Asanti...in conversation with

How Hybrid Replaced 'Cloud First' to Deliver a More Strategic Architecture

Asanti Data Centres Season 3 Episode 1

In this latest episode of In Conversation With, Asanti’s Emma Lauchlan speaks with data centre and infrastructure specialist, Steve Wright, about what hybrid IT really looks like today – and why “cloud‑first” thinking is being replaced by a more cloud‑appropriate approach. They explore how many organisations have slipped into hybrid by accident through cloud sprawl, and why rising OpEx costs, data sovereignty pressures and reliance on a handful of hyperscalers are forcing leaders to take stock.

Steve shares practical advice on building a multi‑year roadmap rather than chasing a big‑bang migration, using observability to map dependencies and place workloads in the right mix of on‑premises, colocation and public cloud. Emma and Steve also examine the widening skills and security gaps, the emergence of “shadow AI”, and how IT teams can start small with low‑risk workloads while keeping strong governance, visibility and the ability to roll back if changes do not deliver.

This transcript has been generated for reference and accessibility, with subtitles included on the video for easy navigation. It will not be 100% accurate but should be very close to the conversation.


Steve, welcome to this edition of In Conversation With. Just by way of giving you a little introduction. So, you've spent the last 25 years scaling data centre and cloud companies through to acquisition and more recently are acting as an advisor to private equity firms on strategy, investment and growth. I really appreciate you joining us today and I'm looking forward to this conversation. And just to set the scene a little bit about what we're going to talk about. We want to talk about really the change in priorities of the IT infrastructure and the landscape and talk a little bit about hybrid or this notion of hybrid. What does this mean in today's IT environment?

 

Is it something new, assuming it's some form of cloud and on-premise, but what do you see as that kind of modern definition of what a hybrid IT solution is?

 

It's interesting how it's changed over my career or maybe hasn't changed. That's a key thing. The concept of hybrid has been around for probably 30, 40, 50 years if we go all the way back to mainframes and people buying time slices. I think we've got a better definition of it now. I think over the last 10 years, maybe even just shorter than that, we've got probably the concept of cloud appropriate rather than cloud first, which we saw in the rise of sort of the hyperscale cloud era.

 

So for me, hybrid is very much about the integration of all the different facets of your technology stack and making sure that where the workload in your applications are in the right place. So that could be the public cloud. That could be your own data centre. It could be a third-party co-location data centre, or it could be using software as a service where they're really specialized on delivering one great product for you.

 

So do you think that this, well it sounds like this, hybrid infrastructure has really started to come into play with the launch of those public cloud platforms that you mentioned like AWS, which has been around for around 20 years, and Azure, which is around 16. So was it that people saw this new fast way of scaling their IT or setting up and scaling their IT infrastructure and when you, this is, this is the new big thing and everyone's gone into cloud and some have come out. I think at Asanti, we have conducted some market research that said like 91% of people that had gone fully into public cloud had started to repatriate some applications. So, is it that some businesses have maybe ended up as hybrid by accident rather than hybrid by design with the introduction of new technologies?

 

Yeah, I'd say over the last five years, the hybrid story has changed. I very much agree that it was hybrid by accident just through the demands on technology teams and to grow the infrastructure to deliver the service to the business.

 

And I think we ended up with a thing that's called cloud sprawl. So, we ended up just building services and infrastructure all over, whether it was on premise in data centre, on the public cloud, building your own private clouds and ended up trying to interlink them in various ways. I think now as an overall technology sector, we've gone through quite a maturing phase where cloud appropriate has become the right definition and hybrid is much more about, right, where is the strategy? What's the direction of travel for overall in the infrastructure space? Is this a legacy service from the business that maybe was never cloud appropriate? Do we have a base load which can just sit on a private cloud?

 

Are we using microservices and building new applications in a very different way to how we were 10 or 15 years ago and architecting properly? So I think all of those facets then deliver a modern view of hybrid cloud. A key turning point has also been the interconnectivity. That's the backbone for all of these services now, how they can share data, move data around, access the data and then ultimately deliver the business outcome. That's where the key thing and key bit of glue now exists in a really modern way.

 

So is it that sort of businesses didn't fully understand the full process of moving into those public cloud platforms?

 

People that I've spoken to often cite that cost savings rather was the sort of the big or the key driver for firstly going into those platforms and also the speed at which you can scale. But I've also spoken to people that have said, you know, we spent so much time trying to re-architect applications for the public cloud platform. So it was almost like even though some things were a bit square peg round hole, people seemed to be determined to push their entire infrastructure into cloud platforms.

 

Yeah, I think if we go back to those early definitions of cloud, it was providing elasticity. So that ability to scale up and also importantly scale back down. The pay per minute or per second of usage, being fully self-service and that speed to be able to respond to, oh, I need to deploy this really quickly. So those were in early important facets of the definition of cloud. And that sounded great to many businesses. And they took a cloud first approach.

