CIO Exchange Podcast

Innovating at the Speed of DevOps - Guest: Ashish Kakran, Principal of Thomvest Ventures

Episode Summary

This conversation is part of our Lead/Forward series, where we talk with technology leaders about the real stories behind the themes of innovation, talent, and experience. In this episode, we interview Ashish Kakran, Principal of Thomvest Ventures, to find out how his organization nurtures the future of technology and advancement by investing in companies to help them become leaders in their fields.

Episode Notes

During the discussion we tackle the technology challenges related to multi-cloud, including infrastructure, security in DevOps, and continually scaling workloads. We delve into how COVID played a big role in speeding up the digital transformation, and how CSOs and CIOs are working to enable innovation without inhibiting applications or compromising their companies.


Time stamps:

01:00 Convergence of Security

05:15 View of the Market as an Investor

07:51 Multi-cloud Expansion and Usage

12:00 Multi-cloud logistics and security

15:30 Future dominance and structure of multi-cloud

18:00 AI and ML Impact on Customer Experience

23:00 Impact of Culture, Team Structure, and Tech on Customers

30:00 CIO and CSO Realignment Reservations

32:00 Transform or Die

34:00 CSOs with a Seat at the Table

36:00 Security Economics

37:00 What Companies are Doing Right and Wrong




Episode Transcription

Ashish Kakran (00:02):

Security used to be an afterthought. You would build your application, and just when you're about to hit launch, throw it over the fence to the security team. Today, you're basically developing a shared model of ownership when it comes to security.

Yadin Porter De Leon (00:15):

Welcome to the CIO Exchange Podcast, where we talk about what's working, what's not, and what's next. I'm Yadin Porter de León. This conversation is part of our Lead Forward series, where we talk with technology leaders about the real stories behind the themes of innovation, talent, and experience. In this episode, we interview Ashish Kakran, Principal of Thomvest Ventures, to find out how his organization nurtures the future of technology and advancement by investing in companies to help them become leaders in their fields.

Yadin Porter De Leon (00:42):

We tackle the technology challenges related to multi-cloud, including infrastructure, security, and DevOps, and continually scaling workloads. We also delve into how chief security officers and CIOs are working to enable innovation without inhibiting application velocity or compromising their companies.

Yadin Porter De Leon (01:04):

Ashish, when you have a convergence of cloud infrastructure and security and all the different... I know two big topics, we're not going to cover them all today, but we're going to kind of talk about some of the convergence. Is security really the hardest thing when you're trying to address in an organization, scaling cloud infrastructure, scaling your hybrid infrastructure, scaling multi-cloud infrastructure; is security really that biggest thing? Do you feel like it's not being addressed or people just can't wrap their head around it? Where do you feel like that intersection is creating tension or issues or hurdles with organizations?

Ashish Kakran (01:35):

I think as a security practitioner, if you really think about it, you have to be correct a hundred percent of the time, but the hackers need you to be wrong just once.

Yadin Porter De Leon (01:44):

That's tough. How do you deal with that?

Ashish Kakran (01:46):

Yeah, think about it, right? I'll go back to the SolarWinds hack. The hackers were really patient. They added some code to your code base, and then they waited patiently for months. After that they started stealing data, and it was basically just by chance that one of the multi-factor authentication codes went to an employee which triggered an alert and which led to investigation. It's scary to think that there might be multiple such supply-chain issues that might be out there in the open, which we haven't caught yet. That's the challenge. When you think about the CSOs and CIOs, this is what you're dealing with.

Ashish Kakran (02:21):

When talking about multi-cloud, really let's think about where is the technology challenge coming from. One, the recent COVID basically accelerated the digital transformation. So what you were planning to do in the next four to five years, basically you had no choice and you had to wrap it up within a matter of a year. Now your employees and your vendors are basically accessing your critical applications from coffee shops, shared workspaces, so you need to protect against that.

Ashish Kakran (02:47):

The second one is when it comes to multi-cloud, there are dynamically scaling workloads. Back in the day, you would have, let's say, 50 virtual machines. Your job was to protect them. It was a fairly relatively easy job compared to what it is today. Today you have containers which are ephemeral in nature. You have Kubernetes clusters and they're here today and maybe end of the day, they're not there. So how do you protect against that because now your attack surface is massive.

Ashish Kakran (03:13):

The third part here is in open source a lot of your software developers are integrating libraries, hacking into those and integrating those. If you're not careful with security, you are going to introduce new vulnerabilities in your code base. As a key decision maker, this is kind of my lay of the land. I'm dealing with this. On top of it now think about regulation. I had a conversation recently with a CIO who deals with over 20,000 applications, and one of the big things he said is, "I really care about security and regulation and compliance." We have all heard about CCPA and GDPR, but that's not the end of it. Every state is drafting its regulation. European Union is drafting a new regulation for AI and machine learning. So you have to do things in a way that is compliant.

Ashish Kakran (03:56):

Then I would also add from a technology point of view as a CSO, how are you going to enable innovation at the speed of DevOps without inhibiting your applications and without compromising on the quality of your security?

Yadin Porter De Leon (04:09):

I like that, innovating the speed of DevOps. Would you say DevSecOps? I know that's a whole other branch that we go into, but would you really just be an advocate of the DevSecOps movement?

Ashish Kakran (04:19):

Yes. It's basically part of the shifting left trend overall. As a software developer, you're used to writing code, I've been a software developer. I would write code. I would check it to make sure that new features are working as expected. I'm not degrading the application with the new version. Security used to be an afterthought. You would build your application, and just when you're about to hit launch, throw it over the fence to the security team. Today you are basically developing a shared model of ownership when it comes to security. So your DevOps team now works hand in hand with your security team. Your developers are basically writing code that is getting tested frequently.

Ashish Kakran (04:54):

We are actually investors in a company called ShiftLeft, which enables you to check your code, whether it's custom written, whether it's open source library that you're integrating in your code base for vulnerabilities which are known, and it's like 40, 50X faster than competition.

Yadin Porter De Leon (05:09):

Yeah. I think that's actually a good point to pivot as you've got a great perspective of that convergence of security of multi-cloud, cloud infrastructure and DevOps, DevSecOps. What are you doing right now in your work with the company you work with, the companies you invest in; give me a sense of where you sit right now and how what's your view of the market and what you do day in, day out?

Ashish Kakran (05:30):

At Thomvest we are thesis-driven investors. We believe cybersecurity and cloud infrastructure are secular trends. Last couple of years, cybersecurity kind of has really taken off where they look at the number of exits, IPOs. The pain point is massive. The way it works is every three to four years your technology stack is changing significantly. 10 years ago, you were building monolithic applications hosted on your private data centers. You were managing all of that infrastructure. It was a capital expenditure.

Yadin Porter De Leon (05:59):

We call them the good old days.

Ashish Kakran (06:00):

You'll be surprised some of the mainframe computers, actually a lot of them are still active. When we talk to financial services-

Yadin Porter De Leon (06:08):

Are COBOL coders still needed? Do we need COBOL coders out there still on some of those?

Ashish Kakran (06:13):

Well, I think if you can code in COBOL, I think you have job security today. So going back, starting from that world, then you moved into a service-oriented architecture. VMware was a fundamental innovation, which made it possible for you to virtualize your infrastructure and then five years ago there was this big shift towards microservices, towards containers and Kubernetes, APIs became a thing. Every few years this ecosystem is changing. This is rapid. So organizations have to adapt to it.

Ashish Kakran (06:44):

Following that is cyber security. As organizations keep making these changes, you have a larger attack surface that you need to protect against. We think that is kind of a fundamental way a lot of great cybersecurity companies are created because there's great moments like this. Right now we are living in one such world, markets have changed for example, and for cybersecurity founders this might be a great time to start something interesting.

Ashish Kakran (07:10):

I'll also talk about data here a little bit. When we are talking about these massive macro shifts, Window applications, your networking has moved to the cloud, and then now storage is also in the cloud. Five years ago, there was a big talk about Hadoop and services providers that were making it easy for you to adopt Hadoop. Today the modern data stack has emerged to keep businesses agile and help them better store, manage and get value of their data on the cloud. Whenever these big kind of macro changes happen, we see massive opportunity for driven founders to create category-creating companies. So we are investors. We have been fortunate to be investors in companies like Harness and Clarity.

Ashish Kakran (07:49):

I would also like to add, if you are listening to this podcast, if I can help in any way, don't hesitate to reach out.

Yadin Porter De Leon (07:57):

Excellent. I think the show notes will have your contact information and we'll also do it at the end of the show to make sure everyone knows where to reach out to you. I think what fascinates me is that you're at the cusp of all of the problems converging, people understanding what the value prop is of solutions and understanding why they really need these things.

Yadin Porter De Leon (08:13):

Before I get too deep on that, I wanted just to get a quick step back. Give me a sense of where do you feel like multi-cloud is and where do you feel like that need is to have multi-cloud, so you have that agility, so you have that scalability? Does it have to be hyperscalers? Can it be off-prem, on-prem? Where do you feel like people should really say this is how they should really think about multi-cloud and this is why multi-cloud actually matters. This is what it will help you with. It will help you with time to market, it helps you with compliance, regulation, all the things that you talked about. Maybe we could just take a quick step back and just say, what is multi-cloud in your mind? What do you feel like the real advantage of that is for an organization to really affect the bottom line?

Ashish Kakran (08:49):

So when we think about multi-cloud and hybrid cloud or agile, really it's coming out of the maniacal focus on the customer. I'll start there that as you design, the best companies are obsessively customer focused. The customer is the center of all decision making and all product roadmaps basically emerge from these customer pain points. Then you start working backwards from that to solve these challenges at scale. The best companies today deploy code multiple times a day. Not too long ago, it was once every six to nine months. So agile processes basically make it possible for you to ship delightful customer experiences at the speed of DevOps.

