CIO Exchange Podcast

The Challenge of Cloud Compliance and Security - Guest: Hillery Hunter, GM and CTO at IBM Cloud

Episode Summary

Hillery Hunter is the GM of Industry Clouds and Solutions and CTO at IBM Cloud. In this episode, she speaks about the challenges of compliance and security, as well as her vision for protecting sensitive data in the cloud.

Episode Notes

Understanding the use of cloud, its context, and how things are quickly changing is top of mind for many companies today. Safety of information and management of risks are paramount when trying to keep up with the changes, while also making sure to not slow down important and necessary workflows. When it comes to compliance and security, Hillery Hunter has visibility across the challenges and success of some of the largest companies across multiple industries.

In this episode, we interview the GM of Industry Clouds and Solutions and CTO at IBM Cloud to learn more about storing sensitive data in the cloud. Hillery explains how radical cloud models can work to your advantage, including co-design and approaching compliance as a group. During the discussion, she names some challenges of cloud adoption, then describes how to overcome those barriers. Hillery also describes the best cloud adoption practices she’s seen over the course of her career, and why these transformations are so important to the success of a business.

---------

Key Quotes:

“It's not just whether or not somebody has a cloud certification, right? It's the context in which they're doing their work and it's the skills of the CISO organization, it's the skill of the risk management organization, et cetera, in understanding the cloud context and how all those things are changing and have to be measured differently as well.”

“Make sure that public cloud is an appropriate landing place even for the most sensitive data. It is possible to take this security and compliance and put it into structured programs and ways of protecting things on the cloud. So that all of these inherent barriers to adoption can be overcome.”

“When the metric is too narrow, and placed only on the IT organization for the outcomes of a cloud migration, you miss the opportunity to be talking about end to end value creation… When you're doing that, then everyone understands that the cloud migration and digital transformation is in service of a higher level objective, and it's not just trying to save money on the HR system or something else like that.”

“When you make a public cloud choice, industry cloud contextualizes the requirements of that industry. It includes things like security and compliance, and enables the public cloud to be a safe enough and compliant enough place for you to grab other content that lives there. It also allows you to move your data there and trust that you are still upholding your responsibilities.”

---------

Time stamps:

2:00 Barriers to cloud adoption

3:00 Managing security and controls

4:50 Cloud migration pitfalls

5:20 Cloud adoption can be transformative

7:30 Committees can lead a successful cloud deployment

9:50 Creating an objective for cloud adoption

11:20 Making the cloud a safe space for data

13:20 Dealing with disruptors

15:15 Exploring what’s available in cloud

17:00 Establishing trust in the industry

19:40 Taking it to the board

20:40 Future opportunities for cloud

---------

Links:

Hillery Hunter on LinkedIn: https://www.linkedin.com/in/hillery-hunter-97962a14/

CIO Exchange on Twitter: https://twitter.com/vmwcioexchange
Yadin Porter de León on Twitter: https://twitter.com/porterdeleon 

[Subscribe to the Podcast] 
On Apple Podcast: https://podcasts.apple.com/us/podcast/cio-exchange-podcast/id1498290907 
For more podcasts, video and in-depth research go to https://www.vmware.com/cio

---------

Keywords: 

cio, cio exchange, VMware, innovation, leadership, DevOps, Developer, operations, IT, information technology, business, technology, cto, cloud, public cloud, privacy, security, cloud adoption

Episode Transcription

Hillery Hunter (00:01):

Make sure that public cloud is an appropriate landing place even for the most sensitive data. It is possible to take this security and compliance and put it into structured programs and ways of protecting things on the cloud so that all of these inherent barriers to adoption can be overcome.

