Data Guardians: The BCM Pro’s Role in Helping Business Units Protect Their Data

Every organization backs up its data, but not all do so in a manner that is validated or rationally tailored to their needs. Business continuity professionals can help their organizations raise their data protection game by acting as educators, advocates, and brokers on this issue between the business departments and IT. 

Related on BCMMETRICS: Getting in Sync: Eliminating Recovery Strategy Gaps between BC and IT

A Data Security Conversation with a Client 

Here’s a conversation I have frequently with my clients: 

Herrera: How are you doing on backing up your data? 

Client: Perfect! I have all types of backups. 

Herrera: Great. How often is the data and the integrity of the data truly validated? 

Client: [Silence.] 

These days, you could sooner find a person who would admit to not brushing their teeth than you could find a company that would admit to not backing up their data. But not all data backups are created equal.  

Data Loss Happens All the Time 

Organizations lose data all the time. Occasionally this is due to dramatic events like ransomware attacks. More often it’s the result of everyday glitches like accidental deletions, corruption in the database, and hardware failures. 

Almost as commonly as they experience a loss of data, organizations turn to their backups and find they are inadequate in terms of keeping their losses within acceptable limits. 

Some of my clients do a beautiful job with their data backups. This proves that this important activity can be handled successfully. But the more common situation is the one described above. 

BCM Professionals as Data Guardians

In this context, the role of the BCM professional is to act as data guardians, advocating for the protection of the information that the organization needs in order to function. 

The business continuity management (BCM) professional has a stake in the issue of data protection since it impacts the organization’s ability to keep its mission-critical operations running. The BCM pro is entitled and obligated to investigate this matter and press for the mitigation of any gaps discovered.  

More specifically, the BCM pro’s role is to inquire into the data protection situation for each department, facilitate communication on this issue between the business departments and IT, educate the parties about the issue, advocate for the adoption of sound data protection practices, and serve as a liaison between the business departments and IT in closing any gaps. 

Five Steps the BCM Professional Should Take

The BCM professional, as usual, does not have hands-on control, but he or she can and should educate colleagues and advocate that steps be taken to improve data protection and boost the organization’s resiliency. 

What steps should the BCM office take to try to get the other departments to improve at data protection? There are five of them: 

1. Encourage the business departments to learn how their data is backed up. Most people in the business departments have no idea how IT backs up their data. The departments should be encouraged to take an ownership position with regard to their data. It’s their information. They created or obtained it. They need it to do their job. They should feel protective toward it. They should educate themselves about how IT looks after it. Knowing how their data is backed up can bring many benefits. It can shape their behavior in ways that reduce the likelihood of data loss, help them be realistic about what can be recovered in the event of a loss, and enable them to talk intelligently with IT. It’s also a necessary starting point for strengthening their department’s data protection regimen. 

2. Encourage each business department to identify how much data it can permanently lose and continue operating. Every department needs to figure out its maximum allowable data loss. This is usually measured in an increment of time, e.g., 15 minutes, four hours, or 24 hours. Factors driving this limit can include legal or regulatory requirements or work volume issues. 

3. Facilitate an exchange of information between the department and IT about the maximum allowable data loss, the reasons for it, and the current level of data protection offered by IT. This is a matter of the department saying what it needs in terms of data protection and IT saying what it can currently do for the department. If these are in alignment, great. If not, it’s on to Step 4. 

4. Help the department and IT come into alignment on the level of data protection the department receives. This is easier said than done in many cases. Sometimes IT takes pride in its systems and procedures and is resistant to the idea that it provides insufficient backup protection. (This is commonly expressed as, “Have the people in that department lost their minds?”) Sometimes IT lacks sufficient storage space or other resources to provide the level of protection desired. In some situations, it might easily be able to meet the department’s needs. In others, the department might need to implement some kind of workaround to close the gap (such as by logging some information manually as a backup in case data is lost). The diplomatic and well-informed BC professional can make an important contribution by helping the parties negotiate their differences and close the gap. 

5. Encourage the department and IT to validate the data backup and any workarounds. It’s not enough to have a backup. The backup has to be tested and proven to work. During a data loss is the worst possible time to find out the measures you’ve been relying on all this time to safeguard your data don’t actually function the way they are supposed to. 

By taking these five steps, the BCM office can do its best to push the organization to raise its data protection game. 

Advocating for Better Data Protection 

These days every organization backs up its data, but relatively few do so in a manner that is rationally tailored to their needs or tested and validated to be sure it works. The BCM professional can help by becoming advocates for better data protection.  

In this role, the BCM pro can and should inquire into the data protection situation for key departments, facilitate communication on this issue between the departments and IT, advocate for the adoption of sound data protection practices, and serve as a liaison between the business departments and IT in closing any gaps between the department’s needs and IT’s capabilities. 

Further Reading

For more information on data protection, data security, and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting: 

• Getting in Sync: Eliminating Recovery Strategy Gaps between BC and IT 
• Finding an Executive Sponsor for Your BCM Program: A Date with an Angel 
• Put Your Program on the Map: A BCM Roadmap for 2022 
• 1 Program, 6 Plans: The Half Dozen Plans Every BCM Program Should Have 
• Be Ransomware Resilient: Know How to Operate Manually