Post-Pandemic Adaption with CTO Steve Giovannetti

Apex talks to Steve Giovannetti, the CTO and Founder of Hub City Media, a software integration and development consultancy. Giovannetti has worked in information technology since 1988 and was creating commercial applications based on Internet technologies as early as 1995. Here, Steve discusses how he has navigated, and continues to navigate, the post-pandemic landscape within ML/AI, Cloud, and more at Hub City Media!


Q: What are the roles and responsibilities of the CTO within your services organization?

A: In an organization like Hub City Media, I wear a few different hats. Ultimately, I’m asked to make decisions and research new Identity and Access Management technologies and products nearly every day. More specific parts of my job include:

  • Looking at new products or services we might develop in house.
  • Researching and developing new technologies we can apply to our service delivery like DevOps, cloud or AI.
  • Coming up with creative solutions to client problems. One of the most common has been helping them deal with the challenges presented by COVID-19.


Q: What sorts of challenges did COVID-19 cause for your clients?

A: The most prevalent challenge was navigating from working in an office to having their entire staff working remotely. Most organizations had access infrastructure like VPNs in their office networks, but these infrastructures weren’t stressed like they were when their entire staff started working from home. We helped our clients navigate through shoring up capacity, as well as implementing more secure remote access authentication technologies (like multi-factor authentication). This allowed them to connect securely to their on-premises or even cloud applications.


Q: Have you found new vendors for your organizations that are now needed in this time of COVID-19 and remote working?

A: Maybe not new vendors, but there certainly were existing strong authentication vendors that saw a jump in activity once companies wanted to grant more access to applications from remote locations. We saw colossal interest and activity with Access Management, multi-factor authentication and passwordless authentication.


Q: Did you have specific projects or initiatives that have been shelved due to COVID-19 and current realities?

A: Very early at the start of the pandemic, we saw some projects get put on hold; however, that changed once companies resolved the remote access issue. Then, oddly enough, it was business as usual, and companies even started new initiatives on how to improve remote work. For example, we had one client ask us to help them completely automate their hiring process via their Identity Management system, which was only partially automated at the start of the pandemic.


Q: Where are you in the journey of utilizing hybrid cloud and DevOps? What challenges are you facing?

A: Hub City Media was a very early adopter of public cloud, and immediately grasped the importance of DevOps as a practice and as a set of technologies. We spearheaded early efforts to deploy Identity and Access Management systems using Docker and Kubernetes. That practice is quite mature now, and we are constantly improving our techniques. We’ve been doing a lot more with Infrastructure as Code and automating the provisioning of cloud services where we then deploy products. This has allowed us to decrease time to value for our clients, so we spend less time on infrastructure and more time delivering the functionality they are looking to leverage.


Q: Are you seeing more organizations deploying “Enterprise AI” to address Identity and Access Management or just security in general?

A: Yes. AI is becoming more prevalent in Identity and Access Management systems, especially in Identity Governance, where a lot of the burden is placed on members of an organization, specifically managers, to certify the access of their teams. This is a tremendously tedious task that can mostly be delegated to AI. We are also seeing the application of machine learning to deal with identity role engineering in large enterprises. This is another task where humans get overwhelmed in the data analysis to properly define birthright roles – a perfect task for Machine Learning.


Q: What is the current state of Big Data and AI investment? Do you sense the pace of Big Data and AI investment changing?

A: I see it accelerating in the Identity and Access Management sector. The new products on the market make it fairly easy to prove out value in a quick proof of concept. I would expect using AI for Identity Governance to become quite commonplace, and for it to extend to using AI/ML to make Access Management decisions in the future. That will be driven by analyzing access behaviors of users over time – again, an impossible task for a human to perform or even to codify rule sets in advance, but a perfect application of AI/ML.



Steve Giovannetti – CTO & Founder of Hub City Media

Steve Giovannetti is the CTO and Founder of Hub City Media, a software integration and development consultancy. Giovannetti has worked in information technology since 1988 and was creating commercial applications based on Internet technologies as early as 1995. He specializes in the analysis, design and implementation of distributed, multi-tier applications, and heavily focuses on containerized solutions and running Identity in the cloud. Since 1999, Giovannetti and Hub City Media have been deploying production identity management, directory, and web access management systems for commercial, government and education customers.

Leading Through Collaboration With Phanii Pydimarri

Apex talks to Phanii Pydimarri, Senior Director of AI & Advanced Analytics at Stanley Black & Decker. Phanii is a Global Data Analytics Leader with over 15 years of experience in end-to-end Data Management. Today Phanii discusses key elements in the evolving role of the CDO and strategies for fueling cross-functional business growth.


Q: What is the difference between a Chief Data Officer and a Chief Analytics Officer? Are they one and the same?

A:

  • To be frank, the definitions of these titles are still evolving. Organizations are figuring out the difference and their area of focus, and are calling their Data Leader by one of these titles, or even better, combining them and calling the role Chief Data & Analytics Officer.
  • The major difference I see between them is that Chief Analytics Officers must be more Customer/Business focused. Their main goal should be to understand and identify opportunities to build Analytics products and solutions using the Data managed and enabled by the Chief Data Officer. The Chief Analytics Officer to me is much like a Product Owner, operating like one, designing new data analytics related products that could be both internal and external facing. The eventual goal can be to monetize the analytics products and provide a revenue source for the organization.
  • Chief Data Officers, on the other hand, must be able to focus on identifying potential new data sources to tap into, building the corresponding modern data platform and providing high quality, highly governed and compliant data to the analytics teams across the organization. Chief Data Officers can also look for ways to monetize the data by working with both internal and external partners.
  • Both these roles are evolving, and at present they can be operated by one individual, but they cannot be called the same as they have different areas of focus.


Q: How have you seen the role of CDO change? How do you partner with the CIO? Have you encountered any challenges facing the CDO function?

A:

  • The role of the CDO has been evolving towards maturity for some time now. Organizations are understanding the role better, identifying critical success factors of the role and eventually bringing it into the corporate leadership mix.
  • A major welcome change that I would like to call out here is that more and more organizations are creating the CDO role and giving it organization-wide responsibility for managing Data assets, which shows the gain in prominence the role has gotten over the last few years.
  • Partnerships across the C-level are critical for CDOs to be successful. A CDO must be viewed as the common thread between the Technical and Business functions within an organization. The CDO has the crucial responsibility of collaborating with CIOs and CTOs along with other business-side C-level executives.
  • Having a great relationship with the CIO is important, as CDOs may still rely on traditional IT to provide infrastructure and technology support, which is crucial for the success of Data & Analytics initiatives. About 35% of CDOs continue to report into the CIO, which assumes the partnership.
  • Lack of cross-functional collaboration and inter-functional silos are major challenges for a CDO.


Q: What is the current state of Big Data and AI investment and do you sense the pace of Big Data and AI investment changing?

A:

  • There has been a significant increase in corporate spend on Big Data and AI. Organizations are realizing that by not recognizing data as their most valuable asset they are affecting their competitive advantage and losing out on potential business opportunities.
  • I can say that there has been significant improvement in organizations realizing value of and from big data.
  • On the other hand, investments in AI are just getting started. A lot of value-driven measurement needs to be done by organizations to really understand if AI can add value to their business model. There are organizations jumping onto the AI bandwagon without doing the due diligence of understanding the ROI, and they have lost significant investment for nothing.
  • I expect organizations to improve their investment into AI, Big Data and RPA in the coming days, but would recommend operating with caution by understanding the true value proposition of the investment.


Q: What advice would you give an early stage CDO joining an enterprise organization?

A:

  • Spend a lot of time understanding the current state
  • Identify where the organization falls on the maturity scale
  • Plan to move up the maturity scale with small achievable goals
  • You do not always need AI; do your due diligence to understand ROI
  • You do not always need modern data infrastructure to meet the organizational needs
  • Communicate, Communicate, Communicate


Q: How do you balance the need to ensure that non-revenue generating data-driven transformation efforts receive the commitment and funding that are required to sustain these efforts?

A:

  • Finding the right balance is the most important task of the CDO. It is highly critical to break down the silos between Business (Product, Marketing, Sales etc.) and Operational (Manufacturing, Supply Chain, Customer Support etc.) functions. An organization needs equal investments in both areas to see success from being data driven. Organizations tend to ignore operational focus areas as they are not direct revenue generators, but the CDO must take the responsibility of educating executives and senior and mid-level management on the importance of this.
  • The best example I can think of is organizations investing millions of dollars in creating newer products and offerings for their customers but doing the minimum about the complaints they receive on their call center lines, social media, or other forums. Organizations can lose out on sales of their innovative products with bad customer support.
  • As a CDO it is important to focus on Data Literacy and educate leadership on the importance of investing in both direct and indirect value generators for the organization.


Q: What are your top data priorities: business growth, data security/privacy, legal/regulatory concerns, expense reduction…?

A:

  • Business growth will be the major data priority, but for that to happen you need data that can be trusted and is highly secure, gaining the confidence of customers and making them feel their data is safe and secure.
  • Improving operational efficiencies can eventually be an indirect factor for business growth.


Q: Have you developed a business driven data strategy; is there support for it and is your Organization becoming more data-driven? What steps are you taking to ensure all areas of the business are data driven?

A:

  • Yes, I have been developing business-driven data strategies across multiple organizations over the years. As a CDO I have the responsibility of gaining support from the right stakeholders within the organization.
  • A common challenge I encountered while gaining support is helping the business leadership understand the value proposition. Everybody comes in with a “What’s in it for me?” mindset, and I as the data leader have the responsibility of explaining the benefits of investing in (and not investing in!) and supporting the data strategy.
  • Steps I have taken to ensure I focus on all areas of the business are the following:
    • Understand the most impactful area from which you can get catalysts for your initiatives
    • Identify low-hanging fruit with quick, easy wins
    • Prioritize your areas of focus. Remember none of us can do everything at the same time
    • Show the business stakeholders what they get from this. This is highly critical
    • Communicate, Collaborate, Coordinate and Educate



Phanindra Pydimarri – Senior Director of AI & Advanced Analytics at Stanley Black & Decker

Phanii is a Global Data Analytics Leader with over 15 years of experience in end-to-end Data Management with key focus areas in Data Strategy, Data Analytics, Data Science and transforming organizations into a data-driven culture.

Phanii started his career as a BI Consultant, traveling across the US and working for various clients in different industries. He is a strong believer in economies of scale, is outcome driven and is passionate about solving key business challenges by using Data as a key corporate asset. He has strong experience using Data Science to improve key operational challenges and has experience standing up Data Governance programs across various public and private sector organizations. Over the years, Phanii has transformed cultures and showcased data as a value-added resource that can be leveraged to deliver measurable improvements at Bose Corporation, Sabre Corporation, Dallas Area Rapid Transit and many other global organizations.

Phanii is currently working as the Senior Director of AI & Advanced Analytics at Stanley Black & Decker.


Piloting Data & Analytics Transformation With Ashish Agarwal

Apex talks to Ashish Agarwal, Vice President – Head of Data at LendingTree. Ashish delves into the evolving role of a CDO, business transformation, and navigating the trends and challenges of data and analytics.


Q: What is the difference between a Chief Data Officer and a Chief Analytics Officer? Are they one and the same?

A: The Chief Data Officer is responsible for facilitating the use of data as a strategic asset within an enterprise, to impact business outcomes. They seek to empower every part of the business to make data-driven decisions, with speed. The Chief Data Officer is expected to curate the data strategy, oversee data management and governance processes, and in many companies lead the data analytics function as well.

Sometimes a company may designate a Chief Analytics Officer to dedicate focus on data analytics, in order to create value and draw useful insights from the data available within the organization. This role typically leads reporting, data visualization and business intelligence teams.


Q: How have you seen the role of CDO change? Have you encountered any challenges facing the CDO function?  

A: The CDO role has continued to evolve since its inception. Initially, the focus of the CDO was on compliance and data governance, particularly security, privacy, and accuracy of the data. These “data defense” responsibilities are now considered table stakes. Increasingly, companies want insights into the changing customer expectations and the highly competitive business landscape. Hence, CDOs are expected to also power “data offense” initiatives, to grow revenues, profits and customer loyalty, through advanced analytics and data science.

As far as challenges, there are several. Let me name a few that are common:

First, misaligned or unrealistic expectations by the organization when trying to become data-driven. The job is not done by just recruiting a CDO. It requires adoption of new ways of working, and ongoing unwavering support from the senior leadership team, including the CEO.

Second, prematurely promoting analytics before establishing a sound data foundation. Many a time discussions center around expediting self-service analytics, while the organization is missing a strong and effective information governance program. Such situations make it extremely difficult, and at times impossible, to realize the benefits of a given analytics initiative. Hence, the onus is on the CDO to reset the collective mindset towards a data culture, even when it may not appear to be the most exciting thing to do.

Finally, creating transparency into the data available within an enterprise, without compromising security and privacy policies. I walk this line by standardizing and automating data discoverability. Mind you, that is different from providing unfettered access to data. Imagine provisioning a catalog or index of available data, supported by a swift process to provision access for the right reasons and the right people.


Q: What were some of the challenges and pitfalls to watch for when driving transformations and standing up data/analytics processes? What advice do you have to effectively address them?

A: The overarching challenge is to effectively and safely bridge the gap between the eagerness to use data, and establishing a world class data ecosystem and organizational culture.

Typically, data and analytics transformation programs begin with a significant amount of optimism, followed by misdirected fear due to the complexity. Hence, the first order of business should be to educate the stakeholders and quickly even out the hype within the company, so you can start talking about business opportunities and scaling. Following that, it’s all about rolling up your sleeves, doing the work and addressing issues head-on.

Let me take you through a few examples:

First, data exists in silos for companies that are not born digital or those that have grown through acquisitions. Further, people tend to get territorial and think they have exclusive rights over their data. So, when attempting to break down silos and create governance, be sensitive about people dynamics.

Next, collecting data can open up a company to regulatory risks and privacy issues. It is important to acknowledge that mining and refining data, while it can lead to all kinds of opportunities, also leads to immense risks. Therefore, setting up strong risk management and governance programs is fundamental.

That said, simply balancing democratization of data and governance is also not enough. It is critical to enable adoption of products, by providing assistance in the moment to analysts learning the new way.

Finally, you need the right team behind you. Hire the right talent, one that is not only savvy in the use of the modern data tools, but also has people skills.


Q: How do your teams comply with risk and compliance requirements around data security and data privacy?

A: The key is to invest in a strong and effective information governance program that is built to enable growth and innovation. Start by asking the question: how can we turn data governance into a source of competitive advantage and a strategic differentiator? Then risk and compliance no longer remain a regulatory requirement we must fulfill.

A few key tenets of this approach include:

  • Take a security-first perspective and achieve a state of continuous compliance, against your own policies and industry compliance standards. You can do that by leveraging tools and automation to get a unified view of all cloud accounts, generate regular compliance reports and send alerts on security threats in real time.
  • Be maniacal about operational consistency. From a compliance perspective, the more an organization drives consistency of operations, the easier it is to respond to audit requests and enforce security. For example, extend effective operational security and compliance functions that exist on-premises to the respective cloud services as well.
  • Keep up with the evolving standards, through a flexible change management process and a comprehensive blueprint that reconciles and rationalizes requirements for industry standards, such as PCI-DSS, GDPR, CCPA, HIPAA etc.


Q: What are the current data trends and how will they impact your organization?

A: This is a great time to be involved with data. Here are a few noteworthy trends that I am excited about:

  • Augmented analytics, which automates data analysis using Machine Learning and Natural Language Processing. As data continues to arrive in higher volumes and from varied sources, use of automation is the key to finding redundancies and errors rapidly. This can help organizations accelerate the path towards efficiently identifying trends and patterns within their data.
  • Data-as-a-service, which makes data readily accessible internally and from external sources, such as data marketplaces on the Cloud, using a range of modes and interfaces. This new way of delivering information to a user or system, regardless of organizational or geographical barriers, is very empowering and can bring tremendous agility to a business, promote self-service and improve productivity.
  • DataOps, which brings lean principles of removing waste and a relentless focus on quality into the data domain. Similar to how software development has been embracing the best practices of lean manufacturing, the development and operations of data can greatly benefit by incorporating Agile and automation practices, to yield greater productivity and quality.
  • Quantum computing, which will radically advance the speed and scale of data processing through the use of quantum computers, compared to classical computers. This technology has the promise to revolutionize several industries, such as data security, finance, medicine and communications.


Q: How important is it to have a data driven culture? Have there been obstacles to building a data culture and if so, how have you resolved them?

A: To sustain in business today, being data driven is not a choice, but a requirement. How well you contextualize and personalize the experience for a customer can make the difference between retaining them or losing them to your competition.

Yet the biggest obstacle enterprises face is evolving the business model that made them successful in the past into what is necessary for the business to survive and thrive in the future. This is particularly seen at legacy companies with tenured leaders, who have been phenomenally successful in producing results. I address this challenge by facilitating data literacy to provide coaching not only to the people on the ground, but also to top leadership, on the new ways of working, where strategic decisions are driven by sound data analysis, and not just gut feel or how it has always been done.

The other obstacle is underestimating the investment and commitment it takes to build a foundation of technology and disciplined data driven practices. This is not just about buying new technologies, which can be daunting, but committing time and energy of already busy people to a set of activities which may seem mundane, like reviewing error logs and tweaking data quality rules to accommodate data drift. Further, it requires making hard decisions on breaking down data silos and overcoming ownership issues to facilitate data access, while not compromising on security and compliance policies.

Finally, there is a tremendous amount of turnover in the job market, due to a shortage of relevant skills. Hence employee retention needs to become a critical focus area for the management team. My strategy is to invest in the future of the employees, by offering an environment of learning, and creating opportunities that allow them to have fun while performing meaningful work.




Ashish Agarwal – Vice President, Head of Data at LendingTree

Ashish Agarwal is a transformational business-technology executive, passionate about harnessing the power of Digital and Data, to deliver superior customer experiences and achieve ambitious business goals.

Ashish is the Vice President – Head of Data at LendingTree, where he is helping the business grow and become strategic with Data.

Prior to joining LendingTree, he served as Senior Director – Enterprise Data/Analytics and Digital at Ally Financial. Ashish was responsible for innovating and transforming the Digital channels, modernizing the Data ecosystem, developing Fintech partnerships and influencing strategic investments, while building a phenomenally successful engineering centric organization and culture.

Before Ally, Ashish drove business critical Digital and Big Data technology solutions for high-performance securities trading and consumer lending platforms, at Bank of America and Fidelity Information Services.

Ashish is an avid agilist and enjoys bringing together diverse mindsets, and empowering multi-disciplinary teams, to produce transformational business results.

Ashish holds an M.B.A. from Georgia State University, an M.S. in Computer Science from Kent State University, and is certified in Data Science/Machine Learning from UC Berkeley and Harvard University.


Paving The Future of Data Strategy With Dane Bamburry

Apex talks to Dane Bamburry, Director of Enterprise & Solutions Architecture at Cox Enterprises. Dane is a technology leader with over 23 years of experience within the IT industry. Together let’s dive into organizational priorities and technological trends, today and tomorrow, in the post-COVID era.


Q: What are the current data trends and how will they impact your organization?

A: Current data trends in the ongoing COVID workplace are focused on employee-centric data. This includes analyzing the productivity of remote vs. on-premises work efforts, employee engagement via collaboration tools/technology, and cybersecurity data.

From a productivity perspective, organizations are investigating how intelligent automation can augment the productivity of an organization while ensuring employees are still contributing. Remote work has introduced new metrics around increased workforce productivity as well as measuring employee burnout due to always being connected. Employee data trends will also focus on if/when organizations return to the office and the shift in productivity.

Collaboration and communication data trends have significantly increased over the past 18 months. Metrics such as the total number of video calls vs. audio calls and the impact it has on an organization’s workforce are becoming standard trends that will need to be tracked even after returning to the office.

Data trends around cybersecurity have significantly increased given the rise in cyber-attacks, especially on the remote workforce. Organizations will need to remain focused, especially as some organizations will implement true hybrid working models where a percentage of the workforce will remain at home while the rest return to the office.


Q: What are your top data priorities: business growth, data security/privacy, legal/regulatory concerns, expense reduction…?

A: Top data priorities include data security/privacy, application portfolio management and employee engagement from a collaboration/communication perspective. Data security is an obvious one, as organizations have to be more diligent in their proactive cybersecurity strategy. From an application portfolio management perspective, we need to understand our application ecosystem given the significant shift to cloud technology solutions, to better manage costs and duplication of capabilities across the IT landscape. Communication and collaboration will be more associated with productivity in a post-COVID workplace than we have ever seen at any point in time, so it is a top priority to make sure we understand it and utilize the analysis effectively.


Q: Did you have specific projects or initiatives that have been shelved due to COVID-19 and current realities?

A: Yes, we shelved some very specific initiatives due to COVID-19. This was a collective effort to re-prioritize what is most important to keeping the lights on (KTLO) and what supporting projects are needed to transition to a remote working environment. As we approach the future, we will have to balance re-introducing shelved initiatives with new ones that are supporting our go-forward strategy. It will require a more fine-tuned alignment of organizational and technology strategies than ever before.


Q: What advice would you give an early stage CIO or CDO joining an enterprise organization?

A: Build a technology strategy with the business in the room contributing all the way. The COVID-19 disruption has taught technology leaders a very important lesson in that when you are significantly out of sync with the business, major disruptions such as a pandemic will quickly expose your flaws and unpreparedness.


Q: Have you found new vendors for your organizations that are now needed in this time of COVID-19 and remote working?

A: Yes, but in some cases it is not about finding new vendors, it is about leveraging the full suite of capabilities of existing vendors where you did not see the need pre-pandemic. This has driven home the message of defining business capabilities not only for the current state but also for the future state. The future state may be short or long term, but it still needs to be defined. In the past, organizations would be very concerned about disaster recovery as a future state business capability, but the focus was more on the technology and not so much on the workforce. Going forward, business capabilities will have to be defined in areas which will further create a need for new vendors. A simple example of this is mail delivery: most organizations did not have a plan to get physical mail to a remote workforce during the pandemic, so they quickly came up with a makeshift solution to address this.


Dane Bamburry – Director, Enterprise & Solutions Architecture at Cox Enterprises

Dane Bamburry is a technology leader with over 23 years of experience within the IT industry. He currently serves as the Director of Enterprise & Solutions Architecture at Cox Enterprises Inc. His experience includes digital strategy, technology transformation, software integration, enterprise architecture, portfolio & program management, and identity & access management. He has served as the technical lead on various multi-million dollar transformational technology projects, including Financial, ERP, and Communication & Collaboration solutions. He is a past recipient of the iCMG Enterprise & IT Architecture Excellence Award for Mergers & Acquisitions. He is also a contributing writer to DMI: Review, a quarterly publication by the Design Management Institute, with the article titled “Drones: The Future of Product Delivery.” He also authored an article in the upcoming book “97 Things Every Information Security Professional Should Know: Practical and Approachable Advice from the Experts”.

Bamburry is a strong advocate for mentoring and developing young minds. He is a member of the CIS Advisory Board for Georgia State University. He is a past board member of the non-profit organization YES! Atlanta, which is an organization focused on providing at-risk teenagers an opportunity to experience personal success. He has mentored students at both Georgia State University and Chamblee Charter High School. When not mentoring students, he is mentoring a wide range of professionals across multiple industries. He was featured in CIO.com’s article “Solving IT’s looming leadership crisis,” which discusses how mentorship can help develop the next generation of technology leaders. Currently, he serves as a member of the Board of Directors of ITSMF, which increases the representation of black professionals at senior levels in technology.

Bamburry graduated with a bachelor’s degree in Management Information Systems and a concentration in Industrial Design from the University of Notre Dame. He also holds an MBA with a focus in Organizational Leadership from Ashford University’s Forbes School of Business & Technology. 


Changing Lives Through Digital Transformation

Apex talks to Siva Balu, Vice President and Chief Information Officer at YMCA OF THE USA about Digital Transformation and what it means to him and his organization. With 20+ years as an industry leader, his perspective is a must read! 


Q: What does Digital Transformation mean to you?

A: Digital Transformation is to reimagine running your business in a new way using digital technology, thereby exponentially changing the experiences of your consumers.

Digital transformation is not just for your consumers, it is also transforming the experiences of your employees and stakeholders for the better. 

Digital Transformation is not a project but a continuum where you continuously strive to rethink on how to accomplish your business strategy through digital technology.

I consider there are three foundations of Digital Transformation: technology, security, and data. 


Q: What are some of the challenges of Digital Transformation?

A: Well, to start with, Digital Transformation has become a buzzword. It is very important to spend time in strategic thought leadership on what Digital Transformation means to your organization. How will Digital Transformation impact your consumers, and how will it help you grow your business, reduce overhead, and significantly increase the customer experience? The first challenge is to define what Digital Transformation means to your organization through a strategic roadmap. Then, it is important to get the stakeholder buy-in. Digital Transformation is not an IT project. It is an asset that needs to be thoughtfully planned. The last challenge would be strategic investment. In many cases, Digital Transformation initiatives tend to run multiple years. It is important to stay the course.


Q: What does Digital Transformation mean to your organization?

A: We are in the early stages of digital transformation where we are rethinking how we interact with our constituents in various areas including branding, marketing, communications, virtual interactions, mobile experience, etc. We are reimagining delivery of fitness and wellness through virtual and mobile platforms. We are looking to connect our digital products to our digital ecosystems. This will help us to tap into the big data in the backend for business intelligence and data analytics. This will also help us curate the consumer experience.

In addition, we are developing secure digital products to deliver chronic disease prevention programs to the program participants. We are currently getting inputs from various stakeholders to identify use cases for our digital transformation, including mental health programs, diversity content and more. 

This is an exciting time to be able to use digital to have a measurable impact in people’s lives. 


Q: What are your top data priorities: business growth, data security/privacy, legal/regulatory concerns, expense reduction…?

A: Some of our top priorities are foundational to our technology ecosystem and our digital transformation. For example, information security and privacy are non-negotiable. We look at data to help enhance our brand value. We use data to empower and enhance our consumer experience and, in the long run, identify areas we need to focus on. Diversity, Equity, and Inclusion is an utmost priority for us. We use big data to help us identify where we need to provide programs and services where there may be a need. We are looking to transform our customer relationship management through our digital transformation initiatives.


Q: How are you justifying the cost needed to evolve and adapt IT to support the speed and agility required by the business?

A: I am smiling thinking about this question. Whether your organization is for-profit, non-profit, government agency or NGO, and irrespective of your industry, everyone is faced with the question of cost at some point. 

This is where having a strong strategic direction, along with stakeholder buy-in, is very important. Another issue I have both seen and experienced is the key stakeholders and leadership treating IT as a silo department. The IT assets belong to the organization, not just to IT. In my experience, any time there is a need to find efficiencies or cut costs, IT becomes the first target. This is because IT is perceived as expensive by the corresponding stakeholders. So, the challenges of cost justification are real.

The best approach that has worked for me is to continue to evaluate the IT costs and balance them with the business value proposition. The head of the IT team needs to think, act, and react like a business owner. Some of the fundamental values I have practiced are transparency, strategic alignment, constant communication, stakeholder buy-in, not being territorial and, most important, building trust. Taking the stakeholders through the journey of what is being developed in IT and how it is going to help the organization, answering questions, and being objective and open minded will ease the cost justification conversations.

At the end, showing results will speak for itself. For the IT leaders, while it will be important to justify costs, it is equally important to continuously show the progress and results to your stakeholders.


Q: How would you define “Enterprise AI” in a non-digital native enterprise like your organization?

A: First, every organization will be digital-native in the near future, if not already. Then the premise is, how do we define “Enterprise AI”? It is a question of ‘when’ and not ‘if’. I predict every organization will be using AI in some form or another in three to five years; most of it will be through integrating with strategic partners and products. AI will help organizations propel into the digital age, provided they have the right use cases identified to focus on. Just like how we moved from mainframes to client-servers, on-premises data centers to cloud, etc., we will move our analytics and business intelligence to AI models. And it will become second nature. There is also a perceived barrier to entry to AI, as there are cost and skillset barriers. We will see more and more vendors providing products powered by AI that will be used at an enterprise level.


Q: How is your organization leveraging Big Data and AI and machine learning to transform their businesses and what opportunities does it present to the business? What are the challenges, and how can these be best overcome?

A: In our newly developed digital platform as part of our digital transformation, we deliver virtual and mobile digital products. We are creating AI models to start using the data to train and deliver the highest level of experience to our consumers through curated content. The challenge we see is with the data, both the quality and the context. We are working on tuning our algorithms to continue to improve our models. 


Q: What operating model and cultural changes have you considered as you shift to a digital business? What parts of your business would benefit the most from a greater digital foundation?

A: I believe the entire organization can benefit from a strong digital foundation. Within the technology team, we are completely in an agile delivery model. We continue to deliver, learn from our mistakes, and keep making relentless forward progress. It may take a bit more time to educate all the cross-functional teams and bring them on the digital journey. We are off to a good start. 


Q: How has DevOps and cloud services changed the way you design, build, deploy, and operate online systems and secure infrastructure?

A: We are a 100% DevOps and Cloud Services shop. This has indeed tremendously helped us move ahead at lightning speed to focus on our digital platform and products, and most importantly to deliver to our consumers. What this has given us is the ability to avoid the distraction of maintaining legacy systems, time delays due to hardware purchases, or other similar challenges one could face by not using cloud services. On the flip side, the DevOps approach helps us focus on the work needed to operate and secure our infrastructure. We encourage a culture of collaboration among all teammates and partners.


Q: What advice would you give an early-stage CIO or CDO joining an enterprise organization?

A: First, understand where your personal and professional passion is. We are all humans who bring our personal self to a professional place of work. Take time to understand the business, the strategy, and the stakeholders. Your team is your important asset. Develop, coach, and build a strong team.  Focus on building trust and credibility. Trust and credibility are built over time by keeping up one’s commitments and delivering consistently.


Siva Balu – Vice President & Chief Information Officer at YMCA OF THE USA

Siva Balu is the Vice President and Chief Information Officer at YMCA OF THE USA. In this role, he is working to rethink the work of Y-USA’s information technology strategy to meet the changing needs of Y-USA and YMCAs throughout the country.

YMCA of the USA is the national resource office for the nation’s YMCAs. The Y is the leading nonprofit in 10,000 communities across the nation delivering positive change through 2,700 YMCAs focusing on youth development, healthy living and social responsibility.

Siva is the creator of the new Y Cloud digital platform to deliver digital, virtual and mobile products to members across the nation. Y Cloud is the world’s first digital platform built for non-profits by a non-profit.

As the CIO, Siva works with the key stakeholders across the nation’s YMCAs in achieving the strategic vision. He leads the creation and execution of the technology strategy through collaboration and thought leadership including digital transformation, data strategy, cloud strategy, information security, project management, mobile apps, social media, CRM, data warehouses & business intelligence, IT infrastructure & operations to support the YMCA movement.

Prior to his current role, Siva had 20 years of healthcare technology experience in leadership roles for Blue Cross Blue Shield, the nation’s largest health insurer, which provides healthcare to over 107 million members—1 in 3 Americans. He most recently led the Enterprise Information Technology team at the Blue Cross Blue Shield Association (BCBSA), a national federation of Blue Cross and Blue Shield companies. He has created several highly scalable, innovative solutions that cater to the needs of members and patients throughout the country in all communities. He provided leadership in creating innovative solutions and adopting new technologies for national and international users.

Siva earned a bachelor’s degree in electronics and communication engineering from Bharathiar University in India, a master’s in business administration from Lake Forest Graduate School of Management and executive master’s degrees from Harvard and MIT in Innovation, Strategy and Artificial Intelligence.

In his free time, he volunteers and contributes to several charities, including Special Olympics, Chicago Food Depository, Challenged Athletes Foundation, Beyond Hunger, The Pack Shack, Cradles to Crayons and Gardeneers. Siva is a Board Member at Sarah’s Inn, a non-profit supporting individuals and families impacted by domestic violence, and at The Soondra Foundation, a non-profit that provides healthcare to the poor working class in India. 

Siva developed a passion for long-distance running a few years ago starting with a 5k, and then to marathons and to running multiple ultramarathons. He has run multiple 100-mile races. He recently ran what is referred to as ‘the world’s toughest foot race,’ Badwater 135-miler in Death Valley, and one of the world’s coldest races, Tuscobia 160-miler.


The complexity of DevSecOps with Maria Schwenger

Apex talks to Maria Schwenger, AVP – Enterprise Digital Risk – Head of Application Security and Data Protection at American Family Insurance, to discuss how application security has changed with the rapid cloud adoption and what are some of the new approaches to application security and data protection.


Q: You have been leading digital transformation programs working exclusively in the DevSecOps space for several years now – according to your words, “even before we could’ve imagined such a term”. What remained the same and what has changed in the DevSecOps implementations today? What are some of the new DevSecOps transformation strategies?

A: One thing that will always stay fundamentally the same is the very essence of the DevOps approach – the promise of speed in delivering value and the opportunity to adapt to the market needs at scale. This is the very reason why companies implement DevOps and, more recently, DevSecOps. DevSecOps (also sometimes referred to as Rugged DevOps) brings the additional notion of having the security implemented as early as possible into the development process and in every phase of the Software Development Life Cycle (SDLC). The DevSecOps approach allows the security to also be applied in an agile manner by incrementally maturing the security practices within the CI/CD pipeline while accounting for the possible vulnerabilities and risks. These are the fundamentals of the 2 terms.

Today we see a certain controversy between these 2 terms – some professionals get annoyed by having to talk about DevSecOps as a separate approach. They believe that if DevOps is done right, security will always be an integral part of the DevOps process. And, this is probably a fair statement. It is so nice if we can implement the security practices in a way that the security feels like an enabler (not a show stopper) to the DevOps process. Today, this is probably one of the most important transformation strategies around how we develop, release, and maintain code – the goal of having visibility and a clear understanding of the vulnerabilities and the associated risk (the probability of being exploited and the possible impact to the business). No one will dispute the importance of end-to-end automation and tight integration of the security processes and tooling within the CI/CD pipeline, and why not – let’s experiment and sprinkle some Artificial Intelligence (AI) to additionally optimize the DevSecOps process!

My take is simple – no matter what we call the process or combination of processes we decide to adopt (DevOps, DevSecOps, SecDevOps, SecOps, etc.) – the main goal is to establish and deepen the transparency and the trust between the 3 teams – development, security, and operations – and simplify the traditionally complex shared ownership in keeping our businesses on-line, safe, and agile. 


Q: What are some of the challenges of the modern DevSecOps? Where and how should we expect the security approach to change? 

A: I am glad to realize that more and more companies today understand the value of the tight integration between Dev, Sec, and Ops, and are attempting to establish the right level of automation and extended collaboration within their organizations. Every security and DevOps professional today knows that for a while the security was lagging behind the rapid agility required by DevOps, but now I see how companies are stepping forward to the right path addressing 4 main areas: 

  • Slow security processes contradicting the DevOps perspective of rapid agile/iterative delivery – traditionally the security processes were more manual and sequential, not iterative and fast, and that caused delays in the DevOps cycle. The new approach here is to use the very opportunity specified by the “agile” definition – iteration! If the development process is iterative and continuous (CI/CD means “continuous integration” and “continuous delivery”), the logical solution is to also build a “continuous security”. This is a huge opportunity for the security professionals today.
  • Securing new technologies at scale – By its own rapid experimentation nature, DevOps has rapidly adopted many new technologies that the security teams were not ready to support at the same rapid scale. The challenges came from adoption of new architectures (i.e., API, microservices), new technologies (i.e., cloud, containers, serverless), the role open source plays in the way we develop software today, etc.
  • Another major area is the security and the efficiency of the DevOps process itself. Do we have a holistic view of the end-to-end development process? Can we guarantee that it is fully protected and secured? What is the best way to integrate “continuous security” into the DevOps cycle? Because, let’s make no mistake – an insecure development process will most likely translate into an insecure production environment. We also know that the remediation of vulnerability findings is time consuming and can be complex, requiring specific skills. This is an area where the “Sec” part of the DevSecOps team should play a leading role.
  • Last, but not least, every company should spend the time to rethink their global SDLC process according to the definition of their own digital transformation, where security can never be an afterthought. Let’s not forget that DevSecOps is a people and cultural transformation as much as it is a technical, tooling, and process evolution.
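One way to put the "continuous security" idea from the list above, and the earlier point about visibility into risk as probability of exploitation times business impact, into a pipeline step. This is an added example, not code from the interview or from any company named on this page: a build gate that scores each scanner finding by an estimated exploitation probability and a business-impact weight, then fails the build on that risk rather than on raw severity alone, while honouring time-boxed exceptions. The sample findings, the impact weights, the probability heuristic and the policy are all constructed assumptions for illustration.

```python
"""Risk-scored security gate for a CI/CD pipeline (constructed example)."""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample findings, shaped like a merged SAST/SCA report.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "component": "payment-api",
     "exploit_available": True, "internet_facing": True},
    {"id": "F-2", "severity": "high", "component": "internal-batch",
     "exploit_available": False, "internet_facing": False},
    {"id": "F-3", "severity": "medium", "component": "payment-api",
     "exploit_available": True, "internet_facing": True},
    {"id": "F-4", "severity": "low", "component": "docs-site",
     "exploit_available": False, "internet_facing": True},
]

# Constructed business-impact weights per component (1 = negligible, 5 = critical);
# in practice these come from the asset inventory, not from the scanner.
IMPACT = {"payment-api": 5, "internal-batch": 3, "docs-site": 1}

# Assumed base probabilities of exploitation per scanner severity.
SEVERITY_BASE = {"critical": 0.9, "high": 0.6, "medium": 0.3, "low": 0.1}


def exploit_probability(finding):
    """Heuristic (an assumption for this example): severity sets the base,
    a public exploit and internet exposure raise it, capped at 1.0."""
    p = SEVERITY_BASE[finding["severity"]]
    if finding["exploit_available"]:
        p += 0.2
    if finding["internet_facing"]:
        p += 0.1
    return min(p, 1.0)


def risk_score(finding, impact=IMPACT):
    """Risk = probability of exploitation x business impact, on a 0..5 scale."""
    return round(exploit_probability(finding) * impact.get(finding["component"], 3), 2)


@dataclass
class GatePolicy:
    fail_threshold: float = 3.0  # a finding at or above this risk blocks the build
    # Approved exceptions: finding id -> expiry as an ISO date string.
    exceptions: dict = field(default_factory=dict)


def evaluate_gate(findings, policy, today=None):
    """Return (passed, report). The report lists every finding with its risk and
    the reason it blocks or is allowed, so the team gets visibility, not just a verdict."""
    today = date.fromisoformat(today) if today else date.today()
    report, blocking = [], []
    for f in findings:
        score = risk_score(f)
        expiry = policy.exceptions.get(f["id"])
        if score < policy.fail_threshold:
            status = "allowed: below threshold"
        elif expiry is not None and date.fromisoformat(expiry) >= today:
            status = f"allowed: exception until {expiry}"
        else:
            status = "BLOCK"  # expired exceptions do not count
            blocking.append(f["id"])
        report.append({"id": f["id"], "risk": score, "status": status})
    return (not blocking), report


if __name__ == "__main__":
    policy = GatePolicy(exceptions={"F-3": "2099-01-01"})
    passed, report = evaluate_gate(SAMPLE_FINDINGS, policy)
    for row in report:
        print(row)
    print("BUILD", "PASSED" if passed else "FAILED")
```

Run as a pipeline step, a non-zero exit on `passed == False` is what turns the report into a "continuous security" control; the report itself is what the development team sees, so the conversation is about risk and remediation rather than about a scanner verdict.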


Q: You stated that due to the rapid cloud adoption and the agile DevOps, it seems that the traditional security tools and practices of application security simply cannot keep up with this demand? What is the new way to think about implementing application security? How do you see the DevSecOps vendors supporting these needs today and in the future? 

A: Yes, sadly enough, this is correct! In the last few years, application security has been seen as a hold up by the software development teams – something that is inefficient, takes time, is hard to do, and, in many cases, only available as a manual activity. 

The right approach is to rethink the entire SDLC process in a whole new way and to enhance it to a security-enabled application development and deployment process. That means that security is an integral part of each step of the SDLC process. Let me throw a few terms out there, which are all targeting to establish the continuous security approach within DevOps and SDLC. Some colleagues talk about SSDLC – Secure Software Development Life Cycle, meaning that we fully integrate the application security practices within every step of the development process. This also leads to yet another term – “Shift Left”, which is defined by moving the security testing as early (to the left) into the development process, when there will be fewer changes required compared to remediating findings at a later time when the code is ready to be released.

The security teams should also become enablers for the adoption of new technologies like Web Application firewalls, etc. that provide run time protection of the application layer. 

The vendor support here is an extremely important topic. Yes, we need modern application scanning tools that are easy to integrate within the CI/CD pipeline or, even better, already pre-integrated within the development environment. I fully support the notion of testing the application code “from inside out”/“from within”. And, these tools should be intended to protect applications at both deployment and run time.


Q: You have been helping many clients to move to the cloud as part of their digital transformation strategy. What are some of the most common challenges and what role does DevSecOps play in this? 

A: Oh, this is such a big topic – probably, for an entirely separate conversation. Let me see how I can summarise my thoughts at a high level.

Many businesses today are defining and implementing their own “cloud first” strategy, and the migration of applications to cloud is foremost in line. Since we are now entering a quite well established era of cloud adoption, the companies are looking to get more benefits from the digital transformation relying alike on both cloud adoption (for speed and cloud economics) and on DevOps (for agility and time to market). Of course, any cloud adoption should be underpinned by effective security practices.

There are so many similarities between Cloud computing and DevSecOps. They are both pillars of digital transformation leading the business growth, both are accelerators for streamlining processes and advanced automation, both are facilitators of global collaboration. They are also both accelerators for each other. Cloud provides “on demand” usage and scalability needed to develop and run applications. DevSecOps is often asked to be the bridge towards the cloud adoption – to lead in adopting the new architectures and new technologies, to perform the “stretch” within a hybrid cloud, and to integrate securely across the new business practices.

Some of the common challenges are naturally coming from the above details. Companies need to grow skills and expertise to support their new cloud environments, to establish effective ways to manage their cloud spending, budget, and forecasting while retaining full control over security of systems and data and compliance regulations. DevSecOps engineers need to lead with new technologies and architectures, executing “lift and shift” or building new “cloud native” applications, handling a multitude of deployments to new cloud environments with complex cloud configs, etc. The security (still listed as the number one major concern) needs to handle extended access management controls and secure a much wider perimeter while being flexible and agile. Multi-cloud adoption and complex integrations with 3rd party SaaS offerings often require additional skills and attention. In addition, all teams need to get used to the shared responsibility model where the cloud service provider is also part of the multidimensional collaboration.

There is a phrase that the cloud is a journey and not a destination (paraphrasing here). In respect to cloud and DevSecOps, it is a journey of building capabilities that enable our digital transformation for rapid business growth.


Q: Looking at all security incidents, exposures, ransomware attacks, etc. today, what are some of the lessons learned in terms of Application security? For example – what are some of the Application Security takeaways from the SolarWinds breach?

A: The SolarWinds incident brought a new dilemma to the AppSec practitioners. It showed clearly that our internal SDLC process can be compromised by attackers even though we do apply most of the best practices of secure engineering, and that even companies who have in place most controls can still become vulnerable by using a trusted vendor. We can review this from 2 separate angles:

  • In-house SDLC or security of our “software factory” – How well secured is our own application development process (build, test, and deploy)? Is everything we do routinely today in the AppSec space enough to protect and secure our custom developed software, our homegrown applications? Do we have end-to-end visibility over the SDLC – from the moment a developer creates code and checks it into the repository all the way to what happens with this code when it is deployed in production and upgraded there? How effective is our security review process if the attackers had compromised the entire build process and used legitimate certificates to sign their code?
  • Secure Vendor management – what is the best way to continuously evaluate and monitor the 3rd party software products and SaaS offerings we are utilizing today?

It is obvious that we need to be vigilant about our SDLC process and proactively monitor the way we design, build, and deploy our homegrown apps, as well as all integrations with 3rd party software. I see 2 main positive factors we can apply – “Shift left security” within the CI/CD pipelines within our DevSecOps process, and Zero Trust Architecture (ZTA) to protect our assets via continuous verification between systems, devices, applications, data stores, etc. based on a “never trust – always verify” approach.


Q: You mentioned implementing a Zero Trust Architecture and you recently presented on Zero Trust at one of our Apex events. What was most exciting to you about this panel? 

A: I believe that the concept of Zero Trust is an imperative for our post-pandemic world. I am always excited to discuss the new approach to Zero Trust and what the organizations need to consider to successfully implement the Zero Trust Architecture today. 

Although Zero Trust is not new as a concept (I believe it was introduced sometime in 2010), most conversations in the past have been around securing the perimeter and were led largely by our networking and IAM teams. And, this is to be expected – our data was mainly located in the corporate data centers and accessed from the corporate network, with implicit trust to everyone inside and generally protecting from external threats. However, our IT landscape has significantly changed today – data and applications are spread between “on premise” and multiple cloud providers and accessed based on the principles of “anywhere – anytime”. We also worry about both internal and external threat actors, and the trust is never given by default and always verified – and not only once, but continuously verified. For these reasons, the new approach to ZTA today is to invite new areas of expertise – people like me, who bring into the conversation the new perspectives of application/workflows and inter-system trust, the knowledge of data security life cycles, machine identity, etc. There is also a strong connection between ZTA and DevSecOps – both are seen as accelerators for the business, and both are bringing a new mindset, building a new culture across the enterprises.


Q: You are also leading a Data Protection program. What are some of the top priorities of a modern Data Protection program? What role does DevSecOps play in it? Any secrets you can share?

A: With about 4000 confirmed data breaches in 2020, of which close to 60% targeted compromised PII, data protection today is a critical segment of the enterprise cybersecurity readiness. (The data I cited from memory is from the Verizon 2020 Data Breach Investigation Report.) Of course, the ultimate priority of any Data Protection program is to ensure successful growth of the business based on secure and compliant data practices. A lot of emphasis and even enforcement today is also put on the data privacy function explicitly granting the consumers the rights to their data. Establishing a good Data Protection Program includes building many capabilities across the areas of data security, data privacy, data governance, addressing audit/legal/regulatory concerns, driving expense reduction, etc. Lately though, I catch myself continuously explaining the importance of data classification because, in my mind, the data classification rules. Let me explain. How would we know what network segmentation or access controls are required for a newly implemented data flow, or what safeguards and controls need to be put in place (i.e., encryption/tokenization for PCI data)? The only way to gain this knowledge is to classify the data according to the company’s policies, understand the type of the data elements, and then – design appropriately.

DevSecOps plays a very important role within the Data Protection implementation. Not only do the data scientists benefit from the consolidated CI/CD process, but if properly applied, the DevSecOps practices bring automation, control, repeatability, auditability, ensure velocity, prevent misconfigurations, enforce permissions and data retention policies, etc. These are all very important capabilities of Data Loss protection/prevention (DLP).

To answer your last question – Unfortunately, there are no secrets here. Data Protection, and more specifically DLP, require a great understanding of the business and its data, utilizing quite an expensive set of tools, and applying effective processes across the entire company. Although not easy, this is entirely possible when we keep the doors open for a wide, cross-company collaboration.
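As an added illustration of the "classify first, then design the controls" reasoning in the answer above (example code, not from the interview or from the program it describes): a small classifier that tags the fields of a constructed record and looks up the safeguards a policy requires for the strictest class found, so that the decision about tokenization, encryption or segmentation follows from the classification rather than preceding it. The detectors (a Luhn-checked card number for PCI, SSN and e-mail patterns plus field-name hints for PII), the policy table and the sample record are assumptions for illustration; a real program would take the classes and the required controls from the company's own classification policy.

```python
"""Data classification drives the controls (constructed example)."""
import re

# Constructed policy: classification -> safeguards required for a data flow.
POLICY = {
    "PCI":      {"storage": "tokenize", "transit": "tls", "segment": "cde",        "retention_days": 0},
    "PII":      {"storage": "encrypt",  "transit": "tls", "segment": "restricted", "retention_days": 730},
    "INTERNAL": {"storage": "plain",    "transit": "tls", "segment": "internal",   "retention_days": 365},
    "PUBLIC":   {"storage": "plain",    "transit": "any", "segment": "dmz",        "retention_days": 0},
}
# Order matters: the strictest class present decides the controls for the flow.
STRICTNESS = ["PCI", "PII", "INTERNAL", "PUBLIC"]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def luhn_ok(digits):
    """Luhn check, used to tell a card number from an arbitrary digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(name, value):
    """Classify one field by its content first, then by field-name hints (assumed rules)."""
    s = str(value).strip()
    digits = re.sub(r"[ -]", "", s)
    if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "PCI"
    if SSN_RE.match(s) or EMAIL_RE.match(s):
        return "PII"
    if re.search(r"(name|address|phone|dob)", name, re.I):
        return "PII"
    if name.lower().startswith("public_"):
        return "PUBLIC"
    return "INTERNAL"


def classify_record(record):
    """Per-field classification of a flat record."""
    return {k: classify_value(k, v) for k, v in record.items()}


def required_controls(record):
    """The highest classification present decides the controls for the whole flow;
    the per-field view shows which fields drove that decision."""
    classes = classify_record(record)
    top = min(classes.values(), key=STRICTNESS.index)
    return {"classification": top, "controls": POLICY[top], "fields": classes}


SAMPLE_RECORD = {   # constructed; the card number is a widely published test PAN
    "member_id": "M-10042",
    "full_name": "Jane Example",
    "email": "jane@example.org",
    "card_number": "4111 1111 1111 1111",
    "public_branch": "Downtown",
}

if __name__ == "__main__":
    print(required_controls(SAMPLE_RECORD))
```

The useful property is the `fields` map in the result: when a flow lands in the PCI segment only because of one field, that is the field to tokenize or drop, which is a cheaper design change than segmenting the whole flow.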


Q: I know you are writing a new book on cloud – can you give us some preview? What is the book about and what is the specific “cloud” point of view that you selected to write about? 

A: Now that the adoption of cloud is consistent and no longer just hype, there have been many great publications in the wide spectrum of cloud topics – from the financial and business benefits of cloud adoption to the best practices or particular technical challenges like management of cloud resources in a multi-cloud platform, migration to cloud, adoption of cloud native technologies, specifics of cloud security – you name it! There are so many important topics to write about! However, after talking to many of my colleagues and cloud practitioners, I selected a bit of an unusual point of view. The book is intended to explore the value and the potential of cloud adoption as part of the rapid digital transformation of the 21st century in our post-pandemic world. We try to answer questions like: “How can cloud adoption fuel the business growth and support the agility every company (big and small) needs in order to effectively compete today?” and “What is the impact of the pandemic on cloud adoption and all technologies fueled by cloud?”, etc. It is a practical book that discusses some of the most common questions posed by IT leaders and cloud practitioners today and provides a point of view expressed by use cases to back up the new, post-pandemic cloud strategies.


Q: You enjoy presenting at conferences, and it seems that people like your presentation style. Can you give us a few tips on creating a technical presentation? 

A: Oh, I am not sure I am an expert here, but here we go! Usually, I like to keep the presentation entertaining and interactive – asking the audience questions, giving a lot of examples, building up on a story or two, and using meaningful (sometimes provocative) images. Remember – “a picture is worth 1000 words” – there is a good reason why this expression originated in the early 20th century and is still very popular. A good idea is to keep the slides “uncluttered”, although I tend to have some “busy” textual slides… (guilty here!) Also, I like to have a clear outline with a crisp introduction and summary or lessons learned. I always try to leave the attendees with some kind of a follow up – like “Next steps” or a “Conversation starter”. Something to inspire people to keep thinking about the topic and bring the conversation to their companies and colleagues.


Maria Schwenger – AVP – Enterprise Digital Risk – Head of Application Security and Data Protection at American Family Insurance

Maria is an innovative DevSecOps and Data Protection Leader well-known for leading multiple successful implementations of the vision of modern DevSecOps and her leadership in executing digital transformation in areas like IoT/Edge, AI, and Big Data Analytics.

She specializes in leading organizations to effectively adopt and utilize new cloud technologies and new architecture paradigms like API/microservices, containerization, orchestration, serverless, etc., and in applying DevSecOps and Agile best practices of secure Continuous Integration and Continuous Delivery. The results of her work on building a “5 Star DevSecOps experience” demonstrate a multifold increase in efficiency and productivity in the development process, leading to fast and secure product improvements.

Currently Maria is concentrating on creating a comprehensive, but simple to implement DevSecOps practice that can be easily adopted across the board based on the best practices of secure engineering and data protection.

 

 

The Security Landscape with Rick Doten

Rick Doten, VP, Information Security at Centene Corporation, and CISO of Carolina Complete Health based in Charlotte, NC, has spent his 25+ year cybersecurity career teaching, speaking and consulting. Today he speaks with Apex about his journey and outlook on what comes next and how we get there.

 

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

The CIO is responsible for developing and maintaining the technical infrastructure to run the business. The CISO is responsible for protecting against threats and managing risks that could impact the security and resiliency of that infrastructure.

 

Q: What is the biggest challenge for a CISO today?

Honestly, keeping the organization focused. There are so many security issues popping up in the news, from SolarWinds, ransomware, spyware on phones, etc., that it becomes a frequent task to respond to executives who read these stories and ask “what are we doing about this?”.

Obviously, staying on top of these new threats and issues is important, as is verifying what the risk might be to the business, but they should only influence the security strategy. Keep to the plan you’ve established and are following, and try not to get distracted by specific events; otherwise, it’s like chasing dogs that burst out of the front door every time you open it.

 

Q: How has the role of the CIO/CISO changed over your career?

I have been in the business long enough to see how the role evolved from when Steve Katz was appointed the first CISO in the mid-1990s. 

Initially, it was more technically focused, to find and close security gaps; then in the early 2000s, became compliance-focused. At that time, when I was a consultant, one of my CISO customers said he didn’t fear the hackers, as much as the auditors. In fact, in the mid-2000s, I saw many CISOs start to go to law school to better understand the rising regulatory landscape. Up to this time, the CISOs were reporting to the CIO. 

Then in the early 2010s I saw the shift to risk management. IT security governance programs were being stood up more broadly, and we saw CISOs come out from under CIOs and move under CEOs, COOs, CROs, CFOs, etc. This is where we started getting a seat at the executive table and in the board room on a regular basis, not just when there was a security breach.

Today, it’s understood that CISOs are part of the business, and that technology risk is a business risk. Business executives have come to realize that CISOs have more of a role than just being the “in case of emergency, break glass” person, because a trusted, secure, stable, resilient infrastructure is a business enabler.

 

Q: How do you stay abreast of the trends and what your peers are doing?

I am part of a local CISO group here in Charlotte that meets once a month. Because everything has been virtual the last 18 months, I’ve been able to do so much more networking with my peers than before. I do a number of CISO virtual roundtables, speak on panels, and give keynotes at security conferences. I’m also on security podcasts.

 

Q: What advice would you give an early stage CIO or CISO joining an enterprise organization?

Understand the business you are in: How does it make money? Who are its customers? What obligations does it have to customers, regulators, or industry? Develop a governance process first to link the business requirements to IT risk management goals. Develop an incident response plan and process to make sure you can respond when things go wrong. With technical controls, focus on the fundamentals; don’t chase the hot trends or threats. Technology is the easy part: don’t focus on finding the best tools, focus on the outcomes of the process—tools support a process.

 

Q: How have DevOps and cloud services changed the way you design, build, deploy, and operate online systems and secure infrastructure?

I spent years doing application security consulting, from ethical hacking of online banking apps back in the late 90s, to training developers on application security, to helping firms integrate security within the application life cycle. Cloud is now part of the application security process. The Cloud is an application itself. With infrastructure as code, governance as code, microservices, and APIs in the cloud, applications and cloud have to be integrated. Multiple diverse teams are also now involved, not just developers, DBAs, and server admins. We’ve moved from design, build, run to collaborate, integrate, and orchestrate.

 

Q: What are some of the personal experiences — or compelling arguments — that have influenced your thinking around gender and technology and have motivated you to get involved in being an advocate for change?

Cybersecurity talent is much more about personality and aptitude than education and certifications. I think we have made the industry too intimidating for people who think they need to be geniuses, good at math, or have a certification to be a practitioner.

There are specific personality traits that make a good cybersecurity person: inquisitiveness, correlation, pattern matching, tenacity, and not being afraid to try something that has never been done before. These are not qualities you can train effectively into people who don’t have them natively. But you can train people on tools and procedures.

I’m a big fan of the Cyber Aptitude and Talent Assessment (CATA) test. This test doesn’t ask anything about security practices, controls, or standards, just questions to gauge how a person thinks. It has been used successfully in the UK and US militaries to identify potential cybersecurity talent. Anyone who has an interest in this industry should take the test, no matter the background, education, age, race, sex, or disability; it levels the field to measure a person on aptitude.

 

 

 

Rick Doten – VP, Information Security, Centene Corporation & CISO of Carolina Complete Health

Rick is VP, Information Security at Centene Corporation, and CISO of Carolina Complete Health based in Charlotte, NC. Rick supports both the NC health plan and corporate Centene in a cybersecurity leadership role.

In his prior role, Rick worked as a Virtual CISO supporting international companies. Rick also developed the curriculum for a Cybersecurity Master’s degree program for an international university.

Rick is an avid speaker at cybersecurity conferences, a guest on cybersecurity podcasts, and a member of The CyberWire Hashtable. Rick is on the Board of his local ISC2 chapter.

He is part of the editorial panel of the CIS Critical Security Controls, and was the lead author on the newest version 8 of the Controls. Rick has a YouTube channel where he gives an overview of the updates and changes to each of the 18 new CIS CSC v8 Controls.

Rick has alternated between being a management consultant and CISO throughout his 25+ year cybersecurity career, where he has run ethical hacking, incident response and forensics, and risk management teams.

The role and the focus of a CISO with Benjamin Corll

With 25 years of experience in the IT industry, the insight, advice and perspective of Benjamin Corll, CISO of Coats, are fascinating. His views on the relationship between the CIO and CISO, the importance of knowing the business, and collaboration among teams are some of the many areas that Corll shares through this Apex 1 on 1.

 

Q: What is IT security doing to support innovation in the enterprise?

InfoSec has been an underpinning of enterprise innovation for decades. We have been a force for change, yet we have operated behind the scenes for many years. Yes, we have had a bad reputation, as it has long been believed that the InfoSec team is the “office of no”. However, I do like to say that we’re the team of the “office of the know”. And by this I mean that we have monitoring of the organization. We have an obligation to use this data to feed the other teams and to help them make better data-driven decisions. By doing this, we are driving (or supporting) innovation in the organization.

 

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

As in most organizations, the CISO generally reports to the CIO. This means that the CISO has a tight relationship with the CIO. There should be mutual respect. I truly believe that the CIO and CISO are only successful when they are closely aligned. Security and IT should be aligned in objectives and strategy. The CIO is focused on availability and the integrity of the computing environment. The CIO is only going to be successful when the CISO is successful, as the CIO suffers when the network is breached, when applications are unavailable, and when desktops are compromised. The fate of the CIO and CISO are intertwined.

I have heard it said many times that it is a conflict of interest having the CISO report to the CIO. Can this be true? Yes, if the CIO is ignoring the risks that the CISO is reporting in order to prioritize uptime for the sake of availability. Yet, if the CIO understands that her success is tied to the CISO, then she should partner with and support the CISO. When that happens, there shouldn’t be a conflict of interest.

 

Q: What is the biggest challenge for a CISO today?

Prioritization is the biggest challenge for a CISO today. The threat landscape continues to evolve. Our budgets will never be large enough and our teams big enough to address every risk. We cannot do it all. There will always be more to do. And we cannot remove all risk as that would be too cumbersome to end users or it would remove the ability for users to do their jobs.

Security teams will have to stay nimble and pivot. This doesn’t mean that security has to be only reactive, yet it does mean that they need to be flexible. A roadmap can still be developed and delivered upon, yet it is not to be written in stone as new threats may be revealed and require a shift in focus, a reallocation of funds, and full support put into a new initiative. 

This is why I believe prioritization is the key challenge for a CISO today.

  

Q: How do you stay abreast of the trends and what your peers are doing?

Collaboration & sharing is how I stay up to date on trends and with what my peers are doing. Joining organizations which enable sharing of ideas and experiences in a trusted and controlled environment is invaluable. Some of these are free, some of them actually have a subscription model. Both are good.

There are curated lists of news which do save time. This allows me to know what some of the top articles and happenings are from around the globe without having to spend a lot of time scouring websites. What this enables me to do is answer questions if my executive staff calls me and asks me about something they may have seen in the news. So long as I have read my lists, I am rarely uninformed of the topics they’ve inquired about.

 

Q: What advice would you give an early stage CIO or CISO joining an enterprise organization?

Learn your business. Don’t focus on your siloed role. Learn what the company does and the workflows required to produce the goods or service that drives revenue. This is going to help with two main things:

  1. You’ll discover what the true crown jewels and critical systems are
  2. You’ll learn how to align your organization with the business objectives

Talk to the business. Empower your stakeholders. Listen to listen. And when you make a promise or commitment, do everything to keep it. Even if you have to go back and tell them that something isn’t possible after all, still go back and have that conversation (and learn not to overpromise when you’re not absolutely certain). Stakeholder management and setting proper expectations go a long way to being successful.

And then for the CISO, look at things from a risk-based perspective. And when someone comes with a request, rarely answer with a “no”. Instead, answer with “Yes, and…”. Let the “and” be the required guardrails or stipulations that would make you comfortable with the request. If possible, give multiple options. Allow the requestor to decide the path forward or whether they don’t want to proceed. This makes the decision a joint decision and stops it from being an adversarial relationship.

 

Q: What can organizations do to get more women into senior level and executive positions? What can companies do to address unconscious bias at all levels of the organization?

How do we get more women into senior and executive positions? Be intentional. We need to get diversity in our organizations. This is also a diversity in thinking. I don’t want to hire anyone who thinks exactly the way I do. I need other thought processes and perspectives, else I’m going to continue to make the same types of decisions that I’ve always made. So I have to be intentional to hire people who do not think the same way I do. So I, like others, need to be quite intentional to require my recruiters to bring me a diverse group of candidates. And then I need to be open to those who have the right mindset, even if they don’t have all the experience that I want. For security, a mindset is more important than technology experience. I can teach someone the technology, yet I cannot teach them how to be curious, skeptical, or persistent.

As for getting people into executive roles, organizations need to require a diverse group of candidates when a role is available.

 

Q: Has security been more of a challenge to manage while your teams have shifted to a Work From Home structure? 

My organization was friendly to a non-traditional office location for our administrative work force. However, it wasn’t exactly ready for everyone to not be able to ever be in the office, and certainly not for a year. 

How has this impacted the security? The engagement of users is more interesting. We need to make sure people stay engaged as they are more likely to follow the standards and security awareness when they feel engaged, empowered, and involved.

 

Q: Have you found new vendors for your organizations that are now needed in this time of COVID-19 and remote working?

One of the most innovative companies we found was one that has enabled us to use our existing cameras within our facilities to allow our health & safety team to monitor the environment. The H&S team can get real-time / near-real-time alerts to unsafe activities. It allows remote monitoring of locations while still being able to detect undesirable activities and incidents.

 

Benjamin Corll, CISO, Coats

I’ve been in the IT industry for about 25 years now. I started in the US military as a small computer systems specialist, also known as a UNIX systems administrator. Being versed in the CLI and iptables, I was assigned to taking care of the firewalls and perimeter devices. This started a transition from sysadmin to security administrator.

During the dot-com boom, I transitioned from military life into technology consulting. I spent the next several years deploying network and security devices before deciding it was time to settle down and begin building and maturing organizational security programs. I was fortunate enough to be a founding member of the US Postal Service’s Computer Incident Response Team (CIRT), where we built a world-class response organization with engagement with other CIRTs/CSIRTs/SOCs around the globe.

After a few years of building programs from a security engineering perspective, I shifted to building programs as an InfoSec Director. This allowed me to shift to a more strategic perspective and build programs that not only focused on risk management and protecting my organizations but also aligned security with business objectives.

 

The Evolving Role of a CDO with Bojan Duric

Bojan Duric is the Chief Data Officer (CDO) of the City of Virginia Beach, where he promotes a data-driven and citizen-centric culture at all levels of the organization. Bojan’s rich experience in data science and business analytics spans multiple industries including government, transportation, healthcare, and consumer packaged goods (CPG). He shares with Apex how he has watched the role of a CDO evolve throughout his tenure and discusses the current data trends that can impact an organization.

 

Q: What is the difference between a Chief Data Officer (CDO) and a Chief Analytics Officer (CAO)? Are they one and the same?

A: I personally wear both hats and view these roles as being one and the same. However, depending on the size of the organization, its culture, and individual skills and personalities, the roles might be different. Both roles often act as change agents with the same end goal: utilizing data and people to support organizational growth, enhance operational efficiency, and deliver an exceptional and personalized customer experience. The CDO often incorporates both roles, while the CAO might come from the business side, focusing on data utilization without data governance, data infrastructure and other more technical data-related responsibilities.

 

Q: How have you seen the role of CDO change? Have you encountered any challenges facing the CDO function?

A: If we look at any business capability from a technology, people and process framework perspective, we can see that data plays an integral part and sits in the middle, acting almost as a glue. Projecting this view onto the CDO role clearly indicates that the role is evolving as our customers, processes and technology evolve, especially regarding overall responsibilities and organizational expectations. The role has become more mature and better-defined over the last few years, but the major leadership traits of possessing a well-balanced approach to technology and process while being an overall good negotiator and conversational leader who can empower and inspire an entire organization to embrace data-driven practices remain a challenge. As an organization matures in its data and analytics journey, the role grows by fine-tuning and expanding certain responsibilities. When I assumed the CDO position with the City of Virginia Beach, we defined our purpose as “to promote a data-driven culture at all levels of the decision-making process by supporting and enabling business capabilities with relevant and right information accessible securely anytime, anywhere, on any platform.” We were early in our data adoption journey, and our main goals were to address challenges such as breaking data silos, building internal data and analytics human capital, implementing an enterprise analytics platform and becoming cloud ready. By focusing on these challenges for two years and successfully closing the identified gaps, we enhanced our purpose to include digital transformation and innovation, which changed the CDO role and responsibilities. It requires 360-degree support from leadership, peers, customers and fellow data and analytics practitioners. To secure buy-in from all stakeholders, it is very important to define an agreeable and achievable customer-centric purpose statement and start delivering on the promise.
I have been able to get the necessary buy-in and continuously grow my team by frequently engaging customers and taking on new responsibilities to deliver actionable insights and relevant analytics solutions.

 

Q: How is your Organization leveraging Big Data and AI and machine learning to transform their businesses and what opportunities does it present to the business? What are the challenges, and how can these be best overcome?

A: Both Big Data and AI have been occasionally used as “buzzwords.” Big Data almost started to fade after failing to deliver on the high expectations from all the hype a few years ago. Thanks to AI, Big Data is getting its second wind. AI, particularly narrow AI (NAI), seems to be able to deliver quick wins by automating processes and integrating chatbots, paving a good foundation for wider, more sophisticated AI-backed solutions. So Big Data as a backbone of AI is getting attention again, more from variety and veracity, with way better outcomes than a few years ago when most businesses could not comprehend its applicability. Bots, RPAs and virtual assistants make AI applicability tangible and relevant to the business users. We have seen this transformation and its direct, positive and measurable impact on our organization with simple bot integration to handle basic, repetitive yet frequent tasks such as password resets and knowledge base searches. After one successful implementation, a floodgate of other use cases opened. Just one case, demonstrating that seeing makes believing, has inspired great demand, while cloud services along with human capital skills have proved able to scale appropriately and meet the increasing demand. Further automation and NLP adoption have huge potential, not only as a new solution but as an extension of existing business capabilities, almost AI as a service and product enhancement. For example, we all have access to personal assistants, not only senior management as was the rule in past decades, but we do not utilize them in our everyday tasks to be more productive. The key to marginal improvements and adoption on a larger scale to gain huge organizational impact and operational efficiency involves freeing the creative mind to deliver new values. It requires unlearning old habits, relearning existing ones and learning new approaches.

 

Q: What are the current data trends and how will it impact your organization?

A: Data is growing exponentially and new trends are emerging frequently, but I would focus on a few that can make a huge impact on our lives as data consumers as well as on data practitioners, such as data sharing and data privacy. It seems these are on opposite sides, but they are not mutually exclusive; rather, they are data-ethics inclusive. It does not mean that private data cannot be shared or that sharing means opening up all data. There is governance in place to ensure appropriate levels of privacy and security. It requires a good understanding of existing data compliance as well as your role to support and enforce data governance processes. I found that “data owners” are most reluctant to open up and share their data even in instances where there are no legal, compliance or business restrictions. I always use the analogy of home ownership when trying to explain data governance and especially the term “data owner.” I ask the group to raise their hands if they are homeowners. You will notice most people in the room raising their hands. Second, I ask those who would still be homeowners after failing to pay their mortgages for 12 months to raise their hands. Only a few hands would stay up (those who owned their homes outright and no longer had a mortgage). It is the same with the data; we own certain data and it is protected and regulated depending on industry and compliance, but in most cases we as data practitioners are data trustees. We take good care of our homes, we follow regulations, do home improvements to enjoy our homes, improve quality of life, and build equity. We certainly do not mind keeping our neighbors accountable if we see that their neglect can jeopardize our living conditions and diminish equity potential. Why should it be different with data? If your home is one of your biggest assets, and we continue promoting ‘data as an asset’, then we should manage it as an asset. Data sharing is one way of improving and enriching your data.
It also promotes data reusability, significantly reducing the number of requests for new datasets which force highly-skilled data engineers to perform unnecessary and redundant ETL processes. I have to admit that the data sharing implementation might be painfully slow, but we will see enormous efficiency among our customers even with small improvements around data sharing. Streamlining the process and annotating data on small samples eliminates not only silos but unnecessary errors and increases trust in existing data. This again shows the importance of being a data trustee.

 

Q: How has DevOps and cloud services changed the way you design, build, deploy, and operate online systems and secure infrastructure?

A: My decades of professional experience as a data practitioner and a leader have taught me that information is valuable and actionable only if received when needed—one day or even one hour late could easily make it irrelevant. A day-old newspaper is viewed as useless, almost like garbage to be recycled. My latest hire to lead data engineering efforts came from a strong DevOps and cloud background. I see strong, agile, infrastructure-scalable data engineering as a prerequisite for successful data science and data analytics practices. For those going to the gym regularly, data would be your legs and you never want to forget your leg day, while analytics is your upper body, the most visible and thus getting the most attention. Data engineering is your core, abs and back. A weak core compromises your overall health and fitness. So strong data science without strong, agile data engineering is questionable too. I must be clear that DevOps is not a simple copy/paste to data engineering, but there are many similarities. The data engineer role is often used interchangeably with data architect, which requires a solid cloud understanding. It also requires good scripting skills, where I draw a parallel with software developers, and as with all code, it requires versioning and collaboration. In previous years, we have managed to retool part of our DBA practice and develop a data engineering team that is fully cloud-certified, adopting DevOps principles with the ultimate goal of managing data via code repos rather than maintaining multiple data tables and views. On the analytics side, in addition to computing power and scale, the cloud offers production-ready data science services which require borrowing DevOps methods. Both cloud and DevOps have hugely accelerated a long-term need for data analytics and quick turnaround, resulting in DataOps as not only a set of best practices but as its own methodology in data analytics.

 

Bojan Duric is the Chief Data Officer (CDO) of the City of Virginia Beach, where he promotes a data-driven and citizen-centric culture at all levels of the organization. As CDO, Bojan is responsible for implementing data and information strategies across the enterprise, with wide impact not only on Virginia Beach residents but on the whole Hampton Roads region. Shortly after joining the city, he successfully implemented the highly demanded Data Academy Program, a data and analytics literacy initiative which enriches employees with data and analytics skills to support a fact-based decision-making process. Some key advances for the City of Virginia Beach in his short tenure include the implementation of the first data and analytics platform for collaboration and a framework for certifying both data and practitioners, which he likes to call “Data Governance in Practice”. He views data as an asset to empower employees, boost citizen engagement, and increase transparency.

Bojan’s rich experience in data science and business analytics spans multiple industries including government, transportation, healthcare, and consumer packaged goods (CPG). He has held key roles in financial, operational, supply chain, and sales and marketing analytics. His vast business background includes providing management coaching, training, and consulting to Fortune 100 companies and government contractors, such as Norfolk Southern, Carlsberg A/S, and ADS Inc. He is proficient in several open source and proprietary technologies and has developed a range of data solutions and analytics products recognized by influential data communities, and both private and public organizations.

Bojan is a guest lecturer at Old Dominion University (ODU). He is an advisory board member of ODU’s Computer Science and Engineering department and its Strome College of Business. Bojan holds a Bachelor of Science degree in Computer Science with a minor in Mathematics from Rutgers University and a Master of Business Administration (MBA) from Old Dominion University.

 

Apex 1 on 1 with John Arsneault: Insights from a CIO, venture capitalist and a startup advisor

With over 30 years in the technology industry, John’s expertise in strategy and execution within the realm of growing businesses has made his 1 on 1 with Apex fascinating. Read John’s perspective on how the legal industry is evolving in the current state and his five-step process for managing an organization.

 

Q: Have you developed a business driven data strategy; is there support for it and is your organization becoming more data-driven? What steps are you taking to ensure all areas of the business are data driven?

A: We set out to develop a business systems architecture that modernized all of our back office systems utilizing a platform-first strategy. This included moving to SaaS-only vendors with modern APIs, which allows us to move data in and out of systems as needed without heavy effort. With a SaaS architecture, systems are automatically updated with new features, allowing IT resources to focus on value-add efforts vs. system upgrades and maintenance. The organization has an ever increasing appetite for data-driven decision making around client preservation, revenue generation and back office decision making. We believe that simplicity in systems architecture plays a big role in adoption of tools and idea generation around them.

 

Q: How do you balance the need to ensure that non-revenue generating data-driven transformation efforts receive the commitment and funding that are required to sustain these efforts?

A: We build business cases for IT initiatives and run those cases through a technology steering committee for selection of a diverse set of annual investments. While ROI is a key driver in the selection process, a balanced approach to progress across the entire firm is a key guiding principle. Keeping the overall firm healthy from a technology perspective only happens if we invest in all areas of the firm vs. focusing only on revenue generating activities.

 

Q: How are you justifying the cost needed to evolve and adapt IT to support the speed and agility required by the business?

A: We have been successful keeping IT costs relatively flat despite investing heavily in new systems. This is accomplished primarily by utilizing SaaS solutions. Migrations from managing data centers and DR facilities to being 100% cloud, as well as cloud PBX adoption, have cut traditional IT infrastructure costs substantially, which offsets the investment in new systems.

 

Q: What operating model and cultural changes have you considered as you shift to a digital business?

A: This is something that is very much in progress in the legal services space. Some technologies such as e-signature capabilities have made an immediate impact on efficiency and client service. Others such as Zoom have cut travel expenditures significantly. There are many examples of technologies that have adoption curves that take years, while others catch on quickly. Emergencies (like a pandemic) or an extreme competitive disruption can accelerate adoption; most, however, take a little time. Our firm has moved in a direction of digital work processes quite a bit in the last few years with a focus on speed of delivery for clients.

 

Q: What is the current state of Big Data and AI investment and do you sense the pace of Big Data and AI investment changing?

A: This has been mostly an experimental space in the legal world. The biggest issue holding back adoption of AI in legal is the lack of focus on UX. The majority of focus is on the back end of the systems, resulting in solutions that are hard to use, limiting who can take advantage of them. This follows a typical innovation curve of complex systems and I expect this to change in the next 3-5 years. There is already an uptick of focus on the UX of AI systems in the legal space.

Q: What advice would you give an early stage CIO or CDO joining an enterprise organization?

A: I think it is important when you join an organization to learn the business at a high level and develop a multi-year (call it 3 years) technology strategy for the organization. If you get too bogged down in the weeds early on, it is very difficult to shift to strategic work. I try to follow a five step process for managing an organization:

  • Develop a strategy aligned with the industry you are in and get executive buy in.
  • Build a team of A level players that are excited about the strategy.
  • Break the strategy down into tactics (prioritization, resource management).
  • Show up each day and grind.  Be consistent and keep commitments. Your staff will mimic your habits.
  • Develop the art of saying no.  You will be inundated with requests and ideas.  If you allow these requests to disrupt your tactical plan, you will not succeed with your strategic plan.  This is an art form – you need to learn to say no without making people feel like you don’t listen or care.  That is not easy, but it is a vital skill.


Q: How have cloud services changed the way you design, build, deploy, and operate online systems and secure infrastructure?

A: SaaS has changed everything.  You can focus on data and feature usage vs. deployments and maintenance.  Applications don’t get old, and IT doesn’t have to choose what new features to give to the business because of limited resources.  There is no infrastructure to manage.  Tech access gets simplified: no VPNs, and the user experience is the same regardless of where you are or what device you are using.  The IT folks can focus on usage and value vs. keeping the lights on.  Product development can be more easily influenced with strategic vendors, as they are now maintaining a single code base.

