IT Strategy for Businesses Small and Large

It is important for businesses to have a well planned and executed Information Technology (IT) strategy to ensure networks and servers are always running and access to critical data is never lost. Below is an excerpt from Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses by Donna R. Childs, which introduces the basics of creating an IT strategy.

Your information technology (IT) strategy is critical to your disaster preparedness and recovery efforts. Most businesses have an in-house IT staff or a relationship with an external consultant that built their systems. Such relationships are valuable and it is not in the interest of a small business to abandon them in frustration. The IT team that built your system knows it in detail and has made decisions based on the specifications that your business had required. They may have been instructed to implement a certain feature "exactly this way." Should you terminate this relationship in haste and replace your existing team with a new IT solutions provider, you will incur additional costs and will likely once again be disappointed with the results.

Remember the expression from the movie Cool Hand Luke: "What we have here is a failure to communicate." It can be very frustrating for IT professionals to try to implement a systems solution at the direction of business people who don't understand the technical constraints or the inherent contradictions or unreasonableness in what they are asking. At the same time, it is very disappointing for business people to invest significant sums of capital in IT capacity only to find that the result is not what they had anticipated. In such situations, what you need to do is to make sensible and powerful changes that will be welcomed as improvements without embarrassing or blaming the existing IT members for their decisions.

A good IT solution provides contingent capacity, is simple, and easy to operate. Creating or reviewing for contingency includes analyzing the current infrastructure, determining how the system is used, understanding current and future needs from a high-level perspective, and observing if those needs are being met and if they will be met in the future. The exercise of developing a contingency plan opens the door for a productive dialogue with your IT staff, as well as your customers, suppliers, and business partners who should all be a part of your contingency efforts. The result of this dialogue will be, I hope, a simplified and streamlined technical architecture that leads to more cost-effective solutions and additional contingent capacity. This is a far more effective solution to your business than mindlessly importing the solution developed for large corporation XYZ. Generally, a solution developed for a large corporation and then scaled down for use by a small business fails to yield the desired results.

Small business requirements for IT contingency and solutions differ substantially from those of large businesses. We see too often good solutions that have been developed for large customers simply downsized and implemented in small businesses. In most cases, they are not cost-effective, are sufficiently inflexible, and difficult to use in your day-to-day operations. And, I am sorry to report that should you find your small business in disaster recovery mode, the system you imported from a large corporation will become an impediment to your recovery efforts. The good news is that you can learn from the mistakes of other small businesses that imported solutions that were inappropriate for their needs, and develop your own, much simpler solution, at greatly reduced expense.

In developing a disaster recovery plan, businesses often put in place IT systems that anticipate and prepare for the worst case scenarios, such as the total destruction of their business facilities. They assume that all less severe disasters are subsumed and automatically protected by such a system. In fact, I have read such advice in a number of general books about disaster recovery! This assumption generally holds true, but it should not be the basis of your contingency planning. Do you intend to initiate a full-blown disaster recovery action plan each time you experience a small deviation in normal operations? Is it a cost - effective way to run your operations? It is much more sensible for small businesses to have a good solution implemented that deals efficiently with the most common "small" disaster types, such as human error, and therefore provides a swift recovery. Of course, you also want to have some protection in place against the worst case scenarios, such as a severe terrorism attack, but it is unlikely that most of the readers of this book will ever be required to implement such recovery operations. Small businesses typically need a modest, cost-sensitive solution that deals with their specific daily operations issues. This typically means developing a solution that provides for immediate recovery from modest disasters, even at the expense of slightly extending the period of recovery from severe disasters.

It is, of course, a very different approach from the one implemented by large-scale corporations. They need more complex solutions to protect themselves against severe disasters, such as terrorist attacks. In such disasters, their very existence is at stake. Imagine the situation faced by IT teams of the large money-center banks in Manhattan on September 11, 2001. They have an enormous volume of financial transactions to process, and so fast recovery from severe disasters is mandatory for them. You won't be surprised to learn that backup facilities in Jersey City were humming on September 11, taking over the responsibility of processing banking transactions from their Manhattan-based colleagues. At the same time, however, these large corporations don ' t expend much effort worrying about protecting against human errors, such as the mistaken deletion of a computer file. Should such human errors interfere with their operations, they can simply correct the problem by mobilizing the manpower of their vast IT departments.

To find out what you as a small business really need to feel comfortable, and to make IT infrastructure a cornerstone of your business, start with finding good answers to the questions related to protect yourself against the six disaster types already presented. The following are some sample questions; you will probably have to add your own questions to this outline:

  • Human Error: How do your employees store their data? Is a standard naming scheme in place? Do you have version control for documents in place? How do you share data between groups? How much do you want to invest in user training versus protecting data through more technology expenses? How quickly must lost data be restored?
  • Equipment Failure: Which are your most critical systems? What performance do you require from each system? What are acceptable downtimes to your business in case of malfunctions? Which infrastructure elements need special protection? Do you have a dedicated budget for spare parts and equipment replacements?
  • Third-Party Failure: How essential is e-mail (and reliable Internet connectivity) to your business? How long could you work without your phone? How often do you expect power outages and how long would they last?
  • Environmental Hazards: Did you check your offices for environmental toxins? Is your lighting system compatible with your computer screens? How did you prepare for office safety against contamination by hazardous materials? Which systems must be available remotely if you were to leave the office right away?
  • Fire and Other Disasters: Do you have backups at a safe remote location? Do you have special equipment to detect fires and to automatically shutdown your equipment? Is your staff aware of the emergency shutdown operations? Do you have fire protection containers for important or valuable items?
  • Terrorism and Sabotage: What is your emergency plan? Will it ensure safety of your trade secrets? Are you secured against a targeted hacker or virus attack? How do you protect your business from any disgruntled former employees?

These are the questions you should ask yourself. Did you find some that caught your attention? Are you beginning to think about answers to these questions? As you continue to read, we will ask more questions, and even answer some of them.

This exercise, the process of asking questions, is often an eye-opening one for many small businesses. You will realize for which types of disasters you have adequate protection and to which ones you are vulnerable. As you work through this exercise, you begin to see how your business processes and critical tasks are connected to your IT infrastructure, and how you can achieve a better link between critical tasks and information systems. You will also be able to view your IT infrastructure with more confidence, advising your IT staff or consultants on targeted actions to improve specific processes and to respond in anticipation of certain scenarios.


From Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses by Donna R. Childs. Copyright 2008 John Wiley & Sons, Inc. All Rights Reserved. Used by arrangement with John Wiley & Sons, Inc.