Although the Covid-19 pandemic is not yet behind us, we’ve already learned a few lessons from seeing how IT organizations approached and handled the situation over the past weeks. One of them relates to business continuity plans (BCPs), which organizations put into place prior to the crisis.
Incomplete business continuity plans
Business continuity management is a well-established process that helps companies identify risks that could impact the organization and design plans to address different scenarios. It also ensures that there is a fallback plan in place until the situation returns to its normal state so that key business functions can continue with minimal interruption.
But Covid-19 has challenged most of the BCPs in place.
The IT BCP plans defined today were designed to help organizations remedy serious damages to IT infrastructure, data centers and networks, e.g. due to flooding, earthquakes, fires or terrorist attacks, all of which would prevent IT services from supporting various business functions. But in the case of Covid-19, none of these events occurred. IT services continued to perform normally and back-end infrastructure – including data centers, infrastructure, applications and networks – operated as expected. The problem resided in the last mile, i.e. end users, operational staff and support functions. They couldn’t go to the office and work in their usual, secure onsite environments. Moreover, third-party disaster recovery services, costing substantial recurring fees, were unable to alleviate the situation at all. Employees couldn’t leave their homes given the confinement rules imposed by authorities and, regardless, existing and planned spaces would not have had the capacity to support the entire company staff.
Remote working as the new normal, not the exception
When analyzing the situation, we noticed that most organizations have remote access capabilities, although not all of them were designed to scale to the extreme levels now required. It was not unusual to see organizations hurriedly order laptop devices for their employees in order to grant them access via VPN to corporate resources and applications. This last minute procurement introduces various challenges:
- Organizations couldn’t stick to their regular procurement processes for these new devices, e.g. pitching to their preferred vendors. For some, this resulted in higher costs than would usually be expected.
- Not all organizations have been provided with the devices they requested due to shortages given increased demand.
- The hasty deployment of dozens, or even hundreds, of laptops has been a source of stress for organizations who are trying to manage costs – not only from a hardware and infrastructure perspective but also from an application, license, data, access and security perspective.
Because of (or thanks to) Covid-19, organizations have realized that teleworking is a legitimate operating model for the company, not merely an option to be used once a week or a few times a month to improve work-life balance. They have seen that remote working functionalities should be better integrated into their BCPs and disaster recovery plans (DRPs). We should expect a shift of IT budgets from BCP design and periodic testing to proper teleworking infrastructure for all staff.
Finally, the same organizations are now expecting to finance future teleworking deployment using the long-term cost reductions these teleworking solutions will bring: reduction of office space, lower operating costs (office cleaning and insurance), etc.
DaaS (Desktop as a Service), an agile and scalable technology
Available technologies can support a wide variety of remote working strategies, each suitable for different business models and stages of remote working implementation. The table below compares the two main solutions: the virtual private network (VPN) and Desktop as a Services (also known as virtual desktop infrastructure – VDI).
|Capability to work offline||Laptops can still be used off-line for some tasks||In the case of central infrastructure or connectivity issues, remote devices cannot be used|
|Support of high-end graphic applications||High-performance applications might require specific CPU/GPU designs||DaaS can support graphic and processing capacity needs on a user or application basis and is freely configurable at any time|
|Impact on IT infrastructure footprint||Requires life-cycle management of new assets (desktops, laptops, etc.) and maintenance/support costs||Can be enabled on existing devices used by employees at home: desktops, tablets, smart TVs, laptops, etc.|
|Extra licenses required for remote devices||Additional licenses need to be purchased/reported for new devices||No need to procure licenses for remote users|
|Transfer of corporate data to remote devices||Data is copied at end points||All company data remains in central infrastructure, reducing potential data leakage|
Backup of remote devices
|Policy to be implemented and adopted for backup of new remote devices||Hosted centrally, so all user data is backed up automatically based on company policy|
|Antivirus/patching updates||Devices must be available at all times to ensure antivirus and system updates are rolled out to each device individually||All patching and security are managed in one central location|
Recommendations for CIOs
With the lessons learned from the recent Covid crisis, CIOs will need to take some steps to anticipate future IT disruptions:
- develop a digital workplace strategy that includes collaboration applications, security controls, bring-your-own-device (BYOD) programs and network support;
- create inventory of work use cases; understand the typical workflow of people who are able to do their jobs remotely; identify the systems, applications and data they need to access;
- review short-, medium- and long-term IT strategies and plans, and adjust them to the new normal;
- identify security needs to remain cyber-secure; review existing security infrastructure, assets and threats, and assess what people will need to work safely, as discussed by my colleague, Laurent de la Vaissière, in his blog;
- challenge current business continuity, disaster recovery and operation plans and underlying costs, while integrating teleworking as a mandatory component;
- consider appropriateness and adequacy of the technology that will be used: DaaS or VPN based on what hardware remote employees will use (company-issued or personal devices) to enable their business roles .