We are looking at resiliency capabilities for SaaS applications.  Our internal BIA's reveal business recovery requirements such as 4 hours, 12 hours, 24 hours, etc.  We are finding that when we review vendor offerings in our contracts or other publicly available documents, SaaS providers are not talking about recovery times, but availability times (99.999% uptime).  We are trying to figure out a good way to reconcile recovery time requirements against availability statistics.  Has anyone done any work in this space?

Security Strategy & RoadmapIT Strategy & Roadmap
1.5k viewscircle icon2 Comments
Sort by:
Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotecha year ago

Availability and recovery time should not be combined into one metric because they measure different things. Availability reflects the provider's uptime, while recovery time measures how fast your team can recover after an incident, and combining them would blur the responsibility and focus of each metric.

Vice President, Software Engineering in Finance (non-banking)a year ago

We recently pushed a SaaS vendor to agree on 30mins RTO. This was only possible since the vendor product was deployed on a dedicated cloud infrastructure and not a shared tenant. In addition, the product was running on open source and scalable architecture that runs AWS, mongoDB, and elastic search components independently offering flexibility to scale.

In the SaaS space, even Microsoft doesn’t offer less than 8hours of RTO commitment. All will vouch for availability with multi-region deployments.

Honestly, it would really depend on the product architecture and if it will support that aggressive recovery time. Most SaaS vendors run multi-tenant logical separation that adds to additional complexities. Some vendors may commit to 4hours RTO but will charge accordingly.

Lightbulb on1

Content you might like

Currently in our Enterprise Architecture tool and repository, we have a Business Capability Model (BCM) and a Technology Capability Model (TCM). Enabling Applications (e.g., SAP, Salesforce etc.) are mapped to the BCM, and enabling technologies (e.g., API gateway) are mapped to the TCM. However, some capabilities like Data Management are common to both models and we are trying to figure out best way to represent that.

How have you organized your capability model? Is it a single model containing business and technical capabilities or two separate models? If later, how are you organizing common capabilities like Data Management?

Read More Comments

Is your org’s AI policy integrated into the IT security policy, or does it exist as its own separate policy?

AI policy is integrated into IT security policy19%

We have a separate AI policy, but IT security policy includes section on AI security52%

AI policy and IT security policy are completely separate27%

Something else (explain in a comment)2%

View Results

Has your org developed any internal solutions to prevent company data from being fed into generative AI tools?

Yes37%

We're working on it46%

No, we use a purchased solution for this7%

No11%

View Results

We are on the cusp of conducting a pilot of AI tooling - we intend to use Gemini & CoPilot, providing training, guidance & policy to our user group.  Before we start we should conduct a risk assessment -  my question is: can you recommend a tool or template?

Read More Comments

Ransomware negotiator Retainer? Do you currently hold a retainer with a ransomware negotiator consulting firm? If so any recommendations?