Saturday, 17 August 2024 marked an important date for operators of #CriticalInfrastructure in Australia - the compliance deadline for a #CyberSecurity framework.

Under the #SOCI Rules (LIN 23/006) 2023, if you are an operator of critical infrastructure in Australia, you are required to establish and maintain compliance with a cyber security framework. The rules in LIN 23/006 (dated 16 February 2023) apply 6 months after passing (17 August 2023), then allow 12 months for responsible entities to be compliant.

These rules cover operators of 13 types of critical infrastructure assets: broadcasting, domain name system, data storage or processing, electricity, energy market operator, gas, hospital, food and grocery, freight infrastructure, freight services, liquid fuel, financial market infrastructure, and water.

Operators of these assets are required to be maintaining one of the following Critical Infrastructure Risk Management Program (#CIRMP) frameworks:
🛡 ISO 27001
🛡 ASD Essential 8
🛡 Framework for Improving Critical Infrastructure Cybersecurity (US NIST)
🛡 CMMC (US DoD)
🛡 AESCSF Framework Core (AEMO)

A reminder too that CIRMP annual reports for the 2023-24 Australian financial year are due by 28 September 2024!
IT Infrastructure Upgrades
-
Europe just defined how AI must be secured

On 15 Jan, the European Telecommunications Standards Institute (ETSI) published a standard, EN 304 223, defining baseline cybersecurity requirements for AI models and systems.
➡️ A common set of AI cybersecurity controls, usable across jurisdictions, vendors, supply chains.

Why this matters now
Traditional cybersecurity was built for software & networks. AI changes the attack surface:
▫️ training data can be poisoned
▫️ models can be manipulated or obfuscated
▫️ prompts can be indirectly injected
▫️ behaviour can drift in invisible ways
➡️ EN 304 223 explicitly names these risks, treating them as security failures.

How this takes effect
EN 304 223 is already being pulled into procurement processes, security questionnaires, internal audits, vendor due diligence, insurance reviews. With the EU AI Act, high-risk AI systems will need to demonstrate compliance through conformity assessment either via internal control with robust technical documentation, or through assessment by a notified body.
➡️ EN 304 223 is the operational “how” that law and auditors will rely on.

The real breakthrough: lifecycle security
The standard defines 13 principles and 72 trackable requirements, organised across 5 phases of the AI system lifecycle:
1️⃣ secure design
2️⃣ secure development
3️⃣ secure deployment
4️⃣ secure maintenance
5️⃣ secure end of life
➡️ Retraining a model = redeploying a system from a security standpoint. AI security becomes a continuous operational discipline.

Accountability made operational
EN 304 223 assigns accountability across 3 technical roles:
✔️ developers
✔️ system operators
✔️ data custodians
➡️ AI risk lives between teams. This standard makes ownership explicit.

The target: production AI
EN 304 223 applies to deep neural networks and GenAI models already embedded in products, services, and operational decisions. Academic or research environments are excluded.
➡️ This standard is about AI that is live, scaled, and consequential, particularly in finance, healthcare, and critical infrastructure.

What “compliance” means
Complying with legal, audit, procurement, and insurance expectations using EN 304 223 as evidence: mapping controls across the lifecycle and ownership across roles.

What Boards and executives should do now
1️⃣ Mandate an AI inventory: What AI is live, where, doing what, using which data pipelines, supplied by whom.
2️⃣ Assign named accountability across the lifecycle: Align to the standard’s role logic per system.
3️⃣ Require an AI security evidence pack per high-impact system, mapped across its lifecycle.
4️⃣ Decide your assurance route early. For high-risk systems plan for internal control vs notified body assessment.

The bigger signal
EU is turning AI security into auditable infrastructure. Trustworthy AI is becoming a standard of execution. For companies operating globally, proof of AI security is becoming the baseline.

#AI #GenAI #AIGovernance #AISecurity #Boardroom
-
I’ve been mentoring engineering leaders recently, and one theme keeps coming up: Engineering is evolving—and so must we.

When I worked on Google’s index 2 decades ago, it was just a few billion pages. Scaling to trillions and beyond required a mindset shift. We physically visited datacenters, mapped rack affinity & topologies, hardcoded these for performance—because no off-the-shelf solution existed.

