Information Week

8 Things That Need To Scale Better in 2025

As businesses grow and tech stacks become more complex, scalability remains a top issue.

“Companies face significant challenges scaling across both physical and virtual spaces. While a holistic approach to operations across regions provides advantages, it also introduces complexity,” says Dustin Johnson, CTO of advanced analytics software provider Seeq. “The cloud can assist, but it’s not always a one-size-fits-all solution, especially regarding compute needs. Specialized resources like GPUs for AI workloads versus CPUs for standard processes are essential, and technologies like Kubernetes allow for effective clustering and scaling. However, applications must be designed to fully leverage these features, or they won’t realize the benefits.”

The variety of technologies involved creates significant complexity.

“Today, a vertically integrated tech stack isn’t practical, as companies rely on diverse applications, infrastructure, AI/ML tools and third-party systems,” says Johnson. “Integrating all these components — ensuring compatibility, security, and scalability — requires careful coordination across the entire tech landscape.

A common mistake is treating scalability as a narrow technology issue rather than a foundational aspect of system design. Approaching it with a short-term, patchwork mentality limits long-term flexibility and can make it difficult to respond to growing demands.

Following are some more things that need to scale better in 2025.

1. Processes

A lot of organizations still have manual processes that prevent velocity and scale. For example, if a user needs to submit a ticket for a new server to implement a new project, someone must write the ticket, someone receives the ticket, someone must activate it, and then something must be done with it. It’s an entire sequence of steps.

“That’s not a scalable way to run your environment so I think scaling processes by leveraging automation is a really important topic,” says Hillery Hunter, CTO and GM of innovation at IBM and an IBM Fellow. “There are a bunch of different answers to that [ranging] from automation to what people talk about, such as is IT ops or orchestration technologies. If you have a CIO who is trying to scale something and needs to get permission separately from the chief information security officers, the chief risk officer or the chief data officer team, that serialization of approvals blocks speed and scalability.”

Organizations that want to achieve higher velocities should make it a joint responsibility among members of the C-suite.

“You don’t just want to automate inefficient things in your organization. You really want to transform the business process,” says Hunter. “When you bring together the owners of IT, information, and security at the same table, you remove that serialization of the decision process, and you remove the impulse to say no and create a collective impetus to say yes because everyone understands the transformation is mutual and a team goal.”

2. IT operations

IT is always under pressure to deliver faster without sacrificing quality, but the pressure to do more with less leaves IT leaders and their staff overwhelmed.

“Scalability needs to be done through greater efficiency and automation and use things like AIOps to oversee the environment and make sure that as you scale, you maintain your security and resiliency standards,” says Hunter. “I think re-envisioning the extent of automation within IT and application management is not done until those processes break. It’s maybe not investing soon enough so they can scale soon enough.”

3. Architectures

In the interest of getting to market quickly, startups might be tempted to build a new service from existing pre-made components that can be coupled together in ways that “mostly fit” but will demonstrate the business idea. This can lead to unintentionally complicated systems that are impossible to scale because of their sheer complexity. While this approach may work well in the beginning, getting business approval later to completely re-architect a working service that is showing signs of success may be very difficult.

“First of all, be very careful in the architectural phase of a solution [because] complexity kills. This is not just a reliability or security argument, it is very much a scalability argument,” says Jakob Østergaard, CTO at cloud backup and recovery platform Keepit. “A complex structure easily leads to situations where one cannot simply ‘throw hardware at the problem’; this can lead to frustrations on both the business side and the engineering side.”

He advises: “Start with a critical mindset, knowing that upfront investment in good architecture will pay for itself many times over.”

4. Data visibility

Organizations are on a constant mission to monetize data. To do that they need to actively manage that data throughout the entire lifecycle at scale.

“While cloud computing has gained popularity over the past few decades, there is still a lot of confusion, resulting in challenges including understanding where your cloud data lives, what it contains, and how to ensure it is properly protected,” says Arvind Nithrakashyap, co-founder and CTO at data security company Rubrik. “When it comes to scalability one blind spot is unstructured and semi-structured data.”

Unstructured data poses a security risk, as it can contain sensitive business data or personally identifiable information. And since all unstructured data is shared with end-user applications using standard protocols over TCP/IP networks, it’s a prime target for threat actors. Since most companies have hybrid and multi-cloud implementations, IT needs to understand where sensitive data is, where it is going and how it is being secured.

“One of the toughest hurdles for organizations whose unstructured data portfolio includes billions of files, and/or petabytes of data, is maintaining an accurate, up-to-date count of those datasets and their usage patterns,” says Nithrakashyap. “[You need to understand] things [such as] how many files [exist], where they are, how old they are, and whether they’re still in active use. Without reliable, up-to-date visibility into the full spectrum of critical business files, your organization can easily be overwhelmed by the magnitude of your data footprint, not knowing where critical datasets


New Data Center Developments: December 2024

The demand for new data centers isn’t showing any sign of slowing. With new projects being announced each week, keeping track of the latest data center developments is not always easy. To keep you informed about the latest data center news involving design, construction, and related developments, we bring you the highlights from the past month. This curated selection will help you stay on top of the latest data center development news with ease.

North American Data Center Deals

As experts came forward with their initial thoughts on how a second Trump presidency could shape the nation’s data center industry, new development announcements continued to pour in.

