At the recent Florida Public Sector Cybersecurity Summit* in Tallahassee, leaders from the public and private sectors in the recovery and disaster IT fields debated key cybersecurity topics focusing on proactive prevention, realistic planning and ongoing improvement.
The panel, moderated by Steve Burke of the Florida Digital Service (FLDS), included Keith Pruett, deputy director at the Florida Division of Emergency Management; Mike Andrews, IT manager at the city of Leesburg; and Alex Restrepo, senior transformation solutions architect at Rubrik.
The discussion began by asking the panelists whether prevention or recovery was more important.
Restrepo emphasized the need for robust disaster recovery solutions, citing historical data and the persistent threat landscape.
“We've seen firsthand the impact of various attacks, whether from natural disasters or cyber threats. The critical point is not just having the solutions in place but ensuring they are reliable when needed,” he noted.
Andrews highlighted the challenges faced by smaller teams in balancing prevention with recovery.
“Prevention is crucial, but if we accept the reality that a cyber event is likely, we should also invest heavily in recovery,” he said. “The reality is that even if we prevent an attack, recovery needs to be swift and efficient to minimize impact.”
Many local government departments struggle to justify the need for robust recovery plans because those plans don’t have a direct financial return.
Andrews discussed the challenge of quantifying the need for disaster recovery resources in local and state governments.
“However, our leadership still speaks money. I was shocked to learn after hearing from our utility department when I asked them how long they could sustain themselves without technology before having to go to commission and get reserve was over a month,” he said.
After speaking with the utility department, he realized he needed to have the same conversation with other departments under his leadership.
Pruett emphasized the importance of a comprehensive business continuity plan.
“You need to have a business plan that allows you to meet your goals even in the absence of technology. Understand what is critical to your operations and ensure that these elements are on your radar,” he advised.
Restrepo shared an example from Hurricane Ian where a city was not only devastated by flooding but also hit with a ransomware attack a week later.
“That’s probably on purpose. If you are not aware, they are going to want to attack you when they feel you are most vulnerable. So election times, I would be careful; start of the school system, you know anytime where there is a major transition or major event going on, they are going to do their best to target you at that time.”
The discussion also touched on the importance of continuous improvement planning. Andrews stressed the need for plans to align with business expectations.
“If the reality of the plan does not meet the business expectations then you need to collaborate and make a new plan,” he said.
Pruett noted the difference between idealistic and practical planning.
“What we lose sight of is that we don’t live in an ideal world, we live in a real world. So realistically what we have to do is figure out what are the most likely things to happen, what are the most dangerous things and what are our reactions to those events in occurrence to how they unfold,” he said.
Pruett recommended continually reflecting on how organizations are able to respond to adversity, and what it tells them about their needs. Additionally, it’s important to recognize that change is constant in life.
“There is also the reality of, every year there is a season of change, and people come and go. So realistically and idealistically we would be putting in place an opportunity on an annual and semiannual basis [where] those plans are reviewed,” he said.
The panel also discussed the need for regular drills and updates. When asked, most audience members indicated that their organizations have disaster recovery plans, but only a few had practiced these plans in the past six months.
Restrepo stressed the importance of ongoing training and preparedness.
“Having a plan is one thing; practicing it and training your team to handle crises is equally important. Ensure that someone is trained to take over if you are unavailable,” he said.
Pruett spoke on the concept of zero trust and the reality of risk management.
“There is no such thing as eliminating risk. The rotten egg is going to be there, somewhere. As we go toward that preparedness side, response side and long-term recovery time, just remember those rotten eggs might have started out as a good egg and they are going to be made aware exactly of the vulnerabilities that either are compromised or what they want to compromise. How do we as a community prepare for that? You can’t eliminate it, only mitigate it,” he said.
Andrews summarized the discussion with a view on risk management.
“There are only three things you can do with risk: accept it, mitigate it or transfer it.”
*Note: The Florida Public Sector Cybersecurity Summit is hosted by Government Technology, a sister publication of Industry Insider — Florida. Both are part of e.Republic.