Last month I walked around at several events: the well-attended Cybersec at the Jaarbeurs in Utrecht, a content roundtable at Levi9 on sovereignty and Cloudflare's Immerse meeting. What struck me was not only the interest, but also the tone. Whereas sovereignty and cybersecurity used to be often seen as a technical matter for specialists, you now see that the discussions are becoming increasingly strategic. And rightly so: AI gives attackers and defenders alike enormous new clout. And with it, the digital battle and digital independence has definitely escalated.
We used to be able to compare our data centers to commercial aviation. The outside world was relatively safe, and the goal was primarily to allow customers to make their "digital journey" as safely and comfortably as possible. Of course there were risks, but they could largely be overcome with technology and procedures.
Today, that image is outdated. In a digital war, these same data centers must operate like military aircraft. They must ensure their own security, but also be constantly prepared for active attacks from a hostile environment. As every general knows: you should not prepare for the previous war, but for the next one. Only: what does it look like when "suddenly" AI is deployed everywhere, both in attack and defense? What if you are attacked by hundreds of AI agents trying to find every possible weakness? Or an AI agent from your customer "derails" and leaves a trail of data corruption in your data center?
Everything has gone into strange motion in the last year. AI not only strengthens our lines of defense, but just as much gives attackers new weapons. In this game of attack and defense, it is naive to think that no breakthroughs or accidents will happen anyway. The increasingly serious question is not whether, but when, an organization will be hit. Over 20,000 successful ransomware attacks last year. Unbelievable!
What happens when it suddenly goes "all black" and your data center, your Internet and communications are down for days or weeks? How do you deal with hostage-taking and ransomware, or weeks of interruption to critical processes? For some companies, it can literally mean the end when factories suddenly can't produce anything for weeks. As happened in recent weeks at Jaguar Land Rover in the UK and thus was forced to shut down production worldwide.
This emphatically places responsibility in the boardroom. Risk management is no longer just about insurance and fire safety, but about digital continuity and survival. It is not enough to "buy an extra pound" from your cloud vendor. Administrators need to know which processes and data are truly critical and what level of protection and sovereignty is necessary in the process. Can you keep putting all your eggs in one cloud basket? How many baskets do you need to have to have system or vendor fallback? And should those baskets perhaps be closer to home, within your own laws and regulations? Supported by domestic vendors or channel partners who take ultimate responsibility for that sovereignty?
The aviation analogy remains instructive. A military aircraft is prepared for hostile attacks, has capabilities to "shake them off," and even has an ejection seat to save the pilot. You can't do that in a commercial aircraft; there, in the event of a failure, you have to do everything you can to land safely and in a controlled manner quickly. Ask the same questions for your digital services and data. Who is in the cockpit? Who decides when an emergency landing is necessary, even if it is in an undesirable place? And always at an undesirable time. And what does that mean for the continuity of your organization, for your customers? Even if there are no casualties, the economic damage can be catastrophic. Do you have the emergency scenarios ready and people trained?
And above all, do not prepare for the previous war, but for the next one. That means: not just fixing or adding what was still missing, but thinking about how a future attack might play out. Not only thinking about protecting, but also about what happens if things do go wrong. How do you survive? How can you figure out what went wrong? How can you restart conditioned? How do you communicate with customers and shareholders, if you have any means of communication at all? Have you put together a survival kit in case your data center and Internet suddenly go down for weeks? And is there a temporary fallback option available if a reboot is going to take longer - perhaps months? Does your vendor or supply partner have these kinds of provisions?
I have written before on the importance of forensic data to identify errors and causes, and thereby make the industry safer - just as aviation has done with its "airworthiness." Only by sharing lessons can the digital infrastructure become safer worldwide. If you don't know "what" went wrong and "how" they got in, they may just be able to do it again next time. Despite the ten or more bitcoins you paid as ransom.
Above all, responsibility can no longer be placed on the hired CIO or CISO. Directors and regulators must have a say in how digital risks are managed, whether buyouts are paid and how continuity is ensured. With more than 20,000 successful ransomware attacks worldwide each year, digital war is no longer a future scenario, but a reality. And that reality affects not only businesses, but also national security and political stability.
The crowds at trade shows, the sharp discussions at roundtables and the growing list of victims make it clear that digital security is no longer an operational prerequisite, but a strategic issue. It directly affects the continuity of organizations and even national autonomy. The question of which digital processes and data to keep sovereign yourself - within your own legal and administrative frameworks - and where international suppliers can play a role, must be answered in the boardroom.
In my current activities as an ad interim CTO at companies, I see that security and business continuity as a topic are coming back more and more often. Digital transformation demands "Safety and continuity by design" - internally, externally and as a purchased product or service - and thus requires adequate risk management. Increasingly, this is also becoming part of my guidance of organizations. It is not speed but completeness that determines the final quality.
And to be able to explain this in simple terms to board and supervisors, because unfortunately almost no board members are really experienced in this area. Then it's mainly a matter of establishing the right form and content, including committed clout, necessary capabilities and of course the budgets to implement this within a relatively short time.
Cybersecurity is no longer "something of IT," but an essential part of risk management and governance. Or, as I have written many times on my blog: it is a discussion that is about trust, continuity and sovereignty. And it is a discussion that directors can no longer put off. I am - still - happy to help them with this.
