Kris Lovejoy, Global Security & Resiliency Leader at Kyndryl, discusses the company's core values and what the Digital Operational Resilience Act (DORA) could mean for the future.
DORA is a prominent example of the regulatory interventions currently being made by governments and multilateral organisations globally.
It aims to make financial services entities in the EU more cyber resilient as businesses digitalise their operations.
When a business suffers an adverse cyber incident, it can see its workflows disrupted, lose significant revenue during the downtime and experience serious reputational damage.
The businesses it partners with, and sometimes entire industry sectors, might feel knock-on effects from that one incident.
DORA sets out expectations and frameworks for areas like risk management, resilience testing and information sharing.
It also provides for penalties for non-compliance, effectively making poor security and resilience practices a problem before an adverse event takes place, with the aim of significantly strengthening overall preparedness across the economy.
When it applies from January 2025, DORA will cover financial entities in the EU-27 and the ICT third-party service providers that support them.
While how severely the penalties will be applied remains to be seen, they are set to be significant: for critical ICT third-party providers, periodic penalty payments can reach one percent of average daily worldwide turnover per day of non-compliance, and the regimes for financial entities themselves are set by national competent authorities.
While DORA is, in a sense, positioned to protect financial institutions from adverse events that might be triggered by threat actors or internal failures, the bigger picture is about protecting economic infrastructure more broadly and ensuring it can recover at pace from disruption.
These regulatory moves represent an evolving and maturing view of cyber risks.
It is not only about investing in defence, prevention and avoidance.
It is also about minimising the damage when things go wrong and ensuring that recovery is as fast and seamless as possible.
Because it is impossible to fully eliminate the possibility of breaches and failures, how you manage your response to them is equally important.
In Kyndryl’s recent State of IT Risk Report, for example, 92% of respondents said that their organisation had experienced disruption in the preceding two years.
When we think in terms of resilience rather than only threats, we need to view non-cybersecurity incidents such as human error and network outages through the same lens as cybersecurity incidents such as malware and unauthorised access.
The Kyndryl mindset is to be agnostic to the source of the damage and laser-focused on business continuity, that is, returning to normal operations after a disruption.
That means that when we are consulting on cybersecurity technologies, we are also thinking about modernising legacy technologies in the enterprise’s ecosystem.
This could include addressing skills gaps and building a culture of accountability, building more transparent and explanatory monitoring and systems health checks, or ensuring the maintenance of data privacy during the normal course of business operations.
It’s elements like all of these, properly integrated, that can deliver effective resilience.
Digitalisation has been progressing in most enterprises in a relatively piecemeal way for decades.
However, the pandemic disrupted this pattern.
Organisations had to activate new ways of working on shortened timelines.
During this period, rapid innovation occurred in relatively uncontrolled ways, which is why many businesses now have much larger attack surfaces.
Threat actors also changed during that time, especially with disruptors like ransomware becoming increasingly commercialised and accessible.
That goes hand in hand with changes in what bad actors attack: the opportunities have grown, and there are many ways to exploit them.
In addition, rapid growth can increase other risks, such as internal failures caused by misconfiguration.
When it comes to assessing the biggest threats to companies today, there is no simple or useful answer.
It is less about identifying and guarding against the next attack, and more about thinking holistically about everything that underpins resilience.
Kyndryl’s core values include trust and responsibility.
Our enterprise customers trust us to advise consultatively on what will make a meaningful difference for them, not just execute on a particular technology or initiative.
We take responsibility for the consequences of that advice.
When discussing specific methods and technologies businesses are using, it is useful to think of the organisation as a biological entity being attacked by any number of viruses every single day.
Our role in security is to identify and implement protective measures.
What is important is to manage these many variables properly, based on the customer’s environment.
In addition to firewalls and internet gateways, we use numerous encryption and authentication options for privacy and access, along with incident response teams and protocols.
We also train on best practices for holding and deleting data.
Some of that technology has been well established for many decades.
At the same time, we are deploying AI to analyse network records more effectively and flag anomalies.
What differentiates Kyndryl is our experience in managing extremely complex organisations, with IT infrastructures configured in every imaginable way.
We have in-depth experience maintaining mission-critical systems for financial services, health services, the public sector and other industries that form the backbone of the global digital economy.
Cyber resilience is complex.
Whether your systems are running smoothly or in the process of recovery, your first guide to action should be the answers to these questions.
What are the things that make you run, in other words, what is your minimum viable business?
What are the things that really make you an actual business, and not just a group of people and office buildings?
How long can you go without those things, and how long would it take you to recover them if they disappeared?