I have always enjoyed speaking with David West. He’s one of the relatively few people within the storage industry’s sell-side who genuinely seeks to understand information management - the industry from which I leapt into storage.

After I read David’s recent blog post ILM: What’s Old is New Again, in which he wrote about the return of ILM, I responded with the following comment:

“ILM never left, Dave. That’s a storage industry centric perspective as if storage first brought ILM to the table a decade ago.

Managing information over a life cycle existed long before the storage industry began using the term [ILM], and it’ll continue to persist regardless what terminology or focus the industry fancies at the moment.

The storage industry brought at least two important contributions to the table for information management.

The first was a hard dollar ROI. Frankly, the hard dollar ROI for information management was less compelling before storage companies got involved. Information managers can now highlight ILM’s impact on storage and storage management beyond the usual business user productivity claims.  They can now talk in terms of serious savings and bottom line impact.

The second was a forward looking vision of how storage infrastructure could communicate and collaborate with the business application layer to deliver compliance, protection  and preservation at the lowest possible cost.

ILM doesn’t need to make a comeback. It never left. Storage managers need to step up their game and understand how the storage industry’s perspective on ILM complements traditional business-level information management. And information management practitioners need to step up their game as well and begin working more closely with IT to learn about and leverage these complementary technologies.”

The important point to understand is that businesses already use many types of applications designed to manage information over its life cycle (independent of storage considerations). The storage industry takes that concept one step further by mapping life cycle management to storage infrastructure and storage management costs.

The challenges to realizing end-to-end ILM (i.e. business-wide information management) are in the integration between business and storage applications, and the collaboration between information stewards (in business) and information custodians (in IT).

Note:  Technology professionals sometimes object to being referred to as custodians despite the fact that their role in information management is largely custodial. To avoid hurting their delicate feelings try less objectionable titles such as  Information A-Team or Information Geniuses. Remember, your data lives on their real estate.

In his recent Wikibon post following a July 28 Peer Incite: Prevent Unstructured Data from Fueling Business Risk, Dave Vallente warns CIOs of what he calls the “data management trap”.  Thankfully, Dave provided an overview for those of us who were unable to participate.

I agree with Dave that “the starting point for an information management strategy should not be the technology implementation”.  However, I would add that a CIO is not the appropriate person for the job.

In response to Dave’s post I wrote:

“Information management responsibilities should not be delegated to the CIO unless an organization has absolutely no other alternative. The CIO has the wrong skill set and mindset, and in my opinion, a conflict of interest despite some obvious potential synergies.

Back in April I wrote a brief response to Chuck Hollis’s State of the CIO blog post.

Here’s an excerpt…

‘Chief Information Officer - quite possibly one of the greatest business misnomers of all time.

I’m still waiting for someone to explain the role of the ‘I’ in CIO. The word infrastructure is far more appropriate given the CIO’s focus…perhaps with a dotted line to information…

Savvy companies understand that information usually has no ‘real’ champion at the executive table…certainly not the CIO whose skillset is generally not appropriate for, and whose directives may be at odds with, sound corporate information management. Those who can afford to establish roles primarily responsible for IM (e.g., Chief Knowledge Officer or Chief Preservation Officer) eventually do.

If CKOs and CPOs are the architects of IM, you can think of CIOs as the general contractors…

I believe it is absolutely essential that EMC help its customers understand that information stewardship and accountability must be elevated to the C-level. And I would strongly advise against adding these to the CIO’s already hefty list of responsibilities.

Let’s talk about the state of the state of information stewardship and accountability.’

Putting information management decisions into the hands of a CIO is like putting life or death medical decisions into the hands of a health insurer. It’s a long-term recipe for failure.”

What are your thoughts about information management roles and responsibilities? Join the conversation over at Wikibon

I’m all for data protection, and I believe we can all agree that the protection of personal information is extremely important. However, if our government wishes to enact laws to protect our data, then it should do a better job of crafting unambiguous wording. Ambiguity is an attorney’s best friend. With the number of attorneys-turned-legislators in government one would think they should know better.

I was inspired by a recent post on Stephen Foskett’s Enterprise Storage Strategies Blog titled “Massachusetts Says Encrypt It All!” Stephen raised an interesting issue about tape encryption in the context of MA and NV data protection laws. His post compelled me to take a closer look at the wording of the laws. For your reference, the laws are:

• NRS 597.970: Restrictions on transfer of personal information through electronic transmission. [In effect since October 1, 2008]
• NRS 603A: Security of Personal Information
• 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth [Effective January 1, 2010]

I began with a comment on Stephen’s blog:

“Stephen, I’ll suggest the same interpretation of Nevada’s law here that I used in a comment on Steve’s IT Rants.

