Flooded airports, DORA, and IT-security siloes: Cohesity's Mark Molyneux on cyber-resilience
Many organisations "don't understand the capabilities that IT can provide to security and that security can provide to IT" says the Barclays veteran. CIOs and CISOs should...
No-one ever said tech leadership was supposed to be easy, but CIOs and CISOs are grappling with an unprecedented array of challenges, from increasingly interventionist regulators, to surging cyberattacks, disruption from AI, and climate change. Sometimes, too, an inability to collaborate.
Mark Molyneux is currently EMEA CTO at data security and management firm Cohesity. He was previously at Barclays bank, where he was director for global storage, virtualization and cloud – running a team overseeing all networked storage and backup across investment and personal banking; an estate of 65 petabytes of primary storage, 25 petabytes of NAS, 590 petabytes of backups, and 100,000 virtual machine workloads for VSI/VDI.
Molyneux is close to the challenges IT leaders have always faced, and the way recent trends have amplified them, particularly when it comes to the need to think not just about “recovery” but about resilience more broadly.
Those challenges include a drive to keep down costs while simultaneously delivering modernisation and change – including the adoption of AI – and dealing with legacy and technical debt. To that, he adds, “You throw in something like Broadcom’s VMware acquisition, which has dramatically changed the landscape of virtualization” and resilience around it.
“Perfect storms” and actual storms
Layer onto that the increasing challenge of cyber risks, particularly ransomware, and it sounds like a perfect storm. Except there are actual storms to consider too, as climate change impacts physical infrastructure.
Recent floods in Dubai that knocked out an airport data centre illustrated both the challenge of climate change and, by analogy, the way a cyberattack can overwhelm tech teams’ ability to respond.
Drawing a compelling parallel, Molyneux says organisations in the usually arid emirate might have a perfectly sensible disaster recovery plan, but if staff couldn’t get into a backup data centre because the roads were flooded, or found the door systems had shorted, that plan became useless.
Similarly, he said, a cyber attack can mean not just that data is inaccessible, but that access systems are shut down, and company-wide phone networks are dead, making it impossible to even think about kicking off the recovery process. In many traditional IT teams “disaster recovery” specialists are not close enough to cybersecurity, he notes.
Cyber-resilience? Business resilience!
“To understand cyber resilience, you need to understand what your end goal is. And your end goal is business resilience,” says Molyneux.
“So, you then build a bubble around data resiliency that says ‘Well, okay, accepting that I’m safe at point one, cyber resiliency is my next challenge.’
“You're talking about immutability and air-gapped copies of data and dark site locations and fully tested recovery plans from a cyber perspective, plus proactive threat detection and hunting and other strong security features.”
This can mean accepting that achieving cyber resiliency fundamentally changes earlier assumptions about recovery time objectives (RTO) and recovery point objectives (RPO): those targets were set on the premise that a usable copy of the data exists. As Molyneux says, if the backups themselves have been deleted or encrypted, you simply can’t recover, however good the plan.
“We advocate very much a clean-room process where security and IT are working hand in glove to go through the data assets recovered to make sure it's clean. So, when it goes back in, you don't get reinfected.”
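The clean-room step above is a process, not a product; as an added example (not Cohesity's code and not anything the interviewee describes in detail) the script below shows the minimum such a step has to establish before recovered data is allowed back into production. It assumes that a manifest of SHA-256 digests was recorded on the immutable, air-gapped copy at backup time (here a plain dict, `MANIFEST`), that the security team supplies a block list of known-bad digests (`KNOWN_BAD`), and that a file which no longer matches the manifest and has near-random byte entropy is treated as probably encrypted by ransomware. Every file, digest and path in it is constructed for the demonstration.

```python
"""Clean-room check of a recovered backup tree.  Added example; all inputs constructed."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Random or encrypted data approaches 8 bits/byte; text sits around 4-5.
ENTROPY_THRESHOLD = 7.5


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def clean_room_check(recovered_root: Path, manifest: dict, known_bad: set) -> dict:
    """Classify every recovered file.  Only a file whose digest matches the
    immutable manifest and is absent from the block list counts as clean;
    extra files are reported rather than silently accepted."""
    report = {k: [] for k in ("clean", "modified", "missing", "unexpected", "known_bad", "high_entropy")}
    seen = set()
    for path in sorted(p for p in recovered_root.rglob("*") if p.is_file()):
        rel = path.relative_to(recovered_root).as_posix()
        seen.add(rel)
        digest = sha256_of(path)
        if digest in known_bad:
            report["known_bad"].append(rel)
            continue
        expected = manifest.get(rel)
        if expected is not None and digest == expected:
            report["clean"].append(rel)
            continue
        report["unexpected" if expected is None else "modified"].append(rel)
        # Anything not provably known-good also gets the entropy heuristic.
        if shannon_entropy(path.read_bytes()) > ENTROPY_THRESHOLD:
            report["high_entropy"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def is_safe_to_restore(report: dict) -> bool:
    return all(not report[k] for k in ("modified", "missing", "unexpected", "known_bad", "high_entropy"))


def build_demo(root: Path):
    """Constructed manifest plus a recovered tree showing the usual post-incident damage."""
    original = {
        "docs/readme.txt": b"Runbook for the payments estate. Keep under change control.\n",
        "docs/policy.txt": b"Backups are retained for 35 days on immutable storage.\n",
        "db/customers.dat": b"id,name\n1,Alice\n2,Bob\n" * 50,
        "tools/update.exe": b"MZ" + b"\x00" * 60 + b"constructed placeholder binary",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in original.items()}
    # Stand-in for a ransomware-encrypted file: deterministic pseudo-random bytes.
    scrambled = b"".join(hashlib.sha256(b"demo-seed-%d" % i).digest() for i in range(128))
    dropper = b"constructed malicious payload -- not a real sample"
    recovered = {
        "docs/readme.txt": original["docs/readme.txt"],                             # intact
        "docs/policy.txt": original["docs/policy.txt"] + b"Edited by attacker.\n",  # tampered
        "db/customers.dat": scrambled,                                              # encrypted
        # tools/update.exe deliberately absent: deleted or restore failed
        "tmp/dropper.bin": dropper,                                                 # known bad
        "tmp/notes.txt": b"harmless scratch file that nobody inventoried\n",        # uninventoried
    }
    for rel, data in recovered.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return manifest, {hashlib.sha256(dropper).hexdigest()}


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        manifest, known_bad = build_demo(root)
        return clean_room_check(root, manifest, known_bad)


if __name__ == "__main__":
    r = run_demo()
    for k, v in r.items():
        print(f"{k:13s} {v}")
    print("safe to restore:", is_safe_to_restore(r))
```

Two caveats a practitioner would add. The manifest must be read from the immutable copy itself: an attacker who could delete or encrypt the backups could also rewrite a manifest stored alongside production data, which is why the digests belong on the air-gapped side. And the entropy heuristic is only a flag for the security team, not a verdict; legitimately compressed or encrypted files (archives, TLS keys, already-encrypted databases) will trip it, so those are best listed in the manifest and, in this design, cleared by a matching digest rather than by the heuristic.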
Siloed security and corporate IT
Collaboration between IT and security is critical to achieving that broader resilience. The problem is, “In the majority of the customers I've spoken to, they have very siloed divisions of security and IT.”
This can mean different tool sets, a lack of information sharing, and an inability to work together. That gap is why ransomware hits some organisations so hard: “Because they don't understand the capabilities that IT can provide to security and that security can provide to IT.”
It’s down to CIOs and CEOs to bridge this gap, Molyneux says.
If nothing else, this could result in cost savings as information is shared and common tool sets are implemented. There’s a potential beneficial impact on digital transformation too, as organisations use the right tooling to analyse which data is actually critical to them and how they protect it.
“If you're sitting on a mountain of data, you've got a huge challenge from a security perspective, because you don't know what most of that is.
“You've got a huge challenge from a physical data centre cost.”
That, in turn, impacts organisations’ ability to reach sustainability goals.
“If these two groups of people are working together more effectively, companies are going to naturally benefit because we're doing the right things” – benefit from streamlined organisations, cleaner IT, better data visibility AND more cyber-resilience.
Gaining insights into that information pile will enable them to better protect the most important data – such as the training data needed for new AI models. But it also works to shrink the data mountain overall and decrease the amount of infrastructure needed to support it.
If tech leaders weren’t already considering these issues, legislation will focus their minds. The SEC is tightening cyber disclosure requirements in the US. In the EU, the Digital Operational Resilience Act (DORA) applies to financial entities from January 2025, while NIS2 broadens the range of sectors covered by the EU’s Network and Information Security Directive. IT and security leaders already face a volatile, dangerous environment, and regulations like NIS2 and DORA represent another “huge challenge”, says Molyneux.
To Molyneux, these might be onerous, but they also provide a framework and blueprint in which to work towards resiliency, whatever sector you’re in. As he asks, in this landscape, “why wouldn’t you want to be resilient?”
After all, just consider the alternative.
Delivered in partnership with Cohesity.