Studies show that digital transformation is accelerating as companies try to navigate the post-pandemic market landscape.
With demands shifting and new security threats emerging, companies are exploring new ways to become agile and resilient. And as many of them start relying on data-driven insights and cloud infrastructure more, they will also need to rethink how they are protecting their most valuable asset: their data.
A recent FutureCIO virtual roundtable, sponsored by Veeam, explored how companies examine their data protection and backup strategies as they drive digital transformation. Participants also discussed how data responsibility does not disappear with the cloud and why companies need to double down on data protection as they embrace hybrid working.
Preparation is critical for transformation
Brian Chan, IT director at Jebsen Group, noted that digital transformation is not just about technology changes. To truly transform, companies need to be ready to change their business processes — which he stressed was the most challenging part.
One approach is to start by re-examining all business processes. “Just because a process exists today does not mean it needs to be there. So, for me, we need to first reduce the unnecessary processes and approvals before we talk about new things,” said Chan.
Another challenge with digital transformation is data integrity, which becomes complex when a company has numerous mission-critical legacy applications and data on-premises. And because a company would have organically grown their data and storage infrastructure, they would have “rubbish data and hidden storage,” said Ricky Chow, head of IT group at Delta Financial Group.
“The most challenging item is not only the technology change but the data integrity of the legacy system. There are so many [unwanted] data which we need to take out, and there are many hidden storage [systems] we need to consider,” Chow explained.
Chow noted that data integrity is one of the reasons why migrating legacy data is difficult. CIOs will need to address this problem before thinking about digital transformation and data migration.
Transformation success also requires a high level of transparency with users, pointed out Stefan Kung, IT director at the Hong Kong Economic Journal. He noted his company saw better acceptance as they became clear about the transformation goals with the employees.
However, Kung observed giving employees too many choices will only slow down the transformation. Instead, HKEJ decided to start their transformation of the systems and processes first while keeping the employees abreast of the changes. It included moving to a multi-cloud environment “where mobility is a little bit easier,” he said.
“[Transformation success] in the end comes down to culture. If you ask whether people want to change, they will probably not know how to respond. When you change, they will probably follow,” said he added.
The role of data protection in digital transformation
Many digital transformations aim to maximize (and even monetize) corporate data. It makes first-party data the most important asset. Protecting it becomes a priority.
But in modern enterprises, much of this data resides in different locations. And with cloud becoming the preferred go-to infrastructure, how does it change the role of data protection?
The roundtable participants share two ways. The first is to clearly demarcate what public-facing data is and what is not. “We [store] public-facing data and that for internal use differently,” said HKEJ’s Kung, highlighting the hybrid approach at his company.
He described that mission-critical data is stored on-premises and in a private cloud. The rest is available on public data, which is encrypted for data protection.
Shane Read, chief information security officer at Noble Group, offered an alternative way. “We are a cloud-first organization, and we do not have the luxury of not going to the cloud.” It means that the company does not have any on-premises data storage; everything is now on the cloud.
In such a setup, Read noted risk ownership and risk transfer become essential. More importantly, risk management becomes the responsibility of the data owner, which in this case is Noble Group.
“You can never transfer out the risk to a third party. The risk has to be accepted by the company. The risk ownership of the controls you put in place is still yours, and your risk mitigation strategy is still owned by you. And if your data is lost, because of your inability to configure those platforms correctly, the ownership of [the breach] is on you as well,” Read explained.
Joseph Chan, senior regional director at Veeam, agreed.
“The cloud [platform] provider is not a charity. Every risk is taken by yourself.”
Joseph Chan, senior regional director at Veeam
Use current incidents to highlight good data protection practices
This makes attacks like ransomware a Board-level concern, especially when the company’s operations — not just reputation — are at stake. This is why companies need to rethink their data protection strategy.
Blaming it on COVID-19 is not good enough either. “We cannot blame COVID-19. Criminals are criminals, and they saw the opportunity with COVID-19,” said Noble Group’s Read.
He noted that many employees worked within secure, firewall-ringed zones in their company offices. When the pandemic forced them to do remote work, it increased the threat surface. Mindsets also changed as employees were no longer as vigilant as when working in a corporate environment.
This combination of factors allowed cybercriminals to become successful with ransomware. “I think every organization in Hong Kong would have seen it just because of the way these criminals operate,” Read added.
Read felt that companies need to address these issues now. Companies looking to make remote working permanent and entertain hybrid working strategies will also need to ensure that their data is well protected.
Jebsen Group’s Chan echoed some of Read’s thoughts. Having experienced first-hand a ransomware attack, he noted the backup storage value as part of the data protection strategy.
The problem with backup is that people do not see the need to spend their effort on it. “But once people feel the pain, they are more willing to back up their local data,” said Chan.
Both Jebsen Group’s Chan and Noble Group’s Read shared that they are looking at various strategies to protect data and recover from ransomware attacks. These include having a cloud-based disaster recovery, cloud-based backup, and having on-premises backup data.
Seeing the bigger protection picture
Participants advised that backup should not be done as a single, isolated project. In today’s digitally connected world, it should be seen as part of a digital transformation strategy. And it should be part of one right from the onset.
This was the reason why Akina Ho, head of digital transformation and innovation at Great Eagle Company, spent a lot of time convincing her senior management of the value of a robust data protection strategy. She engaged consultants and meetings with other competitors who have implemented such a strategy successfully.
Speaking from experience, Ho argued that companies should not expect the hired consultant or implementation company to drive all transformation changes. “Change management means [the company has] to change. Consultants cannot make us change if we are not ready.”
She noted that companies need to adopt a different mindset, which is often where many companies struggle. It also requires senior management to buy into a change management project and drive this change themselves and throughout the company.
“I couldn’t agree more. This is about business ownership,” added Noble Group’s Read.
For some companies, it required both a top-down and bottom-up approach. And it also requires time for a company to change. For example, Jebsen Group’s Chan noted how the operation teams were initially sceptical of the new robotic process automation (RPA). “But then after a year, after some success cases, they are starting to ask how RPA can help them in meetings.”
Vendors are also responding to the call for better returns on backup investment.
For example, Veeam is helping companies to replicate data from the production site to another site. It reduces the backup data size while increasing the ROI of backup data is always in use for testing and sandboxes. The same data can be used to hone security strategies, maximizing resilience.
Innovation such as these will also change the way we look at backup forever and make it part of the business. And as the global environment recalibrates itself for a post-pandemic world, participants felt it is about time we make backup and data protection our topmost concern.