Fast forward to today: engineers can spin up a datacenter's worth of compute with a config change—or better yet, it happens dynamically. That kind of shift isn’t just about tools. It’s about thinking differently.

Now, AI is demanding another leap. You can’t say “I’m just a backend developer” or “I only do mobile” or "I only work on models". You are now supervisors. System thinkers. Outcome owners. You are not just writing code—you are orchestrating intelligence.

And that requires a new kind of engineering leadership. One that breaks silos, rethinks roles, and embraces the unknown.
-
A CEO of a SaaS company told me that despite having a sizable engineering team, they weren't delivering enough revenue-boosting features.

A portfolio review revealed the problem's root: They were juggling two versions of every product - the original and a next-gen upgrade.

The remedy? A strategic roadmap to phase out older products without alienating customers.

Retiring outdated products isn't a simple "lights out." In this case, the new versions lacked features beloved by legacy users. So, we did this:
✅ Feature Focus Groups: We listened. Loud and clear. Customers told us what they'd miss, and what would entice them to switch.
✅ Upgrade Evolution: We pivoted. Based on customer feedback, we added crucial features to the new versions, making them truly compelling choices. ✨
✅ Communication Crusade: We kept everyone informed. Customers, teams, stakeholders – everyone got the lowdown on the "why" and the "how" of the transition.

The outcome? Transformed. The maintenance workload went down and engineers could focus on innovation and revenue-generating features.

Facing a similar product purgatory? Read the full story (and get even more tips!) in my blog post: https://lnkd.in/gGHpj37S

If you need more help to boost productivity and innovation, feel free to DM me and schedule a consultation.

And remember, prevention is best! When building next-gen products, think backward compatibility and seamless upgrades.

#productmanagement #growth #leadership #changemanagement
___
➡️ I am Talila Millman, a fractional CTO, a management advisor, and an executive coach. I help CEOs and their C-suite grow profit and scale through optimal Product portfolio and an operating system for Product Management and Engineering excellence.
📘 My book The TRIUMPH Framework: 7 Steps to Leading Organizational Transformation will be published in Spring 2024. You can preorder a signed copy on my website
-
🛡️ The Quantum Clock is Ticking quietly: Is Your Financial Infrastructure Ready?

The financial industry is built on a foundation of digital trust, currently secured by #cryptographic standards like RSA and ECC. However, the rise of Cryptographically Relevant Quantum Computers (CRQC) poses an existential threat to this foundation.

As we navigate this transition, here are 3 key pillars from the latest Mastercard R&D white paper that every financial leader must prioritize:

1. Addressing the 'Harvest Now, Decrypt Later' (HNDL) Threat 📥
Malicious actors are already intercepting and storing sensitive #encrypted data today, intending to decrypt it once powerful quantum computers are available.
Financial Use Case: Protecting long-term assets such as credit histories, investment records, and loan documents. Unlike transient transaction data (which uses dynamic cryptograms), this "shelf-life" data requires immediate risk analysis and the adoption of quantum-safe encryption for back-end systems.

2. Quantum Resource Estimation & The 10-Year Horizon ⏳
While a CRQC capable of breaking RSA-2048 in hours might be 10 to 20 years away, the migration process itself will take years.
Financial Use Case: Developing Agile Cryptography Plans. Financial institutions should set "action alarms" for instance, once a quantum computer reaches 10,000 qubits, a pre-prepared 10-year migration plan must be triggered to ensure infrastructure is updated before the "meteor strike" occurs.

3. Hybrid Implementations: The Bridge to Security 🌉
The transition won't happen overnight. The paper highlights the importance of Hybrid Key Encapsulation Mechanisms (KEM), which combine classical security with PQC.
Financial Use Case: Enhancing TLS 1.3 and OpenSSL 3.5 protocols. By implementing hybrid models now, banks can protect against current quantum threats (like HNDL) while maintaining compatibility with existing classical systems, ensuring a smooth and safe transition.