Can an attorney successfully argue that tape is not ‘an electronic transmission…to a person outside of the secure system of the business’? In fact, the transportation of tape off-site is not electronic, it’s physical. The electronic transmission of the data to tape occurs before the tape leaves the facility. By the time it’s on tape, electronic transmission is no longer a factor. And if a fax - a combination of electronic and physical transmission - is permissible, then why not tape?

Mincing words, I know, but we all know that cases are won and lost in court based on wording and semantics. Legislators will need to be more clear about that.

Right now, it seems the wording is too vague. I suspect transporting a tape off-site would not break the law as it is now worded.”

Unlike Massachusetts law in which the word “electronic” is defined as ”relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities” and “record” is defined as “any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics”, Nevada law offers no such definitions and leaves the door wide open for interpretation.

I continued reading the laws, and paused to write a few observations along the way:

•  Massachusetts legislators conveniently and hypocritically defined “person” in a way that exempts the State from its own data protection law.  201 CMR 17.00 defines “person” as “a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.”  Shades of Sarbanes-Oxley and the federal government—do as I say, not as I do. Massachusetts business owners should be furious that the State is not prepared to shoulder the same burden. After all, what Massachusetts entity stores more private information on Commonwealth citizens than the State itself?
• 201 CMR 17.03  states “Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.” As Steve Duplessie of ESG already pointed out, it remains to be seen if 201 CMR 17.00 can be enforced against out-of-state violators. I doubt it, but the threat alone will undoubtedly compel many out-of-state businesses to take action.
• It also appears that the law may not be enforced consistently and equitably.  201 CMR 17.03  states “Whether the comprehensive information security program is in compliance with these regulations for the protection of personal information, shall be evaluated taking into account (i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such person, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information.” Will this mean that a relatively small law firm or retail business will not be held to the same level of accountability as larger firms?
• 201 CMR 17.03 (f): “Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information…Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations.” Certified by whom? The service provider? The State?
• 201 CMR 17.03 (h): “Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.” I do not have to tell you how prohibitively expensive and time consuming it would be to inventory and identify every paper record that contains personal information within an organization. Fortunately, software applications do exist to aid electronic discovery. Unfortunately, most discovery tools cannot easily accommodate the data on tape backups. Do the legislators fully comprehend the impact of this requirement?  I doubt it. Encrypting everything is not a solution.
• 201 CMR 17.04 (1)(iii): “control of data security passwords to ensure that such passwords are kept at a location separate from that of the data to which such passwords permit access.” I believe a definition is needed for the word “location”. Without it, I can interpret this to mean that the passwords should not be stored electronically alongside the protected data. What about data on a remote server accessed via a desktop computer containing a local unprotected password file?

Data protection laws need to be crystal clear, practical and affordable.  I’m pleased with the spirit of the MA and NV data protection laws, however, state legislators must tighten the language and re-evaluate their expectations.  As they stand now, the laws are ripe for abuse and misinterpretation so long as they remain poorly defined and impractical. 

What do you think of the laws and the impact on your business? Join one of the conversations at Steve’s IT Rants or Enterprise Storage Strategies.

Earlier this year I weighed in on the Donatelli/EMC non-compete drama with a brief post about the nature of non-competes.

Since then I have read several new articles and opinions about the topic of non-competes. I am currently following two: Boston.com’s Clause for Concern, and Bijan’s Revised non-compete legislation doesn’t go far enough.

Here’s my take in a nutshell:

I agree that non-competes make no sense for rank-and-file employees (a.k.a. employees at will). I’ve been the victim of a non-compete on at least one occasion during a layoff at the turn of the century.

However, I do believe non-competes are fair game for any employee under a formal employment contract (esp. key personnel, founders and senior executives). It’s a voluntary mutual commitment - a covenant if you will - and there’s no rational reason that non-competition language should be universally excluded from such an arrangement.

Rep Brownsberger should ditch the arbitrary $50k cutoff and craft the bill in the context of employment at will versus employment under formal contract. If employers want non-competes, such a law would make it much harder for them to eliminate employees at the drop of a hat without justifiable cause. And, if employees want better than at-will job security - which is what most senior execs enjoy today - then they can sign on the dotted line. Both sides would get the security they seek at a cost.

I went on to write,

And, to be clear, I’m not talking about severance contracts issued during the layoff of at-will employees. We both know those are usually non-negotiable “take it or leave it” contracts that many employees feel compelled to sign, on short notice, in exchange for less than desirable compensation.

Let’s not confuse those with the compensation packages of executives and founders negotiated up-front as a condition of employment.

And,

If employers want non-competes, I’m suggesting that they be forced to enter into formal employment contracts with new hires (i.e. not at-will) where compensation - including any severance and perks - is negotiated up-front just as it is now for most founders and executives.  At-will employees should have no such requirement as a condition of employment or severance.