Ashish Kakran (09:28):

Now, when you are in this kind of world, multi-cloud basically enables that transition for your organization. Well cloud is basically you're renting your cloud, your storage, networking, and compute from someone else. Someone else is managing your core infrastructure in a data center somewhere. Now these could be multiple hyperscalers. You may have your own private cloud that you manage. The best companies we have seen have a multi-cloud strategy because it helps them in a few different ways.

Ashish Kakran (09:56):

I'm going to highlight two or three of them, which are really, really critical. The first one is vendor lock in. I know we have talked about this for a very, very long time.

Yadin Porter De Leon (10:07):

It's always top of mind, but everyone's always trying to get their head around it. Well, okay, I want vendor lock in, but I also want efficiency and I want to leverage the skillset of the people that I've got working for me. I don't want to have to hire a bunch of new people or learn a bunch of new skills or learn a bunch of new toolsets.

Ashish Kakran (10:20):


Yadin Porter De Leon (10:21):

But maybe that's not the trade-off anymore. Maybe that's a false trade-off.

Ashish Kakran (10:24):

Yeah. I'll tell you some of the smaller players that we talk to vendor lock-in they don't really care about it. It'll be a surprise to you but as the size of the organization changes, vendor lock-in becomes a pain. For mid-size organization where they want to move fast and not break things, vendor lock-in they don't really care about it.

Yadin Porter De Leon (10:42):

I like that. Move fast, that'll be like the tagline for the episode, move fast and don't break things.

Ashish Kakran (10:47):

If you're a cybersecurity expert, you cannot afford to break things. Vendor lock-in is one key issue. The second one is, and sometimes it's talked about, is data gravity. Wherever your data lives, your ecosystem, workflows, your applications develop around it. If you have committed to one particular cloud, it will be very hard for you to move your data. Multi-cloud strategy basically helps you there because it makes that transition easier. For example, Snowflake is a company that initially really took off because of their multi-cloud support. Individual hyperscalers are not incentivized to make it easy for you to move your applications and data around.

Ashish Kakran (11:24):

The third reason really is resilience. If Amazon East goes down, your application is down or slow the revenue impact is immediate. You're going to see customer churn. You want some kind of backup, and that's where having a multi-cloud strategy really helps you because you can effectively deal with outages and have your backup and recovery plans in place.

Yadin Porter De Leon (11:47):

What really gets me interested in that conversation is you want to have a backup. You want to have another cloud. You want to be able to either fail over or have multiple availability zones. How hard is it, especially from a security standpoint, from a logistics standpoint to have those multi clouds work together and to be seamless? Is it apps in one cloud and other apps in another cloud, or is it apps across multiple clouds? Where are you seeing success there?

Ashish Kakran (12:13):

Yeah, absolutely. It is challenging. Having a multi-cloud strategy-

Yadin Porter De Leon (12:18):

These aren't easy problems. We're going to solve them today, Ashish. We're going to get this done.

Ashish Kakran (12:23):

We think about these issues a lot and our investments are an outcome of this process. When you think about multi-cloud, you may have an application that's broken down in multi-tier application. You may have your model view and controller, or you may have your application that talks to a database, which is kind of serving some kind of API, so multiple architectures are possible. You want to basically design it for failover, resilience and get cost benefit.

Ashish Kakran (12:50):

Now, when you actually operationalize it's challenging because each cloud has its own complexity, its own type of instances it can be running, its own compliance and regulation that it comes with. It has its own bells and whistles. So if you as a software developer or as a key decision maker start designing applications it's challenging. If you want to build your CI/CD pipeline end-to-end, which is one that basically helps you accelerate your code delivery and delight your customers, it is going to be challenging.

Ashish Kakran (13:20):

That's where tools like Harness, which is one of the companies that we have invested in, make it really easy for you. The way it works is you basically start with your CI or CD module. You drop it into the application and the tools basically handle all of the underlying complexity. So you, as an end user, do not have to worry much about knowing the individual way the different clouds work. That complexity is abstracted, and now you can basically easily move your workloads around. So start with CI, move to CD.

Ashish Kakran (13:48):

Then along the way you can keep adding modules. That could be your security module to make sure you're not introducing new vulnerabilities. Chaos Engineering is another module that you can add to make sure that your application, when something goes down can recover. Chaos Engineering is a term that was made really popular by Netflix, where intentionally you take part of your infrastructure down-

Yadin Porter De Leon (14:08):

That freaked a lot of people out. They're like, wait a minute, we want to break stuff on purpose? Things like Chaos Monkey and other things sort of came up here where you just throw something in your infrastructure and it shows it where it could break, but it also shows how when it breaks, it fixes itself. I mean it's a fascinating model. This all seems very focused on the developer experience, and does that remove a lot of the onus on the operations where you say, okay... because ultimately you just want to remove all the complexity away from developers, people who write code just want to write code.

Yadin Porter De Leon (14:41):

Ultimately we're talking about to deliver value, like you said the customer is the center of everything. We have a multi-cloud strategy, we've got a secure CI/CD pipeline component so that developers can just delight customers and ideas can go from ideas to the market in half the time or 10X faster, or however you're able to construct that too. I think what's really the opportunity here, and you can give me your perspective on this; is this something that's just attainable for all companies, should all companies be looking at this and it should be like, no, this is going to be a competitive differentiator where you take all the things that the hyperscalers do and the management and security pieces outsource that because that's not core to your business? Your core to your business is your ideas or taking advantage of new regulation or getting new sales opportunities into the market. Do you see companies shifting to that, and do you see multi-cloud just being more dominant in the future?

Ashish Kakran (15:34):

Absolutely. I would say organizations of all sizes can benefit from this kind of strategy. It's not just developers that are part of the puzzle now. You also have your DevOps engineers. I think it's important to have this conversation. When you think about DevOps, it's not just technology, it's also culture. It's also the way different teams work together. Developers want to write code, but once the code is written, it has to be tested. You have to deploy it in a certain way so that infrastructure can manage it, can scale with it. Then you have to keep testing it in production for deviation in performance. You have to have observability, logging, tracing, monitoring. If you have developers and you're writing code, and if you leave them to manage all of that complexity, you're going to have problems.

Yadin Porter De Leon (16:20):

That's not a good developer experience.

Ashish Kakran (16:22):

Right, so if you have DevOps engineers working hand in hand with these developers, think of kind of agile teams, like two pizza teams, like four or five developers working with two to three DevOps engineers working hand to hand-

Yadin Porter De Leon (16:33):

Like you said, two pizza teams, not just one pizza. There needs to be two pizzas there, two teams working together.

Ashish Kakran (16:39):

There are multiple different ways you can structure your teams to make sure that DevOps is actually successful. If you don't have this holistic view, there might be issues. When you have kind of Dev and Ops working together, that's when the magic happens. I would also draw a parallel between infrastructure and data as well because same problem happens in data. When we talk about MLOps, for example, data scientists want to do their modeling. They want to create models, which are high accuracy, low false positive, low false negative, but I think it ends there. They don't care about shipping it to production. They don't care about monitoring it, and that's where you need your AI engineer, Ops engineer. So Ops piece I think is now... The impact is kind of magnified when they work closely hand in hand with developers.

Yadin Porter De Leon (17:26):

What I think really fascinates me is that the component you're leaning into it right now, which is we're talking about, there's a purpose to all this multi-cloud, DevOps, DevSecOps security, all this stuff has a purpose, and that is delighting your customers. The pieces of that I think that you can take advantage of, these hyperscalers or this multi-cloud environment you kind of touched on which is, we're running code, but there's also opportunity for that AI ML to inform, or to build or train these models so that you can get more insights out of the data that you're talking about being housed in the cloud. You can create better experience for your customers. Since we're kind of moving to that area, can you describe how now that we've got this secure multi-cloud CI/CD pipeline great we want to get these ideas out, but how do we get better ideas out and how does AI and ML help increase that sort of delightful customer experience that ultimately is that goal?

Ashish Kakran (18:19):

When we really focus on customers, the reason is today applications don't just support the business. Your application is the business. If your eCommerce app is down-

Yadin Porter De Leon (18:29):

I love that. That's a great perspective.

Ashish Kakran (18:31):

You're basically not working technology out. You're working use case in, so you don't start with I'm going to have a multi-cloud, secure hybrid cloud strategy. You start with, where are my customers located? How can I best serve them? Then you work backwards from that. As a result of that, maybe multi-cloud is not the best strategy if your users are located in a particular region who are basically subject to a particular type of compliance. Now, when we take that further and add data to the complexity... So data is massive, right? It's exploding across volume, velocity and variety. By the way, we talked about the same three things when the Hadoop innovation happened a few years ago, there are a few ways.

Ashish Kakran (19:13):

Then one of the questions could be is it the old wine in the new bottle? Well, I would push back against that a little bit because today the innovation is coming because of the move to the cloud. Organizations are now okay with keeping their data, which was traditionally kept in your private data centers locked somewhere with limited authentication or authorization to different entities; now you're okay with moving into the cloud. Well, as soon as you move data to the cloud, think about you have massive scale, massive compute and storage available. Now you can use data to your advantage.

Ashish Kakran (19:45):

How do you do that? I'll give you a few specific examples. Oil fields, for example, you may have a particular hardware sensor at each oil well which basically tracks multiple metrics like your humidity, temperature, which is very, very expensive if you have a massive oil field with a few thousand oil wells; or you can virtualize all of that and have a virtual meter, which basically takes your historical data from multiple actual physical meters. Now you can start creating prediction, and as soon as there is an anomaly you generate an alert. Same thing in testing of planes, whether it's large companies like Boeing and others, and in pure software as well, if you're an e-commerce player like eBay and others, what kind of recommendations are you generating? Where is an ad showing up on the dashboard? All of that is kind of being decided real time today.

