Making digital resilience scale

Intensified geopolitical tensions underscore the interconnectedness of nations, ringing alarm bells of dependence on supply chain partners vulnerable to security threats, resource scarcity, and autocratic governance. At the same time, the explosion of artificial intelligence (AI) has made companies and their public end users more aware of its potential misuse, such as in creating deepfakes and dispensing hacking skills to nefarious actors who otherwise wouldn't have access to such expertise. With these circumstances only expected to persist, it's becoming more of a challenge for organizations to keep up their digital transformations.

And yet, digital transformation is itself "the fabric for enterprise survival in the face of continuous disruption," in the words of a recent Deloitte study. Many organizations already know this – 90% of digital leaders "believe they must be more proactive about integrating trust, security, privacy and resilience into technology roll-outs," according to the 2023 KPMG global tech report, with cybersecurity and privacy cited "as primary factors that could slow down transformation progress." As these survey respondents affirm, digital resilience safeguards business continuity and, when there's an incident, reduces its breadth, depth, and impact to allow quicker recovery. To maintain the momentum already invested in their digital transformations, organizations must therefore consciously work to expand digital resilience by strengthening their everyday cybersecurity defenses and continuously fulfilling their regulatory compliance needs.

Secure by design

Because we can do more than ever with digital assets and data, many organizations nowadays have in-house capabilities for dealing with digital threats and events. Some have become wise to the continuous effort that must be invested into thwarting cyberattacks and either mitigating or limiting the fallout of those that slip through. But given the increased value of digital assets and data, cybercrime is booming. Criminals and their transnational syndicates have only become more professionalized, causing the tech arms race to escalate. Ransomware, in particular, has been called the "biggest cybersecurity threat facing the world today" by the National Cyber Security Centre in the United Kingdom. And thanks to the large language models (LLMs) developed by AI, cautions a Europol report on ChatGPT, "phishing and online fraud can be created faster, much more authentically, and at a significantly increased scale."

In such a precarious climate, the foundation for digital resilience is IT that is secure by design and well maintained. For Schuberg Philis, this entails planning, building, and running solutions that intimately integrate security expertise in the work of our diligent dedicated customer teams from day one. Merging the priorities and preoccupations of development, security, and operations into a single DevSecOps approach makes any digital transformation more efficient and sustainable. Another way we shorten feedback loops to Dev teams is by defining golden paths, which are secure ipso facto. From software development to systems and services configuration, golden paths enhance delivery for everything by bringing together all relevant tools to permit smoother deployment, development, and recovery. What's more, by designing, running, and managing platforms for our customers using standardized building blocks, we perpetuate standardized security solutions that are hospitable to keeping workloads secure. All these methods enable the agile deployment of more features, optimally running operations, and, crucially, organizations that can securely scale their business.

The complexity of compliance

Compliance is "complicated and expensive," as a Forbes article puts it, noting that experts were already citing "compliance fatigue" years ago. The issue has become all the more pressing since the crystallization, in 2020, of what is commonly referred to as the EU digital strategy, a series of acts and legislative instruments affecting the entire continent and its value chain partners. As of late 2023, legislation for the multiple regulations remains in differing stages of development, while variation in sectoral scope, detail level of enforcement, and non-compliance penalization all add to the complexity.

Adding to this compliance pressure is the fact that some regulations newly assign accountability to the C-suite and board level. For example, NIS2 – the expanded, more stringent version of the first EU-wide cybersecurity directive known as the NIS Directive – departs from industry standards in that it scopes not just systems, but an entire organization. It specifically states that protecting an entity from cybersecurity risks and proving that its cybersecurity program meets international standards is thereby now the responsibility of the company's management. Unlike its simpler predecessor, it also demands more attention be devoted to security in supply chains and operational continuity. As "essential and important entities" in the Netherlands, most of our customers so far are being impacted by NIS2.

Being compliant by being secure

Compliance cannot be carried out hastily, and it often demands more proof than those steps taken to improve cybersecurity. However, investing in security actively enables compliance because it requires identifying and assessing risks, thus avoiding the tendency toward blind compliance. For Schuberg Philis, a cornerstone to providing IT that is compliant by design is to ensure that it is secure by design. Further, we track regulations' varying timelines to be sure that our customers' technology complies with their varying demands. By possessing the capacity to read, understand, and appropriately implement relevant legislative elements, we boost effectiveness and efficiency in proving our own security and compliance while simultaneously offering customers continuous assurance services of equally high standards.

For example, we know from firsthand experience that the most effective way to achieve compliance nowadays is fast digestion of regulatory content and fast evidence collection. To illustrate, the Ransomware in control report co-authored by Schuberg Philis's Trust Officer, gathers all best practices of global security frameworks and builds on them to present 89 controls that can be mapped against the ransomware kill chain, rendering big risks immediately tangible and measurable. As a company, we gathered the evidence for those controls from all our customer teams, creating organization-wide visibility on our ransomware risk in just two months.

For the Digital Operational Resilience Act (DORA), we read over 400 pages of legislation and translated its essence into just 83 IT controls, simplifying the complex legislative text. Again, we acted swiftly to deploy our framework to all our financial services customers, knowing that DORA is something at the top of their mind. Currently, we are working on an integrated control framework that deduplicates controls from all audits and regulations to reduce the number and breadth of audits per team. Saving time on proving compliance means that we can devote more time to advancing the security of the systems we manage – another reflection of the mutually reinforcing power of being secure and being compliant.

Continuous validation

This era of digital vigilance is the logical response to the evolving technological landscape and sociopolitical disruptions that have become the norm. Whether addressing data governance, consumer privacy, use of digital services and markets, or the application of AI, cybersecurity and compliance are a must. Yet, we know neither in itself guarantees safety nor fully eliminates risk.

In its 2023 report on Dutch cybersecurity, the National Coordinator for Security and Counterterrorism in the Netherlands stated: “Cybercrime is industrially scalable, resilience is not yet." We are in the process of changing that reality. By helping our customers maintain good digital hygiene and empowering them with automated security and compliance by design, we are committed to preventing incidents in the first place and, should incidents happen, minimizing their effects. In this sense, digital resilience is already industrially scalable, encouraging digital transformations to flourish no matter the state of the world.