IBM execs on storage security and operational resiliency

Security, resiliency and AI are reshaping how organizations think about storage infrastructure. At IBM Think 2026, these were center stage themes.

Notably, two storage experts were on stage during this event, speaking on each matter.Sam Werner, general manager of IBM Storage, is responsible for IBM's end-to-end portfolio, directly managing the product management development teams.  Before he took this role in August of last year, he was the head of product management for IBM Storage.

Christopher Vollmar, global product architect of operational resiliency and enterprise storage and IBM Master Inventor, is responsible for identifying opportunities to drive storage innovation based on market or client challenges and for solving them. Vollmar also helps colleagues by fostering their creativity and developing their ideas for innovation.

In this combined Q&A, TechTarget spoke with these two IBM storage experts to gauge their thoughts on resiliency and other important storage considerations.

Editor's note: The following was edited for length and clarity. Werner and Vollmar were interviewed separately.

What are some of the more important storage considerations for enterprises today?

Sam Werner:

We're in a very interesting time. … The AI supercycle is driving significantly more demand for storage. There were many vendors that were saying spinning disk drives are going to go away. I think it's clear that if everything went flash at the [current] consumption rate, there's not enough capacity -- which is why there's such a tight amount of demand.

I think that a vendor that can deliver an optimized platform across lots of different types of media will give you the best economics, and it's showing up in our results right now … even in this environment where memory costs are up.

But then I think about how you ensure that you're protected from any kind of cyber situation. ... When there's a cyberattack, you have to be able to recover -- which requires a storage strategy. … The only way you can guarantee a recovery point objective (RPO) and a recovery time objective (RTO) is if you can guarantee how long it takes to detect, because that will give you a sense of what copy you would have to go back to.

What's a capability or approach in operational resiliency that you think is underutilized by enterprises?

Christopher Vollmar:

The approach that is underutilized today is the ability to test and validate immutable copies on the production storage system, like the IBM FlashSystem, where they reside. It starts with defining a schedule for your Safeguarded Copies, but the progression to validation of the copy is key.  Is it a clean version that you could recover to, or is there some sort of corruption in it? Usually, I see that start as a process that can be done 'reactively' for an organization, but over time I see that progress to an automated, proactive approach that gets integrated into the Security Operations Center.

Another underutilized approach is creating a way to track your recovery points across primary and backup storage and how they relate to your applications.

What's the single biggest shift in attacker behavior against storage you're seeing in 2026, and how should IT leaders adjust their priorities? 

Vollmar:

The trend around supply chain and third-party compromises was something that needs more highlighting and consideration in looking at operational resiliency. I also think that highlighting that organizations still have work to do around 'Security 101' is also important … in terms of what organizations can do around changing attack surfaces. 

IBM has a long history in mainframe and enterprise legacy infrastructure. How do you architect resiliency to span legacy infrastructure as well as in modern cloud environments? 

Werner:

There are several pieces to resiliency. … First of all, we've seen an extension of the number of sites that clients maintain copies of … and I think that AI is very far behind in resiliency.

For the mission-critical stuff, what we see as best practice is to have three sites. You'll have a synchronous for near-zero RPO, where you can continue operations very quickly for mission-critical [operations]. And you'll have an asynchronous site as well for disaster recovery … that can easily be cloud … or you can go cloud to on-prem. ... Then, I think a really key piece of it is doing air gapped snapshots, and the best way to do that is within an array.

All of that will require much higher availability and resiliency than I think people have considered so far.

Then, where I find there's more exposure is in the AI space and unstructured data. People spend a lot of time and money vectorizing data for RAG, and they create vector databases. I find the data protection strategies around vector databases -- mostly because it's probably being driven by AI teams that haven't really given it a lot of thought yet -- those are not protected.

What about these lakehouses or data lakes that they're building? Or large object storage repositories where they're putting data? How are they protecting all of that in a consistent way for AI applications that are now going to start becoming mission-critical?

All of that will require much higher availability and resiliency than I think people have considered so far.

Vollmar:

I start with the business. What is the minimum viable company and what are the applications and the data that makes it up? If we can start there, then we can start to drive out how to protect and design recovery across various systems and platforms. ... For me, that design process has to center on recovery and validation of the workloads. Sometimes we find that people can be too focused on 'create a copy' without a plan on how to recover the business.   

Alexander Gillis is a Technical Writer and Editor at Informa TechTarget, with more than 8 years of experience writing about technology.