Ashish Kakran (20:34):

There's a lot of historical analysis and there is a lot of predictive analysis. When you have this massive of data, the same things that you kind of solve for cloud with DevOps, now you're kind of starting to solve with MLOps.

Yadin Porter De Leon (20:45):

I like that, MLOps. So Machine Learning Ops, that's the new DevSecOps is now MLOps. Is that a two pizza thing or is that one pizza?

Ashish Kakran (20:52):

It is a two pizza thing and there are new team structures evolving, and we can talk about that. Really what I'm trying to say is DevOps really made cloud adoption possible. Like a decade ago there were questions whether cloud is real. Am I okay with letting go of some of the controls that I have when I'm managing my own on-prem infrastructure and DevOps really made it possible for you to successfully adopt cloud and move your application to the cloud, whether that's lift or shift or whether it's creation of new applications on the cloud.

Ashish Kakran (21:20):

Today organizations are struggling with operationalizing machine learning. There was a number that I saw from Gartner, less than 50% of models that are successfully running on a data scientist machine actually make it to production and MLOps is going to make it possible for you to move those to production and successfully incorporate machine learning, deep learning in your application. It's a fundamental shift, and while right now it might seem a little wild wild west we think some great companies will be created in this category.

Yadin Porter De Leon (21:51):

So what are you talking about? How there's an opportunity there for... You think you've got the technology there, you think you have it in place, you've got a working model and you said only was it half actually make it into production? That's a massive opportunity, really, it's sort of a lost opportunity where you're losing a whole bunch of good predictive, decision-making information turned into knowledge to actually make real decisions with. That then is being left on the table in part because, probably what gets me really excited is talking about that way that you organize teams to be able to actually accommodate and to execute and to operationalize a lot of these things. I think that's a lot of the missing pieces of some conversations because technology moves really, really fast. There's a framework where technology moves much faster than cultural technology. Our cultural technology, which is the ways, the habits we have, the way we're formed, the way we're organized, the way we're incentivized, all those different pieces have to keep pace in order to actually execute and deliver on the value of these technology pieces.

Yadin Porter De Leon (22:55):

You've touched on this a few times, how do organizations really need to, and so those listening to this, what do they really need to start thinking about when they're working from that customer experience backwards to the technology? Then they're thinking about, okay, I'm going to do this transformation, but how do I transform the people that are going to be doing this transformation? How do I make sure the cultural technology keeps up with the other technology that I'm implementing? I would love to get your perspectives on how technology leaders really need to make sure that culture technology keeps pace.

Ashish Kakran (23:28):

That's a great question and great segue into this discussion about culture. Let's start with maybe traditional selling. The way it worked was very top down. As a vendor, I would reach out to your top decision makers and somehow after spending two to three months get a meeting with your CIO, sign the deal. Then an email goes out. There is some training for my employees. Then at the end of the year, adoption is low and there is churn. That used to be the model back in the day.

Ashish Kakran (23:56):

Today, organizations are enabling their developers to basically make their own decisions. What they do today is they sign up for self-service trial, free trial, and then the tool starts expanding inside the organization. One team adopts it, then another and lo and behold, all of a sudden, most of your organizations are using the standardizing around the same kind of CI or CD tool or DevOps, DevSecOps tool.

Ashish Kakran (24:19):

As a CIO or as a vendor, now you meet somewhere in the middle. First, there is a bottoms up kind of adoption, developer led like maybe there's open source, maybe there's a freemium model. Then once you have delivered kind of critical features and value to the enterprise, now you can start having reasonable conversations top down. Really it's a cultural shift where your developers are enabled to do their own testing experiment with new tools and pick the best of breed. That's the main thing, you want the best of breed, whether it's CI, CD, or what kind of cloud; maybe one cloud is heavily optimized for your data, one is heavily optimized for compute in a particular region. Those are some of the questions that people on the ground have the best visibility into.

Ashish Kakran (25:08):

Then by enabling them, maybe you create separate infrastructure like two to three months POC, where you provide them with some data which may be a replica of your existing data, but they can run their tests. They can do machine learning training on top of those, that particular infrastructure; they can run their security test and once all goes well, now you can have a meaningful conversation with the vendor.

Ashish Kakran (25:31):

Taking it a step forward when we look at the team structures, you have to have the optimal team structure because just technology is not going to solve your problem.

Yadin Porter De Leon (25:40):

Exactly. I think that's missed sometimes in the conversation. It's like, well it's new technology but we need a new mindset and a new team structure.

Ashish Kakran (25:46):

You need a new mindset for these initiatives to be successful. Otherwise, we are looking at unfortunate failures and lost opportunity. When it comes to data, for example, there's a new team that is evolving, which is the central platform team, which is made of data engineers. A lot of these engineers basically deal with your data warehouses, data lakes, lakehouses all of those tools that touch the data, but your end users, who are the consumers of that data whether it's your product teams, whether it's your sales and marketing teams, they don't really care about. Then that platform team that interacts with either the [inaudible 00:26:22] team if you're talking about the historical analysis, really understanding what happened with our customers, where is the churn coming from; or they're serving the data science teams and these are core PhDs who have deep expertise in building the best performing machine learning models that can scale. Then that data and those ML models then get fed into your product to efficiently serve your customers.

Ashish Kakran (26:43):

When it comes to enabling these teams, the budgeting becomes important as well. By enabling your let's say sales team to hire a data scientist, to solve problems just for the sales and a sales team. Then that team that works with your central platform team, which basically reports to your Chief Data Officer or CIO, they have their own budget. This is how you can create an optimal structure, so every team is empowered. There is no blocker in communication and collaboration between different teams. When you have an organizational structure like that, I think technology adoption becomes easier because individuals are empowered to make those decisions.

Yadin Porter De Leon (27:25):

In addition to being empowered, which I think is great because that's one I think critical part so you're not like you saying, create blockers; where would you say shared goals, metrics and KPIs would start to fit in? Where when teams start to share the same metrics like, "Hey look at, I don't have my different QBRs and my different slides are in different metrics", and we're now competing against each other because we're optimizing to make sure those metrics go up, do you see a place where if those metrics and KPIs are shared between teams, now you have aligned incentives and you have people really working together on things because they're both basically in the same boat?

Ashish Kakran (28:02):

Absolutely. There are some standard KPIs emerging. When you think about DevOps, for example, there is a term called DORA metrics, which is basically mean time to resolution. How quickly can your system come up and running if it is down or slow, your time to delivery, time to value. Those are the three or four core metrics. Again, I'll go back to the customer delight part. Start with the net promoter score. Are your customers talking positively about your products and telling others to go check out whatever you're doing? If your NPS score is high or low and trending positive over time, you're doing something right. That could be a starting point. Then you optimize for individual teams and their KPIs.

Yadin Porter De Leon (28:42):

No, I think that's fantastic. Teams that are usually just building and testing and optimizing, if they're now tying what they're doing to an actual score that represents how well these customers are receiving the products, I think that's just fabulous. Then that changes the way that they optimize for the inputs that then ultimately result in that score. I think that's a fantastic way to connect those two.

Ashish Kakran (29:07):

Absolutely. I think if your customers are happy, they're delighted. You have advantage over anyone else. After that, I think technology can be an afterthought in a way. If your customers are happy, you don't need to change your strategy, whatever works for your customers. If they're excited, they are renewing their contracts. I think you're in good shape unless something really fundamental changes in the technology in two to three years down the line. That's something the key decision makers have to be really aware of, like our conversations with the CIOs really their focus is, "Hey, I don't want to invest millions of dollars on a tool that may be redundant in the next two to three years. I want to see what's coming down the pipe. What are the latest innovations in technology?"

Yadin Porter De Leon (29:51):

I think that's actually a really great point to dive into because when you're talking to a CIO and they're like, "I don't want to spend X millions of dollars on this particular tool." There's also the conversation of, "I don't want to spend X time and energy and resources reorganizing my team to execute around a particular technology." If I don't maybe have full visibility, confidence, there's that hesitance as well. We can talk through why a technology leader is hesitant to reorganize a team, because it sounds great. Great, we're going to have two pizzas or we're going to have these teams have shared KPIs and we're going to reorganize this and we're going to transform the way that culture works and incentives are worked.

Yadin Porter De Leon (30:32):

There's risk. First you start saying reorganize there's risk involved and that's risk with the technology may be shifting, that's risk with the team skills maybe not aligning. What are your conversations with executives around that risk of, "yeah, I know you're telling me, I have to reorganize and do all these things, but I'm hesitant because of these reasons"? What are those headwinds that you're seeing that are stopping companies from doing it?

Ashish Kakran (30:56):

Let's talk about the CIOs themselves. You'll see a few CIOs who are basically open to using the cutting edge, latest and greatest kind of technologies. They are open to taking risk and they have kept part of their budgets assigned to spend on latest and greatest technologies in startups. Then there are some who focus on basically check boxes where innovation is an afterthought, and it's more like I want to make sure my applications are up and running, my infrastructure and workflows they are not massively disrupted by something that I'm doing. What we have seen is over time the careers of CIOs and CSOs who make bets on early stage companies that really take off, their careers grow with them. Those are the transformational leaders and they are basically leading the cutting edge technology companies that you see out there today.

Ashish Kakran (31:45):

I'll give you one specific example. Same thing is happening even in financial services industry. Traditionally we know low risk infrastructure is really ancient-

Yadin Porter De Leon (31:56):

Moves slow and don't break things.

Ashish Kakran (32:01):

I directly experience it because I used to be a software developer. We built and shipped an application a long time ago to Federal Bank and their feedback was well, "the app doesn't work" and we're like, "Well, we have tested it on all versions of the browser everywhere. It works fine." We learned they were using Internet Explorer Six. Now we had to go back and re-architect the application, made it work. Even there this change is happening because it's basically the situation is transform or die in many, many of these cases. If you look at Capital One cloud first, entirely on cloud.

Ashish Kakran (32:34):

If you look at some of the larger players and I wouldn't like to name names here, but in one case, they spent a few years, millions of dollars to operationalize machine learning. Then they hire a new head of AI, and in a matter of six to nine months, it's in production because they're using cloud. Certainly it's a mindset shift for the organization. The hesitance basically got out of the way because of the value that you see in delighting your customers and moving fast. Yes, there can be some hesitance because when you're leading your organization, which is like 3,000, 5,000 people strong, change can be hard to execute, but we have seen the best ones are kind of early adopters of cutting edge technologies. When they see the value, whether it's in terms of delivery, cost or more efficient kind of workforce; those conversations are relatively easier about change at that point.

Yadin Porter De Leon (33:29):

Yeah, I know because you have to convince those from the Board all the way down that, "Hey, this change is going to be accretive. It's going to be valuable for long term." Those are tough conversations to have. One of the key things is that a lot of executives across the board, not just technology leaders, is communication is so incredibly critical and being able to tell effective stories and being able to describe the value of something from a business perspective when you're asking people who can't even really wrap their head around, they can't spell Kubernetes, but they're going to write you a really big check. You're going to convince them that this is going to be what's going to delight the customers and make you guys the next billion dollars. I imagine that's tough, but being able to tell those powerful stories and convince people is one of those key critical things.

Ashish Kakran (34:16):

I'll actually add a little bit here because Boards are now kind of coming down heavily on CSOs. Simple question, are we more secure than last year? It's a very hard thing to answer that is because my infrastructure has changed. My team has changed. How do I answer that question? Now I need all of these tools that basically collect metrics from other security tools that I'm using so that there is some dashboard which shows last year to this year, there is some positive trending thing that is going on that CSOs now have a seat at the table.

Yadin Porter De Leon (34:46):

It's not like you just flip a bit where it's like there's that one line of code where it's like secure equals yes and then you're done, great. That's my line. I see it. Did you see, it says secure equals yes here? That's secure. That's interesting that you pointed out though that CSOs have a seat at the table because it's tough because a lot of times they'll look at this as insurance policies. Great. We want to be able to get this halftime to market for applications and beat out the competition because we want to be able to delight our customers and be faster, but we want to do it secure. It's like, okay, how secure?

Yadin Porter De Leon (35:21):

Almost then it starts to be like, great, we're doing multi-cloud, we're doing all this great stuff, but how secure can we be? Do we have to be, can we get away with? I think that sounds like that's a dangerous mindset to be in sort that gray area or that sliding scale of security versus agility. It seems like more and more it seems to be that it's a false trade off. The companies don't need to think about slowing down and being secure or slowing down to be secure. Is that the way you're seeing it happen now? Then there's been a shift. Is that shift or is there still something there to that?

Ashish Kakran (35:57):

I think that trade off does exist. For example, if your developers want to spin up a Kubernetes cluster, do we enable them to do that or do they need to wait for the right permissions from the right security teams before they're even able to spin up some cluster somewhere in the cloud?

Yadin Porter De Leon (36:11):

I know they just want to spin it up. They just want to swipe a card and spin up the cluster and say, "look it, we made this work".

Ashish Kakran (36:19):

As a security leader, really like you want... I was recently listening to a podcast and it basically talked about how security should be thought of as a profit center and not as a cost center.

Yadin Porter De Leon (36:30):

Oh, I like that. I think that everyone wants to figure out how to do that. How do leaders do that? How will they turn security into a profit center?

Ashish Kakran (36:38):

Right? I think the first question that this CSO leader and is a good friend of mine, the ex-CSO of Levi's. His first question to any vendor is basically don't sell me your product. Don't sell me what you do. Tell me how are you going to help me sell more jeans? And then the conversation just completely changes.

Yadin Porter De Leon (36:56):

A lot of people scratch their heads at first. They're like, "Oh, jeans. We don't know how to sell jeans."

Ashish Kakran (37:02):

It's a mindset shift. I think security leaders are innovative. CSOs, CIOs are innovative. We are seeing just as the infrastructure on the technology side is changing, they are also rapidly adapting to make sure that their workforce is able to handle all of that complexity.

Yadin Porter De Leon (37:20):

All right. One of those things that I think we covered, we have a section where we talk about the Board and I think we've already covered that, what do you think is working right now that companies really need to invest more and they need to lean in more? What do they need to stop doing so that they can achieve a lot of the stuff that multi-cloud, AI/ML, Agility, CI/CD, DevSecOps to realize all of that; what should they start doing or keep doing, or what should they stop?

