Baking in cyber resilience by design
As cyberattacks continue to grow in both volume and complexity, cybersecurity must be front of mind for all organizations. But even as this threat looms large, many chief information officers (CIOs) are too focused on short-term security solutions, relying on cloud as a safety net and overlooking their longer-term cyber resilience strategy.
So why isn’t a hybrid cloud strategy enough to ensure cyber resilience, and what can organizations do to bake in resilience by design? CIOs spend a huge amount of time, money, and resources on cloud strategies, and their decisions can have significant repercussions across the entire business for staff and customers alike.
However, the way departments often purchase and utilize cloud resources can significantly undermine a business’ overall level of resilience. Regardless of how technologically advanced and secure cloud environments are, having system architecture, ownership, and accountability rife with walls and manual handovers means that resilience is nearly impossible to bake in by design.
What do we mean by resilience? It is vitally important for the majority of companies to be able to continue their operations round the clock. In recent years, severe outages and cyberattacks have significantly damaged the reputation and revenue of affected organizations, on top of interrupting their ability to serve customers. Central to this “always-on” service demand is data: ensuring that it is always available, reliable, and secure, and that it has an immediately available back-up environment should its primary environment go down.
Current enterprise information technology (IT) architecture is not built to think in terms of business operations. Questions like “Can my doctors access medical data? Can my bank access money? Can my users reach my content?” don’t mean a lot to technology towers like networking, data centers, security, or cloud operations in isolation—yet each one is a vital link in the process chain. The technology industry has institutionalized itself into these competing towers, often to the detriment of business operations and resilience. Achieving proper resilience, therefore, requires a breaking of this mold: A fundamental rethink of how we design, procure, and maintain our systems with business operations in mind, and data’s central role within this.
Today, at a time when disruptions must be expected, CIOs are butting heads with their own enterprise architectures and processes, as they realize that the model they’ve been using for the last 30 years is no longer viable. The IT industry has compartmentalized itself into neat towers and silos, evolving into, and being sold as, individual dedicated disciplines. These fragmented disciplines do not, in turn, correlate to end-to-end business functions. Each IT discipline has its own service level agreements, recovery time objectives, or recovery point objectives, irrespective of minimum viable business function requirements. Professionals managing these towers often work in silos, focusing only on the performance of their department and passing off responsibility for problems outside their direct remit.
Often, towers are vying with one another for budget allocation, competing in a field where they should be collaborating for an overall improved, shared outcome. This siloed approach is particularly unhelpful in the event of a cyberattack. Whose job is it to find a solution when an attacker brings down a network and customer information is lost? Security operations? Disaster recovery? Network? Data center? These towers create responsibility gaps which make it impossible to mount an effective response. Time is not the only currency spent in the race to find the source of a breach, as delays also mean significant financial and reputational losses.
Changing the existing cloud model is a hugely complex ask, extending beyond an organization’s tech stack to its wider business. The more manageable approach is to develop a resilience framework, consisting of step-by-step processes, requirements, and considerations to bring IT towers into a more cohesive alignment.
The data journey is the Achilles heel of any hybrid-cloud strategy. Proper resilience practice is not about knowing who to turn to in an emergency—it’s truly knowing how your system fits together. To break down silos and effect true change, CIOs need to understand their minimum viable organization and their risk appetites so they can invest and act appropriately. Without an effective resilience strategy, any hybrid cloud strategy risks grinding to a halt.
The Jakarta Post/Asia News Network
Sean Lee is Asean sales and managing director of Kyndryl Indonesia.
The Philippine Daily Inquirer is a member of the Asia News Network, an alliance of 22 media titles in the region.