Itdaily - Organizations want control over their data, no matter what happens: an interview with the CISO of Keepit

Today, organizations don’t just want their data close by; they also want to be able to access it at any time. Keepit stores organizational data in its own infrastructure.

The Danish company Keepit offers Backup-as-a-Service (BaaS) for cloud software including Microsoft, Google, and Salesforce. Through fourteen data centers worldwide, Keepit creates vendor-independent backups of SaaS data, allowing organizations to protect their information against loss due to human error, ransomware, or technical failures.

“In the past, organizations bought backups for a sense of security. Today, backups are an essential part of a cybersecurity plan,” says Kim Larsen, Group CISO at Keepit. “Organizations today want to know where their data is located and be able to access it at any moment.”

What does the IT environment you are responsible for look like?

Larsen: “Keepit manages the backup of customer data, which means that when something goes wrong for a customer, that organization turns to Keepit to get the data back. That requires a particularly high security threshold.”

“We have fourteen data centers and all infrastructure is fully owned by Keepit itself. Every piece of code is developed in-house, and the people who wrote that code still work with us. That approach provides strong control over the entire environment.”

What are your main priorities at the moment?

Larsen: “In the past, organizations bought backup for the sense of security. Today, backup is an essential part of a cybersecurity plan. Attacks on critical infrastructure are no longer a theory, and the discussion around data sovereignty is gaining significant importance. Organizations want control over their data, regardless of whether it involves a natural disaster, a cyberattack, or geopolitical developments.”

Companies today want control over their data and to have access to it at any time.

Kim Larsen, Group CISO at Keepit

“This shift means that the cloud is no longer a single monolithic solution. Don’t put all your eggs in one basket: anyone who is completely dependent on one large cloud provider is vulnerable. What is your alternative if something goes wrong? We are already seeing such incidents happen today, such as with AWS or CrowdStrike; it’s no longer just about theory. Organizations want to test and know if backups actually work.”

Does the rest of the organization understand these priorities sufficiently? How do you get everyone on the same page?

Larsen: “Awareness at the board level has grown significantly in recent years. More and more organizations are being hit by ransomware attacks, for example, with all the financial consequences that entails. That threat ensures that management recognizes the importance of a cybersecurity plan.”

“Ten years ago, the CISO was someone who handled things somewhere in the organization without receiving much attention. Today, management expects concrete answers: who can attack us, what are our vulnerabilities, where are the gaps in our security? That makes the role of CISO richer in content, but also places higher demands on how security risks are communicated to non-technical decision-makers.”

Does the IT department have access to enough people and resources to successfully complete the challenges?

Larsen: “We have enough employees to guarantee solid security and continuity. The real problem is often finding the right people, especially in security operations. People with in-depth knowledge and a broad perspective on security are scarce in the labor market.”

It is a challenge to find the right people.

Kim Larsen, Group CISO at Keepit

“For growing companies, there is an extra dimension to that: it is not only difficult to find the right people, but also to retain them while the organization expands rapidly.”

Is the future of the IT environment in the cloud, on-premises, or a combination of both?

Larsen: “The future of the IT environment lies in a combination of cloud and on-premises solutions, where a so-called ‘designated cloud’ plays a central role. Although cloud solutions like Microsoft offer great advantages in terms of resilience and scalability, they also bring challenges regarding data sovereignty, as users often do not know exactly where their data is located.”

“At the same time, hosting data entirely on-premises is not an ideal alternative, as most companies lack sufficient knowledge to secure it. The cloud remains valuable, but Europe is not going to catch up with decades of IT development from large cloud providers in a single year, no matter how strong the call for sovereignty is.”

We cannot simply catch up with 30 years of IT developments in Europe.

Kim Larsen, Group CISO at Keepit

“What is realistic, however, is making a distinction between application sovereignty and data sovereignty. Full application sovereignty is not achievable in the short term, but control over one’s own data is. Organizations must be able to guarantee access to their data, even if a cloud provider fails or if geopolitical circumstances make access difficult.”

What impact do regulations like NIS2 have on IT policy?

Larsen: “NIS2 has a positive impact and helps the CISO in a way. The regulation gives me the opportunity to have conversations with the board of directors in a way that was more difficult before. Directors must now be actively involved in cybersecurity, which spreads the responsibility more broadly than just to the CISO.”

“Presenting a list of a thousand challenges to a board of directors doesn’t work. It’s about presenting the three most critical risks clearly and concisely in a language that board members understand.”

“In addition, the regulation obliges organizations to effectively test their recovery plans, not just on paper. That makes backup solutions concretely more relevant, because organizations must be able to demonstrate that their recovery plan also works in practice.”

How is your organization handling the AI hype?

Larsen: “AI is everywhere, even without organizations consciously choosing it, and that is exactly where the risk lies: employees use free AI tools daily without realizing they are sharing company data with external parties who can use it to train their models.”

“To manage this, it is important to offer only company-approved AI tools, share clear guidelines on which data can be used in which tool, and build awareness among employees about the risks of free tools. Because even a useful tool doesn’t mean all company data belongs in it, and understanding that distinction is crucial.”

Larsen: “According to figures from Gartner, 96 percent of CIOs, including our own CIO, expect their company to use AI within the year. Only three to six percent of CIOs know how to approach this. That is a large gap.”

“Many risks lurk within that gap. For instance, there is the danger that tools will be implemented that use data incorrectly, making an organization unintentionally vulnerable. Additionally, this can lead to confusion about the strategic direction they want to take.”

“It is important to refine AI until it is something understandable and workable, so that people can get started with it while still leaving room for innovation and further development,” he concludes.