The Power of Persuasion

Hunter discovers that it's not always easy convincing management that a technology is necessary, especially if it's a 'proactive purchase.'

July 29, 2005

3 Min Read
Network Computing logo

Wire Speed

You may be thinking that ACME should consider across-the-wire backups (also called electronic vaulting) or replication mirroring instead of tape backups. In fact, we've looked at those alternatives. So we're considering tape backup encryption technology that could also be applied to our overall storage and database systems, as well as any data-replication movement. We're insisting on a wire-speed product that operates to alleviate encryption overhead, and we're requiring security features, such as access controls, authentication and logging. The product we've tentatively selected is an encryption appliance that offers integrated fault tolerance.

To test the winds of approval, I sent a short e-mail message to our CIO, Steve Fox, to see how he would react to a $50,000 encryption system price tag. After some prodding questions, he agreed to "socialize" the idea with some of the other senior managers involved in the approval process. Unfortunately, he received some deer-in-the-headlights gazes in return, as well as some questions about investing in a solution when there was no perceived problem. Apparently, as with many other security purchases, we would have to persuade top brass to be proactive, before some marauding exploit violated our perimeter.

No Rules

Although Congress is considering data-privacy legislation, ACME so far isn't bound by any Sarbanes-Oxley-like regulations mandating the encryption of backup data. Still, our customers trust us with their data, and we used this trust as a central tenet in our purchase proposal.We also played up the FUD (fear, uncertainty and doubt) factor: What if our customer data became public? What would be the damage to our reputation? What would be the impact on our revenue?

We provided a realistic assessment of the risks surrounding unprotected backup data. We've been encrypting some customer-related fields in some of our databases, which didn't cost anything except IT staff time. We've used password protection in our tape backup software, but the software couldn't encrypt all the stored data. In IT auditing terms, we had a risk of data becoming compromised if our off-site tape backups fell into the wrong hands. We used this risk assessment in our purchase justification, but because we hadn't yet experienced any actual losses, it was difficult to prove ROI, which is what the bean counters usually want to see.

Pending Approval

As I write this, we have not gotten approval to buy the encryption technology, and we may not get it. The encryption appliance was not in our original budget for 2005--though we have enough slack here and there to afford it--and even if it had been, we would still have to get approval to buy it.

The tough part is still convincing senior management we need this technology and need it now. Sometimes, being a success in IT isn't predicated on your technical skills, or even your business skills, but on your power of persuasion.Hunter Metatek is an enterprise IT director with 15 years' experience in network engineering and management. The events chronicled in this column are based in fact--only the names are fiction. Write to the author at [email protected].

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox
More Insights