Data Security and Disaster Recovery: Imagining the Bad Day

In brief

Situation. A company processing exabytes of customer data has a duty to imagine, in detail, what the worst possible day looks like, and to have rehearsed it.

Complication. Disaster recovery and data security cannot be retrofitted after an incident; they have to be designed and stress-tested in advance, covering scenarios from infrastructure failure to hostile cyberattacks.

Resolution. I led the development of a comprehensive Data Security and Disaster Recovery strategy across production and analytical systems. The work involved scenario modelling for a full range of risk conditions and ensured the company’s readiness to recover rapidly while maintaining data integrity.

Impact. Significant enhancements to existing infrastructure and operational practices. Improved resilience and security posture. Directly led to the establishment of a new senior role, Head of Cybersecurity, demonstrating institutional commitment to data protection.

The longer story

Disaster recovery is one of the few areas in business where pessimism is professionally rewarded. The job is to spend Wednesdays imagining catastrophe: ransomware, data centre fire, malicious insider, regulatory raid, accidental DELETE FROM. Most of the scenarios you model will never happen. A small number will. The discipline is in not knowing which.

The deeper organisational benefit of a serious DR programme is that it forces leadership to articulate, in writing, what the business actually depends on.

You will discover, in the exercise, that the official “critical systems” list is wrong. The actual critical system turns out to be a spreadsheet maintained by someone in operations who left two years ago, and it has been the load-bearing pillar of a process nobody documented.

DR exercises uncover these pillars. The recovery plan is the visible output. The map of hidden dependencies is the underrated output, and it is the one that makes the company actually safer.