DigitalTransformationTalk: Data Sovereignty in practice - securing critical operations
DigitalTransformationTalk · 2026-05-07 · 48 min
Substance score
49 / 100
Five dimensions, 20 points each
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
The episode contains a handful of genuinely useful operational insights - dirty-backup restoration causing a third breach, key-holder nationality as an extraterritorial-law defence, and double-extortion exfiltration tactics - but the majority of runtime is consumed by repeated generic advice (classify your data, use a framework, understand who has access) that any informed B2B operator already knows. Filler and restatement dominate.
people are restoring from their backups and they're restoring dirty data, they're restoring the problem back into production and they'll get hit a third, uh, time
if the person holding the keys is from a different nationality and under a different jurisdiction, they can't, they don't necessarily have to hand over those keys
Originality
The key-holder nationality point and the crypto-agile architecture framing are modestly fresh, but the bulk of the discussion recycles well-worn frameworks: zero trust, NIST CSF, data classification, assume-breach. Nothing challenges received wisdom or offers a genuinely contrarian angle on data sovereignty.
who holds those keys, what nationality they are, and are they part of your organization? Because when they come and try to take your data and they use a formal legal request, if the person holding the keys is from a different nationality and under a different jurisdiction, they can't, they don't necessarily have to hand over those keys
we should also try to design perhaps what I would call crypto agile architectures
Guest Caliber
All three guests are legitimate practitioners - a field CTO at NetApp, a data and AI leader at Siemens, and a principal engineer for cyber defence at NATO - giving the panel real operational credibility across commercial and defence contexts. None are career podcast guests, though the conversation rarely extracts their deepest institutional knowledge.
I am in from Dubai today
I had the pleasure of working with John last year on a conference
Specificity & Evidence
There are useful concrete references - the Cloud Act / French-court Microsoft disclosure, the Vegas casino elevator outage, DORA, NIS2, a 99% accuracy claim on university UBA deployment, and the Airbus hybrid-cloud example - but headline statistics are dropped without sourcing rigour and many claims remain hand-wavy ('there are so many implications').
we installed at universities... the AI tool had to learn the behavior and then spot malicious actions. And it did. And it also didn't throw any false flags
in Vegas, two major casinos got taken offline and they couldn't even move the elevators because everything's Internet connected these days
Conversational Craft
The host reads pre-written statistics at the top of each segment and asks broad open-ended questions ('What are your thoughts on the article?', 'What advice do you have?') with almost no genuine follow-up or pushback. Audience questions are handled but not probed, and guest claims go uniformly unchallenged throughout.
Adam, um, Luke mentioned the study from NIST. Do you have anything else to add that might be a good resource
Now Michael, what are your thoughts on the article? This certainly highlights the EU's broader push into data sovereignty. What are your thoughts?
Conversation analysis
Computed from the transcript - who did the talking, and the verbal tics along the way.
Share of words spoken
- Speaker B: 33%
- Speaker C: 25%
- Speaker A: 23%
- Speaker D: 19%
Episode notes
This is the audio-only version of our weekly digital technology and innovation talk show, DigitalTransformationTalk. Join us for free by visiting
The panel discussion is titled: DigitalTransformationTalk: Data Sovereignty in practice - securing critical operations
- Moving from compliance to confidence - achieving Digital Sovereignty in Europe
- Building quantum-ready security for sovereign data
- Data control for mission-critical manufacturing and defence operations
This episode is hosted by Kevin Craine. Panel:
- Michael Taylor, Data, Technology, & AI Leader, Siemens
- Luke O'Brien, Principal Engineer (Cyber Defence), NATO
- Adam Gale, Field CTO for AI and Cyber Security, NetApp
Full transcript
48 min · Transcribed and scored by The B2B Podcast Index.
Speaker A: Hello, everyone. Good morning, good afternoon, good evening wherever you are, whatever your time zone. Welcome. This is Digital Transformation Talk, and I am your host, Kevin Craine. Welcome to the show. Today we'll be discussing the topic of data sovereignty in practice. This is a topic that is increasingly critical for organizations in all business sectors. As geopolitical tensions rise and regulatory frameworks evolve, organizations face the challenge of maintaining true data sovereignty. The ability to control your data absolutely, regardless of where it resides or who manages the infrastructure, is critical. But recent research from IDC indicates that over 65% of enterprises report gaps in their control and visibility across international borders. So today we'll explore how organizations in Europe can overcome these gaps and put effective data sovereignty into place. We'll cover three important discussion points: understanding and implementing data sovereignty in Europe, building quantum-ready security for sovereign data, and data control for mission-critical manufacturing and defense operations. It's going to be a great discussion today, and we're going to dive in here in just a moment. But first, I want to say thank you to everyone attending today, and that includes the folks that are joining us live on LinkedIn and the folks that are joining us today on Zoom. Thank you all for joining us during today's discussion. Look, we'd like to hear from you, too, so I'd like to encourage everyone attending today to participate. Join in with your comments in the chat section, and if you have a question along the way, just jump on in. I will attempt to get some of your questions and comments into the flow of our discussion today. All right, let's get to our great panel of guests today, starting with Adam Gale, Field CTO for AI and Cybersecurity at NetApp. Adam, are you with us?
