In this week’s Voices of the Industry, Mark W. Jobson, Director of Product Marketing for Iron Mountain’s data center business unit, discusses why data center compliance should be viewed in a positive light as opposed to a restrictive set of regulations.
Prior to writing this article, I asked people in the industry what words come to mind when they hear “data center compliance”. As you would expect, common responses were “regulations”, “restrictions”, “audits” and the like. The phrase that came up more than expected was “necessary evil”, and while I am certain people were not being entirely literal, I began to wonder if compliance is getting a bad rap.
For a colocation service provider, data center compliance is far from a “necessary evil”. When properly executed, it is more than just badges on a PowerPoint presentation or web page. A fully integrated compliance program becomes the foundation of service delivery and evolves to ensure long-term customer satisfaction and industry sustainability. With this in mind, a well-run data center compliance effort can be viewed in a more positive way – a “necessary awesome” if you will.
Here are five supporting thoughts.
Compliance programs keep colocation providers focused on critical core competencies to meet the diverse customer requirements within the broader marketplace.
In the data center world, we are always looking for new ways to differentiate, better serve our customers, increase efficiency and drive profitability. However, if we fail to focus on supporting our customers’ core security and compliance requirements, situations can occur where data center problems make global news. High-profile data center issues affect the entire industry, shake buyer confidence and further support individuals who possess an in-house data center mentality.
Colocation providers with robust compliance programs help protect their customers and the industry. Consistent programs ensure that every employee receives periodic training on security protocols, incident management, and role-based data center best practices. Annual third-party audits put documented controls and best practices to the test, identifying areas that may be further fine-tuned to ensure optimal performance.
The end result of a well-run data center compliance program is reduced operational risk. Excellent documentation and process improvement help teams identify potential risks before they become incidents. When incidents do occur, the teams are better prepared to execute a faster recovery.
Compliance gives public and private-sector organizations the confidence they need to trust a third party with their data center.
Notwithstanding a disruptive IT environment and outstanding TCO savings with third-party data center services (e.g. colocation), many companies continue to keep the majority of IT Operations and data centers in-house. According to 451 Research’s 2016 Voice of the Enterprise Report, 52.1% of organizations surveyed outsource their data center to colocation companies, integrators, managed services providers or like partners – leaving 47.9% of respondents with in-house solutions. Why is this the case? Iron Mountain’s research within our enterprise customer base shows security and compliance concerns as the biggest stated barriers to significantly adopting cloud computing and colocation. It follows then, that colocation providers who adopt a robust data center compliance framework can most effectively address these trust / fear of change challenges with proven practices and documentation that shed light under the operational ‘hood’.
Third party audits validate these controls, which range from technical operations to business functions. Compliance allows even the most change-resistant companies the ability to ensure that the provider’s controls meet or exceed their in-house controls and, once satisfied, can then perform cost-benefit analysis with the full data set at their disposal.
As most data center professionals know, the colocation value proposition is compelling: TCO reduction, increased operational efficiency, direct access to network ecosystems and other benefits. However, with so much riding on the data center decision, if there is any gray area, it can easily make the perceived risk outweigh the reward. Data center compliance minimizes the unknown and enables organizations to choose colocation with confidence.
Well-architected compliance programs with dedicated support drive accountability, consistency and value-add.
It is typical to have customer interaction with many different roles as they progress through the sales, onboarding and support stages. A well-resourced compliance program can increase the efficiency of service delivery, reduce intra-organizational friction and minimize finger pointing, leading to happier customers and employees.
At Iron Mountain, the Security function is a standalone group that is given a great deal of autonomy and authority. Data center providers who emulate this model and invest in dedicated compliance experts to manage their programs (vs. assigning compliance support as an additional duty) realize significant benefits. The most common benefits include focused attention on customer regulatory and compliance needs, the ability to hold the larger service delivery organization accountable and the elimination of conflicts from competing job responsibilities.
