Securing critical digital assets is vital to continue delivering key public services in a crisis, as citizens depend on many of these services more than ever in austere conditions. Moving digital assets to the cloud is one of the first steps governments can take to secure their public services against large-scale disruptions. From what I hear from our customers, this journey often brings challenges and roadblocks that are organisational rather than technical.
In this post, I want to share takeaways from my engagements with public sector customers that I hope will help you better prepare for this transformation. If you are responsible for the business continuity plan of your digitally enabled organisation, these insights can help you build the foundation for cloud-enabled digital resilience.
I have organised my thoughts into nine tips:
A continuity plan does not have to be complete and exhaustive from the start. In fact, a precise plan at the beginning can bog you down in the details. Instead, build a top-down plan one layer at a time. Set a vision and plan to uphold that vision, but be flexible with the details. Enable your organization to scale the planning efforts and push the vision and top-down goals towards the operational leaders. It is better to have the power to effectively communicate and measure your progress within the whole organization than to have a detailed plan that only fits a part of the organization. Review your actions to create a feedback loop that incorporates learnings. If time pressure does not permit you to plan far ahead, focus more on review and learn as you go.
Appoint someone to be the decision-maker and the primary point of contact in your organization for continuity. A single owner does not do everything alone; they delegate and organize. They don’t need to have direct control over the organization and resources, but they need the mandate and support to drive the continuity initiative.
Having a directory for your organization – as simple as a list of contacts – works better than chasing the owners of services and assets during an event. Avoid deliberately creating bottlenecks, though: owners should be equipped and willing to act independently in a crisis. Equip members of your organization with the policies and tools to take ownership of implementing and launching your continuity plan.
Keep an inventory of your digital assets so that you know what to protect during an adverse event. Digital assets should have owners who are points of contact during preparation, crisis, and recovery. Classify your assets if this helps you better assign governance controls to the assets or choose the right level of continuity. Consider that digital assets have dependencies on other assets. For example, records in a land registry can refer to owners in population or business registers, contracts in the registers of approved notaries, or mortgage information. Many of the dependencies might not be under your organization’s control, so shape your continuity requirements and plans accordingly.
Prioritise what needs to be saved first or fastest. When disaster strikes, you will likely be running low on budget, time, and people. You can invest in building mechanisms to save resources during a crisis by preparing early. Automate recovery solutions where possible so that recovery can be triggered automatically or with minimal effort. Write playbooks and instructions that can be followed with only basic prior knowledge. For the most critical services, build capabilities to self-heal so that you don’t need to intervene when adverse events happen. Test and verify your recovery mechanisms often. The more automated they are, the better you can take advantage of the elasticity, scalability, and pay-as-you-go pricing model of the cloud.
The dynamic nature of many types of events requires agility and the ability to make decisions at a fast pace. Be prepared to act quickly when a backup-and-restore strategy needs to evolve due to an event lasting longer or the recovery duration extending because the impact on your assets is greater than you expected. Afterward, you might need to launch additional compute and networking infrastructure. Leverage cloud elasticity and global presence to serve your citizens when and where needed without the requirement to make large capital investments to have infrastructure ready on stand-by most of the time.
Upskill early and often. Learning takes time, knowledge fades away when not used frequently, and new skills need to be acquired as business context and technologies change. Consider that learning materials are not always available in your native language and translation quality can vary. The same goes for instructors and partners. Not everyone is capable of effectively helping you in your language. Prepare your knowledge base of instructions, documentation, and playbooks in the language(s) your workforce naturally uses. Find like-minded organizations and individuals around you to share your experiences with.
Consider that upskilling is required at all levels of the organization, especially when moving to a completely new paradigm of resource delivery such as the cloud. Make sure your executive leaders are aligned with both your continuity vision and how cloud works. Upskill your technical leaders so they can make well-architected decisions and effectively evaluate cloud usage in the organization or work with the right partners to augment your workforce. Equip your technical workforce with appropriate tools and knowledge to build operational excellence.
Unless you aim to build everything on your own, find a trusted partner or partners capable of delivering your vision. In addition to the partner’s technical or consulting competencies, consider your historical context and legislative restrictions. Can the partner catch up with the intricacies of your services, organization, and data models? Can the partner deliver within your legal framework? Does their workforce have the right clearances to access classified information, be it configuration, code, or data? Building a relationship with the right partners in advance of continuity needs can help support and maximize an organization’s continuity strategy.
Every highly visible roadblock on your path is usually there for a reason. If you want to move fast, push these roadblocks aside to create guardrails. Blanket rules that prohibit the use of specific technology can be turned into guardrails that require specific certifications from technology providers or certain types of control to be in place. Data that moves outside of country borders can and should be encrypted with keys that you control. Confidential computing can be mandated where operator or workforce access is prohibited.
To better help you plan your continuity journey ahead, Amazon Web Services (AWS) announced Continuity of Government IT (CGIT) in late 2022. CGIT is comprehensive, cloud-based guidance that enables governments to protect their digital assets and services during disruptions of any kind. The guidance has been developed in collaboration with governments, public sector institutions, and AWS Partners around the world. CGIT is available to governments globally, and we look forward to working directly with you and AWS Partner Network members of your choice to establish the best path to your continuity goals. Get started with CGIT.