Cybersecurity, Business Resilience and Data Governance in a Multi-XaaS,  cloud, Legacy and Metaverse space
Cybersecurity, Business Resilience and Data Governance in a Multi-cloud, metaverse world

The cost of breaches is going up each year. According to CSO Online (linked below), the average cost of recovering from a breach was ~$3.86 million last year.

What is the cost of a data breach? | CSO Online

The causes range from culture and awareness to how deeply technology is embedded in the business.


Does your Board have an integrated perspective of Business, IT & Digital technologies when it comes to Cybersecurity, Business Resilience and Data Governance? Or is it still seen in silos?

Does your organisation use multi-Cloud, and do you use API and Data integration to establish digital collaboration with your customers, business partners, suppliers, and contractors?

Have you considered and /or prepared for all the Cybersecurity and Data accountability exposures that your organisation may have when you use Multi-SaaS, Multi-PaaS, Multi-IaaS cloud?

Are your Cybersecurity and Vulnerability assessments adequately addressing the integrated aspects of your business? Do these assessments and more importantly, protection measures, recognise that your ecosystem [customers, partners, suppliers] could be on a multi-cloud too?

Is your Board fully aware not just of the benefits but also of the risks, and of the threat mitigation, associated with a physically and virtually integrated Metaverse world?


Avoiding a Cybersecurity or Data breach goes beyond People, Process, Technology and Tools. The Cloud’s rise as an all-pervasive platform was predicted a decade ago, and here we are, enjoying the benefits partially or fully depending on where we are in the journey. Cloud became the default platform of choice for bootstrapped start-ups and scale-ups because it let them conserve cash that they could invest either in developing business products or in enabling sales to bring in the revenues and profits that keep the business a going concern. Established enterprises, on the other hand, had to go through a change journey to modernise their existing systems or transform to a cloud-based platform before they could realise those benefits.


Cloud-based platforms deliver the obvious benefits of lower one-off investments, accelerated adoption, scalability, exponential functionality enhancements, reliability, and consistency of business process execution. Most Cloud-based platforms also offer the ability to integrate applications and data seamlessly with other SaaS, PaaS and/or IaaS systems. You can always tweak legacy systems or introduce an intermediary technology to integrate with other business systems and with other enterprises. There are immense productivity benefits, as well as reduced manual errors, associated with API & Data integration, whether intra-business, inter-business, B2B, B2B2B, B2C, B2B2C or any other form. With hybrid workplaces and M2M [Machine-2-Machine] integration, the concepts of Edge compute and the Network compute fabric are also exponentially increasing the number of integration points [Why the world needs a pervasive Network Compute Fabric - Ericsson]. AR, VR and MR have been around for some time, but now the world is converging around the Metaverse, where not just human beings have a social media and virtual experience; we will shortly see machines with their own social-media-like descriptions, linked to humans for integrated Digital asset management, GIS-associated field services Work & Asset management, healthcare management, benefits management and beyond.


Most SaaS, PaaS and IaaS providers do ensure robust Cybersecurity, Data Protection and Compliance for their own systems. However, if you are an Enterprise business, you are accountable for providing assurance on Cybersecurity and Data Protection governance when you or your trading partners, whether upstream [Customers and Go-to-Market Business partners] or downstream [Suppliers and Co-Creation providers], use several SaaS, PaaS and IaaS providers to deliver the business functionality for your business units.

NIST has given us an excellent illustration of the cloud consumer reference model on page 15 of its NIST Cloud Computing Standards Roadmap [refer to the link below; all copyrights and IP acknowledged].

https://www.nist.gov/system/files/documents/itl/cloud/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf

You may well be consuming everything from the cloud, as in this Cloud consumer reference model. As Cloud adoption accelerates, your customers, partners and suppliers are all likely to adopt multiple SaaS, PaaS and IaaS products from the cloud. You will also have multiple integrations with some or all of your customers, partners and suppliers. The security standards that are required are also well mapped in Section 7 of the above-mentioned NIST document. How is this relevant, and does it sound too complex? This article aims to demystify, through some practical use cases, what it means to your enterprise and therefore what you, as a CIO, CDO, CTO or CISO, must consider to improve your Enterprise cybersecurity and data protection posture.


