As cyberattacks continue to grow in both volume and complexity, cybersecurity must be front of mind for all organizations. But even as this threat looms large, many CIOs are too focused on short-term security solutions, relying on cloud as a safety net and overlooking their longer-term cyber resilience strategy. So, why isn’t a hybrid cloud strategy enough to ensure cyber resilience, and what can organizations do to bake in resilience by design?
Flick March specializes in reliability, security and resilience in technology at Kyndryl.
CIOs spend a huge amount of time, money, and resources on cloud strategies, and their decisions can have significant repercussions across the entire business, for staff and customers alike. However, the way departments often purchase and use cloud resources can significantly undermine a business’s overall level of resilience. Regardless of how technologically advanced and secure cloud environments are, system architecture, ownership, and accountability that are rife with walls and manual handovers make it nearly impossible to bake resilience in by design.
What do we mean by resilience?
It is vitally important for the majority of companies that they are able to continue their operations around the clock. In recent years, severe outages and cyberattacks have driven headlines that have significantly damaged the reputation and revenue of affected organizations, on top of interrupting their ability to serve their customers. Central to this “always-on” service demand is data: ensuring that it is always available, reliable, and secure, and that a back-up environment is immediately available if its primary environment goes down.
Major disruptions like outages and cyberattacks have thrown disaster recovery (DR) and business resilience into the limelight, exposing how current enterprise architecture, team roles and responsibilities, and purchasing models do not always support actual business operations, making resilience difficult to guarantee.
Current enterprise IT architecture is not built to think in terms of business operations. Questions like “Can my doctors access medical data? Can my bank access money? Can my users reach my content?” don’t mean a lot to technology towers like networking, data centers, security, or cloud operations in isolation – yet each is a vital link in the process chain.
The technology industry has institutionalized itself into these competing towers, often to the detriment of business operations and resilience. Achieving proper resilience, therefore, requires a breaking of this mold: a fundamental rethink of how we design, procure, and maintain our systems with business operations in mind, and data’s central role within this.
Adopting a resilience-first mindset
Today, in a time where disruptions must be expected, CIOs are butting heads with their own enterprise architectures and processes, coming to the realization that the model they’ve been using for the last 30 years is no longer viable. The IT industry has compartmentalized itself into neat towers and silos, evolving into, and being sold as, individual dedicated disciplines. In turn, these fragmented disciplines do not map onto end-to-end business functions.
Each IT discipline has its own SLAs, RTOs, and RPOs (service-level agreements, recovery time objectives, and recovery point objectives), set irrespective of the minimum viable business function they support. Professionals managing these towers often work in silos, focusing only on the performance of their department and passing off responsibility whenever a problem falls outside of their direct remit. Often, towers are vying with one another for budget allocation, competing in a field where they should be collaborating for an overall improved, shared outcome.
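The gap between per-tower objectives and what the business actually experiences can be made concrete. The following added example (not code from the article or from Kyndryl; the tower names, figures, and the “order-to-cash” function are constructed for illustration) composes the SLA, RTO, and RPO of a chain of towers that a single business function depends on. Availability multiplies along a serial dependency chain, the recovery time adds up when each tower recovers only after the previous one hands over, and the recovery point is only as good as the stalest restore along the data path, so a chain of towers that each meet a “three nines” SLA can still miss a three-nines business requirement.

```python
"""Composite SLA / RTO / RPO for a business function spanning several IT towers.

Added example with constructed figures; the tower names and numbers are
hypothetical and not taken from the article.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

MINUTES_PER_YEAR = 365 * 24 * 60


@dataclass(frozen=True)
class Tower:
    name: str
    availability: float  # fraction, e.g. 0.999 for a "three nines" SLA
    rto_hours: float     # recovery time objective this tower commits to
    rpo_hours: float     # recovery point objective (maximum data-loss window)


# Constructed sample: the towers an "order-to-cash" function depends on, in
# the order a recovery would be handed from one team to the next.
ORDER_TO_CASH: List[Tower] = [
    Tower("network", 0.9995, rto_hours=2, rpo_hours=0),
    Tower("identity", 0.999, rto_hours=4, rpo_hours=1),
    Tower("database", 0.999, rto_hours=8, rpo_hours=4),
    Tower("application", 0.9995, rto_hours=2, rpo_hours=0),
]


def composite_availability(chain: Iterable[Tower]) -> float:
    """Serial dependency: the function is up only when every tower is up."""
    availability = 1.0
    for tower in chain:
        availability *= tower.availability
    return availability


def composite_rto(chain: Iterable[Tower], parallel_recovery: bool = False) -> float:
    """Worst-case recovery time for the whole function.

    Siloed handovers recover towers one after another (a relay race), so the
    RTOs add up. A single owner coordinating recovery in parallel is bounded by
    the slowest tower instead.
    """
    rtos = [tower.rto_hours for tower in chain]
    return max(rtos) if parallel_recovery else sum(rtos)


def composite_rpo(chain: Iterable[Tower]) -> float:
    """Data is only as fresh as the stalest restore point along the path."""
    return max(tower.rpo_hours for tower in chain)


def weakest_link(chain: Iterable[Tower]) -> str:
    """Tower with the lowest availability, i.e. the first place to invest."""
    return min(chain, key=lambda tower: tower.availability).name


def assess(chain: List[Tower], required_availability: float,
           required_rto_hours: float, required_rpo_hours: float,
           parallel_recovery: bool = False) -> Dict[str, object]:
    """Compare the composite figures with the minimum viable business function."""
    availability = composite_availability(chain)
    rto = composite_rto(chain, parallel_recovery)
    rpo = composite_rpo(chain)
    result: Dict[str, object] = {
        "availability": availability,
        "expected_downtime_minutes_per_year": (1 - availability) * MINUTES_PER_YEAR,
        "rto_hours": rto,
        "rpo_hours": rpo,
        "meets_availability": availability >= required_availability,
        "meets_rto": rto <= required_rto_hours,
        "meets_rpo": rpo <= required_rpo_hours,
    }
    result["meets_all"] = bool(result["meets_availability"]
                               and result["meets_rto"] and result["meets_rpo"])
    return result


if __name__ == "__main__":
    # Business requirement (constructed): three nines, back within 8 hours,
    # lose at most 1 hour of data.
    for key, value in assess(ORDER_TO_CASH, 0.999, 8, 1).items():
        print(f"{key}: {value}")
    print("weakest link:", weakest_link(ORDER_TO_CASH))
```

In this constructed chain every tower individually reports a three-nines or better SLA, yet the function’s availability comes out at roughly 99.70%, its serial RTO at 16 hours, and its RPO at 4 hours. Switching to coordinated, parallel recovery brings the RTO down to 8 hours without any tower changing its own objective, which is the kind of cross-tower change the text argues for.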
This siloed approach is particularly unhelpful in the event of a cyberattack. For example, whose job is it to find a solution when an attacker brings down a network and customer information is lost? SecOps? Disaster recovery? Network? Datacentre? These towers create responsibility gaps which make it impossible to mount an effective response.
Building a resilience framework within your cloud strategy
Cyberattacks or network outages can ripple through multiple departments within an enterprise, and following the breadcrumbs of a system failure to its root cause can feel like a relay race between teams. Time is not the only currency spent in the race to find the source of a breach, either: those delays also mean significant financial and reputational losses.
Changing the existing cloud model is a hugely complex ask, extending beyond an organization's tech stack to the wider business. The more manageable approach, therefore, is to develop a resilience framework, consisting of step-by-step processes, requirements, and considerations to bring IT towers into a more cohesive alignment. The challenges lie in both developing an exhaustive resilience framework in the first place, and then actively retrofitting it to your existing tech stack and internal operations.
Enabling true resilience
The data journey is the Achilles’ heel of any hybrid cloud strategy: the way data flows, how discoverable it is, its quality and usability, and, ultimately, who is in charge of getting it up and running again in the event of an outage or a cyberattack. Proper resilience practice is not about knowing who to hand off to in an emergency – it is truly knowing how your system fits together.
To break down silos and effect true change, then, CIOs need to understand their minimum viable organization and their risk appetites so that they can invest and act appropriately. Without an effective resilience strategy, any hybrid cloud strategy risks grinding to a halt.