Part 5 of a 5-part series
I think it’s fair to say most of us working in security or compliance have heard about DORA, the EU’s Digital Operational Resilience Act, coming into effect next year.
The act affects not only financial entities (which includes everything from banks to investment firms, insurance companies and more) offering services on EU soil but also many service providers supplying critical ICT services to these entities.
More than a few vendors in the storage and recovery space have promoted their solutions as the answer to DORA compliance. After hearing more or less the same things from a plethora of marketing departments, you’d be forgiven for thinking DORA was all about the kind of “resilience” that comes from your ability to recover from a breach. I sure did.
But, after reading the entire act, most of the supporting EU publications, as well as the legal interpretations from a number of law firms as to the act’s impact, I stand corrected and wanted to share some of what I’ve learned.
More to DORA Than Resilience and Recovery
Writing for a data infrastructure provider like Hitachi Vantara, I too would have liked to say DORA was all about business resilience through rapid recovery. But it isn’t. DORA is in many ways just as much about withstanding attacks (as in, not being knocked down in the first place) as it is about recovering should it go wrong.
Here’s a little secret. When I set out to write this article, my initial intention was to treat it as a separate piece and not part of the Beyond Recovery series because I didn’t think it would quite fit in. To my own surprise, after doing the research, many of the concepts we’ve been discussing around taking a holistic, strategic and root-cause focused approach to security are very relevant to DORA compliance. They may even be necessary.
DORA requires you to continuously manage your risk. And as we’ve discussed in this series, pure risk-management is unsustainable or at least very costly – and is going to get a lot costlier under DORA. I believe switching to a more proactive quality-management approach to reduce how much risk management you need in the first place is your best long-term bet.
A New Approach to Addressing DORA
Given the trends we’ve discussed, with risks ever-increasing, compliance with the regulators’ criteria will be challenging as things stand. And it will only become harder, unsustainably so, as risk accumulates.
One example of how DORA is about so much more than just recovery, and just how serious it can be, is that regulators could demand organizations address specific vulnerabilities at their discretion. The failure or inability to do so could result in fines and even criminal penalties.
So, it’s much more than backups and recovery then. In fact, if you look at the Draft Regulatory Technical Standards (Section 3), one of the very first requirements of DORA is asset management.
That makes sense. How can you decide what’s important to your organization, what needs protecting and what you might need to recover first, if you don’t know what systems drive what business processes and revenue, or where they are? And how can you even secure systems you aren’t aware of or have no control over?
This connection between IT assets and business process is a recurring theme in DORA, and one I’m personally happy to see.
Responsibility Goes Right to the Top
After asset management, the requirements continue on to incident management, classification and reporting, and resilience testing. All of which feed into a mandatory ICT governance and control framework to minimize risk to critical business and IT assets.
And the responsibility for this framework sits at the highest level of the organization.
Quoting from Kemp IT Law, “The management body of the financial entity (generally the board) will be responsible for this framework, including policies, roles, business continuity plans, audit, supervision of ICT service providers, training, etc.”
Now, none of this means recovery isn’t part of DORA. It’s a big one, and some parts of it are very stringent indeed. One that I’ve not seen mentioned by any vendor is that critical services, such as those doing end-of-day processing, must be recoverable in two hours.
Two hours.
Again, under penalty of fines and, potentially, criminal charges.
Be Ready for Recovery and Be Able to Prove it
And then there is what could be one of the most significant factors or differentiators of DORA: the requirement for demonstrability.
In other words, the regulator could require you to prove that you can recover in two hours’ time, or perform vulnerability remediation, or that your asset register is comprehensive.
Failure to do so could result in non-compliance and penalties even without an incident occurring, and could exacerbate them significantly should a breach occur.
Consider also that each country has its own regulator. This means each country-specific regulator may choose to enforce DORA as strictly as they see fit. An incident, or even failure to respond to a challenge by the regulator in one EU state, could result in challenges in other EU states where you might operate as their regulators get wind of it.
So, let’s recap some of what we now know about DORA:
- It calls for a holistic, “whole-business” approach to risk, with risks approved and continuously reviewed, from the executive level down.
