May 19, 2020

From BA to the NHS: why the UK needs to seriously step up its IT game

Vishal Bhatnagar, CAST

Another week, another UK IT headline. A ‘power outage’ at British Airways caused the UK’s national carrier to cancel worldwide flights at the start of the UK May bank holiday. The WannaCry ransomware attack brought much of the National Health Service to a halt. Events like these expose once again the importance of IT systems in today’s business.

But this should not be the only lesson to take. Such incidents highlight the complexity, and the sheer number of vulnerabilities caused by complex software, in critical infrastructure sectors such as the NHS, airlines or telecom operators.

It’s simply all about complexity

The reality is, the negative business impact of complex software is set to become much worse, unless we tackle the issues at their core. Rapid technological changes accelerated by the Internet of Things (IoT), Artificial Intelligence (AI), Automation and Robotics are only adding complexity to already-complex, legacy, and outsourced IT set-ups.

Added to this, macro-economic changes like Brexit and regulatory changes compound each other in sectors like banking, telecoms, retail and airlines to create pressure on IT departments like never before. For instance, the blame game for the BA outage had already started with the unions blaming BA’s IT management for outsourcing jobs to Indian firms.

As for the WannaCry hack, NHS Trusts were called negligent for not patching a known security vulnerability. But the core underlying causes are what we should address, if we want to make this country a global technology leader, let alone realise our dream of building the next Google, Apple, Facebook or Amazon. The UK needs to pick its act up.

IT Culture vs. Club Class

As experts in code quality we see a LOT of code. The latest CRASH report from CAST Software analysed 2B Lines of Code (LOC) across over 400 organisations globally. We see different issues across management levels in organisations. The need for a stringent software engineering mindset and discipline is a common thread.

This year, the study found the code quality of software used in the UK lags its European and American peers in criteria such as security and robustness. No wonder we seem to have more than our fair share of IT glitches in this country across banks, the public sector and now airlines.

One might think the days when IT was treated as a back office and a cost centre are long gone, but that is not reflected in the attitude we still have towards IT in this country. At the top of the hierarchy, most UK organisations, clearly including BA, don’t have board representation for IT departments and there is still a level of apathy towards IT risk. Despite what they say, IT is not in the DNA of most UK boards.

Third generation outsourcing and two year CIOs

That is not to suggest that most IT mid-managers do themselves or their businesses any favours, given the lack of objective visibility they provide into the IT estate they are charged with managing for present and future generations. Even more so when the majority of IT systems are in their second and third generation of outsourcing contracts. Here, there is very little visibility into the underlying risk and security vulnerabilities within the IT estate being managed.

There is little point in arguing for a reversal in the trends of globalisation that have led to offshoring. The solution is more objective and predictive Service Level Agreements (SLAs) for outsourced vendor management contracts. These contracts would explicitly monitor and measure improvements in Technical Debt and Complexity rather than rewarding the supplier for just keeping the lights on, delivering cost savings and leaving the Technical Debt as a liability for their successor. With an average CIO tenure of fewer than two years, this is hardly surprising.

At the engineer’s level, security is an afterthought. Developers often think of themselves as ‘artists’, rather than programmers who need to follow coding standards and best practices. The issue here is that spending more IT budget on risk prevention means less to spend on delivering technology innovation. This can lead to a culture of ‘Code now, fix later’.

This is a cultural and management issue, one which most managers outside of IT would recognise as the toughest type to fix. As with many IT decisions, the correct response is to compromise. But making good compromises requires being fully informed of the facts, and obtaining those facts, at the holistic risk level, across critical systems, is a fundamental starting point. Ignorance of the facts is perhaps the greatest IT risk of all.

Getting risks in the right order

Trying to adopt a continuous review of IT risk requires the right analysis, automated by a software analytics platform, such as CAST’s Application Intelligence Platform. Once a clear understanding of software risk becomes available to management, a mapping of such risks against business priorities allows prioritisation to occur. Only after such priorities are established can a proactive approach to paying off Technical Debt, the costs accrued by years of neglect and poor IT maintenance, be initiated.