 

And it's been interesting to see how maybe 15 years on, we look back and say, oh, that might have been the wrong choice. We didn't spend enough time thinking about the overall strategy.

 

Nowadays, when we talk about cloud, it's very much what is the strategy around how we're going to supply the service to the business or our customers.

 

One of those other key elements, which I just touched on was the pay per minute per hour. Could you ramp up your workload and then ramp it back down?

 

It seemed very cost effective. Also for the CFO at the time, while we're moving the burden from the business being very capital intensive buying new hardware, some of it very expensive at the time to all we're just on our consumption model and it's moved it to the operational base. There wasn't probably enough modelling at the time to say, right, how do we control and maintain these costs over the next five or 10 years? I think that's been one of the big drivers, particularly from the CFO and the board has been actually, do we have these costs under control? Do we understand the predictability of them and what are base costs for running the infrastructure for these businesses? And do we also understand the spikiness of the workloads? So when we do need to invest for scaling up, some of the great examples used, I always use HMRC and the self-assessment period. We all know nobody really files their self-assessment between probably mid-February and Christmas. And then all of a sudden through January, there's this massive ramp up starts to happen until the very last day where it's, I'm not sure what the exact figure, but I suspect it's four, 5,000 times scaling as everyone tries to submit their tax return on the last day.

 

And so it sounds maybe that those similar reasons for businesses going into that cloud infrastructure, maybe some of the reasons that they're now creating a hybrid infrastructure that the costs weren't right. Like you say, the modelling wasn't right. So do you think those are still the key business pressures that are commonly driving organisations towards hybrid?

 

So there's a couple of different areas where I'll touch on cost has always been a concern, but ultimately, if you're, you're in a business, you recognize you do have a cost base to supply the services and ensure that your teams are well equipped to deal with your, your operational outcomes.

 

Another one has been data sovereignty. So people have become more conscious about where their data is located in the world.

 

And the definition of cloud to some people, they don't necessarily think of a data centre, they just think of this amorphous thing in the world, whether it's for your personal use, you know, your photos that are backed up from your iPhone, or Android, or whether you're using AWS or Azure, you sort of select a zone or a region, but you don't actually know physically where that data is located.

 

That's really come back onto the agenda in the past 18 to 24 months, as the geopolitical scene has got a bit more fractious in the world.

 

And then finally, there's been a big aspect of just trying to figure out what's appropriate for our business.

 

Do we have a very steady, stable business that's not really changing that much, it's growing nicely, but the underlying technology stack isn't being innovated every day, every week, every month, where there is just this base load and actually, are we just using standard infrastructure as a service? Are we using traditional storage and compute services, which maybe wouldn't be more suited to having our own infrastructure again.

 

It does feel sometimes that we go through cycles in the world of technology where we outsource and then we insource and then we outsource and then we insource again. I think we're probably going through one of those cycles again in the hybrid era, maybe with some slight definition around the edges around, okay, well, that's the appropriate service to buy from that provider, or we'll build this bit of infrastructure on our own because we have the expertise and we can also get external support from a managed infrastructure provider or managed service provider as well.

 

You mentioned there regulated industries. Do you think that they are maybe more likely to create that hybrid infrastructure because of the data sovereignty, because of the ever-changing geopolitical landscape that we seem to be living in at the moment? Is it affecting those industries first and foremost, or is it to do with, like you described, the load, the fact that businesses are now able to look at their IT load and say, this is pretty consistent, we don't need that scalability and burstability unless they've got some sort of front-end application that they know is going to experience spikes in traffic?

 

I think for a lot of the highly regulated industries already, they're probably a few years ahead of the normal business curve. It's a strange place where you think the regulator's doing the right things sometimes, but in this situation, I think they have been relatively aware about the direction of travel for technology and ensuring that they're providing the right guardrails, the right operational guidance, as well as the regulatory oversight. We do need it within UK borders, for example, for certain types of data and we do need that processing to happen on the mainland.

 

For other industries, I think it's become more a business decision and they're more conscious about, right, where is my data located? Am I being compliant with potential new regulation? What's the demands from my customers? Are they now being more concerned? I think we are hearing a lot more when you're supplying to many different customers their concerns around data sovereignty, the data protection aspects, and then into the wider cybersecurity and how we protect that.

 

Just a touch on the sovereignty piece, because we know there's been or we've experienced outages or rather businesses have experienced outages that have been on these public cloud platforms. I was really surprised by some of the businesses that came out and said they were affected. I think HMRC was one of them. If there is this sovereignty concern, why are still some aspects of things that you would expect like HMRC that has to be held in the UK? Why is that still sitting on a public cloud infrastructure that could be anywhere across the globe?

 

Yes, so there's a lot of dependencies which we don't understand in the underlying infrastructure of public cloud providers.

 

For a lot of the time, we don't want to understand them. That's the idea. We want that complexity taken away. We want to be able to just deliver our infrastructure over the top of theirs and it just works.