DC Blox is developing four hyperscale edge node data centers across the southeast. The facilities will be in Montgomery, Alabama; North Augusta, South Carolina; and Huntsville, Alabama; in addition to the location in Conyers, Georgia that was made public earlier this year.

Cologix, meanwhile, is expanding its central Ohio footprint after acquiring 154 acres of land in Johnstown. The operator is planning to develop an 800 MW campus to support the region’s “rapidly advancing digital economy.”

In Virginia, Iron Mountain said it acquired two data center development sites to strengthen its presence in the region. The purchase of the Richmond and Manassas sites will add an estimated 350 MW of planned future capacity.

Core Scientific says it will spend $6.1 billion to turn its bitcoin mining site in Denton into an AI data center. The investment is expected to lead to $194 million in property tax over a decade, according to The Dallas Morning News. The news comes as CleanArc said it’s developing a new data center in Virginia’s Caroline County, while AVAIO Digital said approval has been granted for its 76-acre Perseus Data Center Project at the Pittsburg Technology Park.

Meta continues to target multibillion-dollar data center investments, with reports this month indicating the Facebook parent company is planning to build an AI-ready facility near the city of Monroe, Louisiana.

The demand for nuclear projects continues, with Meta announcing it was seeking as much as 4 GW of new nuclear energy as the company looks for a reliable electricity source for its data centers.

The news came as Amazon said it would build a data center campus next to a Pennsylvania nuclear plant after US regulators rejected a special power deal, and Oklo agreed to deliver as much as 750 MW of electricity from nuclear reactors it plans to build to two data center companies.

Microsoft said it is building its first wooden data centers made with superstrong ultra-lightweight wood in a bid to slash the use of steel and concrete, which are among the most significant sources of carbon emissions.

More North American data center news: Infrastructure-as-a-Service provider servers.com announced the opening of a new data center in Miami and expanded operations in Amsterdam, San Jose, Washington, Dallas, and Singapore.

A rendering of WS Computing’s new data center facility in Gromstul, Norway. (IMAGE: SKANSKA)

European Data Center Developments

In Europe, UK data center operator Latos Data Centres said it will be delivering its first hyperscale data center in Cardiff, Wales, and a total of 40 new data centers across the UK by 2030.

The Cardiff data center will be a Tier III facility designed to meet the needs of the most demanding global technology companies, the company said.

Meanwhile, Nordic colocation provider atNorth is planning to expand two of its data centers in Iceland. The ICE02 campus near Keflavík will gain an additional capacity of 35 MW, and the recently opened ICE03 site in Akureyri will gain additional capacity of 16 MW.

The announcement came as Skanska signed a $50 million contract with WS Computing AS to build the core and shell for a new data center facility at Gromstul, Norway. Backed by investment management firm DTCP, GreenScale launched with the acquisition of Atlantic Hub, Northern Ireland’s largest data center based in Derry, complemented by a strategic site in Donegal, Ireland, totaling 170 MW of capacity.

More European data center news this month: T-Mobile and CE Colo Czech are launching a new section of DC7 data center in the Czech Republic, covering an area of up to 3,500 sq m.

Asia-Pacific Data Center Builds

In Asia-Pacific data center news, GDS International announced its entry into Thailand with a committed investment of up to $1 billion to develop a hyperscale data center park in Chonburi province, southeast of Bangkok.

Indian developer RMZ Corporation is spending $1.7 billion in building two data centers, and Canada Pension Plan Investment Board announced a $700 million joint venture with Pacific Asset Management Company to develop carrier-neutral hyperscale data centers in South Korea.

Shanghai DC-Science, a Chinese data center developer and operator, is seeking a loan of about $600 million to $700 million to fund a data center project in Malaysia.

More Asia-Pacific data center news this month: Equinix entered into a Power Purchase Agreement (PPA) with Sembcorp Power to secure 58.5 MW of power from a solar project in Singapore.

Teraco started construction of a new 40 MW data center near Johannesburg, South Africa. (IMAGE: TERACO)

Middle East and Africa Data Center Investments

Teraco said construction commenced on a new hyperscale data center with 40 MW of critical power load at its Isando Campus in Ekurhuleni, east of Johannesburg, South Africa.

The facility, known as JB7, is currently scheduled for completion in 2026 and will incorporate the latest environmentally sustainable cooling and water management designs, the Digital Realty subsidiary said.

Ezditek broke ground on its flagship data center facility, RUH01, in Riyadh to support AI and cloud growth in Saudi Arabia. The facility is expected to go live in Q1 2026.

Batelco signed a memorandum of understanding with Qareeb Data Centers at the Gateway Gulf Investment Forum 2024. The collaboration aims to create a new data center in Bahrain.

Finally, Equinix opened new data centers in Türkiye and Oman.


Things CIOs and CTOs Need to Do Differently in 2025

It’s that time of year again: the time when journalists and vendors make predictions and IT leaders set priorities for the new year. In a lot of ways, the stakes are high, given a new US presidential administration and the active conflicts in various parts of the world. What will happen to the economy and IT budgets? What will all the unrest equate to in terms of business continuity and cyberattacks?

As the world and technology become increasingly complex, CIOs and CTOs need to figure out what that means to the organization as well as the IT department. Loren Margolis, faculty, Stony Brook University, Women Leaders in STEM Program, warns that IT leaders need to proactively combat cybersecurity threats that continue to become more sophisticated.

