Data Management: Sexy for All the Wrong Reasons

Data Management: Sexy For All the Wrong Reasons The legality of handling corporate data

October 13, 2005

8 Min Read
Network Computing logo

In a cute turn of a phrase that I wished I had come up with, I recently saw a headline articulating a new definition of ROI: Risk of Incarceration. Probably without realizing it, the headline writer exposed a much bigger issue in storage technology with his catchy phraseology.

Return on investment, of course, is a business metric describing the internal rate of return that an investment is expected to yield over a specified period of time. It is a useful tool (though not a definitive one) for comparing several investment opportunities in order to help you select the most sensible one of the group.

IT vendors--especially those in the storage industry--attempted to co-opt the term in their product literature at the end of the dotcom era. It was part of a thinly veiled effort by vendors to distance themselves from the taint of the dot-bombs by couching their product marketing pitch in terms familiar to readers of the Wall Street Journal or Harvard Business Review. Vendors also taught their sales droids to use the term so they could sound more MBA-like when offering storage products to consumers that, in fact, solved no business problems whatsoever.

For a time, you couldn't escape a vendor web site without being offered a white paper or an "easy-to-use calculator" purporting to illuminate the ROI case for the vendor's wares. Of course, when marketing departments get a hold of any truly useful business or technical term, they tend to water it down to the point of meaninglessness. ROI was no exception.

Recouping Original InvestmentThe storage industry dumbed down the concept, substituting hair-brained variations, the best of which might be better termed "payback analysis." In other words, instead of demonstrating how an investment in XYZ storage array would return 7 percent for 13 months compared to only 5 percent with an array from ABC, vendors claimed that the "unique ROI features" of their products would return the company's capital expenditure within a certain period of time. Their product would, in effect, pay for itself through promised (though unsubstantiated) cost-savings that would accrue to the company once the product was placed into production. In short, vendors were arguing that ROI meant Recouping Original Investment.Saying that the product would eventually produce savings that would offset its purchase price is not the same as saying that the investment in the product would yield a better rate of return than a competitor's product. ROI and payback are not the same.

However, relating ROI to payback proved a deft side-stepping of the central issue--the actual business value of storage technology. And all of the leading opinion brokers in the IT research and analysis industry played along. The worst example was a report issued jointly by a well-known industry analyst and a Wall Street brokerage that offered impressive mathematical models for describing storage ROI. The problem was that the mathematical model didn't support the conclusions of the analysts: when actual storage product costs were plugged into the formulas, the results didn't add up. That didn't seem to bother anyone, so, with the collusion of the analyst community, vendors reshaped ROI to mean Rationalizing Obvious Inadequacy.

Rationalizing Obvious InadequacyTo be meaningful, storage investment ROI calculations require a lot of due diligence by consumers. First, storage buyers must conduct an often painful investigation to figure out just how screwed up their storage infrastructure is and how badly their most expensive resources are being wasted through a combination of poor management and lousy product architecture. Current costs must be scrupulously documented because you can't make a determination of the value derived from a new product without knowing the cost of the status quo.

Then, the buyer must test each of the products proffered by the vendor community to see what, if any, difference each product might actually make in their storage costs or service levels. As a rule, IT managers have neither the time nor the inclination to undertake either of these tasks. So, real ROI analysis was seldom performed. In its place, IT guys commonly substitute Reliance on Idiocy for true ROI--by borrowing their business value arguments and performance assumptions from unverified vendor marketing drivel.

For their part, business managers have done little or nothing to encourage the application of ROI discipline in IT product selection. Where an ROI analysis is mandated, it usually turns out to be a data collection effort aimed a justifying a "rightsizing" strategy or a harbinger of some outsourcing strategy (translation: unemployment for IT slackers). To many IT folk, ROI has become synonymous with Resume On Internet.Moreover, it has often been the case that an ROI mandate is handed down from senior management at about the same time that budgetary cuts eliminate test labs. Where are IT guys supposed to get the skinny on actual product performance if they have no way to test products themselves? Understanding this dilemma, storage vendors have become expert at yet another kind of ROI--Recontextualizing Output from Iometer--by giving the appearance of integrity through the marketing of "authoritative" testing results collected via highly questionable methodology.

