Why security and resilience are essential for enterprise risk management

Security threats have been making headlines for years. In 2020, the SolarWinds Attack was seen (at the time) as one of the most sophisticated and widespread cyberattacks conducted against the federal government and private sector, breaching thousands of organizations globally and propelling supply chain attacks to the front of security conversations. 

It seems that malicious actors are challenging governments and cyber defenses across all industries by targeting their ecosystem of IT partners. I believe the stakes are especially high for those in highly regulated industries, which can be exploited through their digital supply chain, giving hackers access to consumers’ valuable and sensitive data. 

Increasing cloud use: Increased risk

However, the risks don’t stop there. Cyber resilience, and the broader considerations linked to operational resilience, are at the forefront of IT decisions, as banks and other financial institutions are becoming increasingly reliant on cloud.

The U.S. government is taking note, releasing its evaluation on the consequences of cloud concentration as it can put financial stability at risk. Furthermore, the Biden administration’s national cybersecurity strategy can also be seen as a step to advance standards of security and compliance at different levels of engagement. 

While we must be prepared to protect and respond to malicious attacks, that is only one part of building a resilient organization. Some enterprises may fail to consider the risks to the business that can come with a lack of resiliency. Technical vulnerabilities such as an outage from a cloud provider can potentially negatively impact the integrity of cloud services — and moreover, disrupt business operations for customers. That is, if all workloads reside with a single cloud provider. This is why a hybrid multicloud approach can be crucial to keeping the lights on for enterprises to continue operations while dealing with a crisis.

Growing scrutiny from regulators 

The White House isn’t the only government entity taking note. The recent report on cloud adoption from the U.S. Department of the Treasury issued concern about the potential impact of cloud services-based technology concentration on the financial sector. The report is a stepping stone in rolling out future recommendations in driving risk management.

However, we should all consider this a strong signal of what’s to come — an industry effort to deal with regulations to reign in cloud concentration and supply chain dependence risk. But as enterprises navigate these growing regulations, they must remember there is one important factor that isn’t in question: The benefits of the cloud. In fact, cloud can be a force multiplier in security, enabling enterprises to improve their resiliency and reduce risk — when leveraged efficiently. 

Those operating in financial services need agile technology platforms that can help them rapidly modernize in response to evolving demands of their digital-first consumer — which include quickly securing loan approval in minutes to calculating the carbon footprint of their purchases. These daily activities require banks, FinTechs and other financial institutions to collect, store and manage their customers’ most confidential data.

Cloud provides a tremendous opportunity to safeguard this data as the financial services industry breaks ground with innovation to expand financial inclusion and manage the financial well-being of our communities. However, we also recognize there’s a lot at stake here — customer trust and the confidence of regulators. 

I strongly believe financial institutions and their ecosystem of cloud partners need to solve cloud complexities together to mitigate potential resiliency threats. This means getting people, processes and technology to work in unison to manage complexities by design from the first stages of crafting an IT strategy through to execution. 

Remember cloud is not a destination; it’s an enabler 

We understand that regulators will always be challenged by the responsibility they have to evolve policies to build and sustain trust in the digital transformation journey. However, we all need to understand that the answer may not be sole reliance on a single cloud provider. It’s about understanding the uniqueness of your business processes and applications to develop a comprehensive workload placement strategy.

The hybrid multicloud conversation should be focused on making intentional choices about where data and workloads are hosted and where workloads are deployed. These decisions should be made based on five parameters: resiliency, performance, security, compliance and total cost of ownership. The reality is that workloads may need to operate in different environments to function successfully. 

However, if it’s not done correctly, there could be unnecessarily accentuated risks. Mixing on-premises systems with an array of cloud environments can lead financial institutions to levels of operational complexity that can overwhelm IT teams. It is vital for FinTechs to appropriately plan from the outset to pick the appropriate deployment locations to manage data securely to mitigate risks. 

The fact is, there is no one-size-fits-all approach for industries that vastly have different wants and needs from an IT perspective. This is why it’s crucial for financial institutions to understand that cloud is not a destination — it’s an enabler. 

Thwarting cyber risks with cyber resiliency 

Recovering from a cyberattack within a hybrid multicloud environment can be challenging, with an assortment of workloads, infrastructure and equipment spread across multiple environments. This can be made worse by implementing security strategies in silos, paving the path for the dreaded “Frankencloud” environment that allows cyber predators to find their way into the organization.

I believe cyber resiliency strategies should be designed with one single point of control, allowing financial institutions to gain a holistic view of their environment, as well as potential threats. This is where partnership execution is vital, with cloud providers co-creating and consolidating both a security and resiliency strategy across hybrid, multicloud environments.

We need to ensure that cybersecurity is a top priority as enterprises continue to innovate and regulatory scrutiny continues to grow. I strongly believe hybrid, multicloud strategies are a pivotal step in the right direction to advance operational resiliency. However, the cloud community needs to build trust among financial institutions, regulators, and the government — it takes all of us.

Howard Boville is SVP and head of IBM cloud platform.