Cybersecurity, Business resilience and Data protection of Your Sales and Services

Your Sales and Services organisation, when nearly or fully digitised and digitalised, will be engaging with Customers and Partners through Marketplaces, an eCommerce platform, a CRM platform, a Content management platform, a Product configuration platform and an Aftermarket services platform, amongst many others. Your systems are likely to be integrated with each other through direct or API-based integration, and with external organisations through direct or API-based integration. All of these must be secured.


Your platforms could be hosted on a SaaS cloud, or you could be using a PaaS cloud to exchange data or to provide access to your systems through apps. This is not meant to be an exhaustive list, but here are some questions to ask to tighten up Cybersecurity and data protection.

- What if your Customers’ and Partners’ systems are also hosted on a SaaS, PaaS or IaaS cloud? What if some of your systems, and those of your customers and partners, are on legacy platforms with weak security?

- Are you covered for Cybersecurity at all layers, viz., SaaS, PaaS and IaaS? But also, are you covered from the source of data to the end consumer of data? Is your code protected against penetration and vulnerabilities from the source through to the consumption point?

- Are you a Retailer who also has sensors on shelves to monitor product consumption and replacement, or do you have CCTV cameras monitoring customer movements? How are you protecting this data without violating privacy?

- How are you protecting Identity, Payment, Credit and other information that you exchange with your customers and partners?

- How well is your content protected for compliance purposes?

- How are you protecting the data feeds that you receive?

- How well are you protecting the data that you receive about your products’ performance as part of your Aftermarket services? How well do the Marketplaces, Customers and Partners protect the data you share with them?

- Is your Products’ performance data shared with any others? How well is the data protected, and who governs the distribution of such data, how and when?

- Have you implemented a “Product facebook” to be able to visualise the full lifecycle of your product, and if so, how are the data inflow and outflow secured?

- What do you have in place to ensure that your ability to conduct business with your customers and partners is uninterrupted? How have you modularised so that you are still able to transact business with most of your customer base? How fast can you recover from a critical breakdown?

Beyond the enablement of Digital commerce and the accessories recommendations within it, many organisations have invested heavily in Data and Analytics to predict future sales, plan the associated demand, and build supply chain resilience.

https://www.dhirubhai.net/pulse/business-strategy-outcomes-using-insights-from-data-raghavendra

Cybersecurity, Business Resilience and Data Protection of Your Manufacturing and/or Supply chain [or Generation or Distribution or Transmission or Network], Warehouse, Distribution, Transportation & Logistics


You could be a Producer with Manufacturing and Supply Chain, and may have your own Distribution, Transportation & Logistics for product sales and deliveries. You could be a Distributor or Retailer with Warehouse, Distribution, Transportation & Logistics capabilities for product deliveries. Or you could be focused only on Transportation & Logistics. In any case, you are likely to have a swarm of IT & Digital systems to manage the execution of your business processes, for which you may use SaaS, PaaS or IaaS capabilities from the Cloud. You may use Digital technologies too, whether Cloud or Edge compute. For example, you could be using IoT to track incoming goods – from suppliers or movement between plants – to manage Production better or to understand the stress factors affecting your products. You could be using IIoT to manage distribution and transmission. You could be using Video inspection & Video analytics capabilities or LIDAR to examine products. You could be using AR/VR/XR to remotely troubleshoot plants and machinery. You could be using Data from plants, products and SaaS to understand the root cause of failures or to forecast better.


Each digitised business process system or Digital technology has an exposure point, which must be determined and secured. This is not meant to be exhaustive, but here are a few example questions to help you understand the Cybersecurity and Data risk exposure better.

- Have you implemented integration with Suppliers? How secure is this integration?

- How secure is the integration with your Warehouses, Transportation and Logistics providers? How secure are your tracking devices? What if these tracking devices have been tampered with? How secure is your routing software?

- How secure are the M2M integrations, internally or with 3rd parties?

- How are you able to secure the data privacy of individuals who may be in the vicinity of your video inspection?

- What security measures are in place to avoid tampering with guided execution if you have implemented AR/VR/XR?

- How are patient interactions protected in the event of Video conversations?

- How are video road surface scans protected as part of your local council works?

- How are you able to ensure that you can detect events that could affect your business resilience, and act proactively rather than reactively?

