Embracing Digital Transformation – Episode #330
"Disaster Recovery for Executives: Why Cloud & SaaS Are NOT Enough"
Host: Dr. Darren Pulsipher
Guest: Tom May, CEO at Different Dev
Date: March 3, 2026
Episode Overview
In this episode, Dr. Darren Pulsipher discusses disaster recovery (DR) and business continuity strategies with DR expert Tom May. The focus is on why relying solely on cloud and SaaS solutions is insufficient and what executives—especially in mid-sized and smaller organizations—need to understand about protecting critical business data and processes. Through real-world stories, practical advice, and memorable analogies, Tom and Darren break down myths about disaster recovery and reveal what truly goes into building an effective and resilient plan.
Key Discussion Points & Insights
1. Tom May's Origin Story and Perspective
[01:32-03:14]
- Tom entered the DR field after saying "no" multiple times to a backup provider; he eventually joined and pioneered DR systems before the term was widely used.
- His experience comes from being “the guy in the room when it went bad,” benefiting from others’ mistakes and growing with the industry.
- Quote (Tom May, 03:10): “I’ve gone through so many times... I'm the guy that was in the room when it went bad and learned from things we just didn't know about at the time.”
2. The Unique Challenge Facing Small and Mid-Sized Organizations
[04:08-05:38]
- Larger corporations have big budgets, but smaller organizations either falsely assume they're protected or know they're not and do nothing.
- DR is not a one-and-done task; it’s “ever growing, ever evolving.”
- You need a 10 out of 10 expert, not just a generalist IT resource.
- Quote (Tom May, 05:23): “This is every day being vigilant about it.”
3. Business Drives Disaster Recovery—Not IT Alone
[05:55-07:18]
- Avoid letting IT scare you into gold-plated DR. Instead, conduct a Business Impact Analysis (BIA).
- Prioritize systems based on their criticality and acceptable downtime.
- Real-life example: At law firms, “billing” was assumed to be the top priority, but revenue-generating activities were more critical to restore quickly.
4. Understanding RTO and RPO
[08:15-09:03]
- RTO (Recovery Time Objective): “How long can this system be shut off?”
- RPO (Recovery Point Objective): “At what point in time does the data come back?”
- Balance the cost with the actual business need for recovery speed and data recency.
- Quote (Tom May, 09:03): “Those are the two factors... you need to work with someone who helps you make a bad informed decision.”
5. A Phased, Roadmapped Approach to DR
[10:16-11:45]
- Take steps incrementally; establish a “Minimum Viable Product” immediately.
- Progressively enhance and adjust your DR plan.
- Expect it to be a “roadmap,” not a one-afternoon fix.
- Quote (Tom May, 11:00): "How do you eat an elephant? One bite at a time."
6. Modern Threat Landscape and Cloud/SaaS Shortcomings
[11:45-15:29]
- Physical disasters (fires, hurricanes) are now rare; human error, malware, and outages are far more common.
- Cloud and colocation services offer business continuity (power, network), but not holistic DR.
- Backups within the same cloud environment are vulnerable; diversify your backup locations (“tertiary backups”).
- Quote (Tom May, 13:24): “Rule number one: Zero trust. I don’t trust them. They're my friend, they're my vendor... but I have to have another route.”
7. SaaS Backup Realities
[15:29-19:22]
- SaaS providers don’t always offer full data backup/recovery options—often requiring third-party solutions.
- It is critical to regularly audit and test these solutions.
- Quote (Tom May, 16:16): “If tomorrow you had access to absolutely no data, no matter what system you’re using, would your business survive?”
- Backup/recovery needs to be architected into every new system you implement, not just added after the fact.
8. Don't Rely on “Superman”—Document Your Process
[19:22-22:00]
- Avoid single-person knowledge (“trucking factor of one”)—document recovery procedures and cross-train staff.
- Fractional DR personnel or vendors can reduce risk and cost.
- Quotes:
  - (Dr. Darren Pulsipher, 21:15): “Trucking factor of one is dangerous, right? One person has the knowledge...”
