Any way you slice it, attacks in the digital world are rising and, while at it, wreaking havoc in the physical world. Some have been on the brink of causing physical harm to society. Many are no longer purely financially motivated, as are ransomware attacks, but rather meant to destroy and/or get intel for the ultimate purpose of destruction by a hacker or their underwriters. Cyberattacks, and the fear thereof, have also become part of political brinkmanship, which we’re witnessing as we write this in early 2022 and war in Ukraine persists. In this light, digital resilience becomes about protecting not just infrastructure or IT environments, but humanity at large.
So, if everyone agrees that digital resilience is worth having, why is it hard to have and, even more so, hold onto? Organizations that struggle to stay resilient – or whose resilience buckles under the pressure of crises – are probably not thinking of resilience in the most constructive way. Resilience is not a commodity that you can buy or trade. Neither is security.
Sometimes people think of both as an item that can be stockpiled. With this mindset, they’re under the impression that the more you have of it, the more secure and/or resilient you are. While in the 1990s, one lock might have thwarted an intruder, that’s not the case in 2022. Whether they are a script kiddie or a professional hacker belonging to a transnational syndicate, a malicious actor needs but one weapon to commit a cyberattack: a computer.
Prevention and passion
To increase resilience for our customers, we increase prevention. This requires having multiple mitigating measures in a layered defense and regularly running security checks on them. It entails monitoring, patching, upgrading, and applying mitigation measures, as well as checking that all of these steps have been taken by any third-party service providers to our customers. Verifying backups and ensuring their restorability is second nature. These processes can be mundane and tedious, but as we’ve noted before at Schuberg Philis, vigilance requires diligence.
By running drills on a regular basis, we not only check the system’s technology and technical processes, but we practice our protocols and psychological responses to crises. We also stay aware that despite the discipline of drills, every incident is a new incident. If events unfolded just as they did in a practice, we wouldn’t even classify them as an incident, but as an occurrence.
Still, having run through drills means that we can trace universal experiences across incidents and be prepared for, say, 80% of what they throw at us. Having trained for most of it means we have sufficient mental capacity to deal with the 20% that makes an incident unique.
We apply the same rigor of checking and drilling within our company to ensure our customer teams are accessible, prepared, and all on the same page. Practically speaking, this means having teams populated by members who are passionate about their work, quick to respond, ready to take on responsibility, and deeply trusting of each other. Our colleagues can reach each other at any time of day or night, and we provide the same interrupt-our-sleep availability to our customers.
To bolster resilience, we encourage change and continuous evolution. Our revision of the old adage is: if it ain’t broke, it will be! Some might say we approach adapting platforms like a sport because we’re constantly seeking ways to predict our performance, build up our teams, and, whenever possible, beat our own personal records. Our projects are usually done at a rapid albeit controlled pace, with our eyes on the finish line. These virtues apply not only to our IT solutions, but also to the people who create and use them. We encourage our customer teams and our customers to keep changing and evolving too.
Minding our customers’ business
Although security has been built into all our solutions since we began as a company, over time, we’ve also evolved our security expertise. From a more traditional perspective, we recognize the apparent contradiction of a paradigm in which secure internal systems are run externally on a public system – that is, a hyperscaler’s cloud. But we’re able to execute solutions that enable the right level of security not despite, but rather, in harmony with the right level of accessibility.
We can help our customers determine these sometimes very nuanced parameters with efficacy and efficiency because we know – and very much mind – their business. As our slogan summarizes: we make IT at the heart of business; by implication, we secure the core value-generating operations of a company. A solution is something we evaluate in terms of technology, and, more crucially, in terms of business impact. Relatedly, we acknowledge that security always comes at a cost, impacted by the law of diminishing returns. Security is excessive if it gets in the way of business.
Anyway, security is not our end goal, nor should it be our customers’ end goal. Security is a vehicle for resilience; its driver is trust. Security in itself doesn’t accelerate resilience; the feelings of confidence and assuredness it brings about accelerate it. This is why we call our accelerator team a trust accelerator, not a security accelerator. This is why we call our framework a digital trust framework, not a digital security framework. If we were chefs, security software and hardware components would merely be our kitchen appliances. What we serve our diners would be a warm, freshly cooked dish of trust. Ideally, the serving would be bottomless, kept perpetually refilled by our prevention methods and passionate attention.
Unsurprisingly, this past year, there was more demand for our expertise in security as well as compliance and auditability, two other traits in the holy trinity of trust. Our solutions objectively led to fewer P1 incidents. This gave our customers the good night’s rest we so often promise. And though sometimes it meant our own sleep was interrupted, we were prepared for those interruptions. Since the days of pulling plugs at datacenters, we’ve had a lot of practice at testing digital resilience and know exactly what actions and attitudes our customers needed to enjoy even more of it in 2021 and beyond.
By Marcel van Ruijven, Thijs van Leeuwen and Frank Breedijk