“To proactively combat [cyberattacks], leaders must think like them,” says Margolis. “Questions to ask [include] What are our potential openings and soft spots? What are our competitors doing to combat them? If I were a nefarious operative, what would I do to breach our system?”

She also says CIOs and CTOs need to get ahead of machine learning to increase customer satisfaction, reduce costs and increase efficiency. In addition, IT leaders should consider the skill gaps in their workforce.

“Keep ahead or at least on top of the cybersecurity, artificial intelligence, and data analytics skills that are needed. Acquire talent and develop that talent so your company remains competitive,” says Margolis. “Find ways to use [AI and analytics] to become even more agile so you remain competitive. Also embrace them as opportunities to train and develop your workforce. Make sure your organization is a place where great tech talent can come to develop and use their skills.”

The following are some other priorities for 2025.

1. Increase value delivery

Joe Logan, CIO at cloud-native knowledge platform iManage, believes CIOs and CTOs will be focused on driving cost to value, especially when it comes to security.

“Because the nature of the threat that organizations face is increasing all the time, the tooling that’s capable of mitigating those threats becomes more and more expensive,” says Logan. “Add to that the constantly changing privacy security rules around the globe and it becomes a real challenge to navigate effectively.”

Also realize that everyone in the organization is on the same team, so problems should be solved as a team. IT leadership is in a unique position to help break down the silos between different stakeholder groups. The companies that master cross-functional problem-solving tend to drive higher value than those that don’t.

2. Ensure AI investment ROI

In 2024, many organizations discovered that their AI investments weren’t paying off as expected. As a result, AI investments are shifting from rapid innovation at any cost to measurable ROI. Heading into 2025, Uzi Dvir, Global CIO at digital adoption platform WalkMe, says CIOs and CTOs will face increased pressure to justify AI investments in the boardroom.

“Change management is emerging as a crucial factor for companies to fully realize the benefits of their AI investments and companies are gravitating towards more intuitive, human-centric AI,” says Dvir. “Faced with more and more AI apps, employees are asking themselves if it’s worth the time and effort to figure out how to use these new technologies for their specific roles. In response, enterprises are now prioritizing better visibility into AI adoption [and identifying] areas ripe for optimization and enhanced security.”

As always, the path to AI mastery doesn’t lie in technology advancements alone. Companies that actively start investing in and addressing change management will reap the true rewards of their technology investments.

3. Overcome budget limitations

Every IT leader is under pressure to improve efficiency and time to market while reducing costs. As is typical, they’re being asked to do more with less, and do it faster, but in 2025, they’ll increase their usage of AI, machine learning, and low-code/no-code platforms to improve efficiency.

“We are expecting to realize a 10% to 20% improvement in developer productivity via the use of products like GitHub Copilot and Amazon Q. Our current run-rate usage of these products has us bringing in the equivalent of an entire product’s code base worth of AI-generated code every year,” says Steven Berkovitz, CTO of restaurant technology solutions company PAR Technology. “We also expect these tools to help our developers focus their time on the hard and novel problems and spend less time on the repetitive tasks of development. We particularly expect this to help accelerate starting new projects and products as much of the boilerplate work can be automated.”

However, many developers hesitate to use AI for fear of job loss.

“I think [job loss] concerns are overstated, and developers should be embracing the tooling to improve their efficiency versus fighting it,” says Berkovitz. “[AI] will make them better, faster developers, which makes them more valuable to companies, not less.”

4. Strengthen cybersecurity

Cybersecurity threats are becoming more sophisticated, necessitating stronger defense mechanisms. Unfortunately, the digital services enterprises use to innovate are also utilized by threat actors to exploit.

“Strengthening cybersecurity measures will protect company assets and build trust with customers and partners,” says Rob Kim, CTO at technology services and solutions provider Presidio. “Challenges include the scarcity of skilled professionals in emerging technologies [including] Gen AI, data/lake house modernization and cybersecurity. Ensuring data privacy and regulatory compliance in a rapidly evolving legal landscape can also be complex.”

5. Deal with the lingering talent shortage

The World Economic Forum found there’s a global shortage of nearly 4 million professionals in the cybersecurity industry as demand continues to increase. That shortage follows a 12.6% growth rate in the cybersecurity workforce between 2022 and 2023. Highly regulated industries, such as government and healthcare, are among those experiencing the greatest cybersecurity workforce shortages, which presents unique challenges.

“This same narrative has been repeating


Building a Global Team of Experts to Support Complex Enterprise Sales

Today’s enterprise data systems are extraordinarily complex, and selling to the world’s largest enterprises requires a team with expertise who has a passion for and a deep understanding of data, infrastructure, and complex technical requirements. From integrating data to managing global performance, the technical team has become more essential now than ever in handling long-cycle, high-stakes deals.

The Changing Role of IT in Enterprise Sales

Over the past decade, the role of IT in enterprise sales has transformed. With the rise of cloud computing and data-driven decisions, clients now expect vendors to partner with them to provide technical solutions and strategic guidance on data integration, scalability, and performance. Today, enterprise sales focuses as much on technical expertise as it does on closing deals — and it should, given it’s a key driver of realized business growth.

