Storage Special: Business Case for Data Protection
Building a compelling case for data protection decisions
While the need for data protection is felt strongly by most corporates,
when it comes to actual spend, data protection is treated like any
other IT segment. How do CIOs and IT heads convince managements
of the need to spend on data protection? LYNNE VANARSDALE says they
need to do so with a logic and language that CEOs and company heads
will find compelling, and provides some extremely useful pointers.

In our times, data drives competitive
advantage and market gain. The risk/return profile of modern companies
depends heavily on the safety and accessibility of data. Data protection
helps businesses manage the risk they face by providing continuous
access to important information and establishing pathways to recover
the information if access is disrupted.
Yet, as enterprise budgets
are shrinking and companies are leery of any spending that does
not directly drive revenue, all investments are heavily scrutinised—and
short of a looming, predictable disaster, data protection solutions
have to stand in line with every other spending proposal. This means
that IT leaders need to bring to the table solid strategies and
strong arguments for solutions that will meet enterprise data protection
needs. And they need to do so with a logic and language that corporate
leaders will find compelling.
In some ways, the argument
for data protection is self-evident. Business success in today’s
world is driven by the ability to collect and exploit ever-increasing
amounts of information. Anything that blocks access to this information
places businesses at risk.
In other ways, however, the
business case for data protection has always been a difficult one
to document. Traditional methods of measuring the value of a business
investment—total cost of ownership (TCO), return on investment (RoI)
or the amortisation of cost as overhead—fall short of adequately
quantifying the value delivered by a risk management solution like
data protection. These methods work well for revenue-generating
activities, such as product development, but are not as useful in
estimating returns when the payback depends primarily on uncertain
events. For example, RoI assumes one can forecast all conditions
for a set period of time; no flexibility is built in to model sensitivity
toward changing conditions within that period. TCO generalises
day-to-day savings from a known operations model, but copes poorly
with models where operations vary wildly. Both depend on
measuring the right variables in the right way.
A better model of value derives
from a method that takes into account that managing risk has a business
value. Such an equation will address all the risk components from
a business case perspective:
- Scope: What data is necessary for a business to reach its strategic
objectives, assure uninterrupted operation and meet government
regulations/customer liability?
- Time: How fast must recovery occur? How long can data flow be
interrupted without causing critical problems or business losses? How
long must historical data be accessible before it can be purged?
- Cost: At what point do higher costs outweigh the benefits of increased
performance in backing up, archiving and retrieving data?
- Resources: Greater automation, increased manageability and low
maintenance all increase the value of data protection solutions to meet
business needs.
One approach to measuring the
business value of data protection that is working well for IT professionals
engaged in risk analysis is Net Present Value (NPV). NPV accumulates
today’s value of future cash flows over a given period. Since the
cash flow model and the time period are flexibly manipulated in
the NPV equation, and the result is given in terms of the present
value to the company, NPV is a more versatile
tool for assessing the value of managing risk.
A five-step risk assessment
and sensitivity analysis is the cornerstone for using NPV to build
the business case for data protection decisions. These steps are:
1. Determine what business
results are strategic (as opposed to critical). IT professionals
need to work with business line and executive management to understand
the key underpinnings of enterprise goals and objectives.
2. Assess the business-level
impact of achieving those business results. IT professionals need
to understand the monetary value of hitting or missing business
targets.
3. Map decision-making and
data-flow processes. IT professionals need to understand how data
is used to achieve business results—when speed is critical, when
data is no longer relevant but still must be maintained, when data
must be deleted to comply with regulations or reduce the risk of
legal liability, when information is interdependent.
4. Analyse alternatives
and their risk. IT professionals need to measurably model the probability
of scenarios that either put strategic data at risk (downside risk)
or enable the better use of data to drive the target business strategies
(upside risk). Then, applying a set of considered data protection
alternatives to these scenarios, they must assess the difference
in the upside and downside risk.
5. Compare the product of
the impact and risk for each alternative approach. This comparison
allows for decisions based on monetised representations of risk
management.
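Steps 4 and 5 combined with the NPV calculation, as an added example that is not part of the original article: each alternative is scored by the present value of the expected loss it avoids minus its own costs, and the comparison is repeated with the scenario probabilities scaled up and down. The scenario names, alternative names, monetary figures, probabilities, discount rate and period are all constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    impact: float              # monetary loss if it occurs (step 2)
    annual_probability: float  # yearly likelihood with no protection (step 4)

@dataclass(frozen=True)
class Alternative:
    name: str
    upfront_cost: float
    annual_cost: float
    risk_reduction: dict       # scenario name -> fraction of probability removed

def npv(cash_flows, rate):
    """Present value of cash_flows[t] arriving at the end of year t (t=0 is today)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))

def expected_annual_loss(scenarios, alt=None):
    """Step 5: sum of impact x probability, after the alternative's reduction."""
    cut = alt.risk_reduction if alt else {}
    return sum(s.impact * s.annual_probability * (1 - cut.get(s.name, 0.0))
               for s in scenarios)

def alternative_npv(scenarios, alt, years, rate):
    """NPV of avoided expected loss minus the alternative's own costs."""
    avoided = expected_annual_loss(scenarios) - expected_annual_loss(scenarios, alt)
    return npv([-alt.upfront_cost] + [avoided - alt.annual_cost] * years, rate)

def best(scenarios, alternatives, years, rate):
    return max(alternatives, key=lambda a: alternative_npv(scenarios, a, years, rate)).name

def sensitivity(scenarios, alternatives, years, rate, factors):
    """Repeat the comparison with every scenario probability scaled by each factor."""
    return {f: best([replace(s, annual_probability=min(1.0, s.annual_probability * f))
                     for s in scenarios], alternatives, years, rate) for f in factors}

# Constructed figures for illustration; none come from the article.
SCENARIOS = [Scenario("site outage", 1_000_000, 0.05),
             Scenario("regulatory data loss", 400_000, 0.10)]
ALTERNATIVES = [
    Alternative("nightly tape backup", 20_000, 10_000,
                {"site outage": 0.5, "regulatory data loss": 0.5}),
    Alternative("replicated disk plus archive", 100_000, 20_000,
                {"site outage": 0.9, "regulatory data loss": 0.8}),
]

if __name__ == "__main__":
    print(sensitivity(SCENARIOS, ALTERNATIVES, 3, 0.10, [0.5, 1.0, 2.0]))
```

With these constructed inputs the cheaper alternative has the higher NPV at the estimated probabilities, and the ranking flips when the probabilities are doubled, which is the kind of dependence the sensitivity analysis is meant to expose.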
In some cases, the five-step
process is challenging. Assessing the business-level impact of
data and analysing alternatives, for example, requires the IT professional
to seek out the actual ‘owner’ of the business process
— not always as easy as an organisation chart might indicate.
This five-step process is significant,
however, because it places the IT professional in the shoes of the
corporate leader. IT project justification moves outside the domain
of hardware, software and networks and gains the capability of presenting
the business case for data protection in monetised, business-relevant
terms that make sense to corporate leaders. For example, a data
protection case that is built on protecting data in accordance with
government regulations or meeting legal requirements that help a
corporate avoid liability is far more compelling to executives than
simply arguing that corporate data has increased from one to three
terabytes and that data protection capacity therefore must be tripled.
The IT professional does not
abandon the proven factors for making data protection decisions.
Those include seeking out interoperability to guard investments
over time, stressing simplicity of installation, use and expansion
to lower management costs, and pushing for performance that optimises
cost/benefits. IT professionals will continue to look for ‘smart
storage’ solutions that are secure, flexible and scalable. But by
adding a strong foundation of business strategy to the technology
infrastructure solutions, the IT professional can focus efforts
toward measurable business results by addressing quantifiable risks
and thereby capturing the support of corporate leaders.
The author is enterprise product
manager, Quantum Storage Solutions Group and can be contacted at
lynne.vanarsdale@quantum.com