Will COVID-19 Finally Change IT Thinking?

By Chuck Fried, CEO, TxMQ

Anyone who works in IT knows that disaster recovery, or DR planning is a constant. DR tests are regularly scheduled, and departments are measured on their relative success or failure of said tests. It’s a relatively straightforward, if not exactly easy, task to prepare for and come up with responses to all the various hypothetical disaster scenarios you can think of. But what about the scenarios you haven’t thought of?

There are only a few events in the history of information technology that have forced us to completely reevaluate how we protect our key systems. 9/11 was one of those milestones. On September 10, 2001 technology systems were still operating much as they had for the previous decade. By the next day — after the attacks on New York and Washington — everything had changed. IT organizations were suddenly tasked with radically improving security, and there is a clear dividing line between how we managed data integrity before and after that terrible day.

The current COVID-19 pandemic is a global tragedy that is still unfolding, but I predict that it will have just as profound an effect on how IT departments function in the future as 9/11 did, if not more so. The attacks on the U.S. never threatened the technical infrastructure of the United States directly, so in a sense what is happening now is even more profound — and will have much bigger long-term ripple effects, both in terms of how we work and how we think about the technology that powers our economy.

Ultimately, the way this crisis has unfolded is incontrovertible evidence that business leaders must finally reevaluate how they manage their company’s technology infrastructure.  We all must be more forward-thinking — more reflective about the ‘what if’ scenarios impacting our businesses. Rather than waiting for compliance or legal to tell us what’s needed, we should jump at this unique chance to rigorously think through previously unthinkable scenarios.

Worst-case scenario

No one expects to have to live through their worst-case scenario, but short of nuclear war, this pandemic is right up there in terms of severity. Over the past few weeks, I’ve read about and spoken to numerous IT and business leaders who say they didn’t see anything like this coming. But to that I say, this is precisely the sort of situation we should all have been prepared for. Planning for “DataCenterDown” is one thing, but what about a different sort of crisis — like no one can come into work, or we have to operate with a 99% reduction in staff? Was that part of any of your tests or simulations?

If you, like so many IT pros, are now perhaps finding yourself at home with some excess time on your hands, now is as good a time as any to dig out those dusty DR manuals and see how well you really prepared for what we’re all experiencing today.

Nearly every organization has experienced a loss of staff, reduced physical access to systems, and a moderate-to-severe slowdown in business in the past few weeks. The result of the lack of preparedness for these events has caused many a calamity, some of which border on the absurd. For instance, some systems are so highly tuned that they will fire off streams of nonsensical alerts if they see transaction volumes outside of normal parameters — including unusually low numbers (as well as the overly high numbers that businesses are usually on the lookout for).

To be sure, there are things we can’t plan for. It’s a truism to say that we can only plan for what we can think of, and we’re bound to miss the unthinkable. Additionally, there’s an intellectual argument to be made that focusing too much on only the worst-case scenarios is poor risk management, and may lead to companies being overly cautious. But the lack of preparedness among many companies today for this virus flies in the face of the brute fact that this scenario was well within our sights.

Just last year Johns Hopkins, in partnership with the Bill and Melinda Gates Foundation and the World Economic Forum, hosted a heavily publicized disaster preparedness program centered around a tabletop pandemic simulation exercise, which they called “Event 201.” Moreover, Gates and others have been spreading the word to anyone who will listen about the possibility of just this situation for years now. If businesses don’t have a response to global pandemic in their disaster recovery plans, it’s not because such an event was unthinkable. It’s because they weren’t paying attention.

Going forward

The good news is that the core institutions of our society — banks, hospitals, postal services — have shown remarkable resilience in the face of this crisis, even if government leaders have been inconsistent. And while many industries have been devastated, in particular travel, tourism and hospitality (especially restaurants and entertainment), we should breathe a sigh of relief that the pandemic has so far not affected a wider swath of businesses.

If there’s one thing we can be sure of amongst all this uncertainty, it’s that this crisis won’t be the last one in our lifetimes (though hopefully it is the worst). Let us hope this course of events will serve as a much overdue wakeup call to businesses that they need to change their thinking and start seriously planning for the unthinkable.