How do you frame the impact of digital resiliency to your C-suite?


CTO in Software, 11 - 50 employees
The foremost tenet of digital resiliency is cybersecurity, because we've seen massive cyber attacks on the supply chain of multiple firms affecting true commerce. As companies move fast and digitally transform their business, security gets left behind, but it needs to be everybody's initiative. Both security and resiliency must be job one for everybody; I don't care what your role is. Because however much revenue was generated from digital transformation, it can be dialed back from lack of resiliency, via ransomware, etc. That’s what happens when companies run fast with scissors. Digital resiliency is about moving smart.
CIO in Education, 1,001 - 5,000 employees
I try to deal with it within my own ecosystem. To the extent that I can be self-sufficient in terms of digital resiliency and build in whatever safeguards I need, I insulate myself with the understanding that things happen sometimes and I'll have to figure out how to deal with them. I'm worried about ransomware as a whole, but I also have a backdrop of having a campus network that I'm on so I can partner with somebody else if an incident happens. Email is likely the first thing I'm going to hear about when it's out because either something didn't get through that should have or I got some obvious spam in my inbox.

When I got to Anderson, I had a guy who spent half his job on security and instead I made a team of two focus on security full-time. Out of a several million dollar major initiative budget, I spent over half a million on security. I brought in Varonis, ripped out my secure email gateway and am finalizing a replacement such as Proofpoint/Mimecast/Cisco. I’m putting in Armorblox. I'm looking at products like Code42 so that I have endpoint immutable backups. I'm looking at Nutanix hyper-converged infrastructure with VM so I have immutable server backups. Any purchase I make goes through a campus local security review so anything we bring in the door has at least been vetted. Those are some of the fail-safes that we have in place organizationally. My model is a little different because I'm not as worried on a daily basis about order-to-cash or revenue.
Director of IT in Software, 1,001 - 5,000 employees
People say “software isn't perfect” but they don't really understand that until they live through the imperfections. I worked in cybersecurity software for 10 years, and at the end I was running global sales operations for business critical support. So with the business applications lens, it’s ingrained in me that the first thought is a security review, especially if we're talking about Salesforce and their marketplace of third-party application providers. I've been in scenarios where they've passed the standard Salesforce security check—which is part of the prerequisite to get into their app exchange—but once they put that package into their environment, it's like a weed. It explodes and the things it touches and controls create a whole other ball of wax that you have to examine in terms of all those impacts. 

My particular view of security as it pertains to resiliency is that it's not just about protecting against cyber attacks or DNS issues, it's about putting all of your eggs in one basket. For example, I know of companies that have doubled down on Salesforce as their single platform to build their entire quote-to-cash lifecycle on. When the Org-wide outage happened, I was getting texts from people saying, "We're completely sunk. We can't transact or book business. Revenue is at a screeching halt." And as I look at applications that are newer, I ask: What is the longevity of this product? How is that going to impact our ability to transact business in a sustainable and scalable way over time?
CEO in Software, 11 - 50 employees
From a resiliency standpoint, you have to consider the term sustainability as well. Your business may not be sustainable due to various risk areas: you can't hire the right people, or you can't get fuel to run your trucks because you don't have network connectivity. A security failure is no different: Maintaining sustainability through appropriate security behavior is important. But security is its own problem space in an organization. I've read and created a dozen business continuity or disaster avoidance and recovery plans at varying levels of complexity. I don’t typically see plans written by others that include security posture, and security protections and recovery. Why is that?
CIO in Education, 1,001 - 5,000 employees

Because it's not baked into the reflexive mode of getting the business back in operation. It's that separation of what's important to the business for business’s sake versus what's protecting the business for security.

CTO in Software, 11 - 50 employees

It’s because security does not drive revenue. If you're a private equity firm, you don't want to hear about security. Until it's the firm’s problem, it's your problem—if it becomes the firm’s problem, then it's also your problem because they’ll fire you.