Speaker B: I am. Thank you very much for having me.
Speaker A: Hello, Adam, where are you calling in from today?
Speaker B: I am in from Dubai today. Hence the reason why it's a little bit dark outside, because it is 7pm here.
Speaker A: Okay, very good. All the way from Dubai. Well, Adam, it is great having you with us. Thank you so much. Also joining us today is Michael Taylor, data technology and AI leader at Siemens. Michael, are you with us?
Speaker C: Yes, I, um, am. Thanks for having me.
Speaker A: Hello, Michael, where are you calling in from today?
Speaker C: Calling you from Germany.
Speaker A: All right, very good. Well, Michael, it is great to have you. Very good. All right, well, looking forward to having you with us today, Michael. Thank you so much for being with us. Also joining us is Luke O'Brien, Principal Engineer for Cyber Defense at NATO. Luke, are you with us?
Speaker D: Hey. Good afternoon. Great to see you. And I'm, uh, calling in from Brussels in Belgium.
Speaker A: Well, Luke, Michael and Adam, it is great to have you with us today. Look, I'd like to start our discussion today by pointing our attention to an article published recently by Reuters. Um, the article talks about the European Commission awarding a, uh, 180 million pound, six-year contract for four European cloud providers to deliver sovereign cloud services for more than 40 EU agencies. The move is aimed at reducing reliance on non-European tech firms and strengthening control over sensitive data. This certainly highlights the EU's broader push to digital sovereignty and improved security. I'm wondering what you folks think about this article and if it's missing anything important that we should consider. Adam, what are your thoughts on the article?
Speaker B: I think there is a lot that could be discussed here. It is quite a short article, but two things I like about it is one that it brings to the attention the amount of money that's being invested in these services, which are critical. And as you rightly mentioned, you have IDC putting it as one of their top three things that most executives are looking at. And the second thing for me is that it calls out the European Framework for Sovereignty, which is a great starting point for anybody who's interested in this sort of subject. I fully recommend reading it and going to it because it's a good definition, a good place to start. So I like the article.
Speaker A: Now, uh, Michael, what are your thoughts on the article? This certainly highlights the EU's broader push into data sovereignty. What are your thoughts?
Speaker C: Yeah, no, definitely. I also like the article very much. You know, as Adam said, um, a couple of things that no one could say about it, but I like the idea that um, they are actually using, uh, the cloud and sovereignty framework as the basis to, for procurement. Um, it is a significant milestone, but of course it's not the final answer to that. Um, because for me at least, um, there are a couple of things that one has to consider when you think about sovereignty. There's a lot of dimensions that um, one could talk about, but of course it is a very great or good starting point. And let's see exactly how it pans out the execution of that. Because for many industries perhaps how do you integrate that, how can it scale? And so many other aspects to that. But as a fourth step, I think it's a great start.
Speaker A: Now Luke, these four European, uh, cloud providers, Post Telecom, Stack It, Scaleway and Proximus, will be delivering cloud services to more than 40 EU agencies. What do you believe this is saying about the future of data sovereignty in Europe?
Speaker D: I think it's a great development. I think it really shows the push from the European perspective to create a more diverse marketplace, uh, for these types of services. And it shows that, uh, there's real serious investment in building that, um, sovereignty and resilience within, uh, Europe. And I think it's great that the EU, one of NATO's, uh, trusted partners, is, uh, developing this, uh, and creating a platform that its agencies can use, um, because that really helps bring everybody together, um, to a more resilient and more sovereign, uh, standing for their IT infrastructure. So yeah, I think it's great news and a great development.
Speaker A: The article is from Reuters. It is here in the chat feature, the link to the article. Everyone, let us know what you think. Take a look and let us know what you think. Does it resonate with you, and, uh, what does that mean for, uh, your strategies as you're putting your strategies together? All right, well, very, uh, good. Well, gentlemen, what a great place to start. I'd like to move us into our main discussion points today, and really talking about moving from compliance to confidence in achieving digital sovereignty in Europe. It's about more than storing data in a specific location. It's about ensuring complete control and governance and compliance. Over 60% of multinational organizations report inconsistent control practices, uh, and greater operational risk. So Adam, how do you define data sovereignty in real practical terms for organizations today, especially in the EU?
Speaker B: I think that is a great question because as Luke Michael said, it's a huge subject. Huge. And you can get really lost in it, particularly when each customer or person you're talking to has a different definition of it. So that's why it's great that we have the framework. But for me I boil this down to two things and you've already been using one of the words, which is controlled control is paramount. Can I control my data? Uh, can I control my services? And then the second is security. Can I secure them? If I lose control of security or I lose security, I have lost sovereignty in my. In. That's my opinion. You have lost sovereignty. So you absolutely need these two things. And the more you dig into that, I feel like you'll fit everything into those two buckets. It's a very oversimplified view, I understand that. But I can boil it down to those two. And taking data, I'm just going to pick apart the data. One, general organizations, NATO, for example. Hundreds of countries or hundreds, I, uh, think it's 30 something countries feeding into that Going to have data all over the world. Can I control it? Can I move from place to place? Can I give access to somebody at the right time? If I can't do that, do I truly have sovereignty? So that is where it is leading for me. That's where I start my conversations with customers.
