Ask HN: How do you justify recovery and continuity prep to the business-side
Consensus is (seems to me) that recovering after various catastrophes (destroyed server, destroyed server room, destroyed site, deleted data, ransomware-infected network, ...) needs to be prepared for, tested, exercised, trained. However, preparations and especially tests like trying to set up your whole IT from scratch are expensive, time- and resource-consuming.
How do I convince non-IT people in our company, especially of the bean-counting kind, that this is important? Sending them scary news articles doesn't seem to do the trick. Can I put this in numbers? Is there a sensible dollar amount to spend on such things? Are there statistics one can use: how often catastrophes happen, how long they will take to fix, what they usually cost? Other ideas?
Talk about things like cost of downtime, probability statistics, and how much money is lost if you're not prepared. Things like that will help.
What is the most likely outcome (negative thing to plan for)...
What is the worst case scenario?
Then suggest a small percentage of a monthly budget go towards the "worst case scenario".
Get the burden rates for staff, calculate the realistic costs of doing DR preparations and exercises vs the realistic costs of recovering from an actual incident.
Factor in loss of staff (for whatever reason).
You can dig up the costs from other companies but you can only make it real to management if you use data and numbers from your own enterprise.
Make it a documented, financially driven business decision that they cannot ignore. They may well decide not to invest in DR/continuity prep. In that case, document your activities and start looking for new employment: they do not value the business enough to invest in protecting it from absolutely predictable, let alone unpredictable, I/T events.
I was spouse-adjacent to Google for many years and really admired their DR/continuity work and exercises. I don't know if that's written up anywhere but it really seemed to be embedded in their operational philosophy (at least up to 2020, my semi-inside exposure to Google ended then).
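The comments above suggest pricing the decision with the company's own numbers (burden rates, cost of downtime, likelihood of each scenario) and comparing the cost of DR preparation against the expected cost of recovering without it. The script below is an added example, not code from anyone in this thread; it applies the standard annualized loss expectancy model (single loss expectancy multiplied by annual rate of occurrence) to a set of scenarios, once with and once without DR preparation, and reports the net benefit and the break-even preparation budget. Every figure in it (scenario probabilities, downtime hours, the 2,000/hour downtime cost, the 75/hour burden rate, the 60,000/year preparation cost) is a constructed placeholder to be replaced with the enterprise's own data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One catastrophe to plan for, with recovery effort with and without DR prep."""
    name: str
    annual_probability: float            # expected occurrences per year (ARO)
    downtime_hours_unprepared: float     # outage length if recovery is improvised
    downtime_hours_prepared: float       # outage length with tested backups/runbooks
    staff_hours_unprepared: float        # recovery labour, improvised
    staff_hours_prepared: float          # recovery labour, rehearsed


@dataclass(frozen=True)
class BusinessInputs:
    """Figures the bean counters can verify from the company's own books."""
    downtime_cost_per_hour: float   # lost revenue / idle staff per hour of outage
    staff_burden_rate: float        # fully loaded cost of one staff hour
    annual_prep_cost: float         # backups, restore tests, DR exercises, training


def single_loss_expectancy(s: Scenario, b: BusinessInputs, prepared: bool) -> float:
    """Cost of one occurrence of the scenario (SLE)."""
    downtime = s.downtime_hours_prepared if prepared else s.downtime_hours_unprepared
    staff = s.staff_hours_prepared if prepared else s.staff_hours_unprepared
    return downtime * b.downtime_cost_per_hour + staff * b.staff_burden_rate


def annual_loss_expectancy(scenarios, b: BusinessInputs, prepared: bool) -> float:
    """Expected yearly loss across all scenarios (ALE = sum of SLE * ARO)."""
    return sum(s.annual_probability * single_loss_expectancy(s, b, prepared)
               for s in scenarios)


def rank_scenarios(scenarios, b: BusinessInputs):
    """Scenarios ordered by expected yearly loss when unprepared, worst first."""
    return sorted(
        ((s.name, s.annual_probability * single_loss_expectancy(s, b, False))
         for s in scenarios),
        key=lambda pair: pair[1], reverse=True)


def dr_business_case(scenarios, b: BusinessInputs) -> dict:
    """Compare yearly prep spend against the yearly loss it is expected to avoid."""
    ale_unprepared = annual_loss_expectancy(scenarios, b, prepared=False)
    ale_prepared = annual_loss_expectancy(scenarios, b, prepared=True)
    risk_reduction = ale_unprepared - ale_prepared
    net_benefit = risk_reduction - b.annual_prep_cost
    return {
        "ale_unprepared": ale_unprepared,
        "ale_prepared": ale_prepared,
        "risk_reduction": risk_reduction,
        "net_benefit": net_benefit,
        # return on security investment: benefit per unit of prep spend
        "rosi": net_benefit / b.annual_prep_cost,
        # the most it makes sense to spend per year on prep for these scenarios
        "breakeven_prep_budget": risk_reduction,
    }


# Constructed sample data; replace with figures from your own enterprise.
SCENARIOS = (
    Scenario("deleted_data", 0.5, 24, 4, 80, 16),
    Scenario("ransomware", 0.1, 240, 48, 800, 200),
    Scenario("server_room_loss", 0.02, 720, 72, 1600, 400),
)
INPUTS = BusinessInputs(downtime_cost_per_hour=2000.0,
                        staff_burden_rate=75.0,
                        annual_prep_cost=60000.0)

if __name__ == "__main__":
    for name, loss in rank_scenarios(SCENARIOS, INPUTS):
        print(f"{name:18s} expected yearly loss (unprepared): {loss:12,.0f}")
    for key, value in dr_business_case(SCENARIOS, INPUTS).items():
        print(f"{key:22s} {value:12,.2f}")
```

The break-even budget is the direct answer to "is there a sensible dollar amount": with these placeholder inputs, preparation is worth funding up to the risk reduction it buys, and the ranking shows which scenario dominates the expected loss so the budget argument can be made for that one first.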