Editorial Type: Interview Date: 2021-04-01 Views: 75 Tags: Storage, Backup, Cloud, Ransomware, Strategy, Management, Altaro
Eric Siron is a long-standing backup evangelist and the author of the recently published 'Backup Bible' eBook. Storage magazine editor David Tyler spoke to him about why properly managed backup policies are more important than ever, and why relying on a cloud provider to do the heavy lifting on your data protection is a risky approach to take

David Tyler: Hardly a week goes by that we don't see a new ransomware or data loss horror story - so why do we still need to tell people how important backup is?

Eric Siron: For better or for worse, fear is a poor long term motivator - that's really the issue.

You can walk into a boardroom and say "Here's the deal: ransomware, fire, flood, tornado, hurricane, act of God, meteor strike, whatever…" and you can get a ton of money that day - they want you to fix it, make that problem go away. But when you come back three years later and explain that all that stuff is now out of warranty and needs to be refreshed, the response all too often is "But hang on, nothing bad happened - you said meteor strikes etc. - so we're not going to give you all that money this time."

That's the boardroom issue. Take it to the IT guy and he'll tell you he has 87,000 projects to do, and backup is just something he will (hopefully) get around to. For such a critical system, it never ceases to amaze me: everybody needs backup, but nobody pays attention to it. If you look at all the major operating systems, the one aspect of all of them that is outright trash every time, is the built-in backup. Nobody takes it seriously.

As a journalist you're obviously seeing these bad news stories, but if you just go out into any random business and ask "When was your last major data loss?", the chances are they won't even know - it's just not top of mind. It's very easy to just think that it won't happen to you - and let's face it, the odds are heavily in their favour. That's what I mean about fear not being enough of a motivator, so we have to keep at it and make it an issue.

DT: Does that mean that as an industry we have to find a 'business-positive' reason to convince organisations to prioritise backup?

ES: You absolutely do, and if anyone has any suggestions for what that might be, I'd love to hear them! How do we explain how important this is? If you go to pretty much any technical forum you will see "Hey, I just got this great new system, now I want to back it up - but I want to do it for free." Really? Is that what your system is worth to you? Of course there are free backup solutions out there, but is that really the value you're placing on all of your data?

I say to these people, whatever happens to your system, your backup is crucial - if that's gone, you're finished. They need to understand that, and also that the law of averages says that the longer you go without a failure, the more likely you are to have one. People get too comfortable with "… it worked fine yesterday." That's not a good thing, it's not a good sign for the future - all it means is that it worked yesterday. Even with seasoned IT professionals, that mentality can be hard to get around.

People will say they are replicating to 78 locations around the world, so what could possibly go wrong - the simple fact is that one ransomware strike will render all that replication useless. The business case is actually very simple: look at your data, and decide what that is worth to you. If it were stolen or lost, what would that do to your organisation? It's like an insurance policy: it sucks to keep throwing money at insurance all the time, until you have to make a claim - and then you're glad you did it. What is that old saying? "You have to be lucky every day, the bad guys only have to be lucky once…"

DT: Why do you think there is such a disparity between how the boardroom views data protection and how the IT function does?

ES: I've found that business people are trained to think short term and reactively: "This is what's happened in the last three months, that will guide how we behave in the next three months". For IT people of course, three months is far too short a horizon - the last three months don't really tell you anything. They are thinking in maybe 5 year increments.

The shift to cloud, and therefore from Capex to Opex, has changed things a bit, but that basic problem still exists, that the time horizons between IT and the boardroom are so at variance. At the same time, in larger enterprises you might find that you can never even get your argument to the boardroom.

This is the disconnect: the way that people in the boardroom look at how the business survives, is completely different from how IT does it. I can go in there and talk common sense and logic to them all day, but that's not what they're there for. For them, it's about getting through the next quarter, and looking at that three month trend.

"How do we explain how important this is? If you go to pretty much any technical forum you will see 'Hey, I just got this great new system, now I want to back it up - but I want to do it for free.' Really? Is that what your system is worth to you? Of course there are free backup solutions out there, but is that really the value you're placing on all of your data?"

DT: You touched on the shift to cloud services: has the ease-of-use of cloud storage been a boon or an additional risk - or both - for businesses?

ES: In the short run I'd say it's been almost overwhelmingly negative - people assume that because Microsoft and Amazon have all this money and these huge systems, there is no way anything bad can happen to you. A lot of people are under the impression that cloud providers are already running backups for them as part of their service - they're not! That's an extra value add, they're not going to give anything away for free. There is definitely a false sense of security going on out there around cloud backup.

Part of the problem is that when vendors are selling their systems, they generally don't talk about backup unless as an afterthought: "Oh, by the way, you also need to back it up…" "OK, how much is that going to cost?" "Maybe another $100,000." "Erm, ok…"

Vendors aren't upfront enough about the criticality of backup, and making sure that it is seen as part of the solution from day one. The application and the backup of the application need to go hand-in-hand, and at present that doesn't happen nearly often enough in my opinion.

There is a lack of clear responsibility, especially with SaaS type systems; the accountability chain is 'fuzzy'. And to make it worse, a lot of users assume things are going on that simply aren't. Many users are losing a clear view of what their data even is, as a result of moving things into the cloud - so that's why I feel that the short term ramifications of the cloud - from a backup perspective - are mostly negative.

Longer term, it brings us back to the Capex/Opex issue we discussed earlier: if I'm going to do cloud-based backup, I can get rid of a lot of Capex. It can be easier to go into a boardroom and sell that, as maybe a $6,000 a month charge as opposed to $85,000 in chunks every couple of years. Ultimately I think cloud will mean that the solutions will be smoother - but the hurdles to get there might be higher, in terms of hearts and minds.

Eric Siron's recent eBook 'The Backup Bible' can be downloaded for free using the following link: