Powered by MOMENTUM MEDIA
Op-Ed: Security and innovation — the balancing act for the next decade

Digital innovation has become a main driver of competitive advantage, no matter the size of an organisation. Business and technology leaders are under growing pressure to drive digital transformation and do it both quickly and with the right levels of security controls.

David Hollingworth
Wed, 19 Apr 2023

But meeting security and compliance regulations alongside internal guidelines has become a real hurdle as regulations are becoming increasingly complex and data breaches are now daily events.

How can companies continue innovating at a fast pace while meeting data security, privacy, and resilience requirements?

Most business leaders will tell you that the two are in conflict — a growing number of Australian organisations are struggling to achieve one without compromising the other.


But this dichotomy doesn’t have to be a reality, and with the right approach, innovation and regulatory compliance can support each other.

Companies need to better understand core data management principles — in many cases today, it’s data that drives innovation, and of course, for security and resilience purposes, it’s the data that needs to be protected and secured.

Ditch ‘lift and shift’ to solve infrastructure complexity

Pressure for IT departments to adopt digital technologies and be seen as “cloud-first” in recent years has resulted in a rush to the cloud: many have just lifted and shifted their existing infrastructure and dumped it in the cloud.

This approach has led to even more data silos, complexity and security gaps, and means developers are now spending precious time maintaining multiple different data models, integrating data sources, and bolting on security fixes, instead of innovating.

This worsens when organisations start adding in niche databases to build their growing features portfolio, creating more places for data to live, more data to integrate and an increased surface area for attack, making both innovation and security of data difficult.

We are now also seeing some examples of this in Europe, where GDPR and the “Right to erasure” have greatly challenged organisations, not because they technically couldn’t delete information, but because they often weren’t sure where their user data was stored.

In Australia, similar regulations are being drawn up, from the review of the Privacy Act and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 to more targeted regulations such as APRA’s CPS 230, aimed at the financial services sector. Organisations will likely face greater security and compliance challenges that will impede their ability to innovate if they don’t adopt better cloud and data management strategies.

Embedded security and multi-cloud for data resilience and compliance

The answer is not about adding additional layers to existing digital infrastructures; it’s about adjusting mindsets and workflows around the way existing technologies are used.

1. Adopting new data models

It’s important to choose data models that fit the way data today is being used and shared. Our opinion is that the top three considerations should be: 1) a data model that is intuitive and easy for developers to work with, 2) a flexible schema that allows for the data model to evolve as application needs change, and 3) the ability to horizontally scale out. This means you can move fast and adapt to new environments as the business evolves and grows, and as regulatory requirements change.

2. Consolidating around platforms that make data secure by default

It’s about protecting the data itself: no matter how it is being used, where it is being stored, and with whom it is being shared, it needs to be secure and encrypted by default. The starting point is to consolidate platforms to solve multiple problems. This consolidation allows innovation to occur, as it brings search, mobile and visualisation tooling, which are all heavily data-reliant, and of course, integrated data security together in the one platform.

3. Rethinking what multi-cloud for resilience means

For many years, organisations in Australia have said they were “going multi-cloud” as a way to add a layer of security and resiliency and to use multiple cloud service providers to spread the risk around availability, resilience, and price competitiveness. However, many of the companies using “multi-cloud” are not doing it in a way that solves today’s security challenges and compliance requirements.

Compliance and resilience can only be achieved by having each critical application and the underlying infrastructure hosted in multiple clouds at once — instead of having different applications in different clouds. This means that in the event the organisation (or its cloud provider) experiences an outage, data is safeguarded and available for applications to use.

I expect that in the coming months and years, going multi-cloud to solve resilience and availability is going to become standard.

Compliance, security and innovation are not irreconcilable; they are compatible. It is about changing the mindset and workflows around how data and cloud are being used, and offering developers tools that are designed to solve today’s problems to continue to drive innovation.

Anoop Dhankhar is the country manager of ANZ at MongoDB

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