 

That dependency tree, though, is a bit opaque.

 

As we've seen, Amazon have had a number of issues, particularly in their first region, US East One. It's the biggest. It's probably a bit of a gnarly beast to manage. There's also quite a lot of ultimate global dependency that ends up happening in terms of the control of the rest of the infrastructure.

 

You can architect around that, but again, it's well architecting a solution across a global infrastructure and maintaining the understanding of the nuance of those interdependencies is really, really difficult for organisations.

 

Even those who are the most experienced at doing this still run into challenges. There's a wider piece around the centralisation of the internet.

 

If we go back to the early days of the internet, the idea was a distributed system. There was no one central place of control. There was no over dependency on a single organisation or business. We've now got to a scale with some providers where we're seeing 20, 30% of internet traffic volumes being hosted in a small number of locations. I think there's now a saying, if one of these providers sneezes, the whole world has a bad cold for the day.

 

And ultimately, it's not just the consumer side. People may be concerned if Facebook isn't working or such. But as you say, when HMRC are having an issue or the BBC or some of these major institutions where you can't actually continue to do business, that's a much bigger concern.

 

Yeah. I think we've had so many outages that show that we have become really dependent on a handful, if not less, of technology providers that really prop up our everyday lives from the Amazons to the Googles to whoever it may be. But with those dependencies, if we look at where those companies are situated,

 

they are mainly US tech providers. How much do you think the US Cloud Act and Donald Trump is going to have an impact on how people view and consume those types of services going forward?

 

I think we've already seen a bit of a pullback, certainly across Europe, or at least the flag being raised that the US can use their extraterritorial powers to access data and data centres that are in Europe and hosting cloud services.

 

There's a big question whether they will actively do that a lot. But again, it's raised that flag and that concern, not just from a governmental level, but for a lot of businesses.

 

We talk a lot about the intellectual property inside a business, and certainly with my customers and who we supply to, there's a lot of information which they hold, which is very unique to them. That's their secret sauce as part of their business. If that was to be leaked, well, that starts to create issues about their competitiveness in the markets, how they're going to sustain their business going forward, or if they're heavily on the research and development side, they really want to protect their new and upcoming product or solution services.

 

The fact that that could be mishandled in some way by someone saying, "Well, we just need access to it for this security reason," is a bit suspicious.

 

There are a number of things that I think we're trying to do across Europe in terms of trying to progress some of our larger tech businesses.

 

But as you say, the might of those US operators and the penetration they have in the market, it's really hard to shift that oil tanker away from them and be able to have this more sovereign nation state clouds on each of the countries.

 

What more should the UK be doing to try and facilitate that change? We've had some conversations within Asanti with larger finance houses that are actively exploring how they can further pull out of these platforms. But like we said at the top of this conversation, AWS has been in the marketplace for 20 years. There's a lot to unpick and a lot to reverse out of that there. But is there anything that UK businesses that are in the cloud should be exploring? But also, is there anything that the data centre industry should be doing to try and help or facilitate this?

 

I think from a business aspect, there's understanding what your applications, what your workloads are. That's the first part. And we touched on cloud sprawl and this concept that actually you've had services being built both on premise at your offices, may have some third party co-location, some bits going into Amazon, some bits going into Microsoft, maybe a bit in Google, and not necessarily understanding all of the interdependencies of how they work together. So getting that observability across all of those different facets is probably the key thing. Then understanding what the actual workload's doing, is it that stable workload? Is that suitable to be on a private cloud?

 

Or actually, is it more suited to be re-architected into a microservice infrastructure?

 

Or actually, should it just stay where it is? That could be one of the decisions to be made. But taking that strategic view across the estates, and then trying to understand the business needs in the coming years, which is always difficult. I think every year, IT teams have been told, cool, it's going to be a nice stable year, we're going to be consistent, we're just going to keep the lights on. I don't think I've ever experienced that in over 25 years now of a normal year where there hasn't been some large level of change happening. So it's been a case of keeping the lights on and building to grow.

 

What's the second part of the question?

 

The second part was, what should the data centre industry in the UK do? Or how can they do more to perhaps help?

 

Is it help or does it make people, businesses aware rather that they are there that they can actually take some of this workload off them? Do you think that, I don't know, that the data centre sector, maybe even in the UK is competitive enough?

 

From a data centre aspect, I think we should, well, there's one thing we should do straight away. Every time we talk about cloud, we should say cloud that is in a data centre. That'll help with some of the reputational aspects and the potential for or about data centres and their perceived challenges to the nation.

 

From a true data centre operator's aspect, I think there's a big piece on awareness about what services they can provide. So long gone are the days where a data centre operator is just space, power and cooling, the very basics of the pyramid for IT infrastructure. It's much more about the service wrap now and working with partners to create a level of ecosystem in some ways to say, well, we've got the connectivity here for you already. We've got the right level of support. So the last thing you want to have is your expensive senior IT guys going into the data centre and doing racking servers and plugging in cables. You want them doing the valuable work of configuring and managing the applications. I mean, the support services that ensure that it is almost cloud like they can ship equipment in and it's then just powered on and ready for them to use as opposed to having to go through some of the harder aspects.