Speaker A: Can I control it? That's a good question. You're talking about really important building blocks, control and security. Adam, from your point of view, what strategies do you feel are most effective to enforce control and compliance without slowing down our operations?
Speaker B: Well, I feel like we should use the tools we already have on the truck. Um, I think people boil the ocean too much. Let's start looking at security to begin with, because you are much more likely to lose your sovereignty via a bad actor, someone hacking you, uh, than you are via a nation state using an extraterritorial law to take your data, such as Microsoft gave up some French data. I believe they admitted that in French court, to the US Government under the Cloud Act. That doesn't happen very often, but it has created ripples around the world. Now, you're much more likely to lose sovereignty realistically by someone just breaching your cybersecurity defenses. So security is where I'd start. And it's probably the most well-trodden, uh, path, because we have so many tools already that we can use. Let's take a really powerful tool: user behavior analytics, AI-infused user behavior analytics in your environment, watching what people are doing. And if somebody steps out of their everyday comfort zone, for example, sending data here, sending data there when they shouldn't be, creating data in areas they shouldn't be, it's more likely to be a threat and you need to be able to lock that down. The speed of the threat is increasing because of the use of AI, so we need to use AI to combat it. Just a final note on that piece as well: it helps you protect against those extraterritorial laws where people are taking data out, because you need to look for that, look for those people siphoning data out of your system. And the only real way to do that is hire hundreds of people, which you can't really do, or use the tools we have. And those are user, uh, behavior analytics, which are security.
Speaker A: Michael, from your perspective, how does data sovereignty influence IT and operational workflows, especially in high-security sectors?
Speaker C: Yeah, I think it is, um, there are so many implications there, right. In terms of, like, how it will affect the way we operate. Because as Adam said, when you think about the data sovereignty, I think one aspect is the control. And the other aspect is security. For asset-intensive industries or industrial, you know, companies, data is not only an asset, but it is also a strategic capability. Right? And so you must have an understanding of where your data is, who is having access to that data, because that data also contains, you know, sensitive information. There are, you know, a lot of things there that you don't want to get in the hands of the wrong people. And so if you don't have very good control, if you don't have a way of knowing where your data is, who is accessing that data, if you don't have a proper way of categorizing your data to understand which part of my data needs to be in the cloud, on the edge, or on prem, for example, then it's going to be very difficult for you to trace if something goes wrong. Let's say there is a kind of a breach or cybersecurity breach and you don't have any measures in place; then at least there are a lot of implications from the brand perspective, from the customer experience perspective, you know, loss of revenue. So there are a lot of implications at least. And so therefore companies really need to take this as very, very important, as something that they need to put under control, at least in terms of how they manage their data, uh, who has access to that and where the data actually resides, you know, where the computation is actually happening. Not only does the data need to be secured when it's at rest, but also when it's actually in motion or when it's in use. So all of these things require, um, a different way of control. And so therefore it is very important. If you don't put it under control, then of course there are all of these consequences that you have to deal with later on.
Speaker A: Now Michael, when I think of sovereignty, I certainly think of control and security as you're talking. But what about jurisdictions? How do we balance centralized control with local regulatory requirements across multiple jurisdictions?
Speaker C: Yeah, I think that is, I think for many people when they talk about, or when they hear about, sovereignty, I think that is the most important question. Right, the jurisdiction aspect of it, um, in that sense. I think having the balance in itself, I think it's going to be important. But at least in the article that we just, um, talked about, in a way you look at some of the providers. I think one of them there also suggests that Alice is also using Google Cloud, for example. So my intuition is that, um, yes, the jurisdictional aspect of it is very important, but it's also about not necessarily that, um, the providers only need to reside in Europe, for example, but it is about, um, the kind of laws that govern that kind of control in that sense. Right. We actually have control of that data irrespective of where it is. And so I think it is very important. And then keeping that kind of a balance, perhaps it's something that companies will have to deal with in a way.
Speaker A: Now, Luke, how does an international security organization approach implementing and verifying data sovereignty across allied networks?
Speaker D: Yeah, it's a very interesting challenge because NATO is an alliance of 32. We work together, um, at all times, you know, we work together not only here in the office and here in Belgium, but of course at our locations all over the world. And it's not just for us as a security-focused and defense-focused alliance. It's not all about peacetime. We have to think about crisis and we have to think about conflict. That means we need to be ready from day one, um, to be able to work together and, if needed, together. So that's very challenging. So we have, um, a really strong focus on what we call interoperability. And it's a point that Adam made earlier about everyone speaking the same language. So we have lots of standards. We agree these standards together as 32, and we say, hey, for data labeling, for data tagging, we can use this standard, and all of our technologies should be able to use that and interoperate together by default. So you shouldn't have to go above and beyond to do that. It should just be the baseline way of working. So by having that, uh, emphasis on standardization, we can achieve that interoperability. And that means that we can work together from the start of, uh, any situation.
Speaker A: And Luke, what lessons from defense operations can private sector organizations apply to protect their data?