- It requires a comprehensive look at business assets and processes in order to assess, reduce and mitigate their associated risks, not just an IT focus on security.
- It mandates a program or “framework” to address risk across all the business and IT processes of your particular business, not a generic IT compliance framework.
- Its stringent nature means we must carefully and proactively consider how we do things to minimize the risk and complexity of any business process. This is so that we introduce fewer issues and can manage the remaining ones more readily. Simply adding more detection and response capability won’t cut it – we won’t be able to keep up.
- Technical debt issues, such as systems that cannot easily be incorporated into a recovery scheme, updated, patched or have security controls applied, are going to create significant legal and compliance risk.
- It requires us to recover extraordinarily quickly, and to be able to demonstrate our ability to do so.
It’s All About Inherent Resilience
So, while most voices have been talking about DORA as though it’s all about recovery, it’s actually primarily about what I’ve previously referred to as “inherent resilience.” It’s a term I coined because I’ve always felt that real resilience should be as much (if not more) about not getting knocked down in the first place rather than just about getting back up. And considering that the vast majority of breaches are caused by known issues, this is an area where we can do much better by applying the concepts presented throughout this series.
To repeat, we must become more strategic and focus on the root causes of our issues, the IT and business processes that introduce the preventable risks and vulnerabilities which are in turn responsible for most breaches. As we explored before, the safety net of our recovery capability is the single largest enabler and accelerator of this shift.
Then there’s the power of simulation as discussed in our last instalment, which can not only further accelerate our shift towards lower risk environments, but also help us more easily and cost-effectively demonstrate compliance. Not to mention increase the speed at which business can innovate and adapt.
The powerful simulation possibilities Hitachi Vantara offers make it possible to simulate and demonstrate recovery in a truly realistic way (by leveraging digital twins from your backups) that satisfies both the business and the regulators. This is more critical than many people realize as recovery efforts can often fail due to the difficulty in anticipating the relationships and dependencies between systems and workloads in a disaster or breach scenario.
Simulation is Essential to the Process
It’s similar to why technical debt is often so difficult to address. We know there are likely unknown or unpredictable dependencies which create a fear of making changes due to their potential impacts. But leveraging simulation capability to create a “copy” of your infrastructure allows us to remove this barrier and much more rapidly resolve the technical debt issues that could keep us from compliance and much more.
Naturally, recovery is also an important part of DORA, and I could say that Hitachi Vantara, having the fastest recovery solution in the world, is your best bet at meeting its stringent recovery time requirements.
Additional mechanisms like true data immutability further strengthen your chance of a successful recovery.
But we should not forget about the freedom and possibilities that this safety net gives us in making proactive change rather than just waiting for the worst to happen. It’s these things, beyond recovery, that make these capabilities so valuable all the time, not just when disaster strikes.
The faster, more reliable and more comprehensive your recovery solution, the faster you’ll be able to drive this proactive change and achieve comprehensive DORA compliance. And should things go wrong, those same attributes won’t just have you back in business faster, they’ll protect your compliance in terms of recovery time objectives.
Using DORA as an Opportunity for Change
In closing, I must say that my views in this series are my own, and you should absolutely consult your own counsel and make your own decisions. I’m sure some will think my view on DORA is bigger than it needs to be. But answering DORA this way means we can leverage the push for it to drive real change, real improvements in our ways of working, accelerate transformation, increase agility and boost our bottom line while reducing our risk.
So why treat DORA as just an extra compliance cost, and risk falling afoul of it by not doing enough, rather than as an opportunity not just for change, but for better outcomes, better IT and better business?
The choice is yours.
Greg van der Gaast
Greg van der Gaast started his career as a teenage hacker and undercover FBI and DoD operative but has progressed to be one of the most strategic and business-oriented voices in the industry with thought-provoking ideas often at odds with the status quo.
He is a frequent public speaker on security strategy, the author of Rethinking Security and What We Call Security, a former CISO, and currently Managing Director of Sequoia Consulting which helps organizations fix business problems so that they have fewer security ones.