In our view, the essence of operational resilience is the assumption that disruption is inevitable, so organizations must have measures in place to absorb and adapt to any shock, whether a cyber incident, a technology failure, a natural disaster or something else. With growing dependency on technology and on third and fourth parties, expectations are rising for organizations to keep delivering critical business services through a major disruption in a safe and secure manner. In practice this means actively minimizing downtime and closing gaps in the supply chain in order to remain competitive.

This differs from the long-standing industry practice of disaster recovery, where companies traditionally aimed to return to normal operations in the days after an event, within defined recovery point objectives (RPOs) and recovery time objectives (RTOs). Disaster recovery remains an important practice, but appetite for conventional approaches to it is diminishing across industries, and especially among regulators. This is evident from emerging regulatory requirements and expectations in the UK (the Bank of England's Critical Third-Party regime), Europe (the Digital Operational Resilience Act, DORA), Australia (APRA CPS 230 Operational Risk Management) and Canada (OSFI's Operational Resilience and Operational Risk Management guideline), among others. Similarly, in the U.S., the Office of the Comptroller of the Currency (OCC) has indicated that the federal banking agencies are considering updates to operational resilience frameworks and approaches for critical business services and for third-party service providers.

As hybrid cloud and generative AI adoption increases, data and applications are everywhere—across multiple clouds and vendors (SaaS/Fintech), on premises and even at the edge. For this reason, it’s more important than ever for enterprises to ensure their cybersecurity and resiliency strategy incorporates their entire IT estate, no matter where it resides.

To do this, enterprises must first identify and prioritize their most critical business services, then develop a workload and data placement strategy that determines which applications and data should reside in which environment, based on the specific security, resiliency and data sovereignty requirements of each.

According to the 2024 IBM X-Force Threat Intelligence Index, attackers are increasingly shifting from ransomware toward malware designed to steal information. This reinforces the importance of adopting technology and an approach that provide a holistic view of, and end-to-end protection across, your entire IT estate, including your partners.

While partnerships are essential for businesses to remain competitive and to tap into new entry points to the market, enterprises must make sure their third parties are thinking about security, resiliency and controls in the same way they and their regulators do.

It’s clear trust and security must be at the foundation of decisions about where workloads and data reside—regardless of the industry. But how can an enterprise ensure these priorities remain front and center, especially when working with third and fourth parties?