Speaker D: Yeah, great question. So, um, I think the information security field really does have a lot of roots in defense and security. Um, there's a huge amount of people from the armed forces, previous backgrounds, working in cyber security. And I think that culture is sort of there still to this day. You know, we kind of invented classification of data through things like calling things top secret or secret. So classifying your data and understanding what it means in, uh, a private enterprise is very important. Is this HR data? Does that have certain, um, regulations, uh, around it? Is that health information that has certain very strong protections? The GDPR is a great way to start looking at your data and classifying it by where there is a potential impact, uh, under that particular piece of legislation. So yeah, starting with understanding what your data is, giving it a label, uh, that will help you then to do more advanced and interesting things. We've already talked about AI. AI doesn't work without high-quality data underneath it. So starting from that as a good foundation means, uh, you've got a whole host of options to choose from.
Speaker A: This is Digital Transformation Talk. I am Kevin Craine. We're here talking about data, uh, sovereignty in Europe. We're here with Luke O'Brien from NATO, Michael Taylor from Siemens, and Adam Gale from NetApp. Now gentlemen, before I move on to our next discussion point, we do have a question or a comment coming in from, uh, our audience today. This one coming in from Morgan. Uh, Morgan, thank you for your contribution today. Morgan says this: uh, can you realistically achieve true data sovereignty while still relying on global cloud providers, or does that require a more fundamental shift in architecture? I'll put it out to the entire group. Anyone have any feedback for Morgan?
Speaker B: I would say that the cloud providers, the major cloud providers, are certainly trying. You have, uh, AWS, you have Google spinning up what they are providing as, uh, or they are saying are, sovereign instances in Europe, for example, where they are separating, uh, stuff out. So you only have European staff, for example, and they're separating out the support function. So they're even building different legal entities. They're going from the top down now; they're absolutely trying, uh, their argument is yes, we can, but that will entirely depend on your definition of what you need from your sovereign solution. Now in the defense industry, as Luke points out, I think they're the kings of sovereignty. They define it, um, your true sovereign solution. For me a real sovereign solution is the dark site, a nuclear power station or something like that, where no one can access the data apart from the people on site. That data can't come out, it can't go anywhere. But that level is so, you know, restrictive in its functionality that it's not useful to everybody. So my definition of sovereignty, which is the one that I tend to talk to with customers, is the hybrid model: having that sort of very locked-down environment at, um, home or in my business, and then being able to use the clouds at the same time and non-disruptively move around my workloads and then scrub where I've been. So I've been in the cloud. I don't want to operate in the US or Singapore somewhere. Pull it back into my home country and then scrub everything that was there so there's no trace of it. And this is where you find most of the major sort of, uh, infrastructure providers are the ones that are real critical to our services.
Speaker D: Let's take Airbus for example.
Speaker B: That's what they do. They have critical services on prem in their own sovereign cloud, but they still use AWS and they still use the cloud. So hopefully in there you might find the answer to your question, Morgan. But I know it was quite an elaborate one.
Speaker A: Well, thank you Morgan for your contribution. And folks, if you have a question or comment for our panel, please just jump on into the chat feature and we'll get to it as we move through our discussion today. All right, let's move on to our second discussion point today. And that is building quantum ready security for sovereign data. Emerging threats such as quantum computing, AI enabled attacks, evolving regulations are shaping the landscape. 70% of organizations report they are not ready for quantum era cybersecurity threats. Underscoring the importance of foresight. Now Adam, what are some of the most critical challenges in securing data while ensuring operational continuity?
Speaker B: In the frame of quantum, which you mentioned there, this is quite a big one, I think. Um, I liken it to, um, the millennium bug, which, if you've got gray in your beard like me, you will remember. But, uh, for anyone young who's listening in, it was this great big problem we had where all the clocks were going to change to the year 2000. We thought the computers were going to explode or they'd turn to AI and start attacking us. Obviously that didn't happen and we're all still here and everything's okay. The reason it didn't happen is because we're sent backs. We had a bunch of talented engineers fixing this problem for us all over the globe. I think we're at the same place with quantum computing now. Legacy encryption standards are everywhere. They're on my phone, potentially they're in my laptop, they're in our communications, or at data at rest, in transit. We need to go back and fix all these and put in the latest standards, which is not as easy as it sounds. It is going to be a level of man effort. So that is where we are now. We have already started baking this into our products, and our partners have too. So when we say about this, I usually say, if you take one thing away right now, go home, I'll go back to work. Sorry. In work, look around your environment, uh, holistically, look at your operating systems, look at everything, look at your applications, and start finding those legacy standards, start documenting them and start replacing them.
Speaker A: And Adam, I'm curious, you were talking earlier about using AI. How do we use AI and automation to help detect and prevent breaches in high value operational data?