- What steps have you taken to ensure robust and yet tight inventory, as well as ensuring that your shipments reach your customers reliably and on schedule?

Gartner, the IT industry’s leading independent analyst firm, has said that a systemic and cultural issue is often at the heart of cybersecurity and data breaches, as opposed to the long-held belief that it is about hiring people with the right technical knowledge.

How to Protect the Enterprise from Cybersecurity Attack (gartner.com)

This is particularly true with regards to Design and Product Lifecycle management, which is the core of whatever you do in the organisation even if you are a reseller or a distributor and not the fundamental OEM of the product or service.


Cybersecurity, Business resilience and Data Protection of Design and Product [or Services or XXX] Lifecycle management


This is your core IP, which you use to differentiate yourself. It covers the way your organisation conceptualised the product or service, the way it is produced, the way it is tested or validated, the choice of products and services you want to sell if you are a reseller, retailer or ecommerce player, the way it is delivered, and the way you deliver a superior customer experience and generate repeat business. You are likely to use a few digitised and digital systems to manage product or service readiness until it is ready for mass production or mass fulfilment.


The IT Department can provide the tools and systems, but it is up to the respective business users to ensure that Data and Information are exchanged securely, including making sure that there is enough funding for Cybersecurity and Data protection implementation. The IT Department, however, is responsible for ensuring that the right level of Cybersecurity and Data protection systems are in place and that monitoring is done periodically.

- How are you making sure that you are exchanging Product design information securely with collaborators?

- What steps have you taken to ensure the integrity of the test results you are sharing with collaborators and regulators?

- When using Simulation for design and test, how have you ensured that the data used is close to reality and that it is not compromised following the exchange of data between collaborating organisations?

- How are you safeguarding your Innovation and IP, and that of your collaborators? What steps have you taken to safeguard the “open source” elements of your collaboration as much as you safeguard the “closed loop” elements?

- How are you able to ensure that your online collaboration is reliable? To what extent do your Product twins, Service twins and Manufacturing twins depend on continuous availability of data, and how are you securing their resilience?


Cybersecurity, Business resilience and Data Protection in your Business support and corporate functions

It is no surprise that SaaS adoption is increasing for Business support and corporate functions, which is probably due to the speed at which functionality is introduced into SaaS products and the number of SaaS products covering nearly every aspect of Business support and corporate functions, whether HR & Payroll, Talent, Financial, or even Fraud, risk and compliance products. Not just the products but also the speed with which intra-business and inter-business integration has been adopted in the last decade is simply amazing.


The biggest impact of a Cybersecurity or a Data breach within Business support and corporate functions systems is reputational threat. 

- What identity protection measures do you have in place for your HR & Talent acquisition systems or learning systems when you have integrated them with social media platforms?

- How are you protecting the knowledge that is shared within your Intranet and Extranet?

- How good are the induction materials with regard to Cybersecurity, Business Resilience and Data protection?

- What protection is in place if your HR & Payroll is outsourced and/or when benchmarking is being done?

- How are you protecting the data that you get from elsewhere?

- How are you protecting your Contracts and Contractual information when you are benchmarking the terms on which you have negotiated your pricing and/or conditions?

- What is the measure of protection of your internal & external fraud data and internal & external audit artefacts?

- How well are your corporate performance dashboards protected?

- What is your company’s position on Data giveaways as part of End User License agreements, subscription agreements, Analytics and AI usage, and how are you protected from those who shared the data with you?

- How well would you be able to carry on with your business functions?

The above is not an exhaustive list but intended to influence and embed a functional ownership of cybersecurity and data protection as we move towards a Digital enabled business. There are organisations whose business systems are entirely on the Cloud and are successful with their measures on cybersecurity protection, data protection and business resilience.


Cybersecurity, Business resilience and Data Protection in your IT & Digital management

Your business units have a functional responsibility for Cybersecurity, Business resilience and Data Governance. Your IT & Digital management unit, on the other hand, has technology ownership of Cybersecurity, Business resilience and Data protection. The twain will meet when there is mutual respect and understanding of each other’s perspectives. The core business functions see it from a business execution lens. We now come to the IT & Digital management function’s ownership of Cybersecurity, Business Resilience and Data governance, which sees it from a Technology lens. ISACA has connected COBIT 2019 with the NIST Cybersecurity Framework, which is technology focused, and introduced training on the combination.

