NTT DATA Inc: Resilience brilliance needs a helicopter view
AI is changing things.
Aside from the surface-level services now helping people create amusing videos and images, the penetration of artificial intelligence is helping people research more broadly and with greater speed, it is changing the way people teach, it is realigning some long-established workplace standards (and some work roles)… and of course, it is changing the way software engineers code.
With so much changing above and below the code command line, now is an opportune time to examine where the safety and security factors now sit with regard to modern always-on, increasingly cloud-native systems.
For these reasons, the Computer Weekly Developer Network (CWDN) blog sat down with Sheetal Mehta, global head of cybersecurity services at NTT Data Inc. to discuss the methods and tools that developers should now be more aware of in relation to system risk.
Top of the ROC?
In terms of front-line software application and data service security, does Mehta think that we are moving from an attack surface management approach to a risk surface management approach i.e. one that makes more direct use of a Risk Operations Center (ROC) than perhaps putting reliance on a Security Operations Center (SOC)?
“I wouldn’t say that it’s a case of one replacing the other, but rather a risk surface management approach helps organisations take a more holistic approach to proactively secure what really matters to their business. In today’s multi-faceted world of hybrid cloud and AI environments, we will continue to see the risks expanding alongside an organisation’s ever-widening attack surface,” said Mehta. “It’s critical for any organisation to continuously monitor and mitigate vulnerabilities and threats to its attack surface.”
That being said, he reminds us that an attack surface management-only approach limits the organisation’s view of IT-related vulnerabilities within its walls – it misses the potential risks from third-party vendors and the supply chain, cloud dependencies, regulatory exposure, and operational processes.
Helicopter view
Mehta says that risk surface management is essential as it offers a far more “helicopter view of the risks and prioritises” based on the business criticality of assets, its exploitability and considers operational dependencies – and if we look at the bottom line, it’s to protect what matters the most: business growth and stakeholder trust.
So then, is risk mitigation really even possible or is it more about isolating threats quickly, being more resilient and able to get back to business as usual with minimal delay and loss… and if so, how do organisations do that?
“Risk mitigation in isolation will never be sufficient… and in today’s AI age it’s not a matter of if but when an organisation gets breached, so we strongly advise organisations to move towards an agile and adaptive resilience strategy,” said Mehta. “[Firms need a strategy] that integrates risk and compliance management with cyber resilience to securely enable innovation and business growth. By definition, resilience is an organisation’s ability to anticipate, withstand, respond to, and recover from disruptive events, whether that’s cyberattacks, operational failures, supply chain disruptions, or regulatory shocks.”
He references recent work, which has seen NTT DATA and Fortanix Inc. announce a global partnership to help enterprises safeguard sensitive data, counter emerging AI threats and prepare for looming post-quantum cryptography challenges.
Cryptography-as-a-Service
Through this agreement, NTT DATA will launch a new Cryptography-as-a-Service offering as part of its Data Security services portfolio. The service combines Fortanix’s Data Security Manager Platform with NTT DATA’s cybersecurity expertise, deep knowledge of evolving data protection standards, global delivery model and strong capabilities across AI technologies.
“Modern business resilience demands more than just recovering from cyberattacks – it requires proactive preparation to protect critical assets, and continuous detection and response to navigate an evolving threat landscape. To be effective, this entire process must be simplified and integrated, enabling swift, coordinated action from preparation through to response and recovery. Our recent guide for CISOs with Omdia provides actionable steps to help organisations move beyond a static and reactive approach to business continuity to an agile and adaptive resilience strategy with an integrated approach to cybersecurity,” said Mehta.
Three key steps
Given the discussion so far, what does Mehta think organisations need to do in order to de-risk or become more cyber-resilient? He offers three key steps as follows:
- Simplify, modernise and integrate your cybersecurity environment: rationalise, consolidate and standardise your cybersecurity technology stack and move towards a unified cybersecurity architecture, governance and operational model that eliminates redundancy across tools and controls, enabling you to close visibility gaps and enforce policies consistently across multifaceted hybrid cloud and AI environments.
- Resilience is not static: it must be embedded into daily operations, governance and culture. Executive buy-in and board-level prioritisation, regular training, clear policies, and open communication channels empower employees to act as the first line of defence.
- Shift from static, reactive to an agile and adaptive approach: Make security embedded into the core fabric of business with minimal or no disruption. Adopt more business context-aware controls through leveraging AI-enabled risk correlation and prioritisation with less or minimal manual intervention.
To conclude, what can the C-Suite do to engender support for collaboration and investment in protecting today’s complex environments?
“Business leaders need to have a sophisticated but seamless approach that can be followed at all levels. This includes the need to encourage shared accountability for cyber resilience across the C-suite… and create cross-functional governance models that unify IT, OT, and business risk management seamlessly,” explained Mehta.
He says that firms need to promote external advocacy to build stakeholder trust and brand credibility… and that cyber resilience must become part of the core mission statement of the organisation to demonstrate commitment and focus, but it must be easily understood.
Clear communication & playbooks
“Finally, here, organisations need to deploy comprehensive technologies that offer control and remediation under a unified and layered security approach, that offers visibility and ease-of-use,” concluded Mehta. “Clear communication and playbooks for coordinated action with partners, customers and employees with well-defined and understood roles and tasks in the event of a cyber incident to help build stakeholder trust and confidence.”