Speaker B: Oh, there are so many great applications here. I think, uh, it's also, I like to say, for the one time we truly have the upper hand, uh, in the good versus bad, if you will, sort of, uh, attack. Here we have a tool on our side, AI, which is so powerful it gives us a huge leap up, a huge jump there, leap forward. And the best key use case I've seen, it really is with that user behavior analytics I've seen. Now that's cross-platform, that's something you can do pretty much anywhere. And, uh, it's incredibly powerful on our products. We once, uh, set it up in the most difficult environment you can think of, difficult environment on the planet. And it came back with a 99% accuracy rate. When I say that, people think, oh, we went to NATO and did it. No, I didn't go to NATO, I didn't install it in a CIA, uh, black, uh, site. We installed it at universities. Now universities are incredibly hard to do this with because the students are always coming and going. So it's really difficult to learn their patterns of behavior. Students take it, ah, as their personal mission to break whatever it is you install for them. And also in the UK, where we installed it, they're always a little bit drunk, so you never know what they're going to do. And the system, the AI tool, had to learn the behavior and then spot malicious actions. And it did. And it also didn't throw any false flags. It didn't go, here's a problem, when it wasn't, because you do get a sense of false, too many false flags end, uh, up having a fatigue in your environment. So for me that is the future of cyber security. We have to use this tool to protect ourselves because we literally can't employ and train enough people to do it and we can't respond quick enough.
Speaker A: Now Michael, as I mentioned, According to Deloitte, 70% of organizations report they are not ready for quantum era, uh, cybersecurity threats. What approaches do you feel work best?
Speaker C: Yeah, I think it is an interesting topic, right. I think for me the way to look at it is that, um, you know, to be quantum ready, it's not only about, it's not a feature topic. Right. We should not think about it in that perspective. I think, uh, and I like, um, the point that Adam made. But really understanding the lifecycle of your data itself, by the way you manage them. Because some data, like, you know, in the defense or manufacturing, you know, have a very long lifecycle in that sense. It's not about managing today and then you don't know what is happening in the future. So some of the things that perhaps I will think about is that try to understand or have an inventory of the data that you have, understand the different classification of them, the different sensitivity of them in that sense, and not only having this kind of categorization, but also understanding the way that data flows within your organization, in a way: data at rest, data in use, data in motion. So all of this will require different ways of how you manage them. And sensitive data, perhaps you can say I will store that on prem or at the edge, and less sensitive data, you can also think about maybe putting that in the cloud. Some of the practical things you could do is maybe looking at those terms, classifications, and have an inventory of the sensitivity of your data. Um, but also I think the other aspect is that, um, we should also try to design perhaps what I would call crypto agile architectures. Right. Because we should not look at it from the perspective that, okay, trying to predict the exact date of a quantum threat. Right. We should already start thinking about those type of things now and building this up on crypto agile architectures in a way that, um, when this technology is more matured and it's there to be used, you don't have to re-architect everything again, but it is already something that you started taking into consideration as you design your architecture, as you design your data models and all of these different things. So these are some of the things that perhaps I would say: start by classifying your long-lived sensitive data, design, say, crypto agile architectures. You can prioritize mission-critical systems and try to migrate in this kind of controlled way slowly until this technology matures, and then perhaps you'll be in a better place.
Speaker A: Now Luke, how is NATO approaching this? How is NATO getting ready for Quantum era cyber security threats?
Speaker D: Yeah, it's an absolutely, um, massive issue. It's going to be one that's going to emerge at some point. Um, quantum is one of NATO's, uh, nine emerging and disruptive technologies that we take a close interest in, and we're working collaboratively across the whole alliance to try and tackle this. So we have the Transatlantic Quantum Partnership, um, that is basically connecting quantum experts across the whole alliance. Uh, we have a quantum action plan about how we get ready for it, not only from the threats but also the opportunities. There's some really interesting technologies, um, that could be enabled or delivered, um, by quantum that might change the game in things like navigation, things like communication, ah, and sensing. Um, but for us we're on a, uh, long road to, um, look at the encryption, to start changing out those algorithms that are vulnerable to quantum attack and replacing them with quantum-ready ones. So a bit like, um, Adam and Michael have both said, look around your estate, have an understanding of what is going on in your own enterprise and identify those areas where they could be, um, affected by quantum. There is the threat of the harvest now and decrypt later, um, if, uh, certain algorithms are in use at the moment that could be cracked down the line. That's why you start looking at that data, classifying it so you can understand the impact. So yeah, um, quantum is definitely one of those technologies that is going to emerge in the next five years, let's say. Um, and it's going to change a lot for, uh, basically everybody, uh, in the world. But many of us don't really realize that yet.
Speaker A: Now gentlemen, we have another comment coming in from our audience today. Um, and Joseph has this to say and Joseph I think is asking a question I think is probably on everyone's mind right now. And Joseph says quantum threats still feel a bit abstract. What should we be doing now to prepare without over investing too early? Anyone have some advice for Joseph?
Speaker D: I think that's a really great question. Um, I think the first thing that you shouldn't do is go to university and start a PhD in quantum mechanics. That might be a bit uh, of an over investment but certainly um, as we've sort of all suggested on this um, on this webinar is understand how this might affect you. So maybe do a bit of reading. There's great guides out. Um, as Adam says in the comments there from NIST, um, various national cybersecurity uh authorities have published them. I know the UK and Germany um, have published things about quantum readiness. So um, I think understanding it a little bit is a good place to start so you can identify those quick wins ideally that you can make for example switching out those algorithms to the ones that are certified as being quantum ready. That would be a good, I won't say easy but uh, straightforward at um, least step to take in the first instance.
