PurePerformance - Understanding DORA - Europe's Digital Operational Resiliency Act with Kay Young
Episode Date: October 14, 2024
DORA - the EU's Digital Operational Resiliency Act - will take effect in January of 2025 and is currently top of mind for IT Leaders across all financial service institutions that operate in the European Union. But what is DORA really? Why is this important? How can institutions meet the DORA requirements? What is the role of observability, automation and AI in all of this?
To answer all those and more questions we invited Kay Young, Sr Principal Product Manager at Dynatrace, who has been working with organizations around the globe that have been tasked to implement regulations such as DORA, GDPR, FedRAMP or others.
In our conversation we also touch base on the third-party risk management as well as resiliency testing and incident reporting.
Resources we discussed:
Kay's LinkedIn Profile: https://www.linkedin.com/in/karlien-young-4a156730/
What is DORA blog: https://www.dynatrace.com/news/blog/what-is-dora/
Taming DORA compliance: https://www.dynatrace.com/news/blog/taming-dora-compliance-with-ai-observability-and-security/
Blog on Dynatrace's DORA compliance journey: https://www.dynatrace.com/news/blog/the-dynatrace-journey-toward-dora-compliance/
Beyond DORA compliance: https://www.dynatrace.com/news/blog/dora-how-dynatrace-helps-the-financial-sector-stay-resilient/
Transcript
It's time for Pure Performance!
Get your stopwatches ready, it's time for Pure Performance with Andy Grabner and Brian Wilson.
Welcome everyone to another episode of Pure Performance.
As always, when you don't hear the sexy voice of Brian Wilson, it's the other voice. It's Andy Grabner solo today because Brian unfortunately couldn't make it.
But I try to do a good job in educating you listeners about topics that are relevant in our industry.
And today it's about Dora.
Now, when I hear Dora with my background, I have a completely, completely different
definition of what Dora means, probably than my guest.
And actually, without further ado now, I would like to introduce my guest or welcome my guest
to the show, Kay Young.
Kay, thank you so much for being here.
How are you doing?
I'm doing well.
Thanks for having me.
Thanks for being here.
Kay, could you, before going into Dora, could you just quickly tell me a little bit about
you?
What do you do right now?
What's your background?
Just curious who our guests are. Yeah, so I am one of the principal product managers here at Dynatrace
and my focus is very much on ensuring that our product is compliant
to various regulations and certifications,
making sure that we have a really good product
and people can trust that we have everything in place to handle their data accordingly.
I've been in the industry for over, I'm giving my age away,
but for over 15 to probably longer years,
working on products in various industries and, you know,
making the best there is of it.
Yeah, very cool.
And I think you brought up a very good topic or word, trust.
Trust is a big thing.
And now kind of going into Dora,
can you give me an explanation, introduction to Dora
and telling everybody now that is listening
and you're thinking we're talking about the DevOps metrics. This is not about the result of the DevOps
Research Institute that happened years ago. This is a different type of DORA, which reminds us how
important it is when we use acronyms that we have a clear understanding of what the other person is
talking about. So Kay, can you introduce me to DORA?
What is it?
Yes.
So, DORA, or in this case, the Digital Operational Resilience Act, is a regulation that came
out in the EU that is aimed at strengthening IT security and operational resilience of
financial institutions and their service providers.
So it really is about establishing a framework that requires firms to have, you know,
robust and effective information and communication technology, risk management, incident reporting,
resilience testing processes and so forth in place.
Okay, so that's definitely a different type of DORA than I know, because my DORA has four
metrics.
It's typically around deployment frequency, deployment failure rate, and how fast you
can react to failure, and lead time.
So this is clearly different.
But it goes into the trust piece, right?
I think that's a big point.
People need to trust the software, need to trust the institutions that we work with.
You mentioned DORA is really a regulation aimed for the financial institutions and service
providers.
Why just that and why not expand just out of curiosity, if you know, why is this really
focused on this type of
industry?
