As AI accelerates cybercrime, is your organisation’s infrastructure keeping pace?
Most C-suite executives are in the first throes of infatuation with AI tools. It’s not hard to see why. Better insights delivered quickly and people working more productively is an enticing proposition. For the Chief Information Security Officer (CISO) though, it’s a case of, ‘it’s complicated’.
They know that AI has great potential, but it’s also a powerful new threat in the hands of bad actors. Years of putting their organisation’s crucial workflows and data assets in complex environments that straddle multiple public clouds has left CISOs feeling vulnerable. So instead of adding further confusion, they’re falling back in love with the private cloud. More specifically, a private, unified cloud where compliance and security are an integral part of the offering, not a bolted-on afterthought.
The Private Cloud Outlook 2025 report highlighted this trend, revealing that security is the top reason why just over two in three (69%) of organisations are bringing workflows back to the private cloud. More than nine in ten businesses (92%) say they trust the private cloud for security and compliance and, for those who have made the change, 81% identify security as the joint top factor (alongside performance) that the private cloud gets right.
Security Drives the Shift Back to Private Cloud
69% of organisations are bringing workflows back to the private cloud, with security cited as the primary driver.
81% of organisations that have already made the move identify security as a joint top strength of the private cloud, alongside performance.
report difficulties integrating public cloud applications with existing legacy systems.
Security no longer means management of perimeter firewalls. A CISO now also wants to see and evidence clear control of infrastructure resilience, data management and sovereignty. Xtravirt customers are exploring how the unified platform offered by VMware Cloud Foundation replaces a complex ecosystem of solutions, each of which requires separate skills, management platforms and maintenance activities.
“The CISO needs to understand where data is stored, where applications are running, and how security is implemented and managed across this environment,” says Robin Gardner, Xtravirt CCO. “Providing confidence to the board and evidencing controls that meet regulatory and audit requirements can drive significant costs and operational overhead in a traditional multi-vendor ecosystem”.
Private cloud in a customer’s own data centre provides security, sovereignty and control, enabling the CISO to meet with confidence the accountability and responsibilities placed upon them.
With most other systems it’s a bolt-on, you’re adding protection after the fact, and that can leave a lot of cracks and uncertainty for cyber criminals to exploit. With VCF you’re essentially investing to mitigate risk, which is always an interesting discussion to have with a company upfront. But then again, the impact of businesses losing $1,000,000 per day through ransomware is a far scarier discussion to have.
Joe Baguley
CTO EMEA at Broadcom
CISOs need security built in, not bolted on
These concerns become even more important when workflows are spread across different cloud environments, meaning tools need upgrading or replacing at different times. It’s a complex misalignment which can make CISOs feel like they’re caught in a perpetual juggling act.
With our many years of experience setting up and operating VCF environments, we can first reassure CISOs on data sovereignty by housing data alongside the tools that govern access and placing it all in exactly the geographic location they need. It’s even more reassuring for them to know that VCF is secure because it’s an all-in-one private cloud platform which has security and compliance built in from its inception, not stitched on as a last-minute accessory. It also offers a range of additional features that can be turned on at any time, such as automated compliance reporting and VMware® vDefend distributed firewalls, which protect applications and can be used to enforce zero trust security. There is no need for complex infrastructure work; it’s all part of a unified approach to compliance and security which is baked into the platform.
As Joe Baguley, CTO EMEA at Broadcom explains:
“An important point for CISOs is that security is built into VCF from the start – it’s inherent in the system, it’s inherent in how we build and keep on improving the platform.”
CISOs must tackle AI powered threats and tighter regulatory compliance
This requirement to have security and compliance built into a unified platform is not just important now, it’s vital for the future too. Working with us to build a unified private cloud with Broadcom’s VCF platform means organisations will be ready when the threat landscape evolves. And CISOs know that change is the norm. They have become used to attacks shifting in intensity and becoming more sophisticated now that hacker groups are collaborating and are sometimes believed to be state sponsored.
This changing threat landscape is expected to evolve again to include new types of attack powered by AI. The full extent of the risk is not yet known, but it’s clear that organisations that have bolted together disparate systems will be most at risk. Those who have worked with us to set up and operate unified platforms, operated by a single vendor, can be reassured they are better protected.
Responding to this accelerated threat environment, industry regulators are now mandating stricter controls. For example, in the EU, organisations in the financial services sector must meet the requirements of the Digital Operational Resilience Act (DORA). Failures in compliance and in protecting customer information in this sector not only lead to massive fines but, under DORA provisions, executives could even end up going to prison. That is placing renewed pressure on the entire board to get behind the CISO and invest in the most secure private cloud systems available, according to Steve Wood, CTO at Xtravirt.
“The move to individual accountability is a positive shift because it brings the conversation firmly into the boardroom,” he says.
“DORA’s all about a business’s ability to demonstrate that operational resilience. VCF has a portfolio to deliver that capability, including internal audit capabilities. We are seeing this driving buying decisions, as businesses see the need to give the CISO the supporting tool set and operating model they need for compliance and security.”
Xtravirt – The perfect partner to accelerate your resilience with private cloud
In these troubling times, VCF is the natural choice not just because of the compliant, secure all-in-one platform it provides today, but also its roadmap. Broadcom has spent a billion dollars on VCF’s development and ongoing improvements. Put simply, that is a significantly higher investment in R&D than any single organisation will ever likely spend on its global IT operations, and it’s all going into a single, continually improving platform.
Of course, it takes a lot of know-how to unravel the complex cloud environments a CISO might be dealing with and replace them with a VCF platform. That’s why companies come to us. They don’t want to go out and identify best of breed tools and then stitch them all together. They want to work with the best people out there to supply them with the best performing, most secure private cloud environment possible.
Xtravirt has been on the private cloud VCF journey from the VMware days through to Broadcom – helping enterprises design, deploy and run the platform with confidence, so we know how to successfully set up and operate an organisation’s new infrastructure for them. Importantly, before moving into design and deployment, we start with the discovery phase – understanding what the company is hoping to achieve and how private cloud can deliver real business value.
A crucial part in migrating data and workflows back to the private cloud is a highly experienced partner who understands the need to map out the tools required today and prepare the way for those that might be needed in the future. That’s what makes VCF such a compelling platform. It offers a huge range of capabilities on top of its core compute, networking, storage and management offering, but these can be integrated at a later stage, as and when needed.
Organisations don’t need to feel compelled to invest in everything. With our guidance, they can set up what they need now so they are prepared for an expanded range of options in the future. What they do have to do right now though, is talk to us, because if the official cyber security warnings become reality, there will be no ‘happily ever after’ for CISOs who have yet to fall back in love with private cloud.