Determining risk
Jim Damoulakis, GlassHouse CTO, writes about how the balance has begun to shift in favor of risk in the area of security.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005102
As IT managers comb through storage infrastructures in search of cost savings in an effort to rein in rising storage budgets, one ever-present challenge is to avoid inadvertently increasing or ignoring risk. A strong case can be made that many environments today are seriously underprotected: backup success is often inconsistent, disaster recovery capabilities are deficient, and the security of data at rest is minimal. This creates a serious challenge: How do you rationally balance cost and risk?
A good place to start is to better understand the magnitude of potential risks. In evaluating a risk, three basic questions must be answered:
- What is the impact to the business? This includes not only the potential effects on financial results but also those to reputation.
- What is the likelihood of occurrence?
- What is the cost of addressing the risk? This should factor in level of effort, required investment and organizational capabilities.
Unfortunately, a great deal of subjective analysis is still needed. A high-impact, high-probability risk most likely must be addressed regardless of the cost to the organization, but many lesser risks may not be addressed because they are outweighed by cost. At what point does the scale tip away from cost toward protection?
In the area of security, the balance has begun to shift in favor of risk. Data encryption efforts that would have failed the cost test a few years ago are now being re-evaluated due to a perceived increase in the potential business impact, and at the same time, new technologies have been introduced that make the encryption effort far more feasible. Similarly, companies have recalculated in favor of disaster recovery in the wake of the 2005 weather disasters and the availability of newer replication and data-protection technologies that make the effort more affordable.
Informed cost/risk decision-making demands solid data. This includes accurate usage and consumption metrics as well as comprehensive cost modeling combined with a strong understanding of business impact. Too often organizations make a leap toward an initiative without proper analysis. The results can turn out to be either wasteful or unsafe.
Jim Damoulakis is chief technology officer of GlassHouse Technologies Inc., a leading provider of independent storage services. He can be reached at jimd@glasshouse.com.
