Regulations drive investments in cybersecurity and efficiency
Legislative requirements for data center resiliency, operational transparency and energy performance are tightening worldwide — putting data centers under greater regulatory scrutiny. In response, organizations are either starting or stepping up their efforts to achieve compliance in these areas, and findings from the Uptime Institute Global Data Center Survey 2023 reveal that most are prioritizing cybersecurity (see Figure 1).
Figure 1. Regulations drive security, hardware and efficiency investments
Since 2020, several countries have introduced laws with strict cybersecurity demands for data center operators to combat the rise in cyber threats (see Table 1) — especially if they host or manage critical national infrastructure (CNI) workloads. As CNI entities become more reliant on digital services, they are increasingly exposed to cyber risks that could result in severe consequences. For example, a compromised facility managing applications for a utility risks widespread power and communications outages, threatening the physical safety of citizens.
Table 1. Regulations that mandate enhanced cybersecurity measures
Cyberattacks are becoming increasingly sophisticated as the digital infrastructure becomes more interconnected. For example, operational technology systems for power and cooling optimization are routinely connected to the internet (either directly or indirectly), which creates a broader “attack surface,” giving more access points for cyberattacks. Operators are also increasingly deploying Internet of Things devices and applications. These are used for asset tracking, predictive maintenance and capacity planning, but they require network connectivity and can lack robust cybersecurity features.
Measures aimed at improving energy efficiency rank as the second and third most popular responses to new regulations (see Figure 1). To evaluate their progress, data center operators may add new energy management systems and network connections to the power infrastructure, potentially complicating existing cybersecurity programs.
Alongside the risks to CNI, cyberattacks could lead to significant financial losses for organizations through data breaches, reputational damage, customer lawsuits, ransom payments and regulatory fines. Governments are particularly concerned about systemic risks: the knock on or “domino effect” when parts of the digital infrastructure supply chain go offline, causing others to fail or putting new traffic loads of entirely separate systems.
Privacy is also a major issue beginning to affect infrastructure operators — although this is mostly an issue at the application / data storage level. For example, the US Health Insurance Portability and Accountability Act (HIPAA) mandates that data center operators meet specific security standards if their facilities process private healthcare information — and noncompliance can cost $50,000 per violation. Such financial risks often fuel the business case for cybersecurity investments.
What do these investments look like? Many organizations start by conducting cybersecurity risk assessments, which often show that traditional and partial solutions such as firewalls and basic security is not enough. They may also hire new or additional cybersecurity staff and systems to patch vulnerable systems and applications, deploy network segmentation, set up protection against distributed denial-of-service attacks and deploy multifactor authentication for users. Once established, these measures need to be checked against specific regulatory requirements, which may call for specialized software or compliance audits.
The cost of compliance can be significant and recurring because of frequent regulatory and technological changes. Furthermore, the cybersecurity field is currently facing a labor shortage. According to the International Information System Security Certification Consortium (ISC2), there are more than 700,000 unfilled cybersecurity positions in the US alone, which is likely driving the costs higher.
While these investments can be significant for some organizations, there are many potential benefits that extend beyond regulatory compliance. Combined with other investments prompted by regulations, including energy performance improvements, these may pay dividends in preventing potential outages and play a role in elevating the overall resiliency and efficiency of all the systems involved.
The Uptime Intelligence View
Regulatory concerns over resiliency and energy use have led to a wave of new and updated requirements for data centers. Organizations are starting efforts to achieve compliance — and most are prioritizing cybersecurity. While investments in cybersecurity can carry significant costs, threats by malicious actors and financial penalties from noncompliance with regulatory requirements have bolstered the business case for these efforts.