
The control point is the data itself

  • June 15, 2026
  • 14 comments
  • 146 views

Madi.Cristil

Do you ever hear something and then just keep repeating it in your head?

That happened to me at VeeamON this year. Anand, Veeam’s CEO, said something that really stuck with me:

“The control point is the data itself.” (https://www.youtube.com/shorts/mmZHsnvRdMc)

And the funny part is… it sounded obvious. Almost too obvious. But at the same time, I realized I hadn’t actually been thinking about it that way before.

I kept going back to it. Read a bit more on the topic. Looked at how people talk about similar ideas — data-centric architectures, data-driven security, and you start to notice a pattern. The industry is already moving in that direction.

And once you see it, you can’t really unsee it.

For a long time, when we talked about “control” in IT, we tied it to infrastructure. First the data center. Then virtualization. Then cloud became the new center of gravity. Each step felt like this is it — more control, more flexibility, better outcomes.

And if you think about it, that made sense.

Control usually sat in the systems people depended on the most — the ones where work actually happened, where decisions were made, where everything came together. The tools you live in every day tend to become your control point. But in reality, something else has been shifting underneath all of that.

It’s not the platform anymore. It’s the data. And that’s where it gets interesting.

Because if you look at data protection specifically, we’ve actually been doing a pretty good job, just not necessarily on the right problem. For the last 20–30 years, the data protection industry has made massive progress in backup and recovery.

And to be fair, we’ve gotten really good at it. Jobs are faster. Coverage is broader. Recovery that used to take days now happens in hours — sometimes minutes. All of that is real progress.

But there’s a question sitting underneath it that we haven’t consistently answered as an industry:

Do we actually know what we’re protecting? Not whether it’s backed up. But whether we understand it. What’s critical, sensitive, regulated and what is noise. Here is a great article from Rehan, Veeam’s President, Products & Technology: https://www.veeam.com/blog/veeam-intelligent-resops-microsoft-365-backup.html?utm_source=chatgpt.com

Because without that context, you’re protecting data but you’re not really in control of it. You’re not actually resilient.

And if you go back to that original idea — the control point is the data itself — it starts to expose that gap pretty quickly.

If control really sits at the data layer, then treating everything the same doesn’t give you control. It just means you’re good at storing copies.

In practice, a lot of environments still end up doing exactly that. Critical financial data and years of duplicate files often sit under the same policies, same retention, same assumptions. Not because anyone designed it that way, but because there isn’t enough context to do it differently.

For a long time, that was acceptable. Now it’s not. AI is basically forcing the issue. When AI agents start interacting with your data at scale — reading it, changing it, acting on it — the cost of not understanding that data goes up very quickly. It’s no longer just about recovering when something breaks. It’s about knowing what actually happened, changed, mattered.

And that’s a different problem.

Which is why that statement lands differently now. It’s not just a shift in architecture. It’s a shift in how we think about resilience. It’s no longer just about being able to recover. It’s about being confident in that recovery. Knowing what you have and what matters. And being able to act on it — precisely.

What are your thoughts on this matter?

14 comments

coolsport00
  • Veeam Legend
  • June 15, 2026

Good morning Madi -

It sure is an interesting point you address. For me personally...my mindset has always been about the data itself. I’ve never really categorized my data as a “control point”, but that object is the core of what I do. Everything else → what it resides on (infrastructure: servers, storage), how I interact with it (tools such as automation and various UIs), and how I back it up… are secondary components. You bring up some good points. Thank you for sharing!


Madi.Cristil
  • Author
  • Principal Community Manager
  • June 15, 2026

Hey Shane! That’s great to hear — sounds like you’ve been thinking in a data‑first way all along. Definitely an advantage 🙂 Curious if this shift just validates what you already see day to day?


coolsport00
  • Veeam Legend
  • June 15, 2026

I’m not sure how MSPs view their environments, or even other customers. My guess for MSPs is it would be a split. Because, at the core of implementing anything for a customer, it’s all about the data itself. Everything starts with it. From a BC/DR perspective, it for sure starts there when you’re talking about sizing for an implementation → what’s the total data size; what’s the data change rate; what’s the data’s RTO/RPO & various SLAs; etc. Although, as you mention in your post, maybe the data is just too obvious and the focus gets put on tools & infrastructure? I’m not sure…. 🤔


Madi.Cristil
  • Author
  • Principal Community Manager
  • June 15, 2026

That makes a lot of sense, Shane, especially from a BC/DR perspective. It almost feels like the data has always been the starting point in practice, even if we don’t always talk about it that way. Curious how others think about it.