That brings us to today. When ROI seemed to be losing its luster last year, more than a few IT practitioners, including me, were happy to see it go. In its wake, however, there was a vacuum. Little actual effort has been expended to better align storage technology investments with business requirements. Storage costs have continued to accelerate and vendors have continued to peddle a lot of products with highly questionable business value.

Risk of IncarcerationNow, ROI has resurfaced with a vengeance--this time, as the headline suggests, in the guise of Risk of Incarceration. Concerns run rampant over accidental disclosure of patient or customer data (see HIPAA and Graham-Leach-Bliley) that could lead to public embarrassment of the company. In other cases, top execs are wringing their hands over the potential legal consequences of being unable to find data in a timely way to respond to a regulatory investigation or audit (see Securities and Exchange Commission rules and Sarbanes-Oxley), something that could result in jail time for the CEO. It is these concerns, not concern over better stewardship of corporate IT investment strategy, that have thrust storage technology issues back on to the front burner.

The case could be made that important business technology initiatives like data management - initiatives that should have been undertaken years ago as part of a truly business value-centric storage strategy - are now being driven to the top of the corporate IT "to do" list, but for all the wrong reasons.

To be sure, we ought to be doing something to manage data better. Indisputably, this is the essential task of IT. Data management is desperately needed if we hope to improve productivity and business process efficiency. Many companies are literally drowning in data, in multiple copies of the same files, all of which are so poorly identified that you couldn't find them if you looked for them all day. The productivity loss accrued to the current state of data management (which is to say a near-total absence of data management) is huge and growing. It has taken a risk of incarceration, not a return on investment calculus, to make data management a priority.Only through effective data management can we drive cost out of storage. Unmanaged data increases the annual demand for storage capacity, which in turn drives the requirement for additional labor resources to manage all the new gear. With better data management, we can stretch the useful life of our storage gear and forestall new and expensive acquisitions. Yet, it has taken the threat of corporate executive embarrassment or imprisonment, rather than demonstrable business value, to get companies to act.

Risk reduction, the third leg of the business value case, is also an outcome of better data management. With managed data, you can cull the data that must be restored in the wake of an outage from the massive amounts of data that aren't as critical. That, in turn, makes backups more efficient and the restoration of data more practicable in an emergency situation. Heck, tape backup continues to have efficacy if you don't have to deal with hundreds of terabytes at every turn. Yet, it has taken fear, uncertainty and doubt to move data management initiatives forward, rather than common sense drivers.

Some readers might conclude that this rant is pointless. For whatever the reasons, at least somebody is waking up to the need for better data management, and that is a good thing. However, the rationalization of data management initiatives in such narrow terms as risk of incarceration exposes the effort to many potential pitfalls. If presenting a meaningful and valid business value case for data management fails to get the nod from the "Flashing 12s" in corporate management (Flashing 12: Someone so technically inept that he can't program the clock on his VCR), I have to question whether the FUD card can remain a dependable driver in the future.

When the perceived risk of incarceration wanes, which it is likely to do once the vendor community and trade press tire of writing the same articles with the same shock headlines, what will become of data management efforts? A friend of mine in the fed advises me that enforcement of regulations is likely to become a political football. Ultimately, he argues, regulators will only seek to enforce the rules as an adjunct to the prosecution of some larger case of malfeasance, like racketeering. In other words, an indictment against some future Enron on a major infraction of law will be supplemented by a hundred or so counts of failure to comply with SOX or GLB or SEC rules. Rarely, if ever, will a company be subjected to the full weight of regulatory enforcement merely because it hasn't fully complied with the regs.

If my friend is correct, it will not be long before the legal eagles of corporate America blow wise to this fact. They are likely to advise senior managers not to worry so much, and to take out more director and officer insurance. When that happens, what will continue to drive data management?Your thoughts? Drop me a line

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox
More Insights