A significant shift in recent years has divided the market into two categories: product-led growth, where cloud-based and self-service models prevail; and the traditional enterprise sales model, which focuses on large, complex systems that require a hands-on, technology-led approach. Cloud adoption has simplified some aspects of sales for smaller clients, but selling to large enterprises has only become more complex, especially for IT leaders managing the infrastructure and expertise needed for customized, long-cycle solutions.

Navigating Complex IT Requirements in Enterprise Sales

Enterprise sales are characterized by complex IT requirements, involving requirements gathering, multiple decision-makers, and highly customized solutions that must integrate seamlessly with existing infrastructure. This complexity presents both a challenge and an opportunity for IT leaders, and managing these requirements depends on team expertise.

I find it invaluable when technology professionals specialize in enterprise sales intricacies, from data integration and system architecture to performance optimization, big data engineering, and cybersecurity. When this cross-pollination occurs, technical prowess becomes the backbone of sales efforts, ensuring solutions are robust and aligned with a client’s broader goals.

For example, we recently collaborated with a global client facing data integration challenges across regions with diverse privacy regulations. To address their needs, we developed a plan that accounted for regional policies, operational requirements, and technical constraints, ensuring the solution aligned with their broader strategic goals. Our pilot program helped operationalize the solution for production from day one, consolidating workloads like ETL and OLAP analysis, streamlining administration, and enabling seamless scalability. This approach not only supported global growth without compromising data performance or security but also freed up the client’s most valuable resources to focus on next-generation innovation and revenue generation rather than managing or patching legacy systems. This level of expertise is essential for enterprise sales — without it, you risk missing opportunities to deliver the strategic value enterprises need to remain competitive and grow.

Recruiting Top Talent

A successful enterprise sales strategy begins with a strong team. Recruiting the right talent is crucial because the data and IT requirements for enterprise sales are complex, and skilled professionals are in short supply.

When hiring for technology-focused roles, prioritize experience in large-scale infrastructure, data management, and system integration. Enterprise sales expertise cannot be taught in a classroom — it comes from years of handling complex systems and understanding how technical capabilities align with business outcomes.

Expanding Talent Search Through Global Recruitment

Before the COVID-19 pandemic, operations were centralized, with salespeople based near clients. Remote work, however, has allowed many growing companies to recruit top talent worldwide, strengthening teams by tapping into a broader talent pool. It has simultaneously dispersed customer locations outside of the company’s headquarters.

At my current company, our team currently spans seven time zones, which gives us unique insights into region-specific challenges. For example, energy availability impacts IT operations differently across regions; in Europe, a strong emphasis on sustainability drives climate-friendly solutions. This regional expertise helps us understand our clients’ unique needs more deeply and enables us to provide tailored solutions that are aligned with local priorities.

Building a Collaborative Culture Across Regions

With a global technical sales team, fostering collaboration and maintaining cohesion are key for alignment and growth across the business. Codify your values by training teams on effective cross-regional work and integrating these values into your performance management system. This helps establish a strong foundation for teams to work off of when solving client challenges and delivering results tied back to key business goals.

To drive collaboration in remote or hybrid settings, I recommend AI note-taking tools to document and streamline action items, as well as capture the voice of the customer. I also recommend investing in tools like internal wikis, instant message apps and video conference tools, which enable productivity and teamwork regardless of location. At our company, these tools make it possible to operate as a fully remote-first company and improve our recruitment reach and overall efficiency.

Technical Sales’ Role in Building Customer Relationships

While relationships often drive enterprise sales, technology’s role in cultivating these relationships is significant and sometimes overlooked. Technical expertise demonstrated in customer engagements beyond the sales call is critical to establishing trusted relationships and meeting client goals.

It is for this reason that technical teams provide strategic guidance throughout the sales cycle, help drive system optimization, advise on integrating new technologies, and ultimately keep clients competitive. For companies scaling teams for enterprise sales, technical expertise is indispensable. Success in enterprise sales hinges on capable, technical teams skilled in managing data, infrastructures, and complex system integration and consolidation.

By recruiting top technical talent, fostering a collaborative culture, and drawing on global insights, companies can better navigate enterprise sales complexities and deliver solutions that address the unique data needs of the world’s largest companies. Ultimately, long-term success in enterprise sales relies on the combined strengths of the technical sales team, empowered to handle the scale and demands of these high-stakes engagements.


How CIOs Can Contribute to Corporate Strategy

Companies want CIOs to weigh in on corporate strategy, yet most CIOs find that they must carve out their own strategic roles. What’s the best way to do this?

At first blush, it might seem that there is no “best way,” because the idea of a CIO sitting at the corporate strategic roundtable is relatively new.

An initial driver for CIO strategic engagement was ushered in with the launch of digitalization initiatives. Digitalization made CEOs and boards realize that technology would be a driver of business success. This prompted a deluge of invitations to CIOs to attend strategic meetings, even though no one (including CIOs!) knew how and what CIOs would contribute. Ultimately, it was left to CIOs to define their own strategic business roles.

Rule #1: CIOs contribute to corporate strategy by defining their own strategic roles.

CEOs know they want the CIO at the strategic roundtable since it’s now obvious to everyone that technology enables business success, but that tends to be all a CEO knows.

That’s why CEOs and boards expect CIOs to establish their own strategic identities and worth. To do this, CIOs must first read the “tea leaves” of their companies.

