I love movies. One of my favorites is A Few Good Men starring Jack Nicholson and Tom Cruise. In the movie’s climactic scene, Cruise, a military lawyer, demands the truth from Nicholson’s Col. Jessup character. In what has become one of Nicholson’s most famous movie lines, he intensely blurts out, “you can’t handle the truth!” In my 30+ years of working with technology, most of it around the financial services industry, I often find this statement bouncing around in the back of my mind as I’m talking with IT professionals.
When it comes to resiliency, can they handle the truth? As we think about resiliency and strategies for recovery, we must put in place solutions that protect us from both natural disasters and cyber security threats. It’s not a coincidence that September is National Preparedness Month followed immediately by National Cyber Security Awareness Month in October. Risks are risks, regardless of where they are coming from.
So, about this truth thing. You may be thinking, “what’s so hard about that?” While the truth is the truth, we can probably all think of situations where what was said to us was truthful but did not contain 100% of the relevant facts. Let me give you an example:
- Financial Institution – Location A
  - 15 physical servers
  - 75 virtual servers
  - Supporting ~15TB of data
Location A represents the production Microsoft® Windows® environment in their data center. At some point in time, Management has decided the FI needs the ability to recover this environment much more quickly than their current strategy allows. One day, an executive says, “we need our servers replicated at a remote location and the ability to recover them also housed there.” That statement makes its way to IT, where they put together a budget of, say, $150,000 to accomplish that.
As the story unfolds, it turns out that purchase request is more than the executive wants to spend this year, so the budget is reduced, thus reducing what can be accomplished. IT, doing their best to deliver on the executive’s original request, uses the funds they’ve been given to create an environment that replicates all of the data to a remote location, but they don’t have enough funds to duplicate all of the hardware.
- Financial Institution – Location B
  - 5 physical servers
  - Able to support 30 virtual servers
  - Supporting ~15TB of data
The truth is, for this to work exactly as the executive expects, we would anticipate Location A and Location B to be identical, wouldn’t we? IT is expected to deliver, and they have; it just isn’t 100% of what is needed if Location A is completely gone. The truth is, details matter. This version of the truth creates a lose/lose when Location A is wiped out and Location B is unable to deliver.
When it comes to cyber resiliency, the number of possible examples like the previous story increases exponentially at each turn. These cracks in the truth can be hiding in your Intrusion Prevention, Intrusion Detection, firewall rules, network topology, connectivity redundancy, levels of trust and authentication, and even the policies and procedures that govern all of your infrastructure and cyber resiliency strategy.
The truth is, your FI probably isn’t doing enough today towards resiliency. It’s not a project with a beginning and an end, where someday you get to proclaim – it’s complete and we’re resilient. Resiliency is a thought process, and a commitment to always working towards being better and making incremental improvements year after year. Whether natural or manmade, the threats are real. Every day that something doesn’t happen brings you one day closer to the day that it will. You can’t bargain with them, you can’t reason with them. They will not stop until … oh wait, that’s another movie!
When it comes to resiliency, and what you really need to be doing, can you handle the truth?