Plan have one or more recovery priority schedules defined? Do these take account of time-of-year events, like clearing, enrolment, exams, payroll and financial year end? Do recovery times take account of system dependencies?
Had the DR plan assigned responsibility for communications to key stakeholders? What measures do you have in place to protect the recovery team during and after the recovery process?