Disaster Planning and Security
Posted on July 26th, 2007 in Computer Security, Technology
Bruce Schneier’s latest article for Wired talks about disaster planning as an important part of the security process. Specifically, he’s talking about picking a disaster that has a reasonable likelihood of being mitigable. For example, it’s pointless for an individual or business to “plan” for a nuclear winter, but that might be exactly the sort of thing that should be in the scope of planning for a government. The article is excellent, but it leaves out something he has talked about in the past: the utility of disaster planning as both a recovery mechanism and a security mechanism.
In many cases, it’s easier to get money to do security-related things than it is to get money to do disaster-recovery-related things. That is unfortunate, because a good disaster plan can help out in case of security events, natural events, accidents and other unforeseen problems, while a security defense mechanism usually only tries to prevent something bad from happening.
Also, it can sometimes simply be easier and more cost-effective in terms of time, money and reliability to implement the disaster recovery plan rather than the security incident response plan. This is the sort of logic behind Brian Krebs’ article about cleaning out a virus versus just reinstalling Windows.