 

Yeah. I mean, we've run some market research recently that actually asked the IT decision makers in the UK what types of services they were going to outsource and the feedback was it was to evaluate architecture and potentially repatriate out of cloud. So does that skill of assessing the architecture, which you've referenced, is it often set in internal IT teams or is that one of the most likely ones that people are going to outsource to, whether it's an MSP or an IT consultancy firm?

 

From the aspect of skill sets, most internal IT teams will have a level of skill there. It's just whether it scales enough and fast enough for them to be making the overall architectural decisions.

 

Those are big business decisions that need to be made and generally come with a level of governance and oversight, potentially all the way up to board level about the strategic direction of travel. So sometimes it will be useful to have a partner that maybe does this on a more day-to-day basis, just to help provide some of that guidance and potentially open up people's eyes to other options as well. There's always that challenge when you're running at 100 miles an hour, you miss quite a lot about what is changing. We are in such a world of fast change at the moment, particularly in technology. Being able to keep an eye on every single area is very, very difficult.

 

Yeah, I was going to say that those kind of IT leaders within big businesses have got their day jobs to do, which could be keeping a trading floor online as well as making sure that employees can access services. So like you say, when it's such a big challenge to look at the architecture, to see what sits where, I guess that's a sizeable project for those types of businesses.

 

It is. And to take that big chunk and do it in one go is generally not going to happen. You need to think of this as probably a multi-year plan because you're going to have to phase it around doing, as you say, the day-to-day work still needs to be done, the platforms still need to be online, customers still need to be served, employees still need to be able to work.

 

And those transitions do create some level of risk, but there can be a lot of business benefit if you get the architecture right so that you've got built-in resilience for the future.

 

So Steve, you covered off quite a lot there and we talked about the main drivers for businesses to perhaps look at their IT infrastructure. But if a business finds itself in a position whereby perhaps that cloud bill has gotten way higher than they budgeted and they're starting to assess, do we actually need that scalability? Where do businesses start when planning this hybrid transition? How do they start the process of evaluating what's sitting where?

 

So I think the key thing on this is having the right tools in place.

 

There's a whole business and industry that has come around in the last five years around observability.

 

And that's not just because of the hybrid world. It's come around predominantly as tools have got better and we've been able to access larger sets of data. We've been able to do correlation between that data as well.

 

The other aspect is that key interdependencies. So the tools can start to bring that to the forefront so you understand where the data is flowing between applications, services, or even a network level. So you've got that absolute clarity around what's being used a lot, what's being very chatty and talking to a lot of other things, and actually some things which aren't really that active.

 

So if I was approaching that from the outset, right, once I've got my observability in place, I'm probably going to pick off one of the smaller things to begin with and then take a look at that. Just from a practical aspect, I understand that application, that workload a tiny bit more. What's it delivering for the business? Is it absolutely critical or is it something that could go through some change and transition without having huge business impact? You then start to build that momentum on a change program. And the key thing with any change management is momentum and trust. It's making sure that the early changes do go well. So people do believe that actually this change is for the better.

 

Then people start to trust that change is a positive thing. And if things do go wrong, you can quickly say, okay, we didn't get that one right. But we've done lots of other changes, they've been successful. And we can carry on moving forwards. And just getting into that mindset of change is an okay and good thing.

 

A lot of businesses, the technology teams will be very used to change just by the very nature of the work. Other areas of the businesses might not be so used to rapid change. So it very much is bringing people along on a bit of a journey there and getting them used to, okay, change is good, change is okay.

 

And it is for the better.

 

And are there any KPIs that businesses or the teams within businesses that should maybe set themselves or review or even report up the way to the board to make sure that they understand that this transition is working, it's safe and it's delivering on what we've said through the process of assessment it will deliver.

 

So I think from the aspect of this is a governance control, as with anything in business, you do need a level of governance and oversight. And there should be a relatively well formed business case for that change in transition. Is the benefit going to be reduction in cost? Is it going to be an improvement in performance or improvement in productivity? When you're investing in a business, you know, those are the standard things you're going to be looking at. It doesn't matter whether that's within the technology team, within your manufacturing environment, or any of your other large investment programs, you still need that underlying business case to really justify why we're putting this time effort resource into these changes.

 

I think you touched on it already. But you know, where should businesses start when they're planning this transition? But it is create the business case, map the infrastructure and then look for the easier or the quick wins. Which applications, for example, can we take out of this cloud environment that should be relatively stable and give, I guess, the organisations the comfort that this is the right plan?

