Fastly and Similar Outages Illustrate a Business Resilience Opportunity

Summary

The recent Fastly outage and others like it provides evidence of increased media visibility related to third-party risks; however, it also presents an opportunity for Australian organisations to adopt adaptive business resilience in place of legacy continuity planning.

Event Facts

On 9th June 2021, the global content delivery network Fastly suffered a configuration issue that impacted global networks, including those in Australia. The problem affected the digital presence of many Australian media outlets, retailers, government agencies, and the private sector. As a result, services were either entirely unavailable or slowed to a crawl.

Analysis

Appreciation of Cloud Provider Vulnerabilities is Increasing

Reporting on cloud provider vulnerabilities has increased in recent times. Consequently, Australian businesses are becoming more familiar with these third-party risks. Encompassing configuration issues, malicious attacks, code vulnerabilities, and human error, an infinite perimeter’s risks are as diverse as they are frequent.

According to ADAPT’s Collective Intelligence from Sep 2020 to May 2021:

• 77% of CISOs face increased threat vectors due to pandemic-induced disruptions
• 76% of Cloud and Data Centre leaders are concerned with multi-cloud complexity
• 73% of CIOs aspire to improve governance practices to deal with third-party risk.

Organisations raced to adopt cloud in 2020, which created new operating exigencies. Cloud governance often keeps CIOs awake at night: 43% of CIOs surveyed in February 2021 indicated concern for these risks, up from 35% just six months earlier.

Australian Organisations Recognise the Risk of Low Digitalisation Rates

Digitisation of workflow consistently ranks as the number three priority for Australia’s C-Suite. From streamlining financial processes, operational practices, external partner management, to business continuity planning (BCP), local organisations articulate the imperative to achieve operational efficiency and reduce risks using modern approaches. But the current state of digital execution demonstrates a gulf between aspiration and reality.

According to ADAPT:

• Digitalisation rates top out in financial processes at 56% on average, with HR workflows and sales operations following at 53% and 51%, respectively
• Critical risk workflows tend to be less mature: digitalisation rates of 43% in forecasting, 41% in external management, and BCP prevail.

These low rates of digitalisation cause undue complexity and effort during critical incidents. Instead of viewing risk flows in real-time and acting on the evidence, organisations are forced to rely on instinct and existing best practices that may not fit the current incident.

ADAPT Recommendations

Keep Calm and Carry On

Although cloud provider risk reportage is rising, Australia’s C-Suite should act deliberately.

In the case of the Fastly event, an hour elapsed between the incident announcement and initial remediation. Because the frequency of incidents impacting local organisations remains low enough to recall by name, leaders must take care to evaluate the impact and likelihood of the outage causing lasting damage.

Be mindful of the reactivity risk: consider the benefit/detriment of waiting for a resolution against customer trust and experience.

Business Resilience is an Imperative for Success

The Fastly event illustrates why organisations must adopt business resiliency instead of BCP. Traditional continuity planning assumes transient, locally isolated instances.

Instead, companies must develop a crisis execution competency to deal with global or persistent outages to reduce the risk of disruptive experiences. Employing crisis execution in place of continuity contingencies relies on a posture that is always alert, rapidly able to assess the real impact, and deliberately decide to act or wait.

Organisations should work with vendors to co-create resilient, decentralised networks.

Incentivise multiple partners to deploy existing bench strength to cope in a crisis. Include contractual language that encourages open communication about downstream “fourth-party” risks to improve line of sight on external threats. Collaborate on developing collective react and response mechanisms.

Favour remediations that embed quality by design to avoid compounding the original outage with further complication.

Evaluate Experience Impact by Persona and Region

One crisis execution policy does not fit all outcomes.

Consider the case of regional Australia, which endures latency and processing disconnects in periods of BAU. Third-party outages are likely to impact customers in these areas compared to peers in capital cities. Addressing the experience impact in the geographic lens could involve prioritising traffic by location, distance from the point of presence, or backhaul constraints.

Alternatively, consider the digital savviness of your customers by persona. Early technology adopters, power users of analytic outcomes, or prolific content consumers will notice disruption before those who are slower to adopt digital means of comfort. Develop mechanisms to prioritise the traffic of digital natives. Model multiple bandwidth scenarios across persona against the returns on sentiment and stickiness.

For more information about ADAPT’s Research & Advisory services, contact us at research@adapt.com.au to gain further context of this event as it relates to your strategic business priorities.