Budget Ax Falls on Disaster Recovery

Execs figure cutting DR for new projects will save half their cost. But to a security manager, it feels like living on the edge.

I just came back from an all-day budgetary bloodbath. Not unexpectedly, my capital budget for 2009 for 2009 is basically zero.

What I had not expected was the gutting of the disaster recovery budget. Until now, the cost of disaster recovery has always been included in any new project or implementation. Anytime we have built a new production service that is mission-critical to the business, we have also built a duplicate in our secondary data center. No more. Now our executive management team wants to stop funding the extra cost of DR systems.

In this day and age, I can't imagine any large company relying on a single point of failure for business-critical services. But that's exactly what our executives want to do. In their minds, duplicating our systems in a data center that may never get used essentially doubles the cost of any implementation.

So, as they reviewed our expenditures in search of ways to save significant money, they hit on cutting out DR for new installations, believing that this will cut the costs of new implementations in half.

I believe that DR is an investment in keeping the company alive in the event of a severe outage. It's an insurance policy, and like any other insurance, you pay upfront so that you don't suffer severe losses later. The ability to switch operations to an alternate data center is indispensable at any company where critical system outages can cost millions of dollars an hour. Hurricanes, earthquakes and terrorist attacks are just some of the disasters that can occur with little or no warning. They're all facts of life, though we wish they weren't, and their consequences can be devastating -- for businesses as well as people. Many companies have even been forced to go out of business in the wake of a disaster.

At my company, the battle over DR was fought and won a long time ago, so it's disheartening that the concept is once again being questioned. The executives are asking what value we get from servers that don't do anything unless something really bad happens. The way they figure it, we can deploy twice as many services without DR as we can with DR, so why not spend what little budget we have on rolling out new applications without the added cost -- and protection -- of backup servers?

Hard Choices

I say we're better off rolling out half the services and making them robust. But right now, I'm outvoted. In this dismal economy, we have to make hard choices, but this feels like taking two steps backward. If we stop building DR systems, when are we going to start again? And when -- if ever -- are we going to go back and build DR systems for the applications we roll out in 2009?

It looks like I'm not going to be able to get a budget for any new security services, either. About the best I can do is replace existing security services with cheaper options. In a way, that's a good thing, because it gives me the opportunity to improve some areas of our security infrastructure that aren't giving us the results I'm looking for. But not adding anything new will mean our security posture is going to stall for now. We're going to have to tread water for a while and do the best with what we have.

Things could be worse, I'm sure, but they could be better, too. At least we're going to be able to keep what we have for now, except for disaster recovery. I know many people are in worse situations, but that doesn't really make me feel any better about this. This year is shaping up to be tough. I hope things get better for all of us soon.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.

Join in

To join in the discussions about security, go to computerworld.com/blogs/security.


Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon