Vation Ventures' Roundtable Sessions regularly bring together senior IT leaders from across the globe for unique, peer-to-peer discussions on the issues that drive significant trends in the IT space.
Vation Ventures' Roundtable Sessions regularly bring together senior IT leaders from across the globe for unique, peer-to-peer discussions on the issues that drive significant trends in the IT space. Each quarter, hundreds of CIOs, CISOs, CTOs, and other executive leaders convene via this unique - and uniquely insightful - format to engage in frank, intimate discussions on the latest burning topics in the field.
This past quarter was no exception, as some of the brightest minds in enterprise IT put their heads together to explore, examine and break down everything from digital customer experiences to third-party risk management to data visibility as a means of empowering culture to the future of hybrid work. And, while the subject matter of our Roundtable Sessions over the past few months may have varied, a handful of common themes has emerged. Our intelligence team analyzed each of our Sessions in Q3 to provide a breakdown of the main themes.
Perhaps the most universal theme to surface in our Q321 sessions was that of taking things one step at a time when it comes to rolling out large-scale technology initiatives.
With the increase in remote work accelerating digital transformation and re-shaping the cybersecurity landscape, it's essential to aim for quick wins that will result in buy-in from the company for long-term initiatives. One participant, an EVP, and CTO at a fintech company said that widespread employee buy-in is much easier to achieve by building on smaller victories, given that all parties tend to feel like they're contributing. Another participant, the CEO of a cybersecurity firm, agreed that quick wins can be great for overall morale and momentum, though he stressed that they still must build to the greater picture.
As more and more departments within a business take to deploying technology solutions, "de-siloing" has become more critical than ever, not only to help eradicate "shadow IT" and reduce security vulnerabilities but to integrate data from different business units with the goal of engendering a we're-all-in-this together mindset toward digital transformation.
Among recently-elected New York City mayor Eric Adams' campaign promises was an effort to de-silo data collected by the city to address government waste and make city services more accessible to residents. In addition to hiring an "efficiency czar" to oversee the effort, Adams proposed combining the data gathered by various city agencies to help streamline bureaucracy and track individual agency performance.
Across our sessions, another topic that arose time and again was the need to more tightly control network access in the face of new, pandemic-induced security threats.
Given the hasty digital ramp-up necessitated by the spread of COVID-19, many businesses were forced to prioritize remote access over security, leaving networks prone to threats until there was time to go back and address vulnerabilities. As noted by a healthcare IT executive, with the pandemic turning telehealth into a must-have overnight, security initially took a backseat- given that getting patients online access was the immediate priority. Similarly, a cybersecurity company executive said a considerable influx in online registrations necessitated patience as they adapted to gathering user information in roll-outs rather than scare off users by trying to grab all their information right away.
While many leaders and organizations thought they were going back to the office in August or September, COVID variants and increased cases have spurred most companies to delay return plans until 2022. According to Deloitte, leaders have pivoted to creating "adaptive workplaces and technologies" to support their workforces through and beyond the pandemic. This approach emphasizes virtual collaboration tools and technologies, new architectures and infrastructure deployment to support new internal and external demands and an increased focus on cybersecurity due to the increased attack surface.
Late last year, as companies prepped for an initial return to "normal," some of the biggest names in tech unveiled plans for accommodating very different-looking workforces. Not only did Reddit announce that it would allow most employees to choose a remote, in-office, or hybrid arrangement, it also pledged not to reduce employees' pay should they decide to relocate. Meanwhile, Dropbox vowed a "virtual-first" return that gives its roughly 3,000 employees the ability to work primarily remotely with periodic office visits for collaboration and team building. Finally, cryptocurrency exchange Coinbase plans to go remote-first as well, giving employees the option to either work remotely or in an office.
The use of third-party software has become standard practice for businesses, and demand is only increasing, leading to questions about security and access visibility.
With their ever-increasing reliance on third-party software vendors, businesses need to focus more tightly on vendor due diligence. Such efforts should include establishing a third-party risk assessment policy and issuing questionnaires or evaluations to help secure vendor relationships and clarify the types of access third parties are allowed. The CISO for a university said that while trust in vendors was previously implicit, increased reliance on third parties and an increase in the amount of data being hosted has required them to take a second look at the security of such relationships. Further, an IT executive at a hedge fund explained that standardizing an organization-wide questionnaire for vetting third-party vendors has helped significantly elevate the level of security, trust, and onboarding speed at his firm.
The SolarWinds hack in early 2020 hack accelerated broad changes in the cybersecurity industry and opened the door to a new era of supplier risk management. In short, it's no longer enough to have a manual, annual process. Instead, companies are turning to new methods that assume there have already been breaches rather than merely reacting to attacks after they're discovered. There are also signs that the Solarwinds attack may lead to a stronger relationship between the cybersecurity industry and the US government, with the private sector helping federal officials fight off nation-state attacks and bad actors from other countries.
Just weeks ago, Microsoft announced it had learned that Nobelium, the Russian hacking group reportedly responsible for the SolarWinds breach, has begun targeting software and cloud service resellers. According to Microsoft, at least 140 resellers and tech service providers have become the group's focus, given the direct access they have to their customers' IT systems. Thus far, 14 cases of compromise from the new hacking campaign have been confirmed.
Digital transformation tends to require an all-hands-on-deck approach, so the establishment of relevant metrics can be critical to the success of such efforts.
When undergoing digital transformation, it can be challenging to look back and measure success. That being the case, it's crucial to map out what success looks like at the outset of such a journey while at the same time being open to adapting to other, unexpected measures of success. The CTO of a fintech firm said that basing success metrics on getting the whole company to "speak the digital language" helped the company take a huge step forward in digital transformation. Additionally, a government sector CIO explained that defining success metrics for his organization has meant building agile, adaptable systems that can be easily updated instead of more throwaway architectures.
The diversity of metrics used to measure success across an organization can be a hindrance to defining it. For example, revenue may not be relevant to the security team, and time-to-remediation for security events isn't important to the sales team. Further, data teams are often backlogged with metrics requested for study for different business units. Data democratization helps companies resolve these sorts of issues by arming business units with data tools relevant to their needs, accelerating aggregation, and eliminating backlogs. By moving users closer to their data sets, time-to-answer is reduced, and each department can implement efficiencies in an agile fashion.
Data observability platform Datafold recently raised a $20m Series A round from backers NEA and Amplify Partners based mainly on its capacity to facilitate data democratization, which gives employees outside the specifically-trained-and-nearly-always-shorthanded data teams the ability to build data products themselves.
Between expanded IoT efforts, software supply chains, and remote work, securing a company's network has never been more important – or more complicated.
When it comes to network security, it's critical to decide who owns which aspects of an organization's security strategy. Still, placing ownership on a single team while also emphasizing security earlier in a product's lifecycle or practice can result in shove-left security issues, leading to friction among teams and decreasing overall production. One executive in our sessions, the Enterprise Information Security Officer & AVP for a financial services company, said his organization hired someone external to come in to manage and own the software supply chain directly. While it is working well, it is very slow. "I don't see a way to speed it up a lot. We are, structurally, a slow organization to do things. It would have helped if I'd brought someone in directly because they would have known everything. In this case, we brought in someone that senior management and the CEO liked . . . they were very good at traditional vendor management, but they're not very good at new technology at all."
Regardless of size, industry, or region, assigning security ownership is crucial to an organization's success. However, security ownership can vary based on the evolution of a company's security roles evolved and their technology requirements. While IT is generally considered the owner of security, they also serve as the custodians of applications, systems, and infrastructure. What's more, security teams have evolved over time to patch what is necessary at each point, so certain use cases do not necessarily apply across an entire organization. As such, it is necessary to take a step back, take proper inventory of all assets and design a strategy for protection, detection, and response for all unique threat vectors.
In a recent interview with ITWire, Lawrence Crowther, an executive at developer security unicorn Snyk, stressed that developers must take ownership of security, from the code they write all the way down to the infrastructure level. To address this, Crowther recommends that organizations invest in reskilling such that developers can also become security specialists. Just a couple of weeks before that, CRN quoted Snyk executive Asanga Wanigatunga, saying, "the market is moving faster than ever before as organizations realize that developers need to take ownership of security and are equipped to address issues as they arise."