There could be many reasons why they
focused on this first but
from my
point of view I think this was really
highlighted in the
EU that these are
really risky
businesses. These are businesses
that cannot fail. If our financial institutions
go down, we are in trouble. So let's start with this. Let's really make sure that our financial
institutions are robust. These, you know, banks and insurance companies and things like that is built on a solid foundation and that there is no risk where we can prevent it.
And you mentioned also this is a EU, so European Union regulation.
Is it fair to assume that other regions around the world have, let's say,
similar regulations for their financial
institutions?
In case you know, I'm not sure how well of an expert you are.
There definitely is a growing trend where we're seeing this.
I'm really looking at DORA framework that the EU has put in place is revolutionary and
it really has opened the world's eyes to how important such frameworks is and that
we have to expand this to other industries and other regions throughout the world. We saw a
similar thing happening when GDPR was brought out in the EU where it was such a groundbreaking thing
and it really influenced the regulations for the rest of the world. So we are keeping a really, you know, eye out on how this will expand to the UK,
the US and other regions in the world.
Now, knowing, you know,
big organizations like the European Union,
these regulations,
the definitions of the regulations
probably take a little while
to actually get finalized, get enforced.
Can you give us a rough overview of the timelines?
How long has this been going on?
When is this going to be enforced?
When is this really relevant for organizations?
Well, the first version of DORA came out, I'm going to round up a bit, but two years ago,
where they set the framework in place and say, this
is what we want to establish.
Let's start working together on this.
Since then, there has been addendums that they've laid out, the latest being in June
of this year that they released this.
And this regulation is coming into effect from the 17th of January next year.
So from January, all organizations will actively start complying to the DORA framework that needs to be put in place.
Prior to this, it was, you know, chances were given to, as an industry, let's discuss how do we want to put these frameworks in place, let's put best practices in place, and then, you know, from January, all action.
Oh, that's, uh, it's actually, it's not too far away if you think about it. That's only four months to go.
It came quicker than I think everybody expected.
Yeah, yeah. And so, you know, without going into all the details about every single piece in, um, in the DORA requirements or in the DORA papers, can you give us a little bit of a quick overview of what are some of the requirements that financial organizations need to meet in order not to be, I guess, I don't know, prosecuted, or they have to pay fines, or whatever are the legal implications?
Yes. So DORA outlines expectations for ICT or information and telecommunication technology, risk management, the testing and incident reporting. So it's all about advanced monitoring, analytics and automating processes that can support these efforts.
So it gives this really strong framework on how do we become more robust?
How can we preemptively identify risky areas and prevent risk from occurring?
And how do we report and share this knowledge to the rest of the
industry where we do find incidents or, you know, things that could affect others in the industry as well.
So is there, do you see, and again, this is not my field of expertise and I'm just asking you, thinking about financial, the financial world, I assume there's a lot of competition. So, uh, and typically those organizations probably don't want to share things amongst each other, or maybe they do, I don't know. But does, do regulations like this actually force these organizations to share more things amongst each other, especially as it comes to maybe threats, as especially as it comes to best practices?
I do think this is one of the big, this is one of the pillars of DORA, is that they want to foster this collaboration amongst the industry experts.
Without this fostering and, you know, fostering this collaboration that everybody wants to do, it will be, we're not learning, we're not getting stronger, we're not preemptively, hey, I have a vulnerability here, be aware of it, let's fix it, make sure you don't get hit. And so this, this really is an important aspect of DORA that is so unique and why DORA is more seen as a framework than, you know, this is the strict guidelines you want to put in place.
It is about as an industry, as a community in there,
let's see what is those best practices.
How can we learn and expand on this all the time?
Thank you.
That's good.
Now, you mentioned, I think, observability earlier
because somebody may ask the question,
so why are we, with our background at Dynatrace,
even talking about this?
I mean, clearly, our slogan is,
the world needs software to run perfectly.
The world needs software to run securely.
