Confessions of a reformed data security phobe

A Data Security Phobe is someone who has an irrational fear of data security. If you Google this I suspect you won’t find it because I made it up. But as I talk to IT folks around the country, I am convinced this is a real condition that must be addressed.  I also realized, embarrassingly enough, I am a recovering Data Security Phobe.

As a person who has worked with enterprise data most of my career, I am well aware of the fragility of data and the importance of keeping it safe from both destruction and misuse. With that said, I am also infinitely aware of how painful it can be when either of those events happens. So, I rationalized that perhaps the fear wasn’t irrational.

Most of us folks with phobias do rationalizations. For example, is fear of flying (Aviatophobia) really irrational? Planes do crash, largely due to mechanical or human error and sometimes malicious intent (sound familiar?), so there could be some basis for the fear.

On one of my recent flights, the man in front of me during boarding stopped and told the Flight Attendant that he was afraid of flying, and he had a few questions for her. He then proceeded to ask if the plane had been checked out and whether she was sure we were not going to crash. Interesting questions. She was very supportive and explained that everything would be fine. There was no way she could really know this, but luckily the man seemed to take comfort in her answers. He made a sign of the cross and boarded the plane. Someday I will write a travel blog.

At any rate, as I thought about this exchange (wifi hadn’t been turned on yet on the plane, and no, they hadn’t started serving drinks) I realized the man just needed a way to assure himself that everything was going to be OK. I started to think about some of the discussions I had had with IT teams over the last few months. In the early days of data security, our comfort was in knowing that if we could protect the perimeter everything would be fine. We would rationalize that if we bought the best firewalls and added malware detection and a virus scan, we were good to go.

We’d pray we wouldn’t get invited to a data governance discussion. We’d rather stick needles in our eyes than sit in a task force whose mission in our mind was to make up rules to protect assets we didn’t know if we had and as a result, make our lives harder. We twitch as we are asked about adding complex detection software to our networks to track data, software that gives more false positives than useful information and includes a new set of servers, networking and storage we now need to manage. This never ends well.

The really scary ask is when we’re asked to start scanning and indexing our data looking for sensitive information. We knew this would bring even fast storage to its knees and could make our lives a living hell. We’d experience applications failing due to latency and users would start grumbling about poor response time during the scans. Then, we’d turn the scans off and only run them on Sundays but wait, that interfered with our full backup schedule. So we don’t run the scans consistently. If there is an issue, the odds were 50/50 that we’d have useful data. We would get caught between 100% guaranteeing we’d mess up active IT infrastructure or risk the lower chances that we will need the information from the scans. In most cases, we pick keeping things that will bite us sooner as the priority and we know we are running on borrowed time. This is the movie we see running through our heads as we think about yet another data security initiative.

I remember multiple painful support calls back in my EqualLogic days where the latency on the storage would spike and the queue depths would all of a sudden get deep then shallow repetitively. Applications would start having issues and user access times would be choppy. We became good at tracing this back to some data scanner or search appliance scanning and indexing the data over the network. These would be doing ridiculous amounts of reads, and the really broken ones would write to the same spindles they were already hammering. We had some strategies to help make things better, but the laws of physics sometimes can get in the way.

I also remember when we started EqualLogic in 2001 we had a long discussion about security. There were some really smart people in the room. We concluded if you had physical access to the array all bets were off. We did a good job managing access control and thought we were good. Then by 2004, folks started putting the arrays on the internet, so physical access became virtual and the discussion changed. Reality then began to set in for me that we needed a well-thought-out plan on how we were going to protect the data and the paths to the data.

So I understand the fear, and I get the rationalizations. Can you let this fear continue to affect your behavior? It depends.

If you have a life that requires you to be in Boston half the week and Seattle the other half, you need to figure out a way to live with your fear of flying or change your life. If you are responsible for sensitive data, you need to get over your fear of data security. However, I also believe you need to temper data governance with the reality of operating a business.

It took me a while to figure out the fear in the eyes of some IT people when I started asking about data security, especially when their CIO or VP of IT was in the room. They could see another painful ask about data security headed in their direction and would rather be talking about getting their teeth drilled than embark on another initiative. Once I realized I was talking to fellow Data Security Phobes, I understood their initial reaction. I also knew that resistance to protecting and securing their company’s data was dangerous and futile.

As a recovered Data Security Phobe I understand the angst. So when I talk about data security now, I start the discussion reminding folks that every part of the IT infrastructure needs to be responsible for securing the infrastructure and the data. The headlines all speak to the reality of all organizations’ data being vulnerable and borrowed time ticking away. The rationalization and avoidance were a way of coping. The reality is your data is exposed. You need to understand your choices, and ignoring data security isn’t one of them.

Read the DataGravity use case brief on managing sensitive and confidential information to learn how data-aware storage can help you protect and secure your data without adding to your data security phobia.

Paula Long

Paula Long is the CEO and co-founder of DataGravity. She previously co-founded storage provider EqualLogic, which was acquired by Dell for $1.4 billion in 2008. She remained at Dell as vice president of storage until 2010. Prior to EqualLogic, she served in engineering management positions at Allaire Corporation and oversaw the ClusterCATS product line at Bright Tiger Technologies. She is a graduate of Westfield State College.