In an era of geopolitical volatility, digital resilience is vital. It is essential for organisations looking to mitigate risks, safeguard operational stability, and prepare for the unexpected. For today’s technology leaders, the ability to demonstrate a firm grasp of digital resilience strategies and tactics is an indispensable part of their role and responsibilities.
So how do IT leaders and teams build a resilient future?
That was the question at the heart of an early October Tech Monitor roundtable discussion, held in association with Cisco. Senior IT professionals from a range of large financial services firms gathered in the city to consider security best practices. What follows are some of the takeaways from an evening of compelling conversation.
Consolidation versus best of breed
Trace the history of the IT industry and you can detect rhymes, sometimes repeats, as techniques and solutions reappear, albeit in a different guise. Technology fashions come and go – and then come back again. Take the era of dumb terminals, which emphasised the criticality of centralised computing. This gave way to powerful personal computers before giving way, however briefly, to an era of client-server when centralisation ruled once again.
The perpetual cycle can be seen in cybersecurity, too, where a period of best-of-breed tools has now seemingly been supplanted by a desire for consolidation. As the threat vector expands, and as the defence posture becomes more complex, security professionals are requiring greater cohesion. That doesn’t necessarily mean solutions from a single vendor. Instead, it might mean modularity, a platform approach that provides more cohesion between disparate products that, in turn, reduces or removes gaps in the attack surface.
Among the drivers for greater consolidation is the complexity brought about by (multiple) cloud deployments – public and hybrid – and the ongoing challenge of managing legacy systems. As one attendee observed, disparate systems necessitate constantly “speaking to different teams about different solutions”. Not only does this give rise to inefficiencies, but it can also expose organisations to greater risk.
What’s your minimum viable company?
When putting a security and resilience plan together, organisations should consider their “crown jewels”, said Scott Manson, Cisco’s Director for Cyber Security and Resilience. He was talking in the context of what it takes for a business to survive a catastrophic cyber attack. Reprising an argument he made in a recent interview with Tech Monitor, Manson said that organisations need to define their “minimum viable company”, and ask themselves “what digital services would need to be running in order for you to trade, keep the lights on, and make sure you don’t go out of business?”
For that reason, Manson argued, organisations should think hard before putting their “crown jewels” in SaaS (software as a service) or PaaS (platform as a service) services provided by third-party vendors. And if you are considering placing key workloads into remote services, he added, microsegmentation is likely to add layer of protection.
AI as a risk. AI as risk mitigation
The conversation inevitably turned to the role of artificial intelligence as an accelerator of risk and as a potential ally to those looking for mitigation against attack. On the latter, and based on a straw poll of attendees, it appears that few are adopting AI-infused security tools today, but there is an undoubted appetite to experiment.
On the former, risk comes in a number of forms. For example, some are witnesses to the poisoning of the large language models (LLMs), often caused by hallucinations inherent in generative AI (GenAI) but sometimes a result of deliberate sabotage. Problematic output generated by deficient LLMs can lead to reputational damage. It can also result in infiltration.
In a challenge to this scenario, one attendee said that no output created using GenAI should be applied without authentication. Ensuring that there is always a human in the loop means organisations can always validate machine-generated results or otherwise reject them, taking a risk-based approach.
Elsewhere, “shadow AI” is a trend that some are detecting. Like its predecessors, “shadow IT” and “shadow cloud”, it describes how departments – operating autonomously – are bypassing the central IT function and spinning up their own GenAI instances to seek efficiency gains or to experiment with new business models. Few around the table criticised these departments for intent but questioned the means. Shadow AI is not yet sufficiently widespread to create additional vulnerabilities at scale, but it might soon become a weak link in an organisation’s security planning.
‘Building a Resilient Future: Strategies and Tactics’ – a Tech Monitor executive roundtable in association with Cisco – took place on Thursday, 2 October at Bob Bob Ricard City, London
