It's often said that IT administrators in general, and storage administrators in particular, are highly risk-averse. Clearly that's the case today. Look for a moment at any one of the surveys that seeks to understand the most pressing issues on the minds of those are tasked with the stewardship of enterprise data. These surveys point to data protection, security, system reliability and availability, and responsiveness to regulatory agencies and corporate governance as top priorities. Hot products these days are continuous data protection (CDP), disk-to-disk-to-tape (D2D2T), and e-mail archiving solutions. Storage-based data encryption solutions are now getting a thorough examination as well. Managing risk is a prime mover in the storage industry.

As a result of observing this heavy concentration on risk management a few years ago, I decided to explore the well-established practice of fiduciary risk management to see if that endeavor had anything to offer the practice of storage management. I ran across something by a fellow analyst named Felix Kloman. Felix writes a newsletter call "Risk Management Reports." It's a monthly compilation of observations and advice that Felix offers to those who manage actuarial and fiduciary risk for a living. Thanks to Felix, I've discovered an emerging research effort into operational risk. Practitioners of fiduciary risk management seek to quantify risk. Future practitioners of operational risk will seek to do the same thing. What's cool about that? IT is included under the category of operational risk. Imagine having an accepted and reliable way to quantify downtime or data loss that both CIOs and CFOs could agree upon. You wouldn't have to quote the widely divergent numbers on this subject offered up by us analysts.

I've also come to adopt an attitude toward risk management that's one of Felix' guiding philosophies: There are really two ways to look at risk. One is the hindsight view, and the other the foresight view. The hindsight view concentrates on protecting what you already have. The foresight view asks you to be constantly on the lookout for new opportunities because, in the final analysis, having little or no foresight is as risky as having no hindsight. Why? Without the foresight to see coming marketplace changes and new opportunities, you're at risk of being run out by a competitor who does have that essential foresight. Felix advises his readers to take a balanced approach. Be diligent with hindsight, but don't forget the foresight.

The sad state of affairs in storage management - and IT management in general - is that hindsight often takes priority over foresight. These days, improved backup and e-mail archiving projects often take priority over speeding new applications to a user's desktop. We all moan and groan when Nicholas Carr, author of "IT Doesn't Matter," chastises IT for its irrelevance, but we can't just pass off Nick as an irrelevant academic. We all know there's a kernel of truth in that observation, no matter how hard it is to admit. Irrelevance is what happens when all IT does is protect what it has.

Here's a radical thought: Data is both a blessing and a curse. You have to have it to stay in business. But then the government tells you to save it for years on end. You curse.

Recently I brought my family to a summer resort outside the US for a week. All five of us had one suitcase and one carry-on as we boarded the plane. We watched as other families struggled to get multiple SUV-sized bags (I mean this was LUG-gage) across international borders. Data is essential to business survival and forward motion. No doubt, you gotta have it. However, it can also be luggage with a capital LUG.

Here's a proposal: take steps to radically reduce the amount of data you have to lug around. The fewer the number of bits you schlep over system boundaries, the fewer bits you have at risk, and the faster you move to the next new opportunity. Shavingoff 10% isn't going to get you there. Think big. Think 50%.

Shred
It's become fashionable in storage circles to talk about automated, policy-based management. Corporate policies are the most difficult to translate to the storage environment. Why? Because corporate policies are outside the control of the IT department, whereas the other policy sources remain under IT control. Corporate policy makers now include attorneys who want e-mails saved in case of possible litigation and regulatory compliance managers who want multiple years of audit trails and transaction logs saved for possible governmental review. Storage administrators shouldn't and can't make corporate policy. Yet they must somehow make things happen. And, in the absence of established corporate policy with regard to shredding data, the default position for storage administrators is to save (and therefore LUG) everything.

When corporate policy is clearly understood, the job of translating policy to storage management practice gets easier. However, when corporate policy is unclear - or in some cases nonexistent - IT must somehow force clarity from corporate executives. Otherwise pack those bags. No shredding policy results in big data baggage. Do the residents of mahogany row know that? The executives that really matter here are corporate legal counselors. They have the power to create records-deletion policies that are:

1. Enforceable at the application user level
2. Defensible in court if challenged

Do We Really Have to Store All These Data Bits?
Dare I say this? We all talk about burgeoning data volumes and data growth rates in excess of 70% a year. The standard storage industry response is a call for more efficient management and solutions that enable storage administrators to do more with less. Rarely do we survey the TBs piling up on data center floor tiles and ask, "Do we really have to save all these data bits?"

There is little financial incentive for storage vendors to ask this question - a true statement even for software vendors who have no hardware axe to grind but nevertheless price their offerings based on capacity in one form or another. And it's become difficult for storage administrators to pose this question to senior corporate executives who fear the worst from litigious lawyers and government regulators. It's easier just to save everything.

Yet, do more with less is not the only answer. There are ways to move the capacity growth meter away from the red zone. Start by seriously collaborating with corporate legal counsel to establish a clear and defensible records deletion policy.

Travel light, travel fast.