Connecting COBIT 2019 to the NIST Cybersecurity Framework (isaca.org)

There is a lot of good material available from the hyperscalers too. Here is a very good perspective from Microsoft on Capabilities, People, Multi-cloud, Secure Edge, Attack chain coverage, Security operations and Zero Trust.

Microsoft Cybersecurity Reference Architectures - Security documentation | Microsoft Docs

AWS have provided their perspective.

https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html

So have Google.

https://cloud.google.com/architecture/framework/security

IBM and Oracle have directly aligned with the NIST framework. Splunk, darktrace, and others have their own supplementary points of view. 

What is the lens through which your IT & Digital technology units see Cybersecurity, Business Resilience and Data protection? Here is a simplified view; however, your IT and Digital teams are dealing with a very complex portfolio.


What is the complexity underlying the above picture? Simply put, your IT & Digital estate will have evolved over the last few years and decades. It must be dealing with everything from legacy platforms to the most cutting-edge SaaS, PaaS, IaaS, Data & Analytics clouds. There may also be some bleeding-edge Mixed Reality, M2M and AI capabilities. And what about the legacy IT Infrastructure and Networks that were never modernised?

- What measures have been taken to assess whether the Enterprise Business architecture and IT architecture are in sync and up to date?

- Does your IT & Digital function have a complete, up-to-date inventory of what is being developed, maintained and monitored? How is this verified?

- How do you know whether all your systems are being patched with the latest fixes? What measure is in place to make sure that the obsolete ones have not been compromised and penetrated?

- How are you making sure that your IT Business continuity testing is robust?

- What do you have in place to know that your Penetration and Vulnerability testing is comprehensive? How do you avoid corners being cut to save costs?

- Do you have a comprehensive near real-time security monitoring capability across all your systems? What measures are in place to know about active threats, incidents and events, and to manage them?

- With attrition [voluntary or otherwise], how have you ensured that systems knowledge is not lost, and is there enough people resilience?


In summary, the modern Board must not only seize the benefits of the opportunities that modern technologies offer but also make sure that the Threats are mitigated. Organisations are now converging towards a Digital enabled business model. It is no longer just eCommerce: Digital enablement has become ingrained in your Products, Services, HR, Finance, Supply Chain, Facilities and a lot more, as illustrated in the article below.

https://www.dhirubhai.net/pulse/digitally-enabled-integrated-business-model-5-raghavendra

Cybersecurity, Business Resilience and Data Governance are not the responsibility of just your IT & Digital organisation but instead it is a collective accountability amongst all your business units; with business units owning the functional execution and IT & Digital units owning the technology aspects. The awareness must be enforced through Induction training as well as ongoing periodic training and assessments. The role of the Chief Information Security Officer has to be redefined and must come under the direct ambit of the Audit & Risks committee of the Board.

About the Author

Jagadish is a Senior Executive leader & Digital evangelist, who has been successful at building and/or turning around Practice capabilities and Presales/Sales enablement/Solution consulting capabilities for Application Services and IT Infrastructure Outsourcing services. Jagadish has extensive and wide-ranging experience of Digital enabled business models & strategy, Digital Apps & Infra Transformation solutions, Cloud & Infrastructure Services, Cybersecurity, multi-cloud orchestration, and Service Integration & Management, achieving customer business outcomes and thereby delivering high win rates. Prior to that, Jagadish delivered large Outsourcing & Technology Transformation programmes.

Jagadish has established a network of partnerships and collaborated with partners to achieve Digital transformation for customers. He has used deep analytics, industry insight, competitive insights and business outcomes based consulting approach to deliver differentiated solutions.

Apart from speeches at major events, Jagadish has also written many articles on LinkedIn Pulse.

Note: All IP, Copyrights and Trademarks of the organisations are acknowledged. The link to others’ content has been provided here out of respect and not for plagiarisation. This is a personal blog.

Vikas Khattri Thanks for your support. May I ask you a question? With #aiops being used to accelerate #devsecops, what should be the improvements to be made to #itaudits and #aigovernance to avoid the recent reported [any unreported ones?] mass #itoutage? How does the role of #chiefaiofficer enhance value?

GO-GO ALMAS TRAVEL Thanks so much