The complexity of the job facing IT execs should not be underestimated. With an average of 5,000 vulnerabilities emerging every year, it’s not an easy task to prioritise and decide which vulnerability to patch. Technical Debt hidden within vast amounts of bespoke, legacy and outsourced software creates an extremely difficult situation which is almost impossible to manage.

Technical debt, such as the cost to patch systems compromised by WannaCry, is very easy to ignore until it is too late. The solution, a holistic approach to assessing and prioritising known vulnerabilities and violations from the thousands across the IT estate of most organisations, makes far fewer national press headlines than hospitals shutting down or a teenager accessing personal details of 160,000 subscribers at TalkTalk by exploiting a SQL injection vulnerability well known in security circles for more than 20 years.

Drive down to the Devilish details

There are multiple reasons behind IT outages, varying from cyber hacks, where security vulnerabilities are exploited by hackers, to power outages, real or imagined, and process breakdowns. But just as we would assess the overall health of a driver to determine if they have decent reflex actions, or suffer from weak eyesight, etc., we should regularly assess the overall health of the IT estate.

This includes, but is not limited to, Technical Debt, complexity, and security. We should not do this instead of monitoring; we must always strengthen the external perimeter to prevent hacks and build a more resilient Disaster Recovery process. Only when we tackle these core issues of IT systems will we be able to manage these threats better. The devil is not in the details, it is those very details.

By Vishal Bhatnagar - SVP and Country Manager, UK & Ireland


Jun 18, 2021

GfK and VMware: Innovating together on hybrid cloud

VMware has been walking GfK along its path through digital transformation to the cloud for over a decade.

GfK has been the global leader in data and analytics for more than 85 years, supplying its clients with optimised decision inputs.  

In its capacity as a strategic and technical partner, VMware has been walking GfK along its digital transformation path for over a decade. 

“We are a demanding and singularly dynamic customer, which is why a close partnership with VMware is integral to the success of everyone involved,” said Joerg Hesselink, Global Head of Infrastructure, GfK IT Services.

Four years ago, the Nuremberg-based researcher expanded its on-premises infrastructure by introducing VMware vRealize Automation. In doing so, it laid a solid foundation, resulting in a self-service hybrid-cloud environment.

By expanding on the basis of VMware Cloud on AWS and VMware Cloud Foundation with vRealize Cloud Management, GfK has given itself a secure infrastructure and reliable operations by efficiently operating processes, policies, people and tools in both private and public cloud environments.

One important step for GfK involved migrating from multiple cloud providers to just a single one. The team chose VMware.

“VMware is the market leader for on-premises virtualisation and hybrid-cloud solutions, so it was only logical to tackle the next project for the future together,” says Hesselink.

Migration to the VMware-based environment was integrated into existing hardware simply and smoothly in April 2020. Going forward, GfK’s new hybrid cloud model will establish a harmonised core system complete with VMware Cloud on AWS, VMware Cloud Foundation with vRealize Cloud Management and a volume rising from an initial 500 VMs to a total of 4,000 VMs. 

“We are modernising, protecting and scaling our applications with the world’s leading hybrid cloud solution: VMware Cloud on AWS, following VMware on Google Cloud Platform,” adds Hesselink.

The hybrid cloud-based infrastructure also empowers GfK to respond to new and future projects with astonishing agility: Resources can now be shifted quickly and easily from the private to the public cloud – without modifying the nature of interaction with the environment. 

The gfknewron project is a good example – the company’s latest AI-powered product is based exclusively on public cloud technology. The consistency guaranteed by VMware Cloud on AWS eases the burden on both regular staff and the IT team. Better still, since the teams are already familiar with the VMware environment, the learning curve for upskilling is short.

One very important factor for GfK was that VMware Cloud on AWS constituted an investment in future-proof technology that will stay relevant.

“The new cloud-based infrastructure comprising VMware Cloud on AWS and VMware Cloud Foundation forges a successful link between on-premises and cloud-based solutions,” says Hesselink. “That in turn enables GfK to efficiently develop its own modern applications and solutions.

“In market research, everything is data-driven. So, we need the best technological basis to efficiently process large volumes of data and consistently distill them into logical insights that genuinely benefit the client. 

“We transform data and information into actionable knowledge that serves as a sustainable driver of business growth. VMware Cloud on AWS is an investment in a platform that helps us be well prepared for whatever the future may hold.”
