Contrary to what the title says, this article is not solely about backup. On some level, it is not about backup at all. It’s more about the necessity to fundamentally understand a problem before one is able to effectively aim for the solution.
Bear with me…
The inspiration to write this article came from a short exchange on LinkedIn. One professional considered complex and simple aspects of GDPR. Among the elements falling in the simple part were: updating and legality of software, permission management, and the titular backups. The author of the comment was surprised that even these common-sense elements still significantly contribute to violations.
I stuck to the last one and started thinking about how to optimally balance operational, tactical, and strategic aspects of it – for it to really work (and I mean “really work!”), and finally, how it translates into an understanding of the need for resources (time, financial, and others).
If we look at backup as a process, it consists of multiple layers. Not all have to be addressed at once, but all should be at least considered to some extent for the process to be reliable. Here are some fundamental questions one needs to ask when thinking about backup:
- Which data to secure?
- What media, software, hardware to choose?
- What mode of backup to establish, in relation to the specificity of data?
- How does it translate to RTO & RPO (recovery time and recovery point objectives)?
- Whether, from where, of what type, and for how much to buy the tools: software, hardware, media, and maybe services?
- How to install, configure and maintain the hardware?
- How to install, configure and maintain the software?
- How to set up the services?
- What should the operational process of backup look like to ensure repeatability and reliability (including responsibilities, sequences, communication, and accountability aspects)?
- How often, in what mode, to test if the backup works?
- How to formalize it all in a DRP (Disaster Recovery Plan)?
- How often, in what mode, to test the DRP?
- If there are external entities involved: how to manage the lifecycle of their contracts?
- How often, in what mode, to revise all these elements?
If you managed to get this far, note that the list is by no means exhaustive. It only demonstrates how a seemingly simple element of a company’s ecosystem is in fact a multi-layer monster of a challenge. And this challenge is expected to be carried out by way of some “real work”, probably more by specialists than managers, because it’s “only a backup”.
Think of how much time, money, cognitive effort, and other resources it costs to address such an issue in a comprehensive manner. Now, many so-called simple things work in a similar way. If one wants to introduce a sustainable, repeatable, and reliable process (whether in IT, GDPR, or any other area), a decomposition similar to the one demonstrated above must take place. Otherwise, no sufficient understanding of the issue will emerge, and without this understanding one will not be able to justify a claim for the resources.
I would like to take you, dear reader, to a constructive conclusion, but first a picture:
The above graphic shows how various types of professional effort are distributed across various corporate roles. The lower in the managerial hierarchy, the more operational effort is required. The higher in the managerial hierarchy, the more strategic effort is advisable. The share of tactical effort is moderately low on both ends of the managerial hierarchy and slightly grows in the middle.
The final decision to invest is generally an executive effort. Executives also do not have time (and it is not in the organization’s best interest) to cope with too many details. They must be given a recommendation and justification for the investment: a business case. It won’t be reasonable to expect any specialist to deliver such material. That leaves the experts, but even more so the managers.
A particular class of managers, supported by the experts, should be responsible for decomposing complex issues: first building an understanding, then a business case, and then claiming the funding. But will all managers manage?