In addition, compliance experts architect more efficient programs and are best able to understand common controls across multiple assessments. This can reduce unnecessary repetition and strain on internal resources. The comprehensive understanding of the compliance expert drives more consistent data, faster results and properly aligned goals / KPIs. Motivation and compensation are driven by compliance success while deviations and threats to compliance are in direct conflict with objectives. This accountability leads to problems being openly addressed and corrected before they turn into incidents and maximizes the likelihood of reduced overall risk.
Furthermore, dedicated compliance program managers provide added value to customers by developing consistent deliverables that enable their own compliance programs. For example, a cloud provider looking to complete FedRAMP requirements is able to work with the provider’s professional team to inherit the applicable controls from their provider while developing new controls in a timely, consistent and accurate manner.
In contrast, providers that rely on the Operations Management team to multi-task for one-off audits typically lack consistency in performance, run the risk of exposure to control gaps, and often fall short when tasked with objectively prioritizing their customers’ data security needs.
Diverse compliance portfolios keep data center providers aware of the specific, changing needs of the customer.
The rate of change in technology and end-user behavior is astounding. This presents both new opportunities and threats that affect how specific industries regulate service delivery.
Colocation providers with well-run compliance programs are able to support diverse compliance requirements (NIST, HIPAA, PCI-DSS, ISO 27001, SOC 2, etc.) and stay up-to-date on specific industry best practices and pain points that affect how customers run their businesses. Applying this knowledge to service delivery allows colocation providers to increase customer satisfaction, retention and referrals, thereby increasing long-term revenue streams.
Evolving compliance programs help us prioritize capital investment and product innovation.
Effective data center compliance programs leverage product development and innovation to efficiently adapt to evolving customer compliance needs.
This can be witnessed in the case of Federal regulations and the Data Center Consolidation and Optimization Initiative (“DCOI”). DCOI mandates the reduction of Federal data center facilities, specifies Power Usage Effectiveness (“PUE”) goals and requires implementation of Data Center Infrastructure Management (DCIM) technology to ensure agency operations are both energy and capital efficient.
DCOI made it clear that providers marketing to the Federal demand base must focus their capital and innovation efforts on ensuring their offerings included the right capabilities (DCIM, power monitoring, etc.) to make the aggressive PUE target of less than 1.4.
Closing Remarks: your refrigerator just texted me. It said that data centers are kind of a big deal these days.
When is the last time you used data center and refrigerator in the same sentence?
There are some lucky consumers out there with refrigerators on the list of “connected devices” in their home. Refrigerators. Milk passes expiration date. Fridge sends automated smart phone notification. User hits the local grocer, replaces milk. Data reset. If it isn’t already, your house is soon to become powered by the data center – thermostats, lighting, security systems, music, garage doors – all passing data through applications that run in the cloud, which has its IT infrastructure located within a data center.
So, what does this have to do with compliance being a “necessary awesome”?
The more the general public and everyday life intertwine with data centers, the greater the risk of negative colocation-related attention from the larger market. Failures by colocation providers can cause large cloud outages that prevent access to popular web entities, leak confidential information and create travel mayhem. Picture the furor created the day millions of people can’t get into their home because their “unlock” application is not accessible.
Compliance-centric colocation services significantly reduce the risk of data center and security failures. Iron Mountain has taken this approach for the past 30 years and it has led to the successful delivery of reliable, compliant data center services to our heavily regulated customer base. And, a happy customer base translates to a healthy bottom line and positive business / industry growth trajectory.
By the way, your fridge just emailed me. You are out of lunch meat.
Mark W. Jobson is Director of Data Center Product Marketing at Iron Mountain. Iron Mountain is the global leader in storage and information management services. Iron Mountain Data Centers offer wholesale and retail colocation options that can meet the exacting requirements of cloud services providers, Federal Government Agencies, systems integrators, financial services firms and healthcare companies.