MapleSEC: How Kyndryl built cyber resiliency into its new IT infrastructure

Next month will mark an independence day of sorts for IT infrastructure provider Kyndryl Inc.

In 2021, what was then called IBM Global Technology Services was spun off and given until November 2023 to be truly separate from Big Blue as an independent provider of IT services to companies around the world.

Mission accomplished. So at last week’s MapleSEC series of presentations, Denis Villeneuve, Kyndryl Canada’s security and resilience practice leader, talked to Jason Maynard, Cisco Systems’ field CTO and Jim Love, IT World Canada’s CIO, about the security challenges Kyndryl faced during its transformation.

On the one hand, according to CIO.com, under a transition agreement, Kyndryl started with thousands of employees and over 4,000 customers which IBM Global Technology Services had serviced and were now Kyndryl’s responsibility. On the other hand, Kyndryl had to wean itself from IBM’s infrastructure or face financial penalties.

“Most of the technology infrastructure and employee work environments we inherited weren’t fit for our purpose,” Villeneuve recalled. “It was developed over years and customized specifically for IBM’s needs. The legacy systems and tools were unable to support our long-term vision of a lean, modern, and secure operating environment.”

What Kyndryl needed, he said, was “freedom of action.” An infrastructure that “allows us to work faster, work smarter, be more collaborative, and increase our engagement, while delivering great value to our customers.”

First, a little background: Five years ago, as part of its change in strategy, IBM decided it didn’t need to be an infrastructure provider to other firms. The Global Technology Services division was in slow decline, CIO.com said, with annual revenue dropping.

Having to re-invent itself as Kyndryl was a challenge — and an opportunity, said Villeneuve. Most companies that face transformation usually have to work around existing infrastructure. Kyndryl had the opportunity to start with an almost blank sheet.

It went from offering 1,800 business applications to fewer than 360 in two years. Many of those were rebuilt, or added and shifted onto a Workday or SAP platform for customers. The number of data centers dropped from 54 to four hyperscale centers.

By doing so, Kyndryl saved almost US$300 million in SG&A (selling, general and administrative) expenses, Villeneuve, said.

Today, Kyndryl has six managed services practices: Applications, data and AI; cloud; core enterprise and zCloud (IBM’s mainframe-as-a-service offering); digital workplace; network and edge; and security and resiliency.

Having resiliency within Kyndryl’s new infrastructure was a key goal.

“The success of our cyber resilience strategy really relied on our ability to drive change in our people and our processes,'” said Villeneuve. “When we shifted our cybersecurity framework and mindset, we identified several elements that were critical to our success: Employees as a defence was very important. A skilled and educated workforce is the best line of defence against cyber threats. Being able to train employees to recognize attacks empowers all of Kyndryl’s team members to proactively manage and reduce cyber risk during this giant transformation.

“The second thing is secure-by-design. We embedded cyber resilience, including a zero trust architecture, into all the technology systems and operational strategies that enabled us to protect against and recover against any adverse cyber events. We do a lot of automation when it comes to security orchestration to automate low-level tasks. It helps free analysts to spend more time on higher value tasks like threat hunting or the cyber kill chain.

“Last, Kyndryl’s identity management program was a big piece, because identity is the new perimeter — because staff are so dispersed. Our two main goals were limiting the number of IDs needed to access our systems and applications, and, more importantly, establishing minimal access privileges for every user and identity.”

Security is a business and change enabler, said Maynard. What makes a car go fast, he asked, responding: The brakes — because you can’t go fast without stopping. “If you want to be agile and fast in the market from a business perspective, you need security — not to hold you back but to allow you to move fast. And when you need to slow down, the brakes are there.”

Transforming your organization — especially radically simplifying and modernizing it — is an ongoing journey, Villeneuve said. “We may be coming up to November 2023, but there’s so much at stake. A call for continuous transformation should be a business imperative that cascades from any C-suite.”

Transformation “is about setting realistic milestones along the way,” added Maynard. “You can’t bite off more than you can chew.” Just as a zero-trust program isn’t just adopting a vendor’s suite of applications, transformation must have achievable milestones or it will go on for years.

“Same thing with cyber resiliency. There’s no other program that can drive resilience without cyber security resilience being part of that. “It’s a foundational element ” to everything else in the organization.

“You want to make sure security is at the forefront” of any change management plan.