Is it best to be a technology thought leader? I know of at least one case where that was all that was expected of the CIO in strategic planning. The CEO and the board wanted to know that they had an in-house “data architect” who knew what every system was doing, where every piece of data was, and how best to align all of it so everyone in the company worked with consistent, high-quality information.

In other cases, companies want a CIO who is so business-savvy that the CIO knows all the customer touch points and business pain points, and like a super physician can apply a magical technology balm to these processes, taking the pain away. I’ve seen CIOs do this, and some have even ascended to CEO positions.

Still other CIOs see themselves as technology trash collectors. They update technology over a series of years and get rid of the outmoded “boat anchors” that burden corporate balance sheets.

CIOs who are defining their strategic identities and the value they bring might choose one or more of these approaches, but one common path that they all travel is role definition, for there is no one else in the organization who can do it for them.

Rule #2: Contributions grow when you stick to business.

There was the CIO who established himself as a master data architect, and this satisfied the board and the CEO. But he was an outlier. This is because most companies want their CIOs to transform the business for the better. To do this, CIOs are building their business chops by studying finance, operations, marketing and sales, because they understand that they must get up to speed on how their companies operate and thrive above and beyond technology.

These CIOs analyze revenue streams, income statements, financial ratios, borrowing costs, customer behavior, and stakeholder concerns. They’re addressing these topics head-on in strategic meetings. This helps them gain business respect with their peers in the C-suite and with stakeholders, board members and the CEO.

There is also one “special insight” that CIOs possess and that other executives don’t: CIOs are integrally familiar with the enterprise’s portfolio of systems. Their work in IT has acquainted them with where they have systemic malfunctions and breakdowns. In a sense, the CIO is like an enterprise surgeon. He sees the breakdowns in those systems and can likely trace those breakdowns to problems in the business. If he can solve these problems with technology, he establishes his strategic worth.

Rule #3: C-suite teamwork pays off.

CIOs are at their strategic best when they team with other C-level executives in a digital transformation project that closely aligns technology with the business.

An example would be a new CRM system that gives everyone a 360-degree view of the customer experience with the company, whether they work in customer service, sales, marketing, product development, order fulfillment, or finance. It isn’t enough to ensure that systems and data across all functions are operational and consistent; you must also have the enthusiastic backing and participation of the executives who use these systems.

By teaming with their executive peers on digital projects, CIOs erase the old pattern of users coming to IT, asking for systems, and then returning to their regular business routines while IT works in the back room on a system that the users might not end up liking.

Communication channels develop and trust builds when C-level executives work together. A foundation of mutual work and trust is built that paves the way for more productive strategy making.

Rule #4: Go for the home run; don’t just get on base.

CIOs are not necessarily risk averse, but there are some who like to play their positions on the conservative side. If this management style fits your personality, you should probably stick with it. However, there is empirical evidence that CIOs who are willing to step outside of their traditional comfort zones — say to propose a new business — assume high risk but also cash in on high strategic rewards.

An example is the CIO at a well-known financial services company who developed a product in IT that was so innovative that he proposed a separate for-profit line of business for it. The board and the CEO approved, and the CIO became the CEO of a new subsidiary. This is an extraordinary example of where high-risk, high-reward strategic business leadership can go, but if the shoe fits, go for it.


The Cloud You Want Versus the Cloud You Need

While there are many options to leverage the cloud, lofty strategies can run the risk of getting ahead of what enterprises need — or what is feasible. Even with scalable options that can “rubber band” to suit demand, is there a disconnect between what enterprises aim for with their cloud plans and what can be delivered? Over the years, there have been protestations about the ubiquitous cloud, with cloud-first billed as the strategy of the future. But is that where enterprises should aim their cloud efforts? Diving into those and other questions, this episode of DOS Won’t Hunt gathered Marcus Merrell, principal tech advisor at Sauce Labs; Anuj Kapur, CEO of CloudBees; Bina Khimani, chief product officer and chief revenue officer with Kinesis Network; and Richard Munro, business value lead for the VMware Cloud Foundation Division. They spoke to questions that included whether enterprises are now able to tailor cloud resources to fit their actual operational needs, if cloud costs have become more manageable, how cloud usage has scaled in recent years, and whether or not more organizations are going cloud-first. Listen to the full podcast here.


What to Do When a Key IT Vendor Suddenly Goes Out of Business

When it comes to IT nightmare scenarios, few can match the possibility of having a key vendor partner suddenly close its doors. With little or no advance warning, IT leadership must scramble to find a suitable replacement and continue vital operations.

It’s critical to go on the offensive quickly, advises Troy Gibson, fractional CIO with business and technology consulting firm Centric Consulting’s CIO services unit. “Waiting to see what will happen is a recipe for disaster,” he says in an email interview. Remember that there will be many other customers in the same boat, so a rapid response is essential. “There are advantages to being at the table first to set the stage for what happens next.”

Warning Signs

Poor communication often signals a business in trouble, says Simon Fletcher, engineering manager at cybersecurity firm Twingate. “This is the most visible warning sign,” he notes via email. “If a vendor becomes unresponsive, or delays in communication start arising, this can be an early red flag.”

Another warning sign is a vendor experiencing frequent leadership changes. “A high turnover in staff, particularly in executive and leadership positions, can indicate internal instability,” Fletcher says. Product or service quality decline, or a sudden lack of regular updates, is yet another red flag. Additionally, staff layoffs and/or facility closures can be a sign of internal trouble.