Many other observability vendors obviously aim the same thing
by helping organizations to get insights into their IT infrastructure, their applications.
More and more vendors we see, and also in the open source world, more and more tools come out that focus on security, that focus on risk management.
But maybe a quick overview for people that have never connected observability with regulations like DORA.
Can you give us a quick overview of what would the role of observability be as organizations need to become compliant?
Yeah, sure.
Now, although there are many aspects to keep in mind where DORA and risk management guidelines are concerned, observability is one of those key approaches
that can support several aspects of it.
It can help by providing visibility into the system performance,
the health of the system.
It can help establish faster identification
and response to potential issues.
So it really is a key enabler for continuous monitoring,
early detection of risks,
and helping to automate responses that need to go out.
Which brings me, like a keyword here,
brings me to the next question that I have.
Observability is one thing to get insights,
but then automation.
We've been working pretty hard, at least since I've been in IT, to automate as many things as possible.
Again, with my background, I typically talk about automating your build process automation in the context of DORA, what are some of the things that people
may not consider or that they should consider when it comes
around automation? What can be automated? Well, automation
and especially AI-driven insights, I
strongly believe this is really critical to helping you with your
DORA compliance.
It reduces that manual intervention that needs to be put in place.
It is crucial to help you improve your response time.
DORA gives very strict guidelines on how quickly you need to notify the relevant authorities if there is an incident, so that corrective action can be taken and so forth.
So having this automation in place and having this AI-driven insight
becomes a critical component in meeting these strict guidelines.
So it's interesting where you are, because I talk and I work with a lot of, you know, people around the world, and we always talk about certain KPIs. And again, I always bring it back to my field of expertise. This is more in software engineering, software delivery. So we always talk about how fast can we deploy, how fast can we push out a new fix? And these are typically, you know, these metrics and objectives are typically driven by competitive aspects.
You want to be competitive in the market.
Therefore, you want to bring out a new feature in a certain amount of time.
And therefore, your process to deliver and develop needs to be automated as good as possible. In this case now, I hear it like the European Union says,
hey, we give you strict guidelines on how fast you need to detect
and then notify about any potential issues, I guess, in a certain category
and who you need to contact, what type of information you need to share.
Did I get this right?
This is correct, yes.
It's about what are those vulnerabilities that could potentially impact other companies as well that the industry needs to be aware of, um, to share that knowledge again that we spoke of earlier, but also to make sure that, as your company, you have the relevant response plans in place to prevent these and fix them should they come up.
Yeah, now, you know, listening to this, and again, this is, uh, this is why I love this podcast, because I learn something new. And, and sometimes I, like, you know, things pop up in my mind and I just want to validate if this actually makes sense. But I believe DORA could be a great framework for
any organization, essentially, because I'm sure it provides some good guidance on best practices
in general, right? How do you deal as any type of organization that is using digital services?
How do you deal with, how do you detect even problems? How do you deal with them? Who do
you report them to? Now with DORA, there's a guidance on financial institutions needing to report to the European Union.
But I guess whether it's the European Union or whether you report to your own board or your own
leadership, I guess in the end, any organization should have these thoughts and guidance in place.
Yes, no, it's very important. I always like to refer to this CrowdStrike
incident that happened a few months ago. This really showed why
such a framework is so important. If something goes
down, what is the consequences of this?
I think the European Union
putting this DORA regulation in place was really forward thinking and knowing, hey, we need to start planning for these things.
This is a, you know, these type of incidents can happen.
We need to make sure we are secure and plan for it.
And I'm not sure what the right English term for it is, but I guess it's critical infrastructure or critical systems.
Like, as you said, banks, right?
We need banks to work because otherwise our society
will probably end up in a bad situation.
The same is true for, I guess, energy, transportation, healthcare.
These are all pieces of critical infrastructure and critical services, and they obviously have to take really good care
of that everything is resilient
and that they then know in case something goes wrong
to really notify the right people
so that the right processes can be put into place.
Exactly.
