The All-too-real Achilles Heel Of IT

By Flick March, March 28, 2022 (Updated: March 28, 2022)

Recent weeks have seen a surge in calls for cybersecurity resilience. UK organisations are now being urged by the NCSC to “bolster their defences”. And they’re not alone. In today’s digital-first ecosystem, it is critical that companies can operate – or at least remain active – 24/7. We saw these challenges at the onset of COVID as businesses were forced – and struggled – to shift to a secure, remote, digital way of working. While many eventually made the leap, questions remain about security and resilience, particularly given that many of us now work from a cloud system.

Outages and cyber breaches have been making headlines consistently over the past 12-18 months and have significantly impacted the reputation and revenue of those businesses that were named as vulnerable. But instead of focusing on the faltering of these companies which – frankly – is inevitable for any business, I’d like to suggest we focus on why our approach to disaster recovery (DR) and resilience needs a rethink.

A hybrid cloud strategy isn’t enough

CIOs spend a huge amount of time and money on cloud strategies. Their decisions can affect the entire running of the business for staff and customers alike. Yet the way departments purchase and utilise cloud resources can significantly undermine a business’s resilience. Regardless of how technologically modern and secure cloud environments are, having system architecture, ownership, and accountability rife with walls, siloes, and handovers means that resilience is nearly impossible to bake in by design. Following the breadcrumbs of a system failure to its root cause can feel like a relay race between departments.

This is the Achilles heel of any hybrid-cloud strategy; proper resilience practice not only understands but demands a rethink. It’s no longer sufficient to have a DR department to hand off to when things go wrong; it’s truly about knowing how your system fits together, its risk appetite, and its non-negotiables for business continuity.

But the problem of resilience – cloud or otherwise – is a legacy problem, stemming from the way the IT industry has evolved, and is sold, in a way which does not correlate to end-to-end business functions. It has remained siloed and, as a result, has compartmentalised itself for the last 30 years into dedicated disciplines: mainframe, server, network, cloud, applications, security, etc.

Key considerations for resilience

What this all ladders up to is the fact that the cloud is not an island: you cannot procure or operate within a cloud framework and expect the entire system to be secure.

Building resilience into our systems used to be simple – it used to be solely about DR – but that’s not the case any longer and several factors have changed the game. Extreme weather, civil unrest, and other unexpected, large-scale shocks all constitute resilience risks just as cyberattacks do. As a result, any resilience framework must take a holistic approach, rather than relying on DR alone.

That holistic approach is precisely why we must now think of any resilience strategy with a clear understanding of the “minimum viable organisation.”

Building resilience through minimum viable organisation

Current enterprise IT architecture does not think in terms of business operations, but consider this: What happens when customers can no longer make a purchase? When doctors can no longer access medical data? When banks can no longer access funds? All these touchpoints are crucial elements within a process chain, yet often the various elements – the network, data centre, security, cloud operations – are viewed in isolation.

Securing only one of these elements does no good if the rest of the chain is left vulnerable. And ultimately that’s where the minimum viable organisation comes in. It challenges businesses to identify the absolute bare minimum they need to secure to continue operating and providing services. Through that understanding, they can address key vulnerabilities throughout the network and orchestrate better resiliency practice.

In its siloing and compartmentalising, the technology industry has institutionalised itself into fiefdoms that compete to the detriment of business operations and resilience. Focusing on one element of a wider process, whether it be cloud, network, etc., is no longer appropriate. Rather, to achieve proper resilience, businesses must break this mould.

Cybersecurity resilience in 2022 calls for a fundamental rethink of how we design, procure, and maintain our systems with business operations in mind.

Conclusion

In conclusion, building resilience within the cloud cannot be done in the cloud alone – yet without it, any hybrid strategy risks grinding to a halt. While we as employees and businesses become increasingly reliant on cloud architectures, we must always remember the multitudes of components that make up an IT network.

Continuing to rely on siloed systems or architecture will always leave a business open to attack and weaken any resilience efforts put in place. Now is the time to assess how your IT systems interplay, what the minimum viable organisation operation looks like, and take steps to secure those elements.

When we do this, resilience programmes can protect a company’s Achilles heel.

Flick March, UKI Security and Resiliency Practice Leader at Kyndryl