Taking Action

The first step to take once a vendor’s failure becomes apparent is to assess how important the vendor’s services are to your organization, Fletcher says. “This is critical to understand how dependent your organization is on the vendor and how the shutdown will immediately affect operations.”

Fletcher believes that a thorough assessment can be highly effective, since it allows the leaders at the affected organization to quickly understand the potential risks and operational disruptions caused by the vendor’s shutdown. “By prioritizing the most critical services, the IT leader can allocate resources effectively, focus on minimizing downtime, and maintain business continuity,” he explains. “It also provides a clear direction for further steps, such as engaging alternative vendors or activating any existing contingency plans.”

Identify and secure all critical data associated with the vendor, particularly if it resides in specialized SaaS applications, recommends Todd Thorsen, CISO at data backup service provider CrashPlan. “IT leaders should prioritize exporting and backing up all data from these applications to ensure no intellectual property or essential work is lost,” he says via email. “This includes identifying all endpoints, such as laptops or any other devices on which data might be stored and securing the content in a centralized backup environment.”

By focusing on data backup, organizations can protect their intellectual property and critical work, even when a vendor suddenly shuts down, Thorsen says. “This mitigates the risk of data loss and ensures that teams can continue with minimal disruption.”

Gibson suggests engaging the vendor to understand their actions and how they might be able to help you mitigate the situation. “They may have already established a transition plan,” he notes. “If this is a software solution, cloud-based or on-prem, negotiate to gain access to the code and build scripts.” If that’s not possible, seek support to set up the solution on your own cloud platform. Finally, review the current contract to understand what products and/or services were agreed upon. “If there’s an escrow account for the code, understand the steps needed to access it.”

Preemptive Protection

The best protection against sudden vendor failure is regularly backing up all critical stored data to independent, secure environments. “This means setting up backup systems that aren’t reliant on the vendor’s infrastructure and ensuring that all work and intellectual property are duplicated in a secure location,” Thorsen says. Maintaining a comprehensive inventory of all applications in use, and understanding what data is stored in which location is also crucial, he adds.

As a key part of the IT risk management process, Gibson recommends that each vendor should be assessed on an annual basis to establish what would be the impact if the provider were to suddenly go under. Vendor size is inconsequential. Gibson reports that he’s seen several Fortune 500 companies coping with business-critical software solutions owned by a small IT provider that suddenly shut its doors.

Parting Thought

IT leaders should regularly review and audit the data they’ve stored across applications and endpoints, Thorsen says. To protect against unexpected vendor shutdowns, he suggests that data should be backed up regularly, made easily accessible, and stored in a secure environment. “Proactively managing data backups, rather than reacting to a crisis, can significantly reduce the impact on business continuity and protect against potential data loss,” Thorsen concludes.


Forrester Award Keynote: Schneider Electric Deputy CISO on Managing Trust, Supplier Risk

During a keynote at last week’s Forrester Security & Risk Summit in Baltimore, the research firm presented energy management and industrial automation company Schneider Electric with the Security & Risk Enterprise Leadership Award. Stephanie Balaouras, vice president and group director at Forrester, led a discussion with Mansur Abilkasimov, Schneider Electric’s deputy CISO & chief product security officer, and bestowed this year’s honor.

Balaouras noted that the judges, a group of Forrester analysts, voted unanimously to choose Schneider Electric. Barclays was the first recipient of the award in 2023.

Schneider Electric’s ability to integrate security, privacy, and risk management across the enterprise stood out as a factor in being chosen, according to Balaouras.

“We wanted to recognize organizations that have figured out how to take these functions, embed them across the enterprise, and actually use them as a driver of business, use them to drive business success and drive results, and improve the organization’s reputation for trust with customers, employees, and partners,” Balaouras told the audience.

A Holistic Approach to Security and Trust

Schneider Electric is a company that develops everything from DC chargers to safety instrumented systems. It maintains a holistic approach to energy and management in which security, privacy, and risk do not exist in silos.

Carrying out an integrated strategy is a challenge for a company like Schneider Electric given its wide footprint in infrastructure, distribution centers, and factories filled with industrial machines. Abilkasimov told the audience that nobody can achieve 100% visibility, but gaining this visibility as part of risk management is a key challenge for the organization.

In his keynote, Abilkasimov stressed that product security is not an afterthought and is integrated in the “holistic vision” of a product’s life cycle. In a “security by design” or “security by operations” strategy, the manufacturing teams are responsible for security by design as well as security by operation, he said.

The company received the award because of its implementation of a Trust Charter that incorporates ethics, safety, cybersecurity, and governance as well as a Trust Center, which addresses the requests of customers and stakeholders in security and data protection. “Trust Charter is a document that embodies all our principles and tenets for code of conduct, from AI to cybersecurity, from ethics and compliance to price, from safety to quality,” Abilkasimov explained in the keynote.

Abilkasimov and his team also organize a “Trust Month” in which they lead discussions around cybersecurity with employees and partners around trust. “Cyber is one of the pillars of this trust,” he said.

Trust is important for both cybersecurity and talent retention. Forrester recognized Schneider Electric for its ability to find talent for cybersecurity roles in operational technology (OT), according to Balaouras.

