Building Resilient IT Infrastructure From the Start

Summary

This commentary argues that while the cybersecurity industry concentrated on perimeter defences, modern IT infrastructure — especially in hybrid and multi-cloud environments — has become an overlooked attack surface. Growing complexity, frequent ad hoc changes and hand-offs between security, engineering, operations and legal create misconfigurations and gaps adversaries exploit. The Cybersecurity and Infrastructure Security Agency’s (CISA) “Secure by Design” framework is highlighted as a roadmap to embed security into infrastructure lifecycle: create tailored control policies, continuously assess posture, present scan results as engineering tasks and automate remediation so security becomes continuous rather than an afterthought.

The authors warn that manual processes and temporary weekend fixes leave backdoors open and that governance tools which only show gaps are insufficient without automated remediation. They recommend shifting infrastructure security “left” — integrating it early into provisioning and operations — and using automation and security control management to detect and fix problems before attackers do.

Key Points

Modern enterprise infrastructure is fragmented across public cloud, private cloud and on-prem systems, expanding the attack surface.
Miscommunication between security, engineering and other teams often results in misconfigurations and delayed or missing controls.
CISA’s Secure by Design framework advocates embedding security across the infrastructure lifecycle, not just at the perimeter.
Continuous assessment, tailored security control policies and delivering scan results as discrete engineering tasks help close gaps faster.
Automation and integration with DevSecOps are essential to remediate configuration drift and reduce window of exposure.
Shifting infrastructure security left makes protection proactive and aligns security with rapid deployment cycles.

Context and Relevance

The piece is relevant to CISOs, security engineers, cloud architects and platform teams grappling with the operational realities of hybrid environments. It connects to recent high-profile breaches and reports showing multi-environment data spills and reinforces industry trends: Secure by Design, continuous compliance, and security control management (SCM). For organisations moving fast with cloud-native practices, the article underscores that visibility alone isn’t enough — action and automation must follow.

Why should I read this?

Short answer: because if you run or secure cloud or hybrid systems, this is the checklist you didn’t know you needed. It cuts through the slog of spreadsheets-and-email handoffs and shows why making security part of build and deploy cycles (not Friday-night fixes) actually stops the kinds of breaches that cost millions and reputations. Quick, practical and directly applicable.

Author note

Punchy take: Marene Allison (ex-J&J CISO) and Lisa Umberger (Sicura CEO) bring operational credibility — they don’t just warn, they map how to turn CISA’s guidance into engineering workflows. If you care about uptime, compliance and avoiding headline breaches, treat this as essential reading and a starting point for automation-driven security control management.