Building your company’s digital sovereignty

The term ‘sovereignty’ usually belongs to the language of politics. Recent geopolitical and trade shifts have shown the extent to which countries rely on one another for digital services, and explain the appeal of ‘technological sovereignty’ as an ambition for governments.

But these issues aren’t exclusive to government. They apply to everyone who provides - or even relies on - digital services.

That means having a handle on the risks to how you operate now (are you able to comply with evolving regulation, are your bills going to escalate because of tariffs or exchange rates, will services you depend on remain available to you) but also the ability to shape your own future. It’s about ensuring that you have control of the right things, and a strategy to ensure you don’t become overly locked into the constraints created by markets or particular players.

As my colleague Mike Bracken has spelled out, we see real digital sovereignty as having two crucial components - agency and capacity:

• Agency is the power to set a direction. It is the ability to act, to make a deliberate decision, rather than being forced down a path by circumstance. This calls for leadership confident enough to question its existing digital estate and to explore alternatives, even when the default path seems easier.

• Capacity is the institutional competence to choose well. It means having the skills, processes and knowledge to make sense of your digital geology. It goes beyond just having technical talent. It requires leaders who grasp how digital systems work, procurement teams who can design contracts for the digital-era, and policy makers who understand the strategic implications of different technology choices.

Significantly, this also means ensuring that how you understand technology is a central pillar of your strategic decision making, not an afterthought, especially in times and areas of uncertainty.

What are the risks of ignoring digital sovereignty? There are two sides to this, both equally vital for the C-suite to grasp:

1. The geopolitical and supply chain risk. As sanctions regimes change, and tariffs or export controls are introduced, you may find that services you depend on are harder to access, are increasingly expensive, or carry new risks. Large organisations must keep an eye on this kind of big picture volatility.

2. The operational and customer risk. At a more immediate level, if you lack understanding and control of your digital systems, you lose your ability to respond to customer needs and guarantee a high quality of service. This loss can be existential for any organisation. As we've seen with recent cyber attacks, organisations that are locked out of systems with no plan for a minimum viable alternative face catastrophe.

In 2013, Dr. Werner Vogels, Amazon CTO, cautioned against what he called “undifferentiated heavy lifting.” He was referring to the fact that an increasing amount of both the technology that we need to do business and the technologies that we need to provide distinctive services was readily available for re-use. His comments were a sound challenge then and remain one now: we still encounter too many organisations investing too much effort or money in low value activities.

But this approach can also be the start of a slippery slope. Just as wholesale outsourcing strips organisations of agency, so too can thoughtless reliance. The challenge of technology leadership and architecture is how to minimise the undifferentiated work, but maintain the agency to adapt as your business and the operating landscape change.

The goal is not an unattainable ideal of ‘digital independence’. The goal is intelligent dependence.

Herman Hauser, founder of chip designer ARM, offered a useful framework for assessing this capability, which can be applied directly to commercial entities. For "countries," insert "companies":

“Do I have all the critical technologies myself? If not, do I have access to these critical technologies from a number of countries to avoid being overly reliant on one? And if I do need to take support from a monopoly, do I have guaranteed unlimited access to those technologies? The answer to at least one of these questions must be yes, or else one risks real dependency.”

Parts of Hauser’s challenge are a tall order for almost any organisation, but the challenge is useful. It forces us to think clearly about how we’re set up, what we’re going to need, and how to build toward that: from developing our own skills, to investing in open source options, to active acceptance of some risks.

1. Understand your status quo and the forces that have shaped it

A huge part of this work is in building situational awareness, and this has two critical parts:

• Understand the market. Your organisation must have a thorough understanding not just of the market you sell into, but of your technology supply chain.

• Understand internal operations: Many organisations have outsourced so heavily that nobody in-house understands how your operations work. This is equivalent to buying what you don't understand.

2. Know where your greatest costs of change are and (if you’re not comfortable with that) work to reduce them

Situational awareness naturally leads to mapping out what you're dealing with, which helps you identify areas where your control is low. Once identified, you can determine if that low control is acceptable, or if you need to carve out a strategy to change it. This might mean introducing multiple vendors for something where you've only got one, or investing in an open source solution to run alongside something commercial to ensure you always have options.

Most of the work you need to do is not radically new. Over the past 15 years, practices like shifting to the cloud, building automation, collaboration, and rigorous testing (DevOps practices) provide a strong foundation. Making these investments significantly reduces your cost of experimenting with a second cloud provider, or attempting to run services side-by-side.

3. Avoid the common pitfalls

Leaders often make two crucial mistakes:

1. Thinking purely technologically. As soon as you introduce the word *digital*, people tend to think purely about a technology solution. However, by thinking more broadly about business operations and business priorities, you create more options for yourself. For instance, a short-term crisis can be managed by changing a business process or moving to a manual process.

2. Focusing only on data location. While regulators and customers may demand data location, this is not the start and end of your sovereignty conversation. You are not "fine" if your data centre is local but all the software running in it comes from elsewhere. You must think holistically about what is needed end-to-end.

4. Actively shape your market

The choice for leaders is not a simple binary of “build vs. buy”, or a battle between a few dominant providers.

Large organisations have significant power to influence their own supply chains, but even smaller ones can act. If you’re dissatisfied, it’s likely that others are too - together you can have leverage.

5. Get the right people at the table

The sovereignty conversation is not just a technology conversation. It overlaps significantly with cybersecurity and general business strategy. The entire leadership team must collectively define the organisation’s priorities in what it is able to control, guarantee, and rely on.

A core part of being able to be sovereign is having clear multidisciplinary teams who are responsible for the holistic outcomes of services. This means teams thinking about the technology, the users, the business outcomes and the non-digital operations that go behind it - all together. These teams are what enable you to respond to change.

Underneath the C-suite, you need representation from all disciplines across the business, working together to create a holistic understanding of how you work now, and how you want to work.

Simply having agency isn’t enough. The important thing is what we do with it. But without agency, we lock ourselves - and those who depend on our services - down. We limit the problems we can solve and the ways we can solve them.

It is within every organisation’s power to increase their agency - and their sovereignty - and it has never been more essential