In an era where digital resilience and regulatory compliance
are paramount concerns for financial institutions, Valiantys, HYCU, Lansweeper,
and Appfire have forged a strategic partnership to tackle the challenges of
DORA (Digital Operational Resilience Act) compliance. VMblog sat down with Adam
Jackson, Global Head of Enterprise Service Management at Valiantys, the largest
Atlassian solution partner globally, and Andy Fernandez, Senior Director of
Product Marketing at HYCU, to learn more about why the four companies aligned on
this GRC (Governance, Risk, and Compliance) service.
The partnership combines Valiantys' expertise in IT
consultancy and Atlassian solutions with HYCU's backup capabilities,
Lansweeper's best-of-breed asset discovery and management solution, and Appfire's
dashboard and document management capability to offer organizations a
streamlined approach to achieving and maintaining DORA compliance, which is
particularly pressing as the January 17, 2025 application date approaches.
VMblog: Can you provide some background on
Valiantys and its role in the industry?
Adam Jackson: We are a global IT consultancy
organization specializing in the Atlassian stack, with presence across North
America, APAC, UK, Benelux, Switzerland, Germany, and France, where we were
founded. We have the most specializations of any Atlassian solution partner and
are the largest in terms of numbers and dedicated focus. Beyond platform and
license reselling, we provide best practice advice and guidance around change
enablement and transformation using the Atlassian stack as a catalyst to add true
value to organizations.
We work very closely with Atlassian, helping shape their HR
approach and security controls. We're members of the Partner Advisory Council
and the Solution Partner Advisory Council, providing guidance on how Atlassian
can enhance their transformative capabilities and partner more effectively with
organizations to further the ecosystem.
VMblog: How did the partnership between HYCU and
Valiantys come about?
Andy Fernandez: Two years ago, Atlassian became an
investor in HYCU. Many of our customers were running Atlassian on data center
environments with traditional virtual backups, but when migrating to cloud
solutions, there was a gap. HYCU filled that gap. As a channel-focused company,
we wanted to ensure customers had a partner to guide them from a solutions
perspective. Valiantys, being the largest partner in the Atlassian ecosystem
with the broadest coverage, was a natural fit. This isn't just about having
logos on websites; we're building solutions that solve real problems.
VMblog: What drove the development of your new GRC
service?
Fernandez: Third-party risk is critical, and we're
seeing good progress with EU regulations focusing on cloud and SaaS-savvy
regulation. Recent incidents have shown how service disruptions can affect
everything from flights to hospitals. While cloud brings tremendous scale and
value, it's not infallible. We need to protect the supply chain and tool chains
that organizations rely on. DORA is one of the regulations protecting financial
services, and soon we will see other directives to protect other critical
infrastructure in the EU and in the US.
VMblog: Why did you choose to focus on DORA
initially?
Jackson: The January 17th deadline created an urgent
market need. We identified a gap in the market for DORA-specialized platforms,
particularly in the Atlassian ecosystem. While there are solutions being
adapted for DORA, none were built specifically for it. We're using DORA to
catalyze and build more GRC solutions.
Fernandez: DORA represents a new wave of regulation
that fully understands cloud-native risk. Legacy GRC integration hasn't caught
up to meet these requirements. Someone needed to build this from scratch for
this new wave of regulation, and that's why the Valiantys GRC is so important.
VMblog: And what's driving the urgency around DORA
compliance?
Fernandez: We're seeing major incidents every week
where third-party service providers, cloud platforms, or SaaS platforms
experience supply chain attacks or mistakes leading to significant enterprise
disruptions. While these platforms provide tremendous value, Murphy's Law
applies: regardless of how strong the five nines are, there's always going to
be third-party risk.
The technology landscape has evolved dramatically. Twenty
years ago, everything was in a data center: your email, document management,
git repository, and critical apps were all on-premises. Today, we have a mix of
critical apps running both on-premises and in the cloud, plus countless SaaS
applications that anyone with a credit card can purchase. Our research shows
that IT managers typically underestimate their SaaS footprint by a factor of
ten: when asked about their organization's SaaS applications, they estimate 20
when the reality is closer to 200.