 

I think the number one thing for me is not to be idealistic about it. You know, the idea of, right, we're cloud first. And there's the ideology there of cloud first. Well, that might not be the right way, ensuring it's, as I say, cloud appropriate. So understanding that workload, as we've discussed, understanding what the transition risk is, and making sure it's just in the right place. And does it have the right level of resilience? Sometimes we make things over resilient and add in a lot of complexity, which isn't necessarily required.

 

Whereas other things, it might be appropriate. But as you add in that complexity and that multiple levels of resilience, you're naturally increasing cost and a level of risk there of when it does go wrong, that it's going to be harder to fix as well.

 

So while it might be more resilient and more fault tolerant in theory, it does create better uptime. You could also have the flip side of that additional complexity means that if there is a problem, it does take longer to diagnose, longer to resolve, longer to deliver back to the business.

 

And in your experience, and when businesses are going through this period of change, are there skills gaps within the businesses? Should organisations build those skills in house, or is it easier, better to maybe bring a partner in to help deliver this?

 

So I'm a strong advocate for building skills in house.

 

I've been heavily involved in developing apprentices from an early part of my career. I think that's a really important aspect to develop those skills, not just for your own business, but for the future skill sets for other businesses as well. People will grow, they'll go out into the world, learn, and they then may actually come back to your business and bring those wider experiences back.

 

However, recognising we are in a world where there is a rate of change that we need to keep up with, bringing in specific skills or experience at certain times to help advance the team, and provide some of the shortcuts of being there, done that, got the battle scars, let's not go down that path. I've seen that path before, and we hit a dead end. We wasted six or 12 months on a project, I think is really, really valuable. And that can be for relatively short periods of time to get the strategy and the architecture right, and then the overall plan. And then hopefully the team in house can then do the actual implementation and have taken on board some of the fast learning experiences of those external advisors as well.

 

And do you think that as a sector, the data centre or the data centre industry has a skills gap? And if so, what caused that? Was it the introduction of cloud and hyperscaler so that most, more of that workload and skill set was getting almost shipped offshore?

 

So we've got different facets to the data centre industry. We've obviously got the physical engineering parts, you know, the mechanical electrical engineering, which we are seeing a shortage of those skills. But you see a shortage of those general trades in your day to day life, trying to get an electrician or a plumber for your home is a challenge nowadays. So I think there's a big skills shortage that we've known about for quite a long time as a country that we still haven't managed to overcome.

 

Then as we go up the stack in terms of technology, we spent probably the best part of 15 years encouraging everyone to learn coding skills and become programmers.

 

But we've neglected sort of the middle of that pyramid, the actual IT infrastructure, servers, networking, hardware, where all of those skills weren't necessarily being developed at the same rate. So that has led to some of the rise of the hyperscalers, because the programmers are finding it very easy just to deploy in a very self service, fire an API, fire a command and they get exactly the service they need in quite a timely manner.

 

Ultimately, though, under that API layer, there is still all of this physical hardware, an infrastructure that needs to be looked after and maintained. And having the right level of experience for those infrastructures is a real challenge because it has been neglected for 20 years. And the older people in the industry who built up those battle scars have worked on big infrastructure and dealt with outages as well. They're getting towards the latter years of their career. And there isn't that natural progression that we've seen of people in their 20s and 30s coming through to replace them at those senior levels. I think there is going to be a crunch point that continues to hurt us over the next few years. It's not insurmountable, but we just need some more targeted efforts on making sure when we do have gems in the rough and superstars who we think can come through and gain skills quickly, that we give them the right support, the encouragement.

 

And also the learning experiences. One of the big things from my early career was how to deal with outages. The internet wasn't quite as critical as it is now. So you were given the time to deal with an outage and work through a diagnostic process methodically and then find the right solution for it. Because of the pressure on teams now to ensure that the service is always available and that the business is delivering and that customers are super pleased, actually that whole process, you can't really do in a live environment anymore. And we haven't quite created the perfect simulated environments to create that same level of pressure and intensity while thinking clearly to handle that and gain those skills.

 

You mentioned there that a period of time ago we weren't maybe so dependent on the internet for our everyday lives, but we know now that these outages, it doesn't just damage brand reputation, it damages a business's bottom line. I think the M&S outage was reported to have cost them about 300 million. I'm not really sure where the Co-op went and then Jaguar Land Rover couldn't make any vehicles for about a month. So there is a material impact on businesses now. So we're talking about creating a hybrid infrastructure which could sit across an AWS, it could sit in a co-location data centre. How do organisations ensure that they've got consistent threat detection across the environments which are hosting their IT infrastructure?

 

So traditionally you would have thought about the perimeter. Your perimeter firewalls and actually anything external is a risk and for the most part internally we trust the services.

 

We've had to flip that on its head. Zero trust within the infrastructure has become a bit more of the norm where applications are almost suspected to have been breached, even if they haven't. That's just the default attitude.

