This is part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories. In this submission, Commvault CIO Reza Morakabati offers a short CIO resources library featuring three tools to help you achieve IT resilience.
In today’s digital economy, where companies have digitized most of their core business processes, data is more valuable than ever. Not only does data fuel companies’ day-to-day operations – it is also a valuable source of information that can be analyzed to generate insights and improve future business outcomes.
At the same time that data has grown in importance, however, the footprint of most organizations’ data estate has expanded well beyond the traditional data center. This sprawl makes a company’s data more vulnerable to sophisticated ransomware and other cyberattacks that can cripple operations and rob organizations of access to their data.
The bottom line? Data’s growing value, as well as its growing vulnerability to these threats, has made IT resiliency more important than ever. As a result, CIOs and other IT leaders need to tap into resources that span people, process, and technology to effectively deliver the levels of IT resiliency they require.
Resource #1: A Risk-Aware Culture
A frequently overlooked resource for IT resiliency is the creation of a risk-aware culture throughout the organization, from top to bottom.
In practical terms, this means that security isn’t just the responsibility of the CIO or the IT team – it’s the responsibility of Joe in accounting, and Mary in legal, and Peter in marketing, and so on. We cannot avoid risk, so instead we need to promote knowledge and understanding around what risks we face so that we can recognize and plan around them.
Everyone has to be made aware that phishing attacks are a real and persistent threat – and that clicking on the wrong link or giving out the wrong information over the phone to someone pretending to be someone they’re not, can have disastrous consequences.
Additionally, because everyone deals with sensitive corporate assets of one sort or another on a daily basis – whether that’s spreadsheets with sales numbers, customer contracts, or strategic marketing plans – attention needs to be paid to how those assets are being secured. Is someone storing files in a folder that hasn’t been locked down? Are they using a public file sharing service with minimal security to send someone a large file because it’s the path of least resistance?
One of the cheapest investments in resiliency that a CIO can make – one that, despite the low cost, delivers maximum bang for buck – is to invest in training your people on security best practices, whether that’s proper storage of files or how to recognize the telltale signs of a phishing or social engineering attack. This training is not a “one time only” type of affair – it should be done on a regular, ongoing basis, preferably monthly.
As a thought experiment, everyone in the company should imagine that a devastating security breach has occurred, and then ask themselves: What’s the one task that I’ve been putting off that could have helped limit the impact of that breach? Then, they should make it a priority to tackle that task the very same day. That’s part and parcel of creating a risk-aware culture. Ask everyone in your organization what tasks they might have been putting off on their to-do list that might potentially have helped you to be more secure and resilient. Maybe an account manager has been meaning to archive a sensitive email thread or move some contracts into a secure document repository, but she keeps getting distracted by all the various fires she needs to put out with each new day. Ask them to prioritize that task for the day or their week.
In creating a risk-aware culture, organizations should also consider the implementation of cyber deception technology, as part of an integrated approach to managing risk. Cyber deception has emerged as a vital piece in layered cybersecurity strategies, offering sophisticated tools that detect and divert attacks before they cause harm. Catching “the bad guys” ahead of time gives the good guys more of a fighting chance.
Resource #2: Consolidation and Automation
Another key resource that CIOs can leverage in order to deliver IT resiliency is consolidation and automation.
This is first and foremost about reducing complexity in the overall tech stack. The more elements you have, the larger your attack surface and the more opportunity for vulnerabilities. Companies should aim to make that surface as small as possible by reducing complexities.
Turning to SaaS applications is a good way to help achieve this goal while maintaining IT resiliency. This is due to the shared responsibility model, whereby cloud providers offer logical and infrastructure-level security and platform access controls, while responsibility for user access and data control remains in the user’s hands.
Keeping these options in mind, a good first step in consolidation and automation is to look at a particular workflow – say, the customer support environment – and start examining the processes and the technical infrastructure that supports it. Actually put pen to paper and map out the architecture – what does it look like? You’ll be able to count the number of systems, integrations, and touch points, as well as seeing what is SaaS versus what is not. Gaining this fundamental sense of the level of complexity around various workflows will help prioritize which workflows need to be consolidated first.
While carrying out this task, companies should pay particular attention not just to the number of applications in a particular environment, but to the number of integrations. Integrations are where a lot of IT systems fail, especially if they are custom built – and a compromised integration can serve as an easy attack vector that allows bad actors to find their way from a single system into the many others that it is integrated with.
While consolidation is an important measure for IT resiliency, automation is also key. That’s because manual processes create opportunities for people to make mistakes, and mistakes create openings for hackers and other bad actors.
For instance: An innocent slip-up – like a server admin accidentally forgetting to check the box on a security setting when deploying a new instance of a service – can create an opening that can easily be exploited. Automating that process doesn’t just make the process more repeatable and scalable – it helps take human error out of the picture, eliminating the kind of accidental security loopholes that can compromise IT resiliency.
Resource #3: Full-fledged BC/DR
A final resource not to be ignored is a comprehensive and full-fledged business continuity/disaster recovery (BC/DR) plan. No matter how secure and well prepared you are as an organization, there’s no such thing as being invulnerable – and you have to prepare for the time that something bad happens to you.
This requires CIOs to think not just about technology, but about the business processes they support. Consider DR to be the technology piece of the equation: Some sort of disaster has struck, and you’ve lost your system and lost your data. How do you recover it as quickly as possible and get back up and running? You need the right technology.
BC, by contrast, is the process part of the equation. If you lose access to either your tools or people performing processes, can you ensure that your processes still work? Think here of a process like payroll, or sales, or customer support. If you suddenly take away people and roles in one particular geo or at one particular office because of an unforeseen event, what do you do next to ensure business continuity?
Before the pandemic, CIOs weren’t wrestling with these types of questions very much. The traditional CIO role focused more on DR because it’s more directly related to the tech stack. COVID-19 has changed the role of the CIO in that they now need to be part of the conversation around business continuity and how to keep processes moving even if a piece of technology fails.
It should be noted that practice makes perfect when it comes to BC/DR. You need an accountable person or team who is really focused on this effort – read as: not doing it as a side task on top of their other responsibilities. They need to be in charge of extensive documentation and regular, ongoing testing and practicing, so that when something happens, it’s almost like an automatic reaction or “muscle memory” to initiate the BC/DR plans and keep the wheels turning.
Disrupt Potential Disruptions
There’s no shortage of challenges facing companies and their data, but the right resources, properly leveraged, can deliver the IT resiliency they need to protect their data and blunt the impact of a cyberattack or other disaster.
By creating a risk-aware culture; consolidating their tech footprint while automating out the potential for human error; and practicing effective BC/DR, companies will find that they have powerful resources at their disposal to prevent a raft of potential disasters from disrupting their company’s operations.
- CIO Resources Library: Three Tools to Achieve IT Resilience - August 16, 2022