If 2022 is teaching us anything, it’s that no organisation is an island. A better analogy, if I can be a little poetic, is perhaps that we are ships, buffeted by winds, riding rising and receding tides and trying to chart a course to calmer waters. We can build strong ships, but the ocean is out of our control. This lesson has been served to us in the form of global disruption on a scale that is so far out of our control that it can leave us feeling powerless. This year we are still dealing with the impact of a global pandemic on working patterns, navigating huge trade disruption, and grappling with the impact of war and civil disruption. It’s a lot to consider.
So much, in fact, that in August Gartner was compelled to discuss the matter, providing insight into the scale of the challenge, with recommendations for management.
A survey by Gartner in 2021 found that 41% of Boards of Directors view geopolitical power shifts and turbulence as one of the biggest risks to performance, and Gartner predicts that by 2026, 70% of multinational enterprises will adjust the countries in which they operate by hedging to reduce their geopolitical exposure.
“Digital geopolitics is now one of the most disruptive trends that CIOs must address, with many now dealing with trade disputes, legislation coming from one country that impacts global operations, and government-imposed restrictions on the acquisition and use of digital technology,” said Brian Prentice, VP analyst and Gartner Fellow. “They need to get acquainted with this new reality and prepare for its impact.”
So what does this mean for IT and security professionals? Well, in short, we are going to need to be agile and flexible to support the business in these changing times. It is a time for clear and strategic visions, and architectural transformation to build infrastructure that is specifically designed to enable change.
This can seem scary, maybe even impossible. When the risk landscape grows and evolves, a natural reaction is to impose rules and regulations in an effort to reduce exposure. But if we apply too many restrictions, we fail to provide space and opportunity for growth and our organisations will fail to compete and adapt in the way they need to.
Instead of a defensive and limiting approach, we need to create room for innovation and productivity, and that requires a different approach to security.
This is something that we have talked about before. Our global CIO Mike Anderson posted recently with his thoughts on better ways to enable “business IT” (not “shadow IT”), and my fellow EMEA colleague, CIO Ilona Simpson, has also posted, explaining why security is the first step to enabling growth and innovation.
These are useful insights, and I would add to them a call for all teams to get much more forensic in their interrogation of geo-footprints or physical real estate in the age of cloud. Because a cloud in a diagram still exists somewhere in reality. And if Gartner’s prediction is true, 70% of organisations will need us to have a really clear idea of the countries our data visits—you cannot control what you do not know.
I am heartened to hear more and more CISOs asking questions pertaining to data residency. It’s something that started when the GDPR first came into force, and has gathered momentum as nation states around the world have introduced new data protection legislation. But while leaders know to specify in contracts that data needs to be stored in particular jurisdictions, I have seen multiple cases where the routing of data is not specified. I have personally supported EU organisations in identifying cloud vendors who are complying with contractual obligations to store data in EU data centres; however, on inspection, the traffic is routed via the US, across the Atlantic. With news that undersea cables are increasingly being targeted as an attack surface by malicious actors, it’s perhaps time we started to further interrogate data flows.
Our Chief Strategy Office team of experienced CIOs and CISOs is always available to our customers and other organisations who are considering working with us. We help organisations understand and respond to geopolitical events. In particular, we are regularly invited to help capture and communicate risk and mitigation plans to board members and other stakeholders. Have you revised your strategy to respond to geopolitical events lately?