  - (Tom May, 22:57): “Zero trust, but respect. You should respect me, but zero trust. I’m not insulted.”
9. Risk, Contracts, and the True Cost of Downtime
[23:27-24:41]
- Scrutinize vendor contracts; liability is usually capped and won’t cover your total business loss.
- People who've lived through incidents are more willing to invest in preparation.
- “The incident is worse than the preparation” (24:39).
10. How Much Should You Spend? Business Impact as the Guide
[25:00-27:14]
- Calculate revenue lost per unit of downtime.
- Different businesses have different tolerance for downtime (e.g., manufacturers can sometimes survive days, online payment processors can't).
- Map out each system’s role in revenue generation.
11. COVID-19’s Impact on Business Continuity—And Waning Urgency
[27:14-27:59]
- COVID forced global, overnight remote-work pivots, highlighting the need for DR/BC planning.
- Initial panic led to rushed implementations; urgency is fading, risking complacency.
12. DR Investment is Self-Insurance
[28:01-29:34]
- DR is best viewed as a self-executed insurance policy—better than relying on chance or ransom attackers.
- Paying attackers is increasingly ineffective as data may never be returned, and payers are re-targeted.
- Quote (Tom May, 28:24): “It's like self-insuring ... you need to go to the doctor, you just draw off it...”
13. Defending Against Ransomware
[29:34-31:11]
- Modern backup tools (like Veeam) can scan for malware as they back up.
- Attackers often surveil systems for weeks or months before encrypting both data and backups.
- Isolate backups and plan for delayed detection.
Notable Quotes & Memorable Moments
- “Zero trust, but respect. You should respect me, but zero trust. I’m not insulted.” — Tom May (22:57)
- "Those are the two factors. ...You need to work with someone who helps you make a bad informed decision." — Tom May (09:03)
- "The incident is worse than the preparation." — Tom May (24:39)
- “How do you eat an elephant? One bite at a time.” — Tom May (11:00)
- "Trucking factor of one is dangerous, right? One person has the knowledge..." — Dr. Darren Pulsipher (21:15)
- "If tomorrow you had access to absolutely no data, no matter what system you’re using, would your business survive?" — Tom May (16:16)
Important Timestamps
- 01:32 – Tom May’s background and lessons learned the hard way
- 04:08 – The small/mid-size executive’s dilemma: Where to begin with DR/BC
- 05:55 – The key: Business impact analysis and prioritization
- 08:15 – Defining and balancing RTO and RPO
- 10:16 – Take a phased “minimum viable” approach — immediate action is better than perfect plans
- 13:24 – “Zero trust”—Cloud services don’t absolve you from DR responsibility
- 15:29 – The reality check: SaaS backup gaps and audit/test requirements
- 19:22 – Dangers of undocumented knowledge (“Superman” factor)
- 23:27 – Contracts & risk: Why ‘losing everything’ is always your problem
- 25:00 – Determining appropriate investment based on revenue risk
- 27:14 – COVID-19’s effect on DR urgency
- 28:24 – DR as self-insurance vs. paying ransoms
- 29:34 – How ransomware attackers work & why validated, isolated backups are vital
Actionable Takeaways for Executives
- Don’t assume cloud/SaaS means DR “is handled.” Always have a backup and DR plan that’s independent of your main provider.
- Prioritize by business process. Use BIA to determine critical systems and the impact of downtime/data loss.
- Document & diversify. DR should be written down, transparent, tested, and not reliant on a single individual.
- Regularly review and upgrade. Treat DR as an ongoing program, not a set-and-forget project.
- Back up outside your main environment. Don’t keep all backups in the same cloud or physical region.
- Test your plan. Regular simulation and restoration tests are critical.
- Invest wisely, guided by risk and business value—not fear or hype.
This episode packs real-world lessons, cautionary tales, and practical frameworks for any business leader seeking to ensure their organization can truly survive and adapt to digital disasters. The message is clear: protection is a mindset and a continual process—not a checklist completed by moving to the cloud.
For more insights or to connect with Tom May:
- Website: differentdev.com
- LinkedIn: Thomas J May
