On Wednesday I had the opportunity to present a session at the ISBA’s IT Strategy and Cyber Security Conference in London. I had previously volunteered to contribute to the conference and was expecting and had planned for a small breakout session anticipating around 20 people. On the day upon arriving at the conference I found out that my breakout session would be following Mark Steed’s keynote speech in the main conference venue and therefore with quite a few more than 20 people.
The session very much focused on my thoughts and experiences around cyber security with key messages around the extent of the risk we all face plus the opposing extremes of over confidence in security efforts or a constant need for heavy security measures at the expense of school operational efficiency. I described my approach as being one of a “healthy” paranoia and of a robust risk assessment and risk recording process.
You can read my slides from the session here.
A little bit of a technology post today: Backups including redundant solutions are increasingly important in organisations as we seek to keep our IT services up and running for our own internal users and also for external users or clients/customers. This might be taking backup copies of data to tapes, having a redundant firewall or internet connection or having a cloud-based service available to replicate on-premise services in the event of a disaster. My concern however is that we can feel better for having these solutions in place happy in the knowledge that we are better off and more protected than if we don’t have them. The issue is that this sense of additional protection is false. Just by having a backup solution of one type of another doesn’t mean that it will work when things go wrong. We also need to be cognisant of the fact that when things do go wrong the result is often one of stress and urgency as we seek to restore services while under pressure from users, business leaders and process owners among others. We need to adopt a scientific mindset and test the backup solution to make sure it works as intended. It is much better to test our backup solutions to a timetabled plan than having the first test of a solution being a full blown real life incident where failure of the system could result in difficulties for the organisation. We also need to bear in mind that just because it works on the day the solution was put in place, or even works today doesn’t mean it will work in a weeks or months’ time, or in a years’ time when we truly need it. We need to have a robust programme of testing our backup solutions to ensure that they work, that we are aware of how they work and any implications and that those who need to use them are comfortable with their use. Only by doing this can we be more comfortable in the knowledge that, when something does go wrong, we have a solution in place and are ready to put it to use.
The perfect example of the above, for me, was a recent test of our own backup solutions which included a service which indicated that recovery to a redundant system would be complete in 4 hours plus would be based on data backup taken regularly. Upon testing the solution we found that the 4 hours recovery period was exceeded due to issues with the backup and the data was 3 days old. We also found that there were implications for other systems when the test failure occurred.
Technology and Learning