 

As you get into a hybrid environment where you've got different moving parts in different locations, different potential edges and perimeters of those applications as well, the potential attack surface becomes larger. So you have to take this approach again. Well, it's very specifically this application speaks in this way to this other service and really locking it down. That then fits into a wider identity and authentication management model of ensuring that the people that are accessing those services do so with the right credentials. Whether that's your internal employees logging into systems, whether it's your IT administrators with elevated privileges, doing that from a secure environment, or that's customers logging in to get updates on their delivery or the services they've purchased. All of that needs to be viewed holistically. You can't just go, I'm going to install one type of threat detection software and it's going to work across all these different environments. We're not quite in that simplistic world anymore. But that's not just new for hybrid. That's for whether you're running in a traditional on-premise infrastructure setup, whether you're a fully cloud first, it would still be the same mentality that needs to be taken. And it comes from that good governance aspect of actually the risk profile that we're willing to take has to be minimal.

 

There's also the aspect of your third-party supply chain. If you look at the most recent and largest attacks, that's all been done through third-party support services.

 

The auditing and compliance levels that you need to have to go through and looking at all of, again, those interdependencies that you have, not just from an underlying infrastructure standpoint, but from a suppliers services aspect has become heavily in focus.

 

Like you say, it's the entire, it's not just your immediate partner, but it's their entire supply chain that you need to look at. There are so many systems there that are online that you may think that that shouldn't be a route in for hackers, but from a building management system, perhaps it's now completely online, it's controlled via an application. They all contribute, I guess, to potential routes in to businesses' data, which is a critical part now of their business infrastructure. So are there any sort of common security blind spots? Like I mentioned there, building management systems might be an extreme version of that, but when we think about cyber security and that sort of criminal activity, it isn't something that you can just address once and it fixes, it's a constant threat. So are there any common blind spots that you've sort of experienced across your career?

 

It sounds really stupid, but taking care of the basics is the number one thing.

 

Keeping your system patching up to date for security vulnerabilities, making sure applications are locked down appropriately, not just having them open to the wide world or even to your internal teams.

 

So just the very basics of security is probably the number one thing that every business can take away today and just say, when was the last time we updated all our systems? Are we installing all patches that have a critical vulnerability score of eight or more within a week of that being released?

 

Ultimately, trying to reduce that attack surface down as much as possible. And as the sort of saying goes, a business needs to be lucky every single day, a hacker only needs to be lucky one time and that's all they need, that one time to get in and then they will start to exploit and infiltrate. Another key thing is I speak to quite a lot of businesses who are, well, we're not a big enough business, we won't be a target. Actually, that doesn't matter, they're not paying attention to the size of your business or the impact your business has. You have to think some of these groups are very, very professional. They have HR teams, they have marketing teams to actually keep an eye out as to how they're being perceived. And for them, this is a business on their side as well. So ultimately, they have their junior hackers going out and trying to do very basic exploits and trying to then feed those into the more senior people who then will take a look and try and infiltrate data or find further exploits to maximise ultimately their profitability.

 

It is crazy that we talk about it in that way, but there's groups now with 2,000, 3,000 almost employees, hence why there is performance management happening of hackers. So I'm sure, oh, you've not reached your target for the quarter, I'm going to have to put you on a performance plan.

 

I mean, I do find it a sign in that the businesses that we've mentioned that suffered cyber attacks last year, for the size of them, you'd think that that would be something that they'd have quite stringent checks on, but yeah, the hackers have ground operations to a halt. I mean, I think M&S was offline in terms of their app and online ordering for, I don't know, three months or so.

 

Yeah, they have to also think that these businesses have a legacy behind them as well. So while the businesses have been going for a long time, they'll have a lot of legacy applications from their early founding years even still.

 

And the number of times where I've gone into organisations and helped them just to assess their systems and you find something that's in the corner of the office that was the payroll system that was put in 30 years ago. And there's the one person in finance who sort of knows about that service, but I don't really know about it.

 

No one does touch it because you know, they don't know what it does.

 

Yeah, well, they know it's the payroll system. So right, we want that one to work. So don't break it.

 

But because of that fear of touching it, it then starts to create intrinsic risk in the business.

 

So this comes back again to that basics, the IT basics of making sure things are kept up to date. And unfortunately, sometimes things do break when you update them and you have to go and fix them. And it does cause more work.

 

And that while alongside keeping the lights on and still growing and innovating, it's quite a lot of different balls to be juggling at the same time.

 

And I guess, you know, thinking about how businesses are changing, thinking about the amount of data that they are collecting on a daily, hourly, minute, second basis.

 

I guess, you know, data growth is potentially outpacing infrastructure planning. So how should organisations factor this growth of data into their architecture plans?

 

So this comes down to capacity planning. It's, you know, it's a, it should be a very basic thing. And importantly, when something's very basic, doesn't mean it's simple.