The Bottom Line: A reactive approach is no longer an option. Early adopters who evaluate their data's "time value" and begin the migration today will be the ones to maintain resilience and protect global financial assets tomorrow.

#QuantumComputing #PostQuantumCryptography #FinTech #CyberSecurity #DigitalTrust #MastercardResearch
-
📢 According to the 2024 IBM Cost of a Data Breach Report, the average cost for a healthcare breach is now $9.77 million.

✨ Healthcare has held the dubious title of "highest average data breach cost" for 14 consecutive years.

🌎 That figure represents more than just financial loss. It means a critical gap between the exploding volume of sensitive patient data we manage and the antiquated infrastructure often tasked with protecting it.

✏️ For healthcare leaders and board members, the question is no longer "if" we modernize, but "how fast."

💡 We are seeing a strategic pivot in which technical debt is finally being recognized as an operational risk. The organizations that will thrive in this next era are those treating data center modernization as a core component of patient safety and business resilience.

🎯 Here is where I am seeing the most successful leaders focus their modernization efforts:

🔹 Hybrid Architectures and Advanced Processing
The era of the one-size-fits-all on-premise data center is over. We are seeing a strategic migration of Electronic Health Records (EHR) to the cloud to reduce licensing costs and improve agility. However, for workloads that must remain on-premises, the infrastructure is shifting to support advanced processors. These high-density environments require a rethink of power and cooling strategies to handle the computational load of modern AI applications.

🔹 VDI Enabled by GPUs
Virtual Desktop Infrastructure (VDI) has been a staple in healthcare for mobility, but the requirements have changed. With the rise of telehealth and high-resolution imaging, standard VDI implementations often fall short. We are now integrating GPUs into VDI environments, allocating dedicated graphics power per user. It ensures that radiologists and cardiologists can collaborate in real time on high-resolution images without latency—directly improving diagnostic speed.

🔹 The Rise of "Clean Rooms" for Recovery
HIPAA Security Rule compliance regarding data backup and disaster recovery is evolving alongside the threat landscape. It is not enough to have backups; you need an isolated environment to test and restore them safely. "Clean rooms"—whether on-prem or in the cloud—are becoming essential for cyber recovery. They allow organizations to sanitize data before reintroducing it to the network, ensuring operational continuity without risking reinfection.

💥 Modernization is a complex undertaking that requires a balance between capital expenditure and strategic foresight. But the ROI goes beyond the balance sheet—it creates a resilient foundation for the AI-driven future of patient care.

➡️ If you are evaluating your data center strategy or looking for ways to reduce your risk profile through modernization, let's connect.

#HealthcareIT #DataCenterModernization #CyberSecurity #HealthTech #Leadership
-
🚨 NEW PEER-REVIEWED RESEARCH: PQC Migration Timelines

Excited to share my latest paper published in MDPI Computers: "Enterprise Migration to Post-Quantum Cryptography: Timeline Analysis and Strategic Frameworks."

The transition to Post-Quantum Cryptography (PQC) represents a watershed moment in the history of our digital civilization. Organizations planning for a 3-5 year "upgrade" will fail. The reality is a 10-15-year systemic transformation.

Key Contributions:

📊 Realistic Timeline Estimates by Enterprise Size:
Small (≤500 employees): 5-7 years
Medium (500-5K): 8-12 years
Large (>5K): 12-15+ years

⚠️ Critical Finding: With FTQC expected 2028-2033, large enterprises face a 3-5 year vulnerability window—migration may not complete before quantum computers break RSA/ECC.

🔬 Novel Framework Analysis:
Causal dependency mapping (HSM certification, partner coordination as critical paths)
"Zombie algorithm" maintenance overhead quantified (20-40%)
Zero Trust Architecture implications for PQC

💡 Practical Guidance: Crypto-agility frameworks and phased migration strategies for immediate action.