VMblog: Who needs to be DORA compliant?
Jackson: DORA's reach is extensive. It applies to
financial institutions, banks, investment firms, crypto companies, crowdfunding
platforms, and payment processors. Importantly, any organization that provides
services to an EU Financial Services organization must also be DORA compliant.
Similar to GDPR, while it's an EU regulation, it affects any organization
wanting to do business with EU entities. It's not just for enterprise-level
organizations - it applies to companies with as few as 30-40 employees if
they're handling customer financial data.
VMblog: What are the main challenges organizations
face with DORA compliance?
Fernandez: There are two major pain points. First is
the technology challenge - understanding your SaaS and asset footprint is
incredibly difficult and typically requires manual effort. Most organizations
don't have a clear picture of their application landscape, and when they
discover it, they often find that the majority of applications have zero
protection capabilities.
Jackson: The second challenge is operational. We're
seeing organizations struggle with the preparation phase. One organization in
the Nordics hired a 100-person team just for DORA preparation. The costs are
astronomical, and they're not even thinking about how to manage the ongoing
compliance lifecycle. This is reminiscent of what we saw with GDPR, where
contractors made fortunes helping organizations prepare.
VMblog: How does your GRC service address these
challenges?
Jackson: We've built an integrated system that uses
Jira Service Management as a system of record to provide consistency for
managing platforms and applications across the entire organization. We've
focused heavily on the end-user experience. From my past experience in service
assurance, preparing for an audit could take six weeks of continuous work. Our
solution provides immediate visibility from the C-suite level down to
individual departments, all surfaced through the CMDB within JSM.
The solution combines several best-of-breed components:
Lansweeper handles deep discovery and asset management, HYCU provides backup
and restore capabilities, and Appfire delivers holistic visibility through
dashboards showing compliance status, document management, and risk management
approaches. Instead of having risk registers at different levels, we've lifted
everything to an organizational level that can be drilled down into individual
silos.
VMblog: What makes this solution different from
traditional GRC approaches?
Fernandez: Traditional approaches often result in
dozens of people trying to manage compliance through spreadsheets and manual
processes. The Valiantys GRC Solution reduces this to one admin who can manage
everything across the board. It's not just a fancy recording tool; it's
connected to the solutions that actually solve the problems.
Jackson: A key differentiator is that we've built this
without heavy coding, using a low-code/no-code approach. Organizations can
manage their entire compliance program through a single platform, and because
JSM uses a single module, you're not paying licenses per department. You can
copy the configuration and benefit from the same license structure.
VMblog: How does the implementation process work?
Jackson: We provide a roadmap of activities that build
a longer-term journey, ensuring customers feel like they're dealing with one
unified solution rather than four individual parts. This is quite novel in the
Atlassian ecosystem. We've focused on making data-driven decision-making
possible at all levels of the organization, not just IT managers or the
C-suite, but everyone can access the data points they need to understand the
implications for their individual departments.
VMblog: What's the current status of this service?
When will it be available?
Jackson: The service is available now. It uses Jira
Service Management as a system of record to pool all required data. Each SaaS
application is created as an individual asset, and we automate workflows to
track backups and compliance requirements. We surface this information through
Appfire dashboards and provide visibility using the Confluence platform for
document management. It's essentially expanding traditional ITSM tools by
integrating these different components.
VMblog: What's next on your compliance roadmap?
Jackson: While we're currently focused on DORA with a
January 17th deadline, we're building this as a framework that can adapt to
other compliance requirements. ISO standards (27001, 29000, 9001) are next,
followed by American market requirements like HIPAA and energy compliance
frameworks. The solution is highly repeatable; we can adapt to new frameworks
in just a month or two rather than 6-18 months. We're using the Elastic AI
platform to build an agent that will help analyze framework requirements and structure
our approach accordingly.
The key is that we're not just building point solutions;
we're creating a platform that can grow with organizations' compliance needs
while maintaining that single source of truth and unified user experience.