Hey, one of the things,
and you mentioned CrowdStrike,
and there have been other incidents.
Actually, I think CrowdStrike was not the issue, but the other incidents in the past is where, let's say, third-party software, whether it's third-party libraries, anything in the software supply chain. There's many parts and many steps in the software delivery process where things can
go wrong. Does DORA cover anything of this as well? Is DORA expanding to the whole software
delivery lifecycle? Yes, indeed. It does extend its requirement to those third-party service providers. So this means the financial institutions themselves need to ensure that the entire supply chain is resilient.
There is guidelines given on how you determine whether this is a critical supplier versus just an important supplier.
And you as a financial institution really needs to work with these companies,
make sure they have the relevant operational resilience
and continuous monitoring in place that you require based on your risk profile
and how you want to operate. And it is a very important aspect because we are so reliant on those third-party systems
that we use in our applications.
We have to make sure the whole supply chain works.
And now we don't obviously want to make this, as I said, this is a thought leadership podcast.
I want to talk about these topics. But we as Dynatrace, we are a critical, I guess, third-party component to many of our customers who are in the financial space, who operate in the financial space.
Does this mean they need to justify and they need to prove that Dynatrace also does everything and we are applying to certain rules? So how does this work?
What if a financial institution uses a tool like Dynatrace?
What do they need to kind of report?
Every customer, every financial institution has to,
will have their own definition
of what they feel is a critical system.
So Dora provides this guideline,
but it's ultimately up to the financial institution
themselves to determine, okay, what are you?
Are you a critical supplier?
Are you an important supplier and so forth?
And DORA provides then various requirements that these third-party management systems
need to do this.
So we, as Dynatrace, have worked very closely with the financial institutions
as well as the regulatory bodies in this case to make sure that what we have
in place complies to how we interpret the DORA requirements.
Now, DORA is purposely made.
As I say, it's really about this is the guideline
and let's work together and work on that best practices.
So we have various conversations with the customers
once they've determined, okay, you are a critical system.
Show me what you have.
Let me make sure this, this is really what, what we want in place and it works for you as well. So we encourage those conversations with our customers and ourselves to make sure that they are happy and they are, you know, supportive of what we put in place.
Cool, thanks for that. Um, I mean, I assumed that's the case, and it's just great to hear it, because many software vendors like us are critical third-party components in these financial institutions and observability.
What we provide and also security and automation are just a small piece of the cake of everything. You mentioned earlier that incident reporting is very important.
So in DORA, basically specify how fast you have to report.
The question is, I have a big background in testing,
in case you didn't know.
So before Dynatrace, I worked for a company
where we did a lot of performance testing, a lot of functional testing.
And that's why testing is still very dear to my heart.
Is there also something where there is a way to test for the robustness?
Does the EU specify certain guidelines on how to make sure before maybe a system goes live that they need to fulfill certain test criteria?
Or is there anything around, you know, resiliency testing, risk testing available as well in DORA?
DORA does require you to do resilient testing because, yes, it is very important that you make sure you have a plan in place, you have procedures in place, and that you do regular, you know, resilience testing, disaster recovery, and so forth.
And that you make sure that this is then also applied to your third-party frameworks. So, again, it provides guidelines and it's up to the financial institution to then determine how risky the system is, how critical it is in their whole infrastructure, what is their acceptable limits in there and what does it need to comply to?
And, you know, what is their backup plan?
If it goes down, what can they do? So this is really one of those very important things
that organizations need to have appropriate processes,
documentation, and governance in place for.
Cool.
Kay, thank you so much for giving me the overview
because clearly there is more to DORA than I thought.
First of all, also, it's not the DORA,
not the DORA the explorer and not the DORA the DevOps metrics that are out there. By the time
of this recording, so we are about four months away from that regulation to take effect. And
I don't know if you, just from your personal experience now, because you have obviously worked in this field over the last couple of months, you've written a couple of blog posts. So, folks, if you're listening to this and you want to read up more, in the description of the podcast you'll find the links where we can learn more about DORA and also what the role of observability is.