 

There is a difference there. So you should be taking the inputs from a technology team, from other leaders in the business understanding what their plans for the business are, where they might be growing areas of the business, which you weren't previously expecting, or the areas of business might be in decline. So the strategic plan for the overall business is, right, we're going to be reducing down that area, what are the trade-offs that are happening there? When it comes to, you know, collecting data, the best thing is something I've always been a prone to, I prefer to collect as much data as possible.

 

You know, storage is still relatively cheap, compared to what it was 20 years ago. So there isn't necessarily a reason to be throwing lots of data away all the time.

 

You obviously have some data protection considerations. So you have to have the right policies in place. And that's much more a business policy rather than a technology policy. And then technology implements the data retention strategies.

 

In terms of the then growth of that and forecasting, well, it's much more about right, what's the access of that data as well? Can I put it on a slower, cheaper storage tier, rather than it being instantly accessed all the time? Could I then add further tooling on top of that data? So, you know, there's been the rise of AI, which has allowed us to analyse data in different ways and actually give the ability for other teams in the business, not just technology, to perform data analysis in a more natural language manner, which we'll continue to see evolve.

 

That will then probably lead to more data being collected, as people go, Oh, actually, I think there's a gap in the answer to the question I'm wanting to ask. So let's collect that bit of extra data. So I can then build a view of what the world looks like for my needs. So all of that put together, it creates a bit of a challenge. But ultimately, your data growth levels, you can sort of, you know, get them into a chart and sort of say, right, well, this is where we predict it's going to be. Ultimately, you're going to be applying for budgets in the search. And that's going to go to the board, you need to factor in, well, if we accelerate the business and grow faster, well, there's going to be this associated increasing cost in IT infrastructure and storage. Likewise, if we run slightly behind our targets, there'll be a slight reduction as well.

 

So I guess what you're saying is close monitoring will ensure that you can provide that scalability that the business needs if there's a growth in data without necessarily over provisioning infrastructure.

 

Correct. Yeah. So it's, again, back to that observability aspect, if you can look into the past of what you've been doing, you're probably going to be able to predict slightly better into the future. It's not the magic crystal ball, but it sort of gives you a baseline to at least work from over a period of time.

 

And so what architectural decisions do you think will matter most in the next five years? Or is five years too long to think when it comes to IT and our current pace of change?

 

So we already know in most businesses, there is this stable workload.

 

For established businesses, they've got a pretty strong base IT load that is just going to carry on turning away and will grow at a certain rate aligned with the business growth.

 

Then we've got the future technologies that we're applying to businesses. So if we look at AI, that's now obviously the hottest topic in town. How we're applying that into businesses is still on the very futuristic side. There's a lot of businesses that have figured out their AI policies recently, which is interesting to see.

 

But there's going to be so many more tools and uses for AI coming over the next five years. That would be very hard to predict today what that's going to look like. But from an infrastructure level, we know some of the basics already. We know that it takes a lot of power and a lot of cooling.

 

So if you're planning on deploying one of the large language models into your business and doing that in a secure private fashion, well, you're going to need to have appropriate space and power to be able to do that.

 

You also need to be very conscious about, right, where's my intellectual property and my private data? Well, I'm not sure I really want to be sending that into the wider ether of these online AI tools, particularly as we come into highly regulated industries. If they have leaks, obviously that's a really serious issue for them. There's potential fines, there's brand reputation issues. And we're already starting to see it a little bit around the fringes as businesses are getting into a similar vein of shadow IT 10 years ago, where people were bringing their own devices and buying their own software solutions for their own departments. We're getting into a bit of shadow AI, where people are starting to use AI tools outside the bounds of the governance of the organisation.

 

And this is where the innovation in R&D side of the technology teams needs to be trying to stay on the front foot and trying to support the wider organisation. So there's a reason we're using this tool.

 

And there's a reason we're not using these other tools right now. And it's not that they're off the table for certain, but it's just we need to assess them appropriately. And we need to make sure that we're protecting our business data, potentially our customer data as well.

 

Yeah. So it is, you know, future planning around AI. Again, it goes back to the architecture, what's appropriate monitoring, I guess, to decide what should sit where. But when it comes to AI, you know, there's the large language model deploy, is that something that you're seeing commonly used by businesses? Or is it more that they are bringing in AI enabled applications, which they will also generate lots of data as the people query the database and ask for it to return whatever it is, or a document that they couldn't find or whatever that may be. But how much of an impact is AI going to make on a kind of day to day business and their architecture? I guess trying to ask that a bit more simplistically, there is the large language models and there's deployed AI applications.

 

What are businesses using? Because everywhere you go, someone is asking their employees, how can we use AI? How can we use AI? To me, it seems like they don't really understand what AI is. And there is those two distinctions between the large language model and then an AI enabled application. So what kind of, I guess, questions should businesses be asking?

 

So I think what we've seen is the AI enablement of software as a service applications has been quite quick.

 

And the rollout has been quite impressive. There's still a lot of questions for me around that, whether they're actually producing useful benefits or improved productivity.