Strategic Recommendations for Leadership:
1. Prioritize by Data Value, Not System Criticality: Invert the traditional triage model. Systems protecting long-lived data (IP, PII, Secrets) must migrate first, regardless of their operational uptime criticality, to mitigate SNDL.
2. Fund the "Invisible" Infrastructure: Budget immediately for the expansion of PKI repositories, bandwidth upgrades, and HSM replacements. These are long-lead items that cannot be rushed.
3. Establish a Crypto-Competency Center: Do not rely solely on generalist security staff. Invest in specialized training or retain dedicated PQC counsel to navigate the mathematical and implementation nuances. The talent shortage will only worsen.
4. Demand Vendor Roadmaps: Contractual language must shift. Procurement should require vendors to provide binding roadmaps for PQC support. "We are working on it" is no longer an acceptable answer for critical supply chain partners.
5. Embrace Hybridity: Accept that the future is hybrid. Design architectures that can support dual-stack cryptography indefinitely, viewing it not as a temporary bridge but as a long-term operational state.
6. Implement Automated Discovery: You cannot migrate what you cannot see. Deploy automated cryptographic discovery tools to continuously map the cryptographic posture of the estate, identifying shadow IT and legacy instances that manual surveys miss.

The quantum clock is ticking. Start planning NOW.

https://lnkd.in/eHZBD-5Y
📄 DOI: https://lnkd.in/ejA9YpsG

#PostQuantumCryptography #Cybersecurity #QuantumComputing #PQC #InfoSec #NIST #CryptoAgility
-
FS‑ISAC has issued a sector‑wide paper, "The Timeline for Post‑Quantum Cryptographic Migration". It argues financial services must move in lockstep to replace RSA/ECC in time. The press release is here: https://lnkd.in/gKqFkJC4. And the paper (registration required) is here: https://lnkd.in/g4-DPFqD

FS-ISAC's voice is the collective voice of the financial industry on cybersecurity. It reflects a consensus of leading experts across the sector. Its guidance often informs industry standards and regulatory expectations, making this new position paper especially significant. For a CISO in financial services, FS-ISAC’s recommendations can translate into actionable steps for strengthening resilience. In terms of quality and importance, it’s hard to overstate the value of this document for a financial CISO.

The paper warns against “crypto‑procrastination” - underestimating impact, misreading migration complexity, deferring the threat (I love the term!). It maps ecosystem dependencies - FMIs, central‑bank rails, telecom/critical infrastructure, vendors, and standards (IETF, X9), and urges crypto‑agility and an enterprise crypto inventory.

Recommended phases: Initiation (governance/budget), Discovery (inventory/prioritization), Deployment (remediate high/medium‑risk uses; start disallowing legacy), Exit (ban legacy algorithms; audit/attest).

The timeline aligns with global signals: NIST aims to deprecate RSA‑2048 by 2030 and bar classical PKC by 2035; NSA CNSA 2.0 and the EU’s coordinated roadmap are similar; MAS and the Bank of Israel have directed preparedness.

My take: this is the clearest cross‑industry map yet for CISOs - strong on sequencing and coordination, realistic about vendor/standards bottlenecks, and urgent. It stops short of prescriptive, FS‑specific interim dates, but the 2030/2035 anchors are enough to justify moving from planning to implementation now. In short, you should read the paper even if you are not in FS.

#PQC #PostQuantum #QuantumReadiness #QuantumSecurity #QuantumResilience #QuantumResistance

The image below is a comparison of transition timelines from the paper.
-
The transition to #renewableenergy is accelerating across the globe—and at the heart of this shift lies the Battery Energy Storage System #BESS. While performance and capacity often steal the spotlight, it's the silent framework of #safetystandards and compliance protocols that make these systems reliable, scalable, and grid-ready.

Let’s unpack what goes into making a truly safe, standards-aligned BESS:

1. Cells and Battery Modules: At the most granular level, individual lithium-ion cells and #batterymodules must comply with rigorous standards such as:
• UL 1642 – Focuses on the electrical, mechanical, and environmental safety of lithium cells
• UL 1973 – Addresses battery systems used in stationary and motive applications
• UL 9540A – Evaluates thermal runaway fire propagation in battery systems
These certifications lay the foundation for risk-free operation by mitigating hazards right at the cell level.

2. Battery Racks: #Batteryracks are not just containers—they're engineered structures housing multiple modules. Certified under UL 9540A, racks must prove their resilience against thermal events, offering another critical layer of protection.