Speaker A: Adam, um, Luke mentioned the study from NIST. Do you have anything else to add that might be a good resource? I don't, unfortunately.
Speaker B: I think Luke really summed it up there. That's exactly what I would do. I would start by getting a paper and pen and documenting in my environment where I see this might be. So I think Luke nailed it. I won't take a bit more time.
Speaker A: And Michael, should we be investing now or should we be holding off on our investments?
Speaker C: I think, as all of us have said, I think, um, there are a couple of small steps that organizations should start taking so it doesn't really require significant investment in that sense. Like, you know, if you really have a very strong data strategy in house, you know, some of these questions are already popping up, right? You should be able to answer them. For example, you know, you're classifying your data, understanding, um, you know, you know, prioritize the mission critical systems. So all of these things are things that you can start doing now, right? You know, uh, it is perhaps part of the current, your current day to day data strategy discussions that you're having. So some of these questions can already, you can already start answering them by, you know, with these kind of small steps. So again, as you know, Adam is saying, and Luke, you don't need to go and start doing a PhD in quantum mechanics or quantum theory, a lot of these different things, right? So these small things I think you can already start doing without heavily investing in the hardware or some of these, um, technologies that are not yet available at least.
Speaker A: This is Digital Transformation Talk. We're here with Michael Taylor from Siemens, Luke O'Brien from NATO, and Adam Gale from NetApp. We're talking about data sovereignty in Europe. Now, gentlemen, let's move on to our third discussion point today. And that is data control for mission critical manufacturing and defense operations. Look, organizations must protect their sensitive and mission critical operations from cyber threats and vulnerabilities. And organizations that plan now can avoid costly reactive strategies. And studies show that cyber attacks targeting operational technology have increased 45% over the past three years. So, Adam, how should organizations really prepare? Um, and what role does predictive analytics play in anticipating potential data breaches or operational compromise?
Speaker B: Yes, I think this is a great subject, uh, particularly in the critical infrastructure space, manufacturing being one of them. And, um, we have some great regulation in Europe, particularly around that, such as NIS 2, which covers that and actually feeds into your sovereign strategy too, because it is referenced in the framework, the uh, EU sovereignty framework. So if you are a part of that vertical, you should be looking at it. But, uh, one area that always brings to my attention here is, uh, things like the extraction. So when you are hit with a cyber threat, uh, and by the way, it's a resiliency question, the chances are you will be hit on a long enough timeline, someone's going to come after you. So your response to that is now more important than the fact you've been hit. People are judged on their responses these days and your response needs to be tight and it needs to be orchestrated and documented. One thing that I think we don't mention enough is, uh, where data is extracted for that double ransomware. So they'll encrypt your data. Uh, everyone knows they'll do that, and then they'll come to you and say, give me some money. But what they've been doing is extracting the data and, uh, they'll take it and they'll take it off site and they'll come back six months later and say, give me some more money or I'm going to release it on the dark web or do something fun with it. And, um, there's a good chance they've gone for things like healthcare, because that's incredibly valuable data, defense data, incredibly valuable, finance. Um, these sort of areas are really under attack. So the way to stop this is to use those tools in your environment, those AI powered ones, to look for those slow trickles of exfil data leaving the system. And you'll see them, you'll see one user extracting because they don't really know what they're taking. This is going to take it all.
So use those tools and then offload to your SIEM partners and have them do something like stop a user, close a firewall port, lock down a system. And then what you really need to do when you figure that out and done that is go to your backups and have them in somewhere like a cyber vault or a clean room. Because the good chance is if they've been taking the data out, they've broken your backups, they've installed something, they've covered their tracks by deleting your logs. So, and this is actually part of regulation now as well, the EU recognizes this is so important, they've written into DORA, the Digital Operational Resiliency Act, covering the finance sector. Go look at that, build that environment out. Because what we're now finding is people are restoring from their backups and they're restoring dirty data, they're restoring the problem back into production and they'll get hit a third, uh, time. So those are some of the areas I'd start looking at because you'll see this happen time and time again. So in Vegas, two major casinos got taken offline and they couldn't even move the elevators because everything's Internet connected these days. So that is where I would be focusing my efforts.
Speaker A: I want to ask more about anticipating and predictive analytics in this aspect. But Adam, you mentioned something I think is critically important. Not the fact that you may be hit, the fact that you will be hit and your response is critical. Can you describe what you would consider to be a, ah, good response for an organization that has just been breached?
Speaker B: I would start by having a good, well written document. This is actually called for again in DORA, which covers the finance sector, like I said. But anybody who's interested in cyber resilience, so you should probably give it a look. It's based on the, uh, NIST cybersecurity framework, which is protect, detect, respond, etc. Which is a great framework. Um, but to answer that question there, have it documented. Who do I go to? Who do I wake up in the middle of the night and say, we've got a problem? Because if you're running around like headless chickens, then you're not going to be able to solve any problems. For example, if someone comes to you and says, we're going to release the data and they should give us some crypto, who is it in your business that is charged with getting that crypto over or saying no to them? If you don't have it documented, then you don't know what you're doing. So document your plan. And in the process of documenting your plan, you'll realize there's great big glaring holes in it and you can go about filling those holes. This sounds like really simple things I'm saying, and you're probably thinking all major organizations have done this. You'd be very surprised to find that most of them haven't. They haven't documented it to any real detail. The places that you see it really well done are things like the aviation industry. Aviation is absolutely phenomenal at this. So I would follow their lead. I've been lucky enough to go to some of their crisis rooms and uh, they even print it out, their disaster recovery plan, Weber plan. Because we've had incidents where people have been hit, the systems have been taken online, they've tried to download a copy of their resiliency plan and they can't get to it. So have a physical copy under lock and key as well.
