Working at a cybersecurity vendor, there is a fine line between responding to significant events and being an ambulance chaser. The difference is really a matter of taste. There is no disentangling the size of the cybersecurity market from the size of the threat of data breaches, and since cybersecurity as a whole "benefits" from the problem it solves, the ambulance must be chased. The point is to do it tastefully so one appears more like a paramedic than a parasite.

That was my contention when asked whether my company should have some kind of response to the AWS outage. For us to benefit, even implicitly, we have to provide value proportional to and specific to the crisis. During the CrowdStrike outage, for example, we collated a running list of companies that had disclosed some kind of impact and provided it to the public. That list was useful on its own and thereby functioned as marketing for us. Intelligence sharing as a form of marketing is common in cybersecurity. That was not the case with the AWS outage: we had no unique information and no capability that would lessen the time to resolution, so I thought there was not enough value to justify making it about us.

But while making that case to my peers I did think of one thing to say, something that could be titled "what we can learn about risk management from the latest AWS outage."

There are many things we did not learn from it. We did not learn that cloud service providers sometimes have outages; we already knew that from the umpteen previous ones. We did not learn that AWS is significantly worse than its competitors; it still seems pretty good. We may have learned which specific services depend on AWS, but which companies host there is already visible from their DNS records and from the IP ranges AWS publishes. This was a snow day, a minor disaster sure to happen eventually but impossible to predict exactly. I don't think we learned much.

On top of not learning anything, I don't think there's much to do about it either. Most of the discursive space in cybersecurity is filled by vendors, who naturally focus on risk mitigation. It feels great to solve our problems and reduce risk, and it is a reasonable exchange for companies to contract with cybersecurity vendors to do so. I love the idea of solving my problems.

In this case, though, I think risk mitigation is pretty unlikely. No one is going to move off of AWS because it had an outage. No one is going to switch vendors because the vendor might be down one day a year during an AWS outage. People live in Florida even though it has hurricanes regularly, they live in California even though it has earthquakes irregularly, and they host roughly 30% of the cloud in AWS even though it goes down sometimes.

Another option in risk treatment is risk transference. As cybersecurity and cyber insurance products have partnered more closely, this option has become more prominent in the marketplace. And it is a strategy closer to my own life than risk mitigation: I do often pay a lot of money to get nothing in return, just in case. Again, for a small number of companies critically affected by a cloud outage this might be a useful mechanism, but if the problem is really that big, they should already have invested in some kind of hosting redundancy that would deal with it more effectively than a payout after the fact.

Finally we get to the risk treatment option that no vendor talks about, the one that is very close to my heart: risk acceptance. If you can't do anything about a problem, or the solutions are more expensive than the problem, then you accept the risk. Indeed, one of the most important lessons of risk management is that we can never eliminate risk; that's why we manage it.

There are probably some people realizing their business continuity plans need an update. If you truly cannot tolerate any downtime, you need a plan with no single point of failure, least of all one that is known to fail from time to time. For everyone else, the lesson of the most recent outage (and you can come back to this point the next time it happens) is that sometimes the right way to respond to a crisis is to breathe in through the nose and out through the mouth.
