{"id":3746,"date":"2012-06-01T07:41:10","date_gmt":"2012-05-31T21:41:10","guid":{"rendered":"http:\/\/nsrd.info\/blog\/?p=3746"},"modified":"2018-12-11T14:33:53","modified_gmt":"2018-12-11T04:33:53","slug":"healthy-paranoia","status":"publish","type":"post","link":"https:\/\/nsrd.info\/blog\/2012\/06\/01\/healthy-paranoia\/","title":{"rendered":"Healthy paranoia"},"content":{"rendered":"<p><a href=\"https:\/\/nsrd.info\/blog\/wp-content\/uploads\/2012\/05\/paranoia.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-3747\" title=\"Healthy paranoia\" src=\"https:\/\/nsrd.info\/blog\/wp-content\/uploads\/2012\/05\/paranoia.jpg\" alt=\"Healthy paranoia\" width=\"371\" height=\"625\" srcset=\"https:\/\/nsrd.info\/blog\/wp-content\/uploads\/2012\/05\/paranoia.jpg 371w, https:\/\/nsrd.info\/blog\/wp-content\/uploads\/2012\/05\/paranoia-178x300.jpg 178w\" sizes=\"auto, (max-width: 371px) 100vw, 371px\" \/><\/a><\/p>\n<p>Are your backup administrators people who are naturally paranoid?<\/p>\n<p>What about your Data Protection Advocate?<\/p>\n<p>What about the members of your Information Protection Advisory Council?<\/p>\n<p>There&#8217;s healthy paranoia, and then there&#8217;s crazy paranoia. (Or as is trendy to say these days, &#8220;cray cray&#8221;.)<\/p>\n<p>Being a facet of Information Lifecycle Protection, backup <em>is<\/em>&nbsp;about having healthy paranoia. It&#8217;s about behaving both as a cynic and a realist:<\/p>\n<ul>\n<li>The realist will understand that IT is not immune to failures, <em>and<\/em><\/li>\n<li>The cynic will expect that cascading or difficult failures will occur.<\/li>\n<\/ul>\n<p>Driven from a healthy sense of paranoia, part of the challenge of being involved in backup is an ability to plan for bad situations. 
If you&#8217;re involved in backup, you should be used to asking &#8220;But what if&#8230;?&#8221;<\/p>\n<p>As I say in my <a title=\"Enterprise Systems Backup and Recovery: A corporate insurance policy\" href=\"http:\/\/www.enterprisesystemsbackup.com\/\" target=\"_blank\">book<\/a>, backup is a game of risk vs cost:<\/p>\n<ol>\n<li>What&#8217;s the risk of X happening?<\/li>\n<li>What&#8217;s the cost of protecting against it?<\/li>\n<li>What&#8217;s the cost of <em>not<\/em>&nbsp;protecting against it?<\/li>\n<\/ol>\n<p>Paranoia, in the backup game, is being able to quantify the types of risk and exposure the business has \u2013 item 1 in the above list. Ultimately, items 2 and 3 become business decisions, but item 1 is <em>almost entirely<\/em>&nbsp;the domain of the core backup participants.<\/p>\n<p>As such, those involved in backup \u2013 the backup administrators, the DPA, the IPAC \u2013 need to be responsible for development and maintenance of a <em>risk register<\/em>. This should be a compilation of potential data loss (and potentially data <em>availability<\/em> loss*) situations, along with:<\/p>\n<ul>\n<li>Probabilities of the event occurring (potentially just as &#8220;High&#8221;, &#8220;Low&#8221;, etc.);<\/li>\n<li>Current mitigation techniques;<\/li>\n<li>Preferred or optimal mitigation techniques;<\/li>\n<li>Whether the risk is a <em>primary<\/em>&nbsp;risk (i.e., one that can happen in and of itself), or a <em>secondary<\/em>&nbsp;risk (i.e., can only happen after another failure);<\/li>\n<li>RPO and RTO.<\/li>\n<\/ul>\n<p>This register then gets fed back first to the broader IT department to determine question two in the risk vs cost list (&#8220;What&#8217;s the cost of protecting against it?&#8221;), but following that, it gets fed back to the <em>business as a whole<\/em>&nbsp;to answer the third question in the risk vs cost list (&#8220;What&#8217;s the cost of <em>not<\/em>&nbsp;protecting against it?&#8221;).<\/p>\n<p>Finally, it&#8217;s 
important to differentiate between <em>healthy paranoia<\/em>&nbsp;and <em>paranoia<\/em>:<\/p>\n<ul>\n<li>Healthy paranoia comes from acknowledging risks, prioritising their potential, and coming up with mitigation plans before deciding a response;<\/li>\n<li>Paranoia (or <em>unhealthy<\/em>&nbsp;paranoia) happens when risks are identified, but mitigation is attempted before the risk is formally evaluated.<\/li>\n<\/ul>\n<p>A backup administrator, given carte blanche over the company budget, could spend <em>all of it<\/em>&nbsp;for 5 years and still not protect against <em>every<\/em>&nbsp;potential failure the company could ever conceivably have. That&#8217;s unhealthy paranoia. Healthy paranoia is correctly identifying and prioritising risk so as to provide maximum appropriate protection for the business within reasonable budgetary bounds.<\/p>\n<p>&#8212;<br \/>\n* Arguably, data availability loss is a broader topic that should also have significant involvement by other technical teams and business groups.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Are your backup administrators people who are naturally paranoid? What about your Data Protection Advocate? 
What about the members of&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3,5],"tags":[138,187,722,1252,836,837],"class_list":["post-3746","post","type-post","status-publish","format-standard","hentry","category-architecture","category-backup-theory","tag-backup","tag-business-continuity","tag-paranoia","tag-recovery","tag-risk","tag-risk-vs-cost"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pKpIN-Yq","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/3746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/comments?post=3746"}],"version-history":[{"count":1,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/3746\/revisions"}],"predecessor-version":[{"id":7478,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/3746\/revisions\/7478"}],"wp:attachment":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/media?parent=3746"}],"wp:term":[{"taxo
nomy":"category","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/categories?post=3746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/tags?post=3746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}