“Companies that are trusted, they earn and retain customers,” Balaouras told the audience. “They earn and retain the best talent. And what we’ve also found is customers are actually more willing to share sensitive data with trusted companies and even embrace emerging tech, where in other situations, they would have skepticism or fear of engaging with that emerging tech.”

Schneider Electric Tackles Third-Party Risk

In his keynote remarks, Abilkasimov described Schneider Electric’s approach to managing risk from the company’s 52,000 suppliers, which includes suppliers for Internet of Things components and regular IT as well as service providers. He explained that companies must prioritize which suppliers to work with on a security assessment. “It’s impossible to cover all of the suppliers with a cybersecurity or third-party security program, so sometimes you need to choose your battle,” Abilkasimov told InformationWeek after the session.

Schneider Electric has added 5,000 suppliers to its third-party cybersecurity program. It started with the 300 most critical IT suppliers, and the company will grow the program further, according to Abilkasimov.

“We work with those companies on cyber, crisis simulations, partnerships, C-level connections, and continuous monitoring through threat intelligence or cybersecurity scoring platforms,” Abilkasimov said in our interview.

He added, “Be it an IoT supplier or simple product security component supplier, they all go through this process.”

In Forrester’s “Security Survey 2024,” 28% of breaches stemmed from a software supply chain attack. Also, in another Forrester report, “What 2023’s Most Notable Breaches Mean for Tech Execs,” third-party vulnerabilities were the top cause of breaches in 2023 and comprised 23% of all breaches.

How Forrester Chooses Its Security Leadership Award Winners

Forrester had opened nominations for the award on May 1. Balaouras said the evaluation process is similar to a security maturity assessment. Companies must show metrics or KPIs that prove ROI, and they should exhibit how they approach security by design and privacy by design.

“We talk about their overall approach to embedding security, privacy and risk management across the enterprise not as discrete functions, but how they embed it across the enterprise,” Balaouras told InformationWeek after the session.

Balaouras stressed that Forrester doesn’t handpick the winners. “We put out the award and put out the criteria, and we invite companies and organizations from the public sector to look at them and nominate themselves,” she said.

Barclays received the award in 2023 for maintaining trust and transparency in its universal banking operations and for its human risk behavior metrics that revamped the company’s security culture.

A key factor in Schneider Electric’s success in managing security and risk is making trust concrete, according to Balaouras.

“When I compare Barclays to Schneider Electric, I think one thing they had in common was executive-level commitment to security, privacy, and risk management as critical features of building trust,” Balaouras said. “Both organizations from top to bottom really had buy-in.”

She continued, “When I look at Schneider, they put trust front and center, and they had operationalized it. What was truly unique at Barclays … last year was they had really extensive security awareness and training for a large financial institution. They had really mapped out all the complex matrices, all the different stakeholders


Finding Your Shadow: Can Shadow IT Be Controlled?

The notion of shadow IT as risky business can be instilled in IT strategy. Shadow IT emerges when departments or employees use software, hardware or applications without the knowledge or oversight of the IT department. By adopting this tech, these departments or individuals become dependent on such tools, unbeknownst to the IT team.

It’s been around for a long time but has become increasingly common with the rise in consumer knowledge of tech and the number of cloud services — and now generative AI tools — available. On top of this, vendors have made it easier for users to gain access to their services by purposely subverting IT teams. In the past, for example, employees always required an admin to install an application. However, vendors have streamlined this process by installing applications into user-controlled areas.

Just like how plants and trees can grow wildly without proper management, unauthorised IT systems can proliferate, creating a tangled mess that’s hard to control. Gartner has predicted that by 2027, three quarters of employees “will acquire, modify or create technology outside IT’s visibility — up from 41% in 2022”.

So, how do you approach the seemingly impossible task of maintaining unmanaged assets and resources without disrupting the whole business ecosystem?

The Risks of Shadow IT

The main danger of shadow IT is that it is an unmanaged risk — and IT can’t mitigate threats they don’t know about.

Unmanaged personal devices like smartphones, laptops and wearables, which employees use on the enterprise network but fall outside of a company’s bring your own device (BYOD) policy, are common instances of shadow IT. These can make the network vulnerable to potential breaches like bad actors spreading malware or ransomware.

More covertly, these security gaps can extend to ‘out-of-sight’ cloud services. For example, sensitive business data may be stored on personal cloud accounts without the necessary encryption or multi-factor authentication that might be used on managed servers. This means the business is vulnerable to data breaches and cyberattacks, creating critical risks that IT aren’t even aware of.

Any unauthorized third-party software in use may also breach company data protection standards and quality assurance. Users without the necessary skill and training won’t be able to effectively configure and secure such tools.

Operationally, shadow IT creates lots of data silos and restricts data sharing. As IT doesn’t have a bird’s eye view of operations, they can’t control or secure these systems, spot inconsistencies, and effectively manage overall resources and costs.

The Benefits of Securing Your Shadow

Shadow IT usually emerges from users not being able to get the services or functionality they need through managed assets and resources. They might not have enough cloud storage space and so use a personal account or use external third-party software as the ‘approved’ software doesn’t give them the capabilities they require.

Therefore, despite the embedded risks of shadow IT, companies shouldn’t look to eradicate these applications. Instead, IT can either offer efficient ways of transferring data onto secure systems or transfer applications onto managed servers without changing the applications themselves, akin to pulling the rug from under your feet.