Speaker A: Michael, as I mentioned, research is telling us that cyber attacks targeting operational technology have increased 45% over the last three years. Wow. Um, what future risks are you monitoring closely and how are you adapting your strategies to respond to this increased risk?
Speaker C: I think that is, that is a very um, interesting question. Right, because again as Adam said it is not um, like if you will be, but this is something that will happen eventually in the future. So you have to be very resilient and you have to always be on, on the, on the very high alert, like one step ahead, a couple of steps ahead of, you know, the bad guys, right. I think. Um, so you know, I really like what Adam said. Like you know, you have to have you know, your own policies in place, understanding if something goes wrong, you know, what are these specific measures I need to take? Who are the people that need to make certain decisions? And so these are some of the things that we also think, thinking about right in doing that. But also I think at the end of the day also it's also um, making sure that um, you also try to minimize the impact whenever those things happen. Like your data access policies with actually having your access to certain type of data that you have to the organization. Do you, your data classified in a way, do you have role based access? For example, are you actually monitoring the usage of that? Because if you see that somebody's accessing data that they're not supposed to access, of course this should eventually just raise a red flag very quickly and then have mitigation strategies in place to start to stop that instead of escalating, um, um, those things escalating. So these are some of the things that at least we're thinking about as part of our own strategy at least. Data strategy at least ensuring data access policies, role based access, data classification, um, continuous monitoring, having very stringent cybersecurity policies around in terms of um, access breaches and mitigation strategies that you need to take as an organization whenever those things go wrong. So these are some of the things that perhaps organizations should start thinking about that let's say in the, in the, in the short term.
Speaker A: Michael, it seems that cyber threats now are evolving faster than traditional compliance frameworks. How is NATO preparing for emerging threats? What future risks are you monitoring closely and how are you adapting your strategies proactively?
Speaker D: So for us with NATO now, um, we have taken the approach of moving to zero trust. Um, so that's something that is um, is gaining prevalence. It came from the um, from John Kindervag when he invented that about 15 years ago. Now I had the pleasure of working with John last year on a conference and uh, learning from him. So definitely check out some of uh, some of his writing and his talking if you want to look at how you do that in your organization. And this addresses those points that Adam and ah, Michael have both said that these attacks are inevitable, they're going to happen. So assume that your network is already compromised. That is a statement that upsets people because it sounds like you're accusing um, them of something, uh, of the network not being secure. That's not what we're saying. Act like you're in a bad neighborhood. Right, um, and start protecting to the lowest possible level, the lowest possible perimeter, um, which for most people is either data or the identities of your users. So taking that approach and really limiting the scope of any potential breach when it does happen is really quite effective. Um, and that is what we call limiting the blast radius because we're assuming that something's going to get in. Um, these are very sort of military terminology so it resonates quite well, um, within NATO. So that's why we've been on this zero trust journey for about the last uh, three or four years. And it's something that I would really encourage any uh, company or business to look into, uh, if they're looking at a new cyber security strategy.
Speaker A: All right, I have a question that I'd like to put out to the entire group. And as you're talking, I'm thinking if I'm attending today, um, I'm thinking about what do I do next? And so I'm curious, the group, what advice you have for our attendees today on how to evaluate third party providers for compliance with, with your sovereignty requirements. What specifically should I be looking for when I evaluate third party providers? Adam, do you have some suggestions for our audience on that?
Speaker B: Yes, uh, I would define what you want from your sovereignty strategy. As I've said, there is uh, that complete dark site. Nobody really needs that, apart from if you know you're in the military or you're running a power station or something, to the uber flexible hybrid clouds. But you still need protection and some sorts of sovereignty and then the people in the middle, which are ah, the hybrids. So where do you fit on that scale? Because as you move down the scale you lose a little bit of functionality. We try our best to get functionality all the way to it. We pretty much can, but what bits can't you live without? And then you'll find your point on the scale and that's your sovereignty point. Take that and then look at the framework. You can see if you've missed anything because everyone talks about technology and we're talking about breaches in cyber security, but what about the skill sets that run your organization? Because they're part of, uh, the sovereignty message too. Can I live without my engineers? Can I live without my software updates? All those things make up the sovereignty story. So I would recommend reading that and go from there.
Speaker A: Michael, what advice do you have for our audience in evaluating third party providers for sovereignty requirements?
