During a conversation with a data centre manager in Dubai, the question arose as to what their BC capabilities were and where their DR site was located. His response:
“There is no need for BC plans or a DR site, it is all in God’s hands…if it happens, it happens!”
In many ways, these are the types of responses one comes across when dealing with companies internationally which have different cultures, traditions, beliefs and this directly affects their attitude to risk.
Clearly, having a deep rooted faith in God, this data centre manager thought that a natural disaster is outside of his control. Which is correct. However, security and risk management is precisely about dealing with issues that are outside of your control. It’s the precise reason why no security manager will ever say to his boss that any system or facility is 100% secure because there are too many factors outside of your control.
For example, you can enforce strong passwords on laptops and fully encrypt the hard drive. You can even educate your users on how best to protect the laptop. What you can’t control is a user choosing to ignore your advice, sharing his password or even being bribed into passing over sensitive data.
This can be depicted as two spheres of control. One part which is within your control and the other sphere which is outside of your control.
Good security practices can help you ensure that you can tie down everything within your control whilst recognising there are aspects outside of your control which can impact these.
So the data centre manager is right, a disaster is outside of his control. But building another site is within his sphere of control and would ensure business functions continue as normal through a disaster scenario.