The recent global IT outage has been unprecedented in its scale and impact.
As an experienced technology professional with a background in both software development and large-scale infrastructure management, including overseeing my first data center assignment post-9/11, not much surprises me when it comes to technology disruptions. However, the aftermath has been marked by a considerable amount of blame-shifting among organizations and software providers, which has proven to be counterproductive. As leaders and board members navigate the challenges posed by this incident and recent cyber events, it is essential to focus on practical questions, extract valuable lessons, and implement strategic actions. A back-to-basics strategy, returning to fundamental principles, will be essential for effectively addressing and mitigating the impact of such disruptions. Before diving in, it’s crucial to recognize the overarching objectives for leaders today:
- Profitable and Sustainable Growth: Ensuring that growth strategies are not only effective but also sustainable in the long term.
- Engaged and Innovative Culture: Fostering a culture that is both engaged and innovative, leveraging emerging opportunities.
- Resilient Business Operations: Building a business that is resilient and capable of engendering client loyalty even in challenging times.
While much of the following discussion focuses on defensive strategies that enable a resilient business, it’s important to remember that a robust offensive strategy is equally vital. As Bear Bryant famously said, “Defense wins championships,” but success in today’s competitive landscape also demands a proactive offense.
The Irony of Leadership Accountability: Technology’s Dual Role of Disruptor and Driver
Technology, the primary disruptor of our era, is also the key driver of growth, innovation, and resilience. However, there’s a tendency among boards and C-suite executives to relegate technology to the domain of CIOs and CTOs, rather than viewing it as a collective responsibility. The recent wave of disruptions underscores the necessity for all leaders to engage actively with technology’s risks and opportunities.
Back to Basics: Top Questions to Address Post the Recent Global IT Outage and Cyber Events
- What is our current inventory of technical debt, and what does our investment plan entail? Below are some practical best practices from which everyone can benefit.
  - Risk-Based Assessment: Evaluate our technical debt comprehensively. Understand the vulnerabilities in our applications, infrastructure, and networks, and identify the necessary investments for modernization. As an example, have we modernized our infrastructure with self-healing capabilities? Does our technology include features like automatic rollback of machine and server updates, or are time-consuming manual interventions required?
  - Impact Analysis: Recent multi-day IT outages, such as those affecting the airline industry, highlight the importance of understanding and addressing our technical debt and investment needs to prevent future disruptions.
- Do we fully comprehend our third-party and supply chain risks, and are we prepared for unexpected system or data losses? A few best practices are outlined below.
  - Vendor Testing Procedures: Scrutinize how our vendors test their updates, patches, and releases. Understanding these processes is crucial in our interconnected environment.
  - Update Management and Segmentation: Clearly map out our approach to updates and patches. Ensure critical systems are segmented from non-critical ones, allowing for a more controlled and risk-based approach to implementing changes.
  - Canary Testing: Adopt canary testing methods where feasible to test updates in a limited environment before full deployment. This approach promotes testing changes with a small number of representative clients rather than a “big bang” release of software to everyone at once.
  - Disaster Recovery Plans: Reevaluate and regularly test our disaster recovery strategies, particularly for critical infrastructure. Given that ransomware attacks can compromise backups, ensure we have a dedicated recovery plan for such events. Too often, a disaster recovery plan written for the loss of critical data is treated as the mitigation for a ransomware event. During a ransomware event, backups are often connected to the network and are compromised along with the production systems they were meant to restore.
- Have we conducted tabletop exercises involving the C-suite and Board to practice our response to top-risk scenarios? Have we planned for a multi-day IT outage?
  - Practice Scenarios: Engage in tabletop exercises that include scenarios like multi-day data losses and ransomware attacks. Such practice sessions are crucial for identifying gaps, clarifying decision-making processes, and planning communication strategies for clients, regulators, and employees. Many of these communications can be drafted in advance as part of the planning effort.
  - Survival Strategies: Assess our ability to operate during a prolonged disruption, including worst-case scenarios where technology is unavailable. Develop strategies for continuing client service and maintaining operations under such conditions.
  - Tone at the Top: When senior leadership and board members actively engage with business and technology specialists, it unequivocally communicates that resilience and security are fundamental priorities for the organization. This engagement fosters an environment where information and potential risks can be effectively shared and addressed across the entire enterprise.
Conclusion: A Unified Approach to Technology Risks
Technology represents both an offensive and defensive element in today’s business environment. Cybercriminals are continually innovating and targeting sectors with high industry concentration risks, from energy and healthcare to widely used enterprise software. In addition, we are all interconnected and susceptible to third-party risks. Therefore, it is imperative that technology is not relegated solely to a few specialists. Instead, it requires a collective, proactive effort from the entire executive leadership team.
I am a technology and business leader with deep expertise in digital transformation, business strategy, financial services, and cybersecurity. As the US CIO in Residence for Deloitte, I leverage decades of experience to help organizations navigate the complexities of technology and innovation at the executive level. In this role, I serve as an independent advisor, providing strategic guidance to clients, practitioners, and senior leadership, while also chairing Deloitte’s CIO Advisory Council.
Previously, I served as the Global Chief Information Officer at Vanguard for nearly a decade. I am also the founder of Technology Leadership Solutions, LLC, where I focus on shaping the future of business through technology-driven leadership coaching.
My unique blend of technology expertise and business acumen has made me a trusted advisor to C-suite executives and boards alike.