Jean.peres.bkp

I agree. The key point is that storing data is not the same as understanding it.

For years, it was enough to ensure backup and recovery.

With AI consuming and making decisions based on large volumes of information, the challenge becomes context, traceability, and relevance.


AndrePulia
  • Veeam Vanguard
  • June 15, 2026

@Madi.Cristil I agree with Shane. In my case, I have been using the Business Impact Analysis (BIA) process, meaning I focus on the value of the data and ensure that the data most critical to the business is treated accordingly.

One of the references I use for this analysis is NIST SP 800-34; it is from 2010, but I think it is still an excellent reference.

https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final 

Really nice reflection Madi :-) thank you for sharing 

 


Madi.Cristil
  • Author
  • Principal Community Manager
  • June 15, 2026

Thank you all for your input in here! Very interesting to understand how people working in the data protection space see this shift! Even if obvious for many, I am sure for some it's a wake-up call.


kciolek
  • Influencer
  • June 15, 2026

For me it’s both, keeping the infrastructure online, testing failover, replication or whatever the case may be. I demonstrate all of these features to my customers and have to make sure they are working properly and I understand it. The data is important as well, I do have several Veeam servers that are backing up critical lab machines, etc. Although most can be rebuilt, a restore is quicker. Those VMs I have more protection, snapshots, backups, and replication and/or CDP setup.


Madi.Cristil
  • Author
  • Principal Community Manager
  • June 15, 2026

That makes a lot of sense — I like the “both” perspective.

I guess the real question is how do we actually find that balance in practice?


Chris.Childerhose

What stood out to me in that statement is that it quietly reframes what “control” actually means.

We’ve spent years getting very good at protecting data — making copies, improving recovery times, expanding coverage. That progress matters. Without it, nothing else works. But protection on its own is only part of the equation.

Control implies intent. And you can’t really have that if you don’t understand the data you’re protecting.

Not all data carries the same weight. Some of it drives revenue, some of it carries regulatory risk, some of it is operationally critical, and a lot of it is just noise. When everything is treated the same, protection becomes uniform, but control doesn’t.

That’s where the shift becomes real. If the control point is the data itself, then resilience isn’t just about being able to restore it — it’s about knowing what you’re restoring, why it matters, and what impact it has when it changes.

AI is accelerating that realization. When systems start interacting with data at scale, the difference between “protected” and “understood” becomes very visible, very quickly.

So it’s not one or the other. Strong protection is foundational, but understanding is what turns it into control.


MarcoLuvisi
  • VUG Leader
  • June 17, 2026

This is one of those pivotal periods of change.

The sheer volume of data inevitably requires us to analyse business data, understand the varying degrees of importance of that data, and consequently determine the frequency with which we carry out backups.

In my point of view, the ‘data-centric’ approach, as opposed to the ‘infrastructure-centric’ one, enables us to save on backup resources and reduce RTO and RPO times.


Madi.Cristil
  • Author
  • Principal Community Manager
  • June 17, 2026

Yeah, this adds a really good angle; especially around how it changes resource usage and recovery expectations.


Iams3le
  • June 19, 2026

I wrote a piece some time ago and described data as the new oil, and this idea is now expressed more precisely in the statement that the “control point is the data itself”. In modern digital environments, value, risk, and security all converge at the data layer, making it the true center of governance and resilience: https://www.forbes.com/sites/nishatalagala/2022/03/02/data-as-the-new-oil-is-not-enough-four-principles-for-avoiding-data-fires/


Madi.Cristil
  • Author
  • Principal Community Manager
  • June 19, 2026

That's a fantastic piece of content, Chris! Really liked the 4 pillars: 

  • Provenance: Know where your data came from
  • Privacy: Know who it came from and what laws to follow to use it
  • Protection: Don’t lose the data :-)
  • Preparation: Know how to refine the data, and remember how you refined the data so that you can do it again and again consistently

Thank you for sharing it!