Speaker C: Yeah, I think the most important thing would be, um, first of all, knowing that, um, this is an important topic in itself. And then we're not only looking at data as an asset, but as a strategy capability. So therefore you need to know what data you have, who can access it and know when it moves. And so if you, if you are going to evaluate or assess, you know, providers, you know, um, I really like the, the framework that EU has already put in place. I think that is a, a very good framework, a good place to start, at least then you begin to understand, you know, the kind of requirement and the different capabilities and the things that you need to, to consider, at least when you're making those kind of choices. Right. So I think it's far more than just, um, the provider, the cloud provider itself or the vendor. Um, it is also not only about where the data actually resides or where the competition actually is actually taking place, but also understanding the impact, for example, on your personal aspects, as we just said. Right. Maybe something goes wrong. For example, you have the skill set, you have the people that can easily react or try to solve them. And so these are some of the things that I will consider, you know, um, the vendor, do they have, do they already have this kind of, um, sovereignty and strategy in place to be able to help us, their different customers. Do they have the operational capabilities, for example, to be able to respond when something goes wrong? Right. For those big organizations. So these are some of the criteria perhaps I will look at when assessing, you know, the types of vendors that, that I will try to consider at least for those type of topics.
Speaker A: And Luke, how does NATO approach the evaluation of third party providers?
Speaker D: So for us within NATO, it's quite, um, again, I won't say easy, but straightforward for us because we have all these rules and regulations, um, that bind us. Some of them are in international treaties, um, which is really an interesting dynamic. Um, but things are covering procurement, legal, security elements, those are all written down quite clearly for us so we can evaluate against those. The challenge that we have sometimes is working with industry or those third party providers who are not as familiar with that as us. So that's why, um, we're looking at things, how you map that to more well recognized and more well understood industry standards like the ones that we've heard about, NIST, ISO, maybe the national standards for the country, uh, or the area, the region that you're operating in, like in the EU or specific national regimes. So by having a clear framework to operate from, that's that common language that we've spoken about several times during this webinar that really helps both sides, um, of the, uh, of the arrangement understand each other as best as possible. So, yeah, that's the approach we try to take.
Speaker A: Luke, Adam, Michael, it's been great speaking with you today. We have reached the action item round of the program. I'm wondering if each of you could please provide us with one quick action item that our viewers can use to take advantage of your ideas and advice today. Luke, do you have an action item for us?
Speaker D: Yeah, I'll go first. That's a great one. So, um, what I wrote down, um, just whilst we were prepping for this session and whilst we've been chatting today is that it's about working out what you need as an organization or a business, uh, or even an individual. So tailoring your approach to sovereignty to suit your needs, whether that's the needs of your sector, if you're in a highly regulated environment. We talked about aviation, healthcare, finance, or if it's your geography. Are you operating in the EU? Are you operating in the US? That's tailoring to those requirements. What regulations do you, uh, do you have to operate under? Working out who needs what. And uh, as Adam has said, you know, not everything needs to be in the top secret fortress, um, of data sovereignty. Perhaps for some of your other needs you can be more flexible. So, yeah, tailoring it to what your needs are, understanding those, that's what I would say. Get that understanding down first.
Speaker A: That is Luke O'Brien, principal engineer for cyber defense at NATO. Luke, Luke, thank you so much for being our guest today.
Speaker B: Thanks so much.
Speaker A: Michael, do you have an action item for us?
Speaker C: Um, yes, I think my own action item would be, I think, very simple. Start by mapping your critical data flow. Um, this is really where practical sovereignty begins. Right. And data sovereignty, or data sovereignty should not be treated as just a compliance burden. But as we said, you need to have a confidence in the architecture that you have, in the policies that you have. So finally, I would say I'm assuming all organizations currently have a data strategy, and so all of these should be part of a very strong data strategy, and that is kind of a foundation for trusted innovation. So it's that simple. Just ensure that you have a data strategy in place and start by mapping critical data flow and that will help you with the journey, at least.
Speaker A: That is Michael Taylor, data technology and AI leader at Siemens. Michael, thank you so much for being with us today.
Speaker C: Thank you.
Speaker A: Now, Adam, do you have an action item for us?
Speaker D: I do.
Speaker B: I'm going to go a little bit more technical, um, and back to the sovereignty and encryption look for your keys. Where are they? If you're using quantum proof encryption standards and you're worried about extraterritorial laws, such as a government requesting your data, um, who holds those keys, what nationality they are, and are they part of your organization? Because when they come and try to take your data and they use a formal legal request, if the person holding the keys is from a different nationality and under a different jurisdiction, they can't, they don't necessarily have to hand over those keys. So if that's something you're worried about, go look at your key strategy. Go look at your encryption strategy.
Speaker A: Adam, that is great advice. Thank you so much for being with us. Adam, Michael and Luke, it's been great speaking with you today. What a great panel. Your perspectives and advice are spot on. So thank you so much and I hope that we'll get a chance to talk again soon. And to everyone joining us today, thank you too. Join us again for our sister show, AI Talk on May 7 with a great panel of guests. We'll be discussing the topic of reimagining enterprise software delivery with agentic, uh, AI. That should be another great discussion. In the meantime, if you'd like to find me, you can do so on LinkedIn. I'm happy to connect there, so check me out. I'm Kevin Crane, and you can check out my weekly audio podcast, the Digital Transformation Podcast. But for now, that'll do it for this episode of Digital Transformation Talk. And until next time, I'm Kevin Crane saying thanks for watching.