What If… Scenario Thinking as a Critical Skill in Security Decisions
On October 20th, the world woke up to a digital standstill. Hundreds of online services stopped working—or functioned only partially. Apps like Airbnb, Signal, Venmo, Coinbase, and Lyft were all down.
It didn't take long for users to discover the cause: a major outage in Amazon's US East-1 region. After several tense hours, Amazon engineers managed to restore operations, bringing the hyperscaler's services back online. Across the globe, stressed operations and IT managers finally started breathing normally again.
With systems running once more, the immediate crisis was over—at least for now. Legal departments are no doubt already drafting claims for damages against Amazon. But the real takeaway from this incident runs deeper: our massive dependency on hyperscale cloud providers such as AWS, Microsoft Azure, and Google Cloud. This should prompt every CIO and CISO to reflect on their organization's risk mitigation strategy.
We all know it, even if we rarely admit it: our digital ecosystem depends on just a handful of global players. DNS providers, DDoS protection firms, and—most critically—public cloud platforms are the backbone of modern IT. Together, AWS, Azure, and Google Cloud control roughly 80% of the global market.
At CyberSec The Netherlands earlier this year, our Principal Consultant Marcel Lücht warned about exactly this scenario.
"At the end of my presentation on Europe's dependence on U.S. and Asian tech giants, I asked the 400-person audience to imagine what would happen if the public cloud stopped working," Marcel recalls. "You could see people realizing the true impact on their core services. The cause could be technical, like today—but it could just as easily be political, with a leader such as Trump—or his successor—wanting to teach the world a lesson."
Today's events make that warning feel uncomfortably real. Many organizations are only now recognizing how risky these dependencies truly are. Geopolitical tensions are turning theoretical risks into operational vulnerabilities.
Marcel continues:
"The NIS2 Directive, which came into effect on October 18th, 2024, is helping organizations become more aware of these risks. NIS2 forces covered entities to adopt an 'All Hazards' approach to information security. If implemented as the EU intends, the traditional CISO perspective—focused solely on cyberattacks—becomes too narrow. Availability becomes a core security concern, and redundancy transforms from a business issue into a cybersecurity responsibility."
At Kazarma, we are indeed seeing this shift. Availability—and consequently redundancy—is now a key focus area, not only for organizations directly subject to NIS2 but also for suppliers and partners affected through the supply chain principle.
This should inspire every organization to rethink its over-reliance on a single provider—especially when that provider delivers a service so critical that its failure would cause significant disruption.
Of course, this doesn't mean companies must duplicate entire environments. But it's wise to build experience with alternative cloud providers for specific workloads or applications. That way, if one ecosystem suddenly goes down, teams already possess the know-how to adapt.