The core principles of disaster recovery (DR) and business continuity have remained relatively unchanged for decades: identify risks, conduct a business impact analysis, set recovery time objectives (RTOs), create a backup and restore plan, perform periodic testing.
In simpler times, data lived on-prem, cyberthreats were less sophisticated, natural disasters were rare, organizations could probably get by with an outage that lasted hours, even days, weekly backups were sufficient, and regulations regarding data breaches were virtually nonexistent.
Today, the volume of enterprise data has exploded and that data is everywhere (public cloud, SaaS, edge, IoT, OT, LLMs); AI-generated ransomware attacks are on the horizon; natural disasters are occurring far more often due to climate change; business units want to be up and running within minutes; and penalties for not reporting a cyberattack in a timely manner or failing to protect customer data are severe.
If your disaster recovery and business continuity plan has been gathering dust on the shelf, it’s time for a full rebuild from the ground up.
Key components include strategies such as minimum viable business (MVB); emerging technologies such as AI and generative AI; and tactical processes and approaches such as integrated threat hunting, automated data discovery and classification, continuous backups, immutable data, and gamified tabletop testing exercises.
Backup-as-a-service (BaaS) and disaster recovery-as-a-service (DRaaS) are also becoming more popular, as enterprises look to take advantage of the scalability, cloud storage options, and ease-of-use associated with the “as-a-service” model. In fact, Gartner predicts that by 2029, 85% of large enterprises will adopt BaaS, alongside customer-managed deployments, to back up cloud and on-premises workloads, compared with 25% in 2025.
Here are the steps CISOs need to take to build out a successful DR/business continuity plan in 2025.
Step 1: Build C-level support, obtain funding, create a team
Effective disaster recovery/business continuity requires significant upfront work and constant attention. It’s also costly in terms of additional storage resources, software tools, and staff time and effort.
Ryan Whelan, global head of cyber intelligence at Accenture, says he recently surveyed CISOs in the retail and hospitality verticals on their priorities, and found that disaster recovery and business continuity skyrocketed from “not even in the top 10” in 2024 to No. 3 in 2025.
Whelan says this shift is being driven at the C-suite and board level, where concerns over regulatory compliance, legal ramifications, and brand damage loom large. Whereas DR/business continuity was in the past primarily the domain of risk management and legal departments, with security playing a background role, CISOs are now at the forefront of these efforts, says Whelan.
That prioritization of DR/business continuity is translating into increased funding. According to Forrester’s State of Resilience 2025 report, 37% of respondents expect funding to increase over the next 12 months, while only 4% expect it to decrease. The rest anticipated level funding.
As Todd Renner, senior managing director in the cybersecurity practice at FTI Consulting, puts it, “Before something bad happens it’s harder to get the money; after something bad happens, it’s easier to get the money.”
Once C-level support has been obtained, the next critical step is building a standing team that includes security, data center, storage, compliance, legal, risk management, business process, and internal and external communications. Organizations need to break down silos and create an interdisciplinary group that will continue to function as an ongoing entity, continually evolving to meet new threats.
Specific roles include incident reporter, the person responsible for communicating with stakeholders; a plan manager, whose role is to make sure everyone performs the tasks assigned to them; and an asset manager, who is responsible for securing and protecting critical assets and reporting back on their status throughout the incident.
Step 2: Identify risk — and locate all your data
Identifying risk in a large, distributed enterprise is a complex task. Risks are everywhere, starting with cyberattacks (including insider attacks), and encompass human error, system failures (hardware, software, network), natural disasters, and third-party vulnerabilities associated with supply chains, cloud service providers, and SaaS providers.
When Forrester asked survey respondents to identify the root cause of invocations of their DR/business continuity plans, the top causes were IT failure, natural disaster, IT security incident, supply chain disruption, and power outage. Each type of risk calls for a different response plan.
Renner says that organizations often struggle to answer basic questions such as “Where is my data?” and “Who owns the data?” He adds, “The more complex the system is, the harder it is to identify system owners and to identify where the data is residing, including structured and unstructured data.”
The good news is that there are AI-driven software tools that can scan structured and unstructured enterprise data to identify vulnerabilities, perform data discovery, and classify the data.
Gartner predicts that by 2029, 90% of backup and data protection platforms will integrate genAI to improve management and support operations, compared with fewer than 25% in 2025.
Step 3: Conduct a business impact analysis
Data doesn’t exist for its own sake; it’s there to support the business, so enterprises need to understand the business impact of a disaster and back up only what’s necessary. Still, when organizations go through the exercise of identifying all the bits and pieces of a complex business process, it can become overwhelming, particularly in a hybrid or multicloud environment rife with microservices, containers, APIs, identity and access controls, SaaS applications, and so on.
Accenture’s Whelan says that rather than try to restore the entire business in the event of a disaster, a better approach might be to create a skeletal replica of the business, an MVB, that can be spun up immediately to keep mission-critical processes going while traditional backup and recovery efforts are under way.
This type of “out-of-the-box” fail-over system could include core functions such as email, which would enable the organization to communicate internally and externally, while other, less time-sensitive functions like ERP are recovered.
This MVB approach requires tight integration between business units and technology teams, Whelan says. They need to work together to conduct dependency mapping aimed at identifying critical business functions and the technology components each function depends on.
Step 4: Backup strategies shift from 3-2-1 to 3-2-1-1-0
The basic 3-2-1 backup strategy that has been standard for many years is no longer sufficient. The idea of having three copies of data on two different backup formats, with one copy located offsite, is being replaced with 3-2-1-1-0.
The two additional elements are: one offline, immutable, or air-gapped backup that will enable organizations to get back on their feet in the event of a ransomware attack, and a goal of zero errors. Immutable data is “the gold standard,” Whelan says, but there are complexities associated with proper implementation. For example, in the event of a disaster, how does an enterprise know when the last snapshot occurred? And how does an enterprise verify that the data being saved in an immutable data store is accurate and not corrupted?
“We’re still finding that data cleanliness and provenance is a major issue for organizations,” he adds.
FTI’s Renner points out that AI-driven backup and restore platforms can continuously scan enterprise data for accuracy, and develop recommendations for how often snapshots should be taken, where data should be stored, and what data needs to be backed up.
And Gartner estimates that 35% of enterprises will implement agentic AI to perform autonomous backup operations by 2029, up from less than 2% in 2025.
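The 3-2-1-1-0 rule and the two open questions Whelan raises (when was the last good snapshot, and is the immutable copy actually intact) can be reduced to an automated check. The following is an added example, not code from the article or from any vendor mentioned in it; the `BackupCopy` record, the sample copies, the digests and the one-day RPO are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class BackupCopy:
    name: str
    media: str            # storage medium, e.g. "disk", "tape", "object-storage"
    offsite: bool         # held at a different site or region
    immutable: bool       # WORM/object-lock, offline or air-gapped copy
    snapshot_time: datetime
    payload: bytes        # constructed stand-in for the bytes read back from the copy
    expected_sha256: str  # digest recorded when the backup was written

def copy_is_intact(copy: BackupCopy) -> bool:
    """The trailing '0' in 3-2-1-1-0: read the copy back and compare digests."""
    return hashlib.sha256(copy.payload).hexdigest() == copy.expected_sha256

def evaluate_3_2_1_1_0(copies, now, max_snapshot_age):
    """Return a list of findings; an empty list means the data set is compliant."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies on one medium (need 2)")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable for c in copies):
        findings.append("no immutable/offline copy")
    bad = [c.name for c in copies if not copy_is_intact(c)]
    if bad:
        findings.append("integrity errors: " + ", ".join(bad))
    stale = [c.name for c in copies if now - c.snapshot_time > max_snapshot_age]
    if stale:
        findings.append("snapshot older than RPO: " + ", ".join(stale))
    return findings

# Constructed sample (not real backups): the tape copy reads back corrupted and is older than the RPO.
GOOD = b"customer-ledger-2025-q1"
GOOD_SHA = hashlib.sha256(GOOD).hexdigest()
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
RPO = timedelta(days=1)   # assumed recovery point objective
SAMPLE = [
    BackupCopy("primary-disk", "disk", False, False, NOW - timedelta(hours=1), GOOD, GOOD_SHA),
    BackupCopy("offsite-objectlock", "object-storage", True, True, NOW - timedelta(hours=6), GOOD, GOOD_SHA),
    BackupCopy("tape-vault", "tape", True, True, NOW - timedelta(days=3), GOOD + b"\x00", GOOD_SHA),
]
if __name__ == "__main__":
    for finding in evaluate_3_2_1_1_0(SAMPLE, NOW, RPO):
        print("FINDING:", finding)
```

In practice the digest comparison would be run against a test restore of each copy, and the check scheduled so that a silent gap in snapshots surfaces as a finding before a disaster does.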
Step 5: Create the plan and test it
There are many templates for creating the actual plan document, and AI systems can automate the process. The plan needs to be clear, and it needs to document procedures for incident detection and reporting, communication with internal and external stakeholders, emergency response in the event of a natural disaster, IT recovery, business continuity, and roles and responsibilities for relevant parties.
But the plan must be tested. According to the Forrester report, “Unfortunately, the testing situation is largely unchanged since 2008. For all test types, most organizations only test once per year with plan walk-throughs and tabletop exercises, and as tests become more extensive, test frequency declines — 41% of respondents said that they never performed a full simulation.”
Forward-thinking companies are trying to make tabletop exercises more effective by switching from a static PowerPoint presentation to interactive, gamified experiences that are more realistic and compelling, Renner says. “I’ve never seen a tabletop not be effective in teaching someone a portion of their business they weren’t thinking about ahead of time,” he adds.
Step 6: Managing the aftermath
The final piece of the puzzle is the post-mortem, taking stock in the aftermath of a disaster. Organizations need to pinpoint what went wrong and determine how it can be prevented in the future.
And Gartner analyst Michael Hoeck argues that backup copies of enterprise data don’t have to just sit there; they can be put to good use. He predicts that by 2029, 30% of enterprises will make use of backup copies of data for analytics and inference, up from less than 5% in 2025.