Through this method, they can deliver faster tech, more efficiency and better security while needing less training for staff and lower costs. Crucially, this transition brings very little operational disruption.

Managing Your Shadow

Securing your shadow is just the start — managing it is an ongoing activity.

Creating an open dialogue with employees that encourages them to report any unmanaged applications gives IT visibility. Establishing robust BYOD policies is another way to keep on top of your shadow.

It’s also worth IT interrogating training processes and knowledge sources. How aware are staff of the risks of shadow IT? Where do employees go to remedy tech issues? Often search engines are the first port of call, with Large Language Models becoming increasingly popular. And it’s not just about reporting devices and training, but ensuring there is a regular flow of feedback from staff about any issues they are having with current systems or extra functionalities they might need.

Instead of reprimanding staff for using unmanaged software, companies should enact an open and constructive approach to shadow IT, one that learns from why users have needed to use such tools. That way, IT can manage standards and improve operations — and that leaves less chance of the shadow growing uncontrolled.

Controlling Your Shadow

When companies begin to migrate their technology, they can discover they have a large amount of shadow IT that stretches way beyond what is visible and managed. These applications are connected under the surface and are business critical. If you remove the roots, the tree can no longer survive. And if you remove a tree, you impact the whole forest.

At the same time, from data breaches to lack of visibility, the risks of shadow IT are aplenty.

Faced with this dilemma, companies need to prioritize a strategy that enables these applications to run on managed servers, creating secure environments with little operational disruption. With a positive approach to shadow IT, risks can be controlled and innovation promoted and encouraged.


What Do We Know About the New Ransomware Gang Termite?

Termite is quickly making a name for itself in the ransomware space. The threat actor group claimed responsibility for a November cyberattack on Blue Yonder, a supply chain management solutions company, according to CyberScoop. Shortly afterward, the group was linked with zero-day attacks on several Cleo file transfer products.

How much damage is this group doing, and what do we know about Termite’s tactics and motives?

New Gang, Old Ransomware

Termite is rapidly burrowing into the ransomware scene. While its name is new, the group is using a modified version of an older ransomware strain: Babuk. This strain of ransomware has been on law enforcement’s radar for quite some time. In 2023, the US Department of Justice indicted a Russian national for using various ransomware variants, including Babuk, to target victims in multiple sectors.

Babuk first arrived on the scene in December 2020, and it was used in more than 65 attacks. Actors using this strain demanded more than $49 million in ransoms, netting up to $13 million in payments, according to the US Justice Department.

While Babuk has reemerged, different actors could very well be behind its use in Termite’s recent exploits.

“Babuk ransomware was leaked back in 2021. The builder is basically just the source code so that anyone can compile the encrypting tool and then run their own ransomware campaign,” says Aaron Walton, threat intelligence analyst at Expel, a managed detection and response provider.

How is Termite putting the ransomware to work?

“Researchers have found that the group’s ransomware uses a double extortion method, which is very common these days,” Mark Manglicmot, senior vice president of security services at cybersecurity company Arctic Wolf, tells InformationWeek. “They extort the victim for a decryptor to prevent the release of stolen data publicly.”

A new ransomware group is not automatically noteworthy, but Termite’s aggression and large-scale attacks early on in its formation make it a group to watch.

“Usually, these groups start with smaller instances and then they kind of build up to something bigger, but this new group didn’t waste any time,” says Manglicmot.

Termite’s Victims

Termite appears to be a financially motivated threat actor. “They’re attacking victims in different countries across different verticals,” says Jon Miller, CEO and cofounder of anti-ransomware platform Halcyon. “The fact that they’re executing without a theme makes me feel like they’re opportunist-style hackers.”

Termite has hit 10 victims thus far, in sectors including automotive manufacturing, oil and gas, and government, according to Infosecurity Magazine.

The group does have victims listed on its leak site, but it is possible there are more. “Maybe we could guess that there might be another handful that have paid ransom or have negotiated to stay off of [the] data leak site,” says Walton.

Given the group’s aggression and opportunistic approach, it could conceivably execute disruptive attacks on other large companies.

“Termite seems to be bold enough to impact a large number of organizations,” says Walton. “That is normally a risky tactic that really brings the heat on you much faster than just … hitting one organization and avoiding anything that could severely damage supply lines.”

The attack on Blue Yonder caused significant disruption to many organizations. Termite claims it has 16,000 e-mail lists and more than 200,000 insurance documents among a total of 680GB of stolen data, according to Infosecurity Magazine.

The ransomware attack caused outages for Blue Yonder customers, including Starbucks and UK supermarket companies Morrisons and Sainsbury’s, according to Bleeping Computer.

Termite’s exploitation of a vulnerability in several Cleo products is impacting victims in multiple sectors, including consumer products, food, shipping, and trucking, according to Huntress Labs.

Ongoing Ransomware Risks

Whether Termite is here to stay or not, ransomware continues to be a risk to enterprises. “With certain areas of the globe being destabilized, we could see even more of these types of behaviors pop up,” says Manglicmot.

As enterprise leaders assess the risk their organizations face, Miller advocates for learning about the common tactics that ransomware groups use to target victims.

“It’s really important for people to go out and educate themselves on what ransomware groups are targeting their vertical or like-sized companies,” he says. “The majority of these groups use the exact same tactics over and over again in all their different victims.”
