Just like any other investment, storage security must be evaluated as part of a company's business model. Corporate management often has difficulty justifying investments that make no direct contribution to the bottom line, and there is no simple answer to this problem. Quite often, storage security is presented as a solution to a variety of potential threats and risks; various studies have touted risks ranging from virus attacks to theft of critical assets. But management needs more than "what if" scenarios.
This column outlines some approaches to address the business side of storage security. It addresses the business issues that management should consider when deciding on investment in storage security.
There are several approaches to computing Return on Security Investment (ROSI). One simple approach is to first identify the critical assets of the corporation. Next, for each asset, estimate the damage a successful attack would cause and multiply it by the likelihood (a probability between 0 and 1) of that attack occurring; the result is the expected loss for that asset. In this simplistic approach, the investment made to prevent the attack should not exceed the expected loss it averts.
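The rule above, carried through as an added worked example (this is not code from the original column). The asset names, loss figures and probabilities are constructed sample data; the optional mitigation factor, the fraction of expected loss a control actually removes, is my generalization of the column's simpler rule, which compares the whole expected loss against the control's cost.

```python
"""Expected-loss sizing of a storage security investment.

Added example, not from the original column. Sample figures are constructed;
the `mitigation` parameter (assumed here, not in the column) lets a control
remove only part of the expected loss instead of all of it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    name: str
    loss_if_attacked: float    # estimated damage of one successful attack
    annual_probability: float  # likelihood of that attack in a year, 0..1

    def expected_loss(self) -> float:
        """Damage times likelihood: the column's per-asset figure."""
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"probability out of range for {self.name}")
        return self.loss_if_attacked * self.annual_probability


# Constructed sample data for a storage environment (not real figures).
SAMPLE_ASSETS = (
    AssetRisk("customer PII on the SAN", 2_000_000.0, 0.05),
    AssetRisk("backup tapes lost in transit", 500_000.0, 0.10),
    AssetRisk("replication traffic between sites", 750_000.0, 0.08),
)


def total_expected_loss(assets) -> float:
    """Sum of expected losses across the critical assets."""
    return sum(a.expected_loss() for a in assets)


def rank_by_expected_loss(assets):
    """Assets ordered by expected loss, largest first: where money goes first."""
    return sorted(assets, key=lambda a: a.expected_loss(), reverse=True)


def rosi(assets, control_cost: float, mitigation: float = 1.0) -> float:
    """Return on security investment as a ratio of cost.

    With mitigation=1.0 this is exactly the column's rule: the control is
    assumed to avert the whole expected loss, and it pays off when that loss
    is at least the control's cost (ROSI >= 0).
    """
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= mitigation <= 1.0:
        raise ValueError("mitigation must be between 0 and 1")
    avoided_loss = total_expected_loss(assets) * mitigation
    return (avoided_loss - control_cost) / control_cost


def investment_justified(assets, control_cost: float, mitigation: float = 1.0) -> bool:
    """The column's test: investment must not exceed the averted expected loss."""
    return rosi(assets, control_cost, mitigation) >= 0.0


if __name__ == "__main__":
    for asset in rank_by_expected_loss(SAMPLE_ASSETS):
        print(f"{asset.name:40s} {asset.expected_loss():>12,.0f}")
    print(f"{'total expected loss':40s} {total_expected_loss(SAMPLE_ASSETS):>12,.0f}")
    # A hypothetical encryption project for tapes and replication links.
    cost = 120_000.0
    for m in (1.0, 0.8, 0.5):
        print(f"cost {cost:,.0f}, mitigation {m:.1f}: ROSI {rosi(SAMPLE_ASSETS, cost, m):+.2f}, "
              f"justified={investment_justified(SAMPLE_ASSETS, cost, m)}")
```

Running it shows the point the column makes about "what if" scenarios: the same control is justified at 120,000 when it removes 80% of a 210,000 expected loss, but not when it removes only half. The probability inputs are the weak link, so a practitioner would rerun the figures across a range of likelihoods rather than trust a single estimate.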
So, what are the other non-financial business issues that should also be considered when deciding on storage security investment?
First is the issue of recent legislation aimed at protecting privacy. This includes the Health Insurance Portability and Accountability Act for the healthcare industry and the Gramm-Leach-Bliley Act for financial services. Businesses may be exposed to legal risk from any breach of personal data. Protecting privacy entails encrypting personal data both in flight and at rest.
Second, security issues may surface from corporate audits, third-party audits (such as by audit firms) or government audits. Such audits may mandate that certain data be protected in flight or at rest. A storage security technology that addresses an audit finding has a better chance of getting funded.
The third consideration is the impact of downtime resulting from an attack such as a denial of service. Based on that impact, storage security investments may be funded as part of the emerging business continuity initiatives; most large businesses are already deploying comprehensive disaster recovery plans.
The fourth aspect relates to corporate mandates. In large corporations, a corporate mandate on data protection may already carry its own funding.
Finally, when businesses talk about storage environments they often equate data protection with data backup. The storage industry has done little to distinguish data security (keeping data confidential and intact) from data availability (being able to restore it). This confusion has at times led to storage security investment being sidelined in favor of backup and restore services.
So, in summary, the business executive should:
1. Treat the investment in storage security just like any other business investment.
2. Not rely solely on technical risks to justify investment in storage security.
3. Use the business issues above to support the justification for investment in storage security.
This was first published in June 2003