COLUMN

Does rational thinking have a place in data protection?

By Alan Earls 14 Mar 2008 | SearchDataBackup.com Digg This!     StumbleUpon     Del.icio.us

For one thing, there are all those horror stories ripped from recent headlines and amplified as they travel across the Web. Then there are the increasingly onerous laws and regulations, and of course, the never-ending vendor hype. As a result, it can be difficult to achieve a levelheaded assessment of one's situation and to get clarity regarding the best policies and investments to adopt.

Additional data protection information Integrated data protection software continues to evolve Near vs. real continuous data protection Continuous data protection requires a clear purpose in the enterprise

"Much has changed in the last 24 months," says Charles Woods, worldwide business unit executive for governance and risk management, from IBM Corp.'s Global Business Continuity and Resiliency Services Consulting Practice. Thanks to increasing regulations, Woods says many finance-related organizations and large global companies have become much more proactive in assessing and addressing risk with the result that their "range of spending can vary by as much as a factor of four or five, depending on the industry."

But fundamentally, companies may still be missing the boat. Bentley College Professor of Mathematical Sciences Charlie Hadlock has worked the risk equation from many perspectives. Previously employed at the consulting firm of Arthur D. Little, he did risk analysis and consulting for companies around the world. More recently, as dean of the undergraduate college at Bentley, he has been involved with risk planning and even Y2K preparation. "There is a lot of hype from companies selling services in this area. I have looked at some of it and it doesn't seem to be very scientific or very compelling; it is about selling a product or a service," he says.

Dr. Paulo Goez, Gladstein Professor of Information Technology and Innovation at the Operations and Information Management Department of University of Connecticut, also says that organizations often misunderstand the risks they face. In particular, he says those who study risk see the same phenomenon repeated in endless variation: No matter the industry, technology or situation, when the probability of an event is small, individuals tend to discount the risk, even if the potential consequences are dire. "It is a psychological phenomenon, but that in itself represents a real risk for companies," he says. Most individuals underprepare because they believe "it" won't happen to them. However, he says, organizations must be more rational.

Goez says there's plenty of applicable literature available about risk managements with probability, payoff functions and cost functions. In addition, within the finance area, there are many well-developed models for risk assessment.

"I think one of the key issues is the amount of organization-specific internal knowledge available that should really be used to govern how a company or organization is positioned regarding the risk of data loss," says Hadlock.

Hadlock says it's important to tap that internal knowledge effectively, and in most cases that means bringing in an outsider. "In every organization, there are cultural biases that tend to limit the objectivity of an assessment, so you need to be sure the process achieves a certain amount of independence." He says some kind of outsider perspective can ensure that cultural biases don't hobble an assessment.

On the other hand, he suggests that simply outsourcing the problem may not work, because consultants have biases of their own and may miss nuances at an individual business. "What I have seen work the best is when companies bring in someone with a broad understanding of risk and the sometimes peculiar ways in which it can appear. They can serve as a facilitator to help companies help themselves."

Finally, says Hadlock, look for help implementing against a mathematically based method, "that can force you to look under every rock for potential problems."

Roberta J. Witty, Gartner Inc.'s research vice president of security and risk management, agrees. "There are holes" in the process of risk management. "People do these things, but they really need to be carefully tailored to the specific business," she says.

Thus, she adds, each company must develop its own requirements and models. "In general, this is still a very nascent process -- large financial institutions and large multinationals are doing this, but the average smaller organization is depending on consultants, who often have their own proprietary models," she says.

Whatever you do, Witty advises looking at the impact to the business from a number of angles, including revenue, profitability, customers and partners, contractual and third-party agreements, brand reputation, and employee, government, and community confidence. Moreover, says Witty, you should examine risks multiple times a year, especially when new risks appear that you weren't previously tacking.

Above all, she notes, ensure that the safety and integrity of data isn't just an IT problem. It needs to be a process that engages the whole business, ideally, an "enterprise risk management group, because this level of security is both an IT and a business risk issue," she adds.

About the author: Alan R. Earls is a Boston-area freelance writer focused on business and technology, particularly data storage.

Tags: Data backup security,  Remote data protection,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data backup security Data backup and recovery news briefs: Thales Group releases CryptoStor Tape 3.0 appliance Secure your data backups with encryption key management best practices Podcast: Backing up data on mobile devices Secure data destruction options for old backup tapes and disk Putting a solid data backup and recovery plan behind mobile devices Data storage backup security tutorial: Tape encryption and cloud backup Quantum adds VMware data backup, encryption key management device How do you make sure your data is secure when using a online/cloud backup provider? Using an encryption appliance for data backup security LTO-4 tape technology finally catching on -- tape storage isn't dead yet Remote data protection Data backup and recovery vendors dig into deduplication technology, aim for cloud backup Double-Take replication software solves remote-office data backup headache for Lennox International Data backup news briefs: ProStor Systems ships InfiniVault removable disk backup appliance for SMBs i365 launches EVault Offsite Replication cloud data backup and disaster recovery service Is cloud data backup service right for your organization? New online data backup service Hybir challenges Mozy and Carbonite The pros and cons of data deduplication technology for remote-office data backup Podcast: Backing up data on mobile devices Iron Mountain Digital to add e-discovery features to PC cloud data backup service Remote data backup and recovery technology tutorial

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary