These 5 important questions will make or break your resiliency strategy:
IT and business operations are often disconnected. That could decimate your resiliency planning.


Technology resiliency is no longer just about backups and failovers. It’s about ensuring business operations can withstand and recover from disruptions with minimal impact. Yet, many organizations still operate with a dangerous disconnect between IT disaster recovery (DR) plans and business continuity planning (BCP). This gap creates blind spots that can cripple operations when systems go down.

As SHI Field Chief Technology Officer (CTO) Chris Sittig states, “Organizations focus on technical resiliency: backups, data centers in different regions, etc. In doing so, they miss the operational side. IT doesn’t always understand the business impact of outages, and business leaders assume IT has it covered.”

This disconnect often stems from a false sense of security. IT teams may have robust DR plans, but without understanding how those plans affect business operations like payroll, invoicing, or customer support, they’re only solving half the problem.

“IT comes with all these bells and whistles and says, ‘We can restore these systems within X period of time,’” Chris explains. “But they don’t know what that means for patient care in healthcare or customer service in retail. That’s a huge gap.”

Field CTO Ted DiMontova adds, “When business people say, ‘IT has it covered,’ they’re usually referring to DR. But without BCP, you’re either over-engineered, under-engineered, or just plain deficient.”

How can you address this gap in your resiliency strategy, and what are the risks if you don’t?

Ask yourself these 5 resiliency questions

To determine whether your IT and business operations are disconnected (and how big that disconnect may be), ask yourself these five questions. According to Field CTO Brad Pollard, if you answer “I don’t know,” then there’s a strong chance your resiliency strategy isn’t as strong as you think.

1. How do you align your DR and BCP with critical business processes, not just IT systems?

By asking this question, you force yourself and your team to think beyond backups and servers into real-world workflows.

2. Have non-IT business leaders been actively involved in defining recovery priorities and acceptable downtime, or are these decisions made solely by IT?

If non-IT business leaders aren’t involved, then you’ve revealed your plan isn’t truly cross-functional.

3. When was the last time you tested your BCP against a non-technical disruption, such as a supply chain issue, building outage, or workforce unavailability?

This question pushes you to think about your broader business resilience.

4. How do you measure the impact of downtime or data loss? Do you measure in business terms (revenue, customer experience, compliance risk, etc.) or only in technical terms [recovery time objective (RTO), recovery point objective (RPO), etc.]?

Measuring downtime in business terms encourages your organization to translate IT metrics into business consequences. Doing so helps IT and business operations better understand each other’s needs and priorities.

5. What is your playbook for when your primary data center and key staff are unavailable for 72 hours? How do you keep your organization running? Who outside of IT owns that playbook?

This final question forces you to consider business ownership during real-world scenarios.

The cost of IT and business misalignment

By asking these five questions, you put any potential misalignments into the spotlight. The consequences of those misalignments are real and costly.

Chris shares an example of these consequences from a previous role at another organization. “I had storage arrays go offline, and we couldn’t fail over because everything we needed was in that storage.”

Even organizations with documented BCPs often fall short in execution. “Plenty of companies have DR or BCP,” Brad says. “That doesn’t mean they do DR or BCP. I’ve tried to conduct tests for organizations and no one showed up. The accountants couldn’t leave their desks. HR was too busy. In that case, IT tests everything, and business leaders inadvertently leave themselves out of the loop.”

Automation and AI are compounding the problem. As systems become more complex and operate with less human touch, fewer people understand how they work. “AI is going to create more tech debt and blind spots,” Brad warns. “You’ll have a black box problem where you don’t even know how your company operates.”

Ted echoes this concern. “When people don’t understand how things work, they can’t assess the impact when it goes down. The more automation and AI you throw at it, the more mystery you create. Everything becomes undocumented.”

What you can do today: Start with resiliency tabletop exercises

Once you’ve identified your resiliency weak points, start bridging the gap by conducting tabletop exercises with both IT and business leaders. These exercises are a powerful way to assess the readiness of your stakeholders and discover which mission-critical systems are overlooked.

Brad, Chris, and Ted all agree: when systems go down, you need a plan not just for restoration, but for continuing to operate during the disruption.

“When systems are down, do you know how to invoice on paper or do payroll? Do you have a plan in place if customers can’t speak to a support agent for X amount of hours?” Brad asks.

Chris recommends bringing these hypotheticals to your tabletop. “Ask your business leaders, ‘We’ve had a massive ransomware attack. We don’t know when systems will be restored. What do we do?’ Many people think the answer is pushing a button to instantly restore from a backup. Trust me, it’s not that simple.”

Ted emphasizes the importance of using tabletops to understand application dependencies. “Most organizations don’t know what’s truly in their environment. They miss intermediary systems that support main applications. That’s a big problem for business resiliency.”

True resiliency brings meaning to metrics

Resiliency isn’t just about hot sites and RTOs. It’s about translating technical metrics into business impact.

As Brad explains, “We need to move from ‘we can bring a data center online in 45 minutes’ to ‘invoicing will be unavailable for three hours.’ That’s the kind of conversation CIOs should be having.”

And it’s not just about having a plan; it’s about having buy-in. “We did BCP really well at my previous company because the CEO and CFO were involved,” Brad says. “We had an app that let you pick your disaster. It would tell you who to call and walk you through a call tree of everything that happened.”

How SHI can help

Technology resiliency isn’t just an IT problem. It’s a business imperative. CIOs must lead the charge in bridging the gap between technical recovery and operational continuity. That means asking hard questions, involving the business in planning and testing, and embracing a holistic view of resiliency.

Whether you’re just getting started or have been working on your resiliency strategy for years, it helps to have an outside perspective. An expert set of eyes can reveal blind spots you didn’t know existed and show you how to better align your BCP and DR with your desired business outcomes.

This is where the experts at Stratascale, SHI’s cybersecurity services division, can help. We can review your existing BCP and DR initiatives and compare them to applicable compliance requirements, industry best practices, and internal goals. Then, we’ll show you the steps you need to take to close the IT-business gap and strengthen your resiliency.

NEXT STEPS

Contact our experts to see how Stratascale, SHI’s cybersecurity service division, can help close the gaps in your IT resiliency strategy.

Chris Sittig is a seasoned technology leader with over 30 years of experience driving innovation and strategic growth for Fortune 500 companies across healthcare, energy, finance, and service industries. As a Field CTO at SHI, he excels at aligning technology initiatives with business goals, fostering collaboration between IT and business units to deliver practical, high-impact solutions.

A passionate technology executive, Field CTO Ted DiMontova specializes in leading global teams through transformative initiatives in cloud infrastructure, enterprise architecture, security, and DevOps. Ted thrives on aligning engineering and operations with strategic business goals, helping Fortune 100 companies innovate and scale. 

Brad Pollard is a seasoned technology executive and Field CTO at SHI, leveraging 30 years of experience building IT ecosystems that drive corporate growth. He has led two companies from startup through IPO, including key technology leadership roles at Tenable and Sourcefire. Brad specializes in digital transformation, strategic frameworks, and scaling organizations, guiding customers and partners with actionable insights and proven expertise.