To suggest that non-competes should be eliminated completely is shortsighted and naive, in my opinion. Such agreements do have legitimate applications in the context of certain employees, particularly those nearer the top who will acquire broad intimate knowledge of an employer’s strategies, tactics and operations (as was the case with Donatelli and EMC earlier this year).

It would be naive to believe that NDAs and similar instruments designed to protect IP are effective in that context. In contrast, non-competes wholly eliminate the possibility of knowledge misuse and abuse.

As for Massachusetts and California, there is absolutely no way for you and I to meaningfully quantify the impact of their attitudes toward non-competes.  What I’ve read to-date is little more than opinion. Nobody knows for sure what the impact has been, positive or negative.

Do you have an opinion about non-competes? Join one of the conversations at Boston.com or www.bijansabet.com.

I’m doubtful, but hopeful.

Bob Hill over at www.BusinessBrief.com crafted a list of 10 lessons every CEO can learn from Fortune 500’s biggest losers.

I agree with Bob. There are lessons to be learned. However, I added:

And what, perhaps, is the biggest lesson of all? If you are F500 don’t worry about all of the above. If you screw things up royally, rest assured that (one way or another) Uncle Sam will bail you out.

Bob, I wish I could believe that CEOs will actually learn from the mistakes of their peers, but history has proven this to be largely untrue. And with a Federal government so willing to prop up institutions in our faux free market economy, what, precisely, is the incentive to genuinely succeed? Companies such as AIG and CITI have demonstrated that even catastrophic failure is rewarded handsomely.

Until the penalties outweigh the incentives, we are unlikely to see genuine change in any industry.

Take, for example, finance, health care and pharmaceuticals. What is the incentive to do the right thing for investors/patients/consumers when the penalties pale in comparison to the anticipated profits? The answer is: none.

Still, Bob’s list is worth reading for those of you who care. Join the conversation over at www.BusinessBrief.com.

Tim over at Storage Monkeys wanted to know, “Is de-duplication a strategy or a finger in the dike?”

I wrote:

“In response to the title of Tim’s post, and [as he requested] in the context of backups alone, the concept of de-duplication is an extremely important consideration for any data protection strategy. We can all agree that we’d like to store as little as possible, preferably in the least amount of space, and still meet or beat our day-to-day operational requirements. De-duplication is all about keeping the physical amount of stored data to a minimum. And, faced with a future filled with mind-boggling amounts of new data, de-duplication is a good thing.

What is important to understand is that de-duplication (which appears to be a term born in the storage industry in the past decade) goes by many names and is best visualized as a spectrum of solutions designed to take the redundancy out of data. At one end of the spectrum we find file formats such as JPG, GIF, MP3, MPG, GZIP, TAR and SIT. These are examples of intra-file data reduction (a.k.a. file compression).

Further along the spectrum we find single instance storage, a method of inter-file data reduction that has existed in many business applications since at least the early-to-mid 90s, possibly earlier. It’s a simple implementation that identifies whole [byte for byte] duplicate files and stores a single copy. A lightweight system of pointers or stubs ensures that applications are unaware of the underlying data reduction.

As we continue to move along the spectrum we encounter even more efficient methods of data reduction such as data chunking (at the block or sub-file level) and delta encoding. And storage vendors have, in recent years, added a new wrinkle to de-duplication: timing. Should we de-duplicate before or after moving our data over the network from point A to point B?

Commercial implementations of de-duplication typically combine multiple methods, and all of them make trade-offs between complexity, efficiency and performance. There is no single universally superior method or commercial implementation of de-duplication. You guessed it - it all depends on what you’re trying to accomplish.

And, it really doesn’t matter whether we’re talking about primary or secondary storage, old backup technology or new, near-line, off-line, local, remote, backup or archival storage. They can all benefit from de-duplication whether it’s embedded or bolted-on.

De-duplication isn’t a patch, it’s an integral part of efficient information and storage management.”

Do you have an opinion about the role of de-duplication in your organization? Join the conversation over at Storage Monkeys.

Frankly, I simply do not like managing a blog as you can tell by how infrequently I publish.  I much prefer to contribute insight to the blogs and columns of others than to publish my own beyond Data Mobility Group’s usual research.  In fact, I’m quite active in that regard, and my comments can be found on forums of all types from politics and education to transportation and information technology.

In the months ahead, you can expect to find the complete text of a select subset of my comments - past and present - published here with links to the original questions and conversations located elsewhere on the Internet. I encourage you to follow the links and join the conversations.

Cheers,

Following the recent news about David Donatelli’s sudden defection from EMC to HP, blogging pundits jumped at the opportunity to debate the nature of non-compete agreements.

Over the past couple of days I have read more than a dozen blog entries on the topic, written by industry analysts and veterans, and [in my humble opinion] every last one of them - including StorageMojo’s own Robin Harris - completely missed the big picture. Read the rest of this entry »