But are there any discussions that you've been involved with recently that stand out? Any topics that people are, let's say, most stressful about?
Are there some challenges in the adoption of Dora that are more prominent than others?
And can we just highlight maybe some additional resources?
I think there's many topics that's going on in DORA.
Really, the ones that I've been involved in quite actively is it's all about
how can we help and how do we ensure that we have this really speedy, refined process for incident reporting?
How can we share this knowledge and things like that?
Because it's one thing to share with the regulatory body that I have to report my incidents to, that I have to have, you know, this is the template that I use.
This is the information that I give.
And customers really struggle to how do I deep dive?
How do I find out what is this root cause?
How do I get this quick enough that I can report this?
And then how do I share this with the industry as well?
So this is topics that's ongoing and discussions that's ongoing because this is, you know,
this is the framework that not everybody has in place.
Having those discussions with, you know, my peers in the industry is also not something
that is necessarily natural.
This is our new things that's being put in place.
We want to have those conversations and we want to discuss it with each other.
So this is quite a hot topic at the moment where I've been involved in quite a few interesting conversations.
How can we put this in place?
How can we become more collaborative in this?
And how can we get faster and do this easier?
Because it can be quite an administrative burden
for these compliance officers that now need to do this.
So I'm really looking forward to seeing how this pans out
and how people do this.
And maybe last kind of open question for you is,
you know, coming back to a little bit of Dynatrace, because we are actively new and several teams are involved into this. What do we bring to the table, not just from a tooling perspective, but just in general as an organization,
what do we bring to the table for organizations
that are currently facing the challenge that in four months
they need to apply to those regulations.
And as they become active, that they can then continuously comply to it.
What do we as Dynatrace bring to the table
that might be something that people don't think of when they think about yet another observability vendor?
Oh, there's so much that we are everything in place so that customers have that trust.
We can be used in their operations.
But we're also working on quite a lot of things, supporting customers with their compliance needs as well.
So, yes, from an observability point of view, we have these robust systems.
We can help with these root cause analyses and things like that.
And we're doing quite a lot of work on our security side as well.
What can we help you with there?
What automated checks can we put in place?
And I can't go into too much detail,
but we are putting a new app in place that will help customers with their observability as well as security frameworks and helping them with those technical requirements that DORA has. location, automate those tasks, having the visibility on where your risks might be that
you need to put in place and, you know, giving you those automated reports so that you have
peace in mind that at least from the, you know, the technical side and, you know, you
are covered.
You don't have to worry about that.
You deal with what you need to put in place process-wise,
and we will help you with the rest.
So more things are coming.
Thank you.
And so it's always good to leave with a little bit of a surprise
and like there's obviously more that can be done, more that we will do.
Kay, did we forget anything?
Because if people are listening to this,
they came in maybe initially and thought,
Dora, I'm sure I know about the stuff
that Andy has been talking about for years,
but now all of a sudden they learned something
completely new that they may not even,
you know, that will hopefully be relevant for them.
Anything that we missed in the conversation
that we want to leave with?
Nothing springs to mind.
I think we covered it a lot.
This is expanding conversations.
There's new things that's going to come up.
There's new industries where this is going to apply to.
And it's always good to keep an eye out on that
and seeing how we can expand and help.
Cool.
Okay, in this case,
I want to say thank you so much for spending the time
and recording this podcast.
It's always great to see people like you
actually really be willing to speak,
talk about your experiences,
educate us on new topics
that we might not be too familiar with.
And yeah, we will add all the links
to your blog posts.
If you're okay,
we're also adding a link
to your LinkedIn profile
in the description
so people can also follow up with you
in case they have questions.
And yeah, let's hope,
let's keep fingers crossed
that as January 17
comes around the corner,
that all the organizations out there in the financial space have implemented everything that they could
to implement this new framework and apply all the rules and do all the reporting.
Yes, thank you for having me.
Thank you.