Protecting Digital Infrastructure In An Era of Platform Concentration

Recent high-profile outages at major technology vendors reveal a troubling pattern. The most serious digital failures often stem not from sophisticated attacks but from basic engineering missteps. Rushed deployments, weak change management, and inadequate testing turn tools meant to protect critical systems into sources of disruption. As enterprises rely on a handful of dominant platforms, even minor errors can cascade across industries, exposing the fragility of today’s interconnected digital infrastructure and affecting services, livelihoods, and trust in the systems we depend on.

For Suresh Sankaran Srinivasan, Group Head of Cyber Security and Data Privacy at Malaysian multinational telecommunications company Axiata, the solution is not more tools or defenses but smarter design and disciplined processes. With more than 25 years of experience, Srinivasan has led cyber strategy across complex, multi-market ecosystems, learning firsthand how small oversights can escalate into global incidents. His thinking extends beyond traditional cybersecurity, as he explored in his TEDx talk Digital Afterlife: Who Owns Your Data When You Are Gone, where he challenges us to consider the consequences of our digital lives. As he explains, "Resilience isn't a tool. It's how we design, build, and run our digital world," says Srinivasan.

• Reckless rollouts: A small number of dominant platforms now sit in the path of much of the world’s traffic and security controls, amplifying the impact of even minor failures. That risk is compounded by a decline in basic engineering discipline, driven in part by relentless pressure to ship and innovate faster. The result is an architectural monoculture, where a single mistake, such as CrowdStrike’s faulty patch or a Cloudflare developer’s misuse of the 'unwrap' function in Rust, can cascade into a global disruption. The push to ship faster has begun to outweigh discipline and review. "A fundamental learning from these outages is that cyber product companies are suffering from poor change management. They were in a rush to roll out features," Srinivasan says.

Faced with an industry that often prioritizes speed over discipline, the only path forward is for leaders to take resilience into their own hands. A critical tool for learning from failures is the Post-Incident Review (PIR), yet this step is frequently skipped in the rush to recover from outages. When reckless rollouts take precedence over reflection, security operations centers are left drowning in alerts, and customers remain exposed to disruptions that could have been prevented.

• Preventable casualties: Srinivasan points to a lack of follow-through in how the industry learns from major outages. PIRs are meant to identify root causes and inform future design, but those lessons are not always carried forward. "If the broader industry had done this properly, the second Cloudflare outage wouldn’t have created so many casualties," he says, noting that similar architectural weaknesses continued to affect a wide range of organizations.
• Scrambling the eggs: In the aftermath of the CrowdStrike incident, Srinivasan and his team at Axiata re-examined their entire cyber stack after realizing they had placed "too many of [their] eggs in a single basket." They rebuilt the architecture for redundancy and real-time visibility by decoupling DNS from their primary WAF provider, adding a passive CDN for backup content routing, and implementing 24/7 monitoring with automated failover, including a static-page fallback if all else failed. The approach paid off during a later Cloudflare outage. "When the world went down, we had, at best, an outage of ten minutes in one or two of our services, purely because the stack is much broader and diverse," he recalls.

Srinivasan says this level of resilience is achievable, starting with a clear view of the tools organizations already have. For many CISOs, that means shifting board conversations toward making honest choices about acceptable risk. It also means using contracts to hold third-party providers accountable, so the SOC isn’t operating in the dark.

• Maximize existing investments: Srinivasan emphasizes that resilience is about fully using the tools you already own. "Many organizations pay for a Mercedes S-Class but only use it for basic transport, ignoring the advanced safety and performance features they already own. The first step is knowing all the capabilities of the tools you’ve invested in and designing your stack to use them fully." Leaders need to make risk choices explicit and hold vendors accountable. "If you haven’t made investments, prioritize and get your board to sign off on acceptable risk," he says. "For third-party vendors, I can’t control how they adopt new technologies, but I can control my risk by asking direct questions about their processes and embedding liabilities into contracts."

Ultimately, Srinivasan urges leaders to adopt a mindset of proactive resilience, preparing for a world where physical and digital crises can intersect without warning. Events like a fiber cut during a border conflict or a cyclone in Sri Lanka show how deeply interconnected these challenges have become, creating a complex reality for modern leadership.

Reflecting on these experiences, he says, "These may seem like physical or political events, but they all have a digital subtext. The interdependency between the physical and digital worlds has pretty much become seamless. You cannot decouple the two anymore; anything that happens in one world will have an impact on the other."