Investec CISO warns that legacy tapes will fail on new hardware

Many organisations may find that years of irreplaceable tape backups are inaccessible because modern machines cannot handle legacy formats.

Speaking at a launch event for EMC's latest research, David Cripps, chief information security officer (CISO) at Investec, said: "People will find that they have the tape, but they won't be able to read it back."

Investec keeps some old hardware purely for the purpose of restoring legacy tape backups.

The inability to access legacy tapes is part of a wider IT problem relating to the availability of systems. The EMC research estimated that unscheduled downtime costs $611,375 (£379,519) per year in the UK. EMC also reported that security breaches cost UK businesses an average of $1,158,077 per year, while the annual cost of data loss is $1,302,895.

The global study of 3,300 IT and senior business executives found that reduced investments in critical areas of IT – such as continuous availability, integrated backup and advanced security – were hampering the resilience of IT infrastructure and recovery time after downtime. 

“At Investec, we use security as a business risk, just like the risk [assessment] in the liquidity market,” said Cripps. “It is a risk event. My reporting line is into risk, and business makes an assessment of the risk impact.”

Challenges of being a CISO

From a security and availability perspective, Cripps said that if systems are down for a second, there is an immediate impact on the business. 

Among the issues he is tackling are cloud computing, cyber crime and requests from staff to use their own devices.

Cripps warned that from a CISO perspective, legislation is increasingly affecting how organisations are run. Changes to the EU Data Protection Directive, for example, will mean that a business has a time limit of 24 hours to report data loss to a regulator. 

Cripps said the security industry was failing businesses by selling fear, uncertainty and doubt (FUD). 

“As an industry, there is still a great deal of FUD by vendors to sell a product. People phone up and say they have a solution for APT [advanced persistent threats]. This is our life. Don't try to scare me into buying something, because [if you do that], you have lost straight away,” he said.
