30 July 2021

The need to look beyond cyber

elevenM Principal Pete Quigley explores whether a siloed mindset is constraining the value digital risk professionals can bring to organisations and their clients.

I was lucky in the early 2010s to be consulting into Australia’s financial services industry when AWS came to town. I saw first-hand the internal struggles between business and technology teams who wanted to adopt a cloud-first strategy and risk, privacy and security teams who felt they were giving away the keys to the castle.  

Based on my position at the time with PwC, I had a number of fireside chats with the technology risk team from APRA, Australia’s financial services regulator. APRA foreshadowed an impending situation in which institutions would become reliant on digital channels to service their customers, but would lack visibility into what individual services and vendors made up those channels.  

Fast forward a decade and most revenue producing digital channels leverage a multitude of vendors to provide critical online services. One such widely-used vendor who has been hitting the headlines recently is Akamai. 

Akamai provides a number of services to optimise and protect digital channels. The nature of these services requires that you allow Akamai to manage critical digital services like Domain Name System (DNS). For those unfamiliar with DNS, it acts as the phonebook of the internet and allows users to connect to websites using domain names such as elevenM.com, instead of IP addresses.  

DNS is commonly considered to be a fragile system. When there are errors in the use or updating of this phonebook, users can’t find websites. This was the case with Akamai recently, whose DNS failure led to a massive internet outage

When I am asked what elevenM does, I usually revert to our tagline of ‘specialist cyber, privacy and data governance professionals’. I say that because it is what people understand and can draw a line to specific services and, indeed, specific outcomes. Within elevenM, however, we talk in terms of digital risk – the risk our clients face when operating in a digital economy.  

The outage caused by a bug in Akamai’s DNS service was not cyber, privacy or data governance related. In fact Akamai was at pains to say the issue “was not a result of a cyberattack”, even though it had very little else to say about the root cause. 

But the issue still had a significant impact on the availability of the digital channels of a large portion of the internet, and thus on the trust and confidence of users of those services – which is arguably ultimately what our industry is about. 

So, is it time we stop talking about specific delivery-focused silos and start thinking in terms of the customer’s digital experience? To more holistically assess risks to those digital experiences and how we are effectively measuring and managing those risks?