3. Power Conversion System: PCS is the brain that manages energy flow between the grid and batteries. It must adhere to UL 1741, ensuring compliance with #antiislanding protection, voltage/frequency limits, and communication protocols critical for grid integration.

4. Battery Management System & Communication Interfaces: This digital backbone monitors voltage, temperature, state-of-charge, and fault conditions. It follows a suite of certifications:
• UL 1741 & UL 9540
• CSA C22.2 No. 340-201
• IEEE 2686, 2688
This ensures that the #BMS not only protects the system but also communicates effectively with utilities, fire protection systems, and SCADA platforms.

5. Fire/Gas Detection & Explosion Protection: Advanced detection and suppression systems must comply with:
• NFPA 72 & 855, and the International Fire Code (IFC)
• Explosion protection as per NFPA 13, 15, 68, 69 and IEEE 855
These ensure that any off-gassing, over-temperature, or arcing event is identified early, triggering mitigation before escalation.

6. Interconnection with the Grid: The BESS must synchronize safely and intelligently with utility networks using protocols defined by:
• IEEE 1547 & 2800: These standards cover everything from voltage ride-through to cybersecure communications.

7. System-Level and Installation Compliance: Holistic safety comes from aligning with installation guidelines such as:
• NFPA 70 (NEC)
• UL 9540 for complete BESS certification
• IEEE C2 (NESC) for utility-grade deployments
These cover enclosure requirements, spacing, #thermalzoning, wiring, earthing, and egress pathways for emergency responders.

I welcome conversations with peers, partners, and policymakers working toward a safer, smarter energy future. How is your team approaching layered safety and compliance in energy storage?
-
The rapid growth of digital infrastructure has intensified the demand for reliable, efficient, and sustainable data center power systems. With AI workloads, high-density computing, and real-time digital services scaling at an unprecedented pace, enterprises and hyperscalers must operate without compromise or downtime. Modern architectures now integrate modular UPS, intelligent PDUs, and advanced energy storage, enabling scalable capacity, improved efficiency, and seamless operational continuity.

⭐ Core Attributes of Next-Gen Data Center Power Solutions
🔹 Redundancy & Resilience: Multiple failover paths (N, N+1, 2N, 2N+1) eliminating single-point failures.
🔹 High Availability / Uptime: Designed for “always-on” performance with near-zero unplanned outages.
🔹 Energy Efficiency: High-efficiency UPS, optimized power paths, reduced conversion losses.
🔹 Scalability: Modular architecture allowing incremental expansion as demand grows.
🔹 Power Quality & Conditioning: Harmonic filtering, surge suppression, and voltage regulation to protect loads.
🔹 Monitoring & Smart Control: Real-time analytics, predictive alarms, and complete DCIM integration.
🔹 Fast Transfer & Response Time: Instant source switching (grid → UPS → generator → ESS) without service impact.
🔹 Sustainability & Green Energy Integration: Renewables, battery technology, carbon tracking, microgrid compatibility.

⭐ Why Data Center Power Matters
✔ Critical backbone of global digital infrastructure
✔ Supports exponential growth in data, cloud, and AI loads
✔ Reduces operational risk and downtime exposure
✔ Enables energy efficiency and sustainability outcomes
✔ Drives cost optimization and technology innovation

⭐ Key Technologies Shaping the Future
• SiC & GaN-based high-efficiency power semiconductors
• Solid-state circuit breakers (SSCBs)
• Small Modular Reactors (SMRs) for hyperscale power resilience
• Digital Twins for power flow modelling & predictive maintenance
• DCIM + EMS-driven energy management platforms
• Edge- and cloud-based remote monitoring
• Microgrids with dynamic demand response
• Grid-interactive UPS & power-as-a-service models

#datacenterpower #DataCenter #AIDataCenter #CloudComputing #Infrastructure #DataCenterManagement #ITInfrastructure #DataCenterDesign #Colocation #Virtualization #NetworkInfrastructure #DataCenterOptimization #GreenDataCenters #EdgeComputing #DataCenterSecurity #ITStrategy #DigitalTransformation #ModularDataCenter #DataInfrastructure