Ashish Kakran (37:48):

I would say in terms of keep doing the first one is open source. I think we are big believers in open source because when a community comes together, it's a really sticky kind of product that you can create the value that you deliver to your enterprises. It grows significantly with the community adoption. There might be some hesitance in using open source technology, but I think when used correctly, when you put the security controls in place, it can be an enabler for your company as you build and ship products to your customers.

Yadin Porter De Leon (38:19):

Sorry, just to be clear, is that rolling your own and running open source or is that having somebody else run that open source for you?

Ashish Kakran (38:26):

Great question. I would say a combination of both. You want to be a contributor to an open source community. You don't have to open source your own [inaudible 00:38:34] projects, but if there is an open source project that you're adopting give back. I think community appreciates and accepts that, and then it acts as a magnifier for your organization. Open source, I think is a key enabler. If you have questions about it, I think that mindset needs to be changed because developers that basically shifted towards this now, they use open source libraries, they hack into those. They forward them and create their own products to delight their customers. So that's one.

Ashish Kakran (39:03):

The second one I would say is shifting left, which is the shared model of security. So that at every step of creation of the software, you're thinking about security and security is not an afterthought. Now you're thinking about your engineers, your DevOps engineers, and security practitioners working in collaboration in a continuous DevOps loop so that you are not shocked at the end of the release cycle. Oh, something went wrong. You are basically testing for those vulnerabilities at each step of the process when your code is getting built.

Ashish Kakran (39:33):

Finally, I would say the DevOps CI/CD is a secular trend. It gives you advantage long term. If you can ship code that delights your customer multiple times a day, you're already ahead of your customer. If you haven't invested in that already, which I think that number is pretty small. Either organizations are already on that train, or they're experimenting as we speak right now. Those are the two or three things I think that can really help organizations stay ahead of the competition and delight the customers.

Yadin Porter De Leon (40:03):

To finalize it, is there anything that you're saying that people should just stop doing? They're like, "They're doing this, you need to stop." Whether that's Waterfall or mainframes, all of the things, but seriously where are the key things that are continuing to be entrenched that you feel like really need to stop being a part of the way they're organized?

Ashish Kakran (40:22):

Yeah. It's great that you point out Waterfall, because I don't see a lot of Waterfall anymore.

Yadin Porter De Leon (40:27):

That's good.

Ashish Kakran (40:28):

It may be because of sampling bias because of the type of companies and people we speak with. Yes, if you are using Waterfall, if at the end of this massive software development cycle, if you're not taking inputs from your customers at a regular cadence, I think that mindset needs to change. I would highly recommend Agile kind of DevOps way of building software.

Yadin Porter De Leon (40:48):

Some people fall into the Agile fall category. They feel like they're being Agile, but really it's like you said, they're not taking those inputs throughout that process, and then they're ending up with something that's not quite what they think. They're just increasing their backlog at an exponential rate.

Ashish Kakran (41:04):

Oh my God. Yeah. You don't want to do that. You don't want to not do Waterfall or not do Agile properly either. I see organizations do some version of a combination of those two and that's a recipe for disaster in some of these situations. I would say if you are doing Agile, do it right, go all in, build your DevOps team, design your culture around it so that you can ship with confidence with minimum vulnerabilities. Security it will never be like a situation of a hundred percent secure. I think you're more worried about if there's a breach that happens how can I quickly get back up and running? That could be an interesting mindset when you are shipping code.

Yadin Porter De Leon (41:42):

Well, Ashish it's just been fantastic talking with you today, give the listeners the understanding of where can they find you? Where can they hear more about you, what you're doing and where they can reach out to you at?

Ashish Kakran (41:52):

Yeah, absolutely. So, like I said, I'm an investor at Thomvest Ventures. I love working with technical founders who are solving key problems in cybersecurity, cloud and data infrastructure. We have been fortunate to have backed category-defining companies like Harness Clarity. More recently, I invested in companies like Opaque, which is in the confidential computing space that makes it really easy for you to do machine learning analytics on top of encrypted data. Isovalent is another one of our companies, which is basically disrupting the distributed networking market. It's bringing together networking, observability and security. Most of these companies have some notion of open source.

Ashish Kakran (42:31):

If you are building something amazing or even if not, you're in the brainstorming phase, feel free to reach out to me over LinkedIn, I'm easily accessible. I try to be very, very responsive to founders because I've been in your shoes. I understand how hard it is to build a company. I can empathize with the challenges that you're facing and I'll try to be responsive when you reach out.

Yadin Porter De Leon (42:50):

Excellent. Well Ashish, thank you for joining the CIO Exchange Podcast.

Ashish Kakran (42:53):

Thanks so much for having me Yadin.

Yadin Porter De Leon (42:55):

Thank you for listening to this latest episode. Please consider subscribing to the show on Apple Podcasts, Spotify, or wherever you get your podcasts and for more insights from technology leaders, as well as global research on key topics, visit