 

Certainly, some people are finding them certainly productivity enhancers. And there's some very specific use cases where I've seen extreme productivity improvements. For example, with senior software developers using some of the AI coding tools, rather than those senior software developers having to write basic code, actually, they're doing the scaffolding, the framework build, and then getting the system to code all the very basics that they would previously have typed out by hand. So that was a huge productivity improvement.

 

There's other aspects of we have these internal data stores within businesses, whether that's your, you know, maybe you've still got a legacy on premise SharePoint site or a shared drive, or using some of these tools, and you want to start analysing that data in a more coherent fashion. But you might have been running your business 20 or 30 years.

 

And there's a lot of data there, it's not very structured. And so you want to be able to query it. But you don't just want to give it all over to a software service AI provider, which maybe doesn't have the best privacy controls, maybe you don't understand where that data is hosted, and where it's going. So at that point, you might say, well, actually, we'd like to run a little test bed internally, and we'll buy a small amount of hardware, deploy a few GPUs and deploy some of the open source models. And expect that research and development and the innovation time that some technology teams get to try and do that with the business in alignment, saying, well, we're not sure of the exact outcome yet. We think there's going to be a benefit. But we need some innovation time to just do a trial over the next three months and see what we can do with this. And if it's producing some results, perfect. But generally, that would also have to be partnered with probably a specific team within the business to see how they would be using it. So it can't just be an IT technology led initiative, it needs to be partnered appropriately to focus on that business outcome. And that's one of the biggest challenges at the moment, where's the best business outcome coming from?

 

So Steve, we've covered off quite a lot there. We started talking about hybrid, how businesses should be looking at their architecture and finding the right fit. And we've talked a little bit about how AI might change that with the growth in data or the explosion in data. So I guess to summarise, is hybrid the new modern default for IT infrastructure, then?

 

I think hybrid is just there. People don't necessarily call it hybrid now. It's just the aspect of having a single infrastructure platform probably doesn't exist. I don't think any modern business has just got one single platform anymore. They'll be working across different software as a service providers, their own traditional private cloud, as you may call it now, but their own traditional infrastructure, and probably some public cloud services as well. And there'll be some level of interaction and interconnection between them to ensure that the business operates efficiently.

 

So while we might give it the term hybrid cloud, you know, IT directors probably aren't thinking of it as hybrid. And certainly the business isn't thinking, I care about hybrid, I care about that very specific thing. It's probably more caring about what the business outcome is.

 

And thinking about that sort of then modern infrastructure for businesses, is there a clear definition of what actually works best over in public cloud and which is best to be kept on premise?

 

So I always come back to this base workload. I'm a strong advocate for saying if we've got base workload, we want to know the consistency of that workload, we need to know its performance, and we need to know how much that's costing the business. And for a lot of the time, having that out of the public cloud is beneficial, you have a lot more controls around it.

 

As we have touched on, there are benefits to public cloud. So if you're architecting a new service using all the microservices and those interactions, that's really positive. That gives your software development teams access to a whole suite of new tools, which is perfect for that. If you're needing to scale up and down really quickly, and you are really utilizing that, you know, not just talking about a 2x scaling, but you know, where we're talking a 10x scaling, that is absolutely valuable. Importantly, though, you need to be able to do the scale back down piece afterwards. There's a lot of organisations that I can see do the scale up piece. And then it's a manual process to scale back down rather than being automated.

 

And then the CFO goes crazy at the very big shock bill that they've just received for two months of whole scale infrastructure that only needs to be there for the Black Friday sale, for example.

 

And then if there's one action IT leaders should take in the next 90 days, what would you say that should be?

 

So assess your workloads. That's the biggest thing.

 

Hopefully, you've got some appropriate tooling and observability across that already. But just take a look from the ground up again and go, okay, what three workloads are most interesting right now that won't have big business impact? Are they in the right place? Are they in the public cloud?

 

But actually probably should be in a private cloud?

 

Is it that they should be a software as a service tool now? Actually, there's a lot of other tools out in the markets. And then make a decision, importantly, and then get it moved in the next three months. If it's set in the wrong place, well, get it moved.

 

Momentum around this is much better than perfection. As soon as you start getting a momentum and that thought process happening within the teams, then the wider business, I think that then naturally creates its own joy of change around the business. And a level of comfort that actually this is the right thing for us to do and we can see the benefits.

 

For sure. And that's the key thing. We've got to look at the business benefits all the time. And it's also okay to, as I said earlier, to put your hands up and say, actually, that change didn't go quite as we wanted. Let's roll it back.

 

You know, not every change is going to be perfect and you have to recognise that. But is it progressing the business forward? Is it providing benefits in either performance or resource or cost? If it's providing those benefits, then it's generally going to be supported by certainly the leadership of the business. And hopefully the rest of the teams will come along with that as well.

 

Steve, thank you.

 

It's been a great chat. Thanks.

 

 
