This article can also be found in the Premium Editorial Download "Storage magazine: Survey says storage salaries are climbing."
Download it now to read this article plus other related content.
Processes remain informal
Government regulations like Sarbanes-Oxley and industry mandates like the Payment Card Industry Data Security Standard demand defined and auditable controls, but many storage groups just aren't there yet. My meetings revealed that many organizations suffer from the following:
- Willy-nilly processes that depend on individuals (The IT hero syndrome). One or two people on the storage team are considered gurus and they're the firefighters who put out the flames. The problem is that critical data availability depends upon individuals, not documented and repeatable processes. This places the whole organization at risk when the storage superhero is out sick or on vacation. Storage executives should institute formal standard operating procedures and document everything.
- Lax day-to-day operations. When it's time to do a big storage consolidation project, storage professionals tend to be extremely meticulous at managing the details. But this care goes out the window during the daily grind. Storage administrators often make undocumented changes on the fly--behavior that can be the equivalent of a ticking time bomb. When something finally breaks, there's no information documenting technical changes or administrative access. A relatively minor hiccup can become a major headache without this audit trail.
- Fuzzy lines of delineation. The handoff
- between storage groups and other IT teams is a frequent grey area. The lack of clearly defined responsibilities leads to two untenable consequences: either too many people are involved in redundant activities or critical tasks remain undone as each group assumes that it's the other person's job. Formal processes can help, but strong management, cooperation and communication are also needed.
To paraphrase an old security saying, "The risk management chain is only as strong as its weakest link." You can spend gobs of money, create volumes of documents and hire the best minds in the business, but if you haven't tested your business recovery at the business application layer, you may already be in trouble.
Storage executives need to look at risk from a business perspective and include people, processes and technologies in their assessments and action plans. Testing and auditing are also perennial requirements. If you're lucky, you'll never need this preparation, but there sure seems to be a lot of bad luck around these days.
This was first published in November 2005