Digital resilience: a mindset and a matter of practice


Once upon a time, we built physical datacenters. That was back in the day, when uttering the word “cloud” usually signaled to take an umbrella or, for the more meteorologically interested, might spark a conversation about the fluff of a cumulus versus the mist of a stratus.

We would build our platforms from scratch, using racks and cabinets, placed in cages with doors and locks. Readying platforms to go newly live, we always sought the assurance that if something went amiss, we would be prepared. And to be prepared, we would physically visit our datacenters, get our hands in the racks, and start pulling plugs. Then, plug by plug, we watched what would happen. Would the platform prove resilient? If so, entirely or in part? If there were issues, would the system self-heal? Or would it fail, and if it failed, did it fail nicely and recoverably? This ritual affirmed that neither time, nor dust, nor any other physical-world issue would jeopardize the platform, its uptime, or reliability.

Two decades later, we’re still doing the same thing for our customers. It remains just as important – arguably even more so now that IT environments are more interlinked than ever and increasingly rely on third-party services – to ensure their systems are running optimally, stably, and securely no matter what local or global disruptions occur. In short, it remains just as important to increase digital resilience. Only nowadays, we’re rarely pulling plugs. Instead, we’re practicing good digital hygiene, actively working to identify and address security vulnerabilities, and constantly finding ways to better our customers’ business using fit-for-purpose IT solutions. In other words: digital resilience is something we actually practice. And we do so daily with the understanding that practice doesn’t make perfect; it simply supports security and predictability, therefore preparing us for what might come.

Rethinking resilience

All organizations welcome digital resilience. All mission-critical organizations need it; without it, their missions can fail, leaving end users in the cold. That cold could be literal for, say, a utility company, while other system freezes could result in any number of incidents, such as compromised financials, infringed privacy, disrupted deliveries, grounded transportation, a damaged reputation, or eroded trust. As such, few organizations still need to be convinced of the importance of great resilience.

In 2021 alone, a proliferation of threats underscored this reality. Some made the whole world vulnerable, such as COVID-19. Others affected many people through knock-on effects, such as the Ever Given container ship blocking the Suez Canal. And still others targeted specific interests but nevertheless caused general anxiety that the untargeted would become collateral damage. In the last category we would file recent cyberattacks, from the Colonial Pipeline ransomware takedown that led to gas shortages along the East Coast of the US to Log4Shell, which revealed overnight how a large number of systems worldwide were vulnerable.


Any way you slice it, attacks in the digital world are rising and, in the process, wreaking havoc in the physical world. Some have come to the brink of causing physical harm to society. Many are no longer purely financially motivated, as ransomware attacks are, but are instead meant to destroy and/or gather intel for the ultimate purpose of destruction by a hacker or their underwriters. Cyberattacks, and the fear thereof, have also become part of political brinkmanship, which we’re witnessing as we write this in early 2022, while the war in Ukraine persists. In this light, digital resilience becomes about protecting not just infrastructure or IT environments, but humanity at large.

So, if everyone agrees that digital resilience is worth having, why is it hard to have and, even more so, hold onto? Organizations that struggle to stay resilient – or whose resilience buckles under the pressure of crises – are probably not thinking of resilience in the most constructive way. Resilience is not a commodity that you can buy or trade. Neither is security.

Sometimes people think of both as an item that can be stockpiled. With this mindset, they’re under the impression that the more you have of it, the more secure and/or resilient you are. While in the 1990s, one lock might have thwarted an intruder, that’s not the case in 2022. Whether they are a script kiddie or a professional hacker belonging to a transnational syndicate, a malicious actor needs but one weapon to commit a cyberattack: a computer.

Prevention and passion

To increase resilience for our customers, we increase prevention. This requires having multiple mitigating measures in a layered defense and regularly running security checks on them. It entails monitoring, patching, upgrading, and applying mitigation measures, as well as checking that all of these steps have been taken by any third-party service providers to our customers. Verifying backups and ensuring their restorability is second nature. These processes can be mundane and tedious, but as we’ve noted before at Schuberg Philis, vigilance requires diligence.

By running drills on a regular basis, we not only check the system’s technology and technical processes, but we practice our protocols and psychological responses to crises. We also stay aware that despite the discipline of drills, every incident is a new incident. If events unfolded just as they did in a practice, we wouldn’t even classify them as an incident, but as an occurrence.

Still, having run through drills means that we can trace universal experiences across incidents and be prepared for, say, 80% of what they throw at us. Having trained for most of it means we have sufficient mental capacity to deal with the 20% that makes an incident unique.

We apply the same rigor of checking and drilling within our company to ensure our customer teams are accessible, prepared, and all on the same page. Practically speaking, this means having teams populated by members who are passionate about their work, quick to respond, ready to take on responsibility, and deeply trusting of each other. Our colleagues can reach each other at any time of day or night, and we provide the same interrupt-our-sleep availability to our customers.

To bolster resilience, we encourage change and continuous evolution. Our revision of the old adage is: if it ain’t broke, it will be! Some might say we approach adapting platforms like a sport because we’re constantly seeking ways to predict our performance, build up our teams, and, whenever possible, beat our own personal records. Our projects are usually done at a rapid albeit controlled pace, with our eyes on the finish line. These virtues apply not only to our IT solutions, but also to the people who create and use them. We encourage our customer teams and our customers to keep changing and evolving too.

Minding our customers’ business

Although security has been built into all our solutions since we began as a company, over time, we’ve also evolved our security expertise. From a more traditional perspective, we recognize the apparent contradiction of a paradigm in which secure internal systems are run externally on a public system – that is, a hyperscaler’s cloud. But we’re able to execute solutions that enable the right level of security not despite, but rather, in harmony with the right level of accessibility.

We can help our customers determine these sometimes very nuanced parameters with efficacy and efficiency because we know – and very much mind – their business. As our slogan summarizes: we make IT at the heart of business; by implication, we secure the core value-generating operations of a company. A solution is something we evaluate in terms of technology, and, more crucially, in terms of business impact. Relatedly, we acknowledge that security always comes at a cost, impacted by the law of diminishing returns. Security is excessive if it gets in the way of business.

Anyway, security is not our end goal, nor should it be our customers’ end goal. Security is a vehicle for resilience; its driver is trust. Security in itself doesn’t accelerate resilience; the feelings of confidence and assuredness it brings about accelerate it. This is why we call our accelerator team a trust accelerator, not a security accelerator. This is why we call our framework a digital trust framework, not a digital security framework. If we were chefs, security software and hardware components would merely be our kitchen appliances. What we serve our diners would be a warm, freshly cooked dish of trust. Ideally, the serving would be bottomless, kept perpetually refilled by our prevention methods and passionate attention.

Unsurprisingly, this past year, there was more demand for our expertise in security as well as compliance and auditability, two other traits in the holy trinity of trust. Our solutions objectively led to fewer P1 incidents. This gave our customers the good night’s rest we so often promise. And though sometimes it meant our own sleep was interrupted, we were prepared for those interruptions. Since the days of pulling plugs at datacenters, we’ve had a lot of practice at testing digital resilience and know exactly what actions and attitudes our customers needed to enjoy even more of it in 2021 and beyond.

By Marcel van Ruijven, Thijs van Leeuwen and Frank Breedijk