Yadin Porter de Leon (00:18):

Welcome to the CIO Exchange Podcast where we talk about what's working, what's not, and what's next. I'm Yadin Porter de Leon. Securing data and workloads across cloud environments and maintaining compliance across geographies has been one of the top challenges for technology leaders. Safety of information and management of risks are paramount when trying to keep up with the changes while also making sure to not slow down the business or miss new opportunities. When it comes to compliance and security, Hillery Hunter has visibility across the challenges and successes of some of the largest companies across multiple industries. In this episode we talk with Hillery, who is the GM of Industry Clouds and Solutions and CTO at IBM Cloud, to learn more about storing sensitive data in the cloud. Hillery explains how radical cloud models can work to your advantage, including co-designing and approaching compliance as a group across teams.

(01:12):

During the discussion, she names some challenges of cloud adoption then describes how to overcome those barriers. Hillery also describes the best cloud adoption practices she's seen over the course of her career and why these transformations are so important to the success of the business. Hillery, you have a lot of conversations with technology leaders across industries, across companies. How has compliance and security been perceived as a real challenge for companies when it comes to cloud adoption, multi-cloud adoption, that journey is seen different for everyone. How are you seeing technology leaders struggle with these?

Hillery Hunter (01:45):

It's interesting and in some ways it's always great to get data behind these things because I never want the particular conversations I have with folks to cloud my judgment too much. We just released a cloud transformation index and in that we surveyed hundreds of leaders globally and the top thing that was cited as a barrier in cloud adoption and really digital transformation overall was actually security and security and compliance, followed shortly by management of complex environments. And when you think about management of complex environments, a lot of that really is about compliance as well, ensuring consistency of operations and such. And the data that we've been looking at recently as well as the client conversations I'm in, all suggest that when you go to cloud, a lot changes. People have different responsibilities suddenly.

Yadin Porter de Leon (02:33):

It's not just a technology shift, it's a cultural shift, it's a team shift, it's an organizational shift. And also the leaders have to change as well. This is not just a shift in okay, "Everyone has to do I think different, but my leadership style is going to stay the same. My perspective is going to stay." All that stuff has to evolve with that transition.

Hillery Hunter (02:48):

It's a difference, for example, that network engineering might own firewall setup on premises, but in the cloud a bunch of stuff gets deployed with scripts and suddenly you have virtual appliances for things and virtual private clouds are set up via Terraform and there's no network engineer involved. And security and controls can be complex to manage and can be a concern simply even because it's different people in the organization. You don't know necessarily whether or not they understand your security rules. They've never had to worry about it in development before.

Yadin Porter de Leon (03:19):

Exactly. I think that's a fantastic point and I think I want to just pull on that a little bit because I think that's one thing that might get missed then in that conversation is that same people are not going to be responsible for the same things. I love that the fact you talked about the survey you did because a lot of the survey results say and I'm involved with too is talent is a really key component of that. And do you feel like that may get lost in the really beautiful PowerPoints that leaders show when they say what the transformations they're going to do, there may be a gap in their understanding of how to approach transforming teams, transforming organizations?

Hillery Hunter (03:50):

I think there's a responsibility on leaders to recognize that it's not just how many headcount do I need that have a cloud certification, but how do the processes in my organization interact so that those skills can actually do their jobs? It's also skills in the sense of how people interact and how organizations are running processes. How do you even approve the security for the cloud? How do you monitor it? Et cetera. It's not just whether or not somebody has a cloud certification, it's the context in which they're doing their work and it's the skills of the CISO organization, it's the skill of the risk management organization, et cetera in understanding the cloud context and how all those things are changing and have to be measured differently as well.

Yadin Porter de Leon (04:29):

I love the fact that interaction is one of the key parts of what you just talked about because having teams and there's the whole DevSecOps conversation, there's the combined teams, there's integration, there's teams sharing metrics and sharing goals and integrating better. There's a thing where at the top of the conversation we talk about how compliance and security have been perceived as a challenge, but I think maybe what's missed in the way that, and even I set that question up is what does that mean security compliance as a challenge? Is that not necessarily a technology, we don't have the right tool sets. What you're describing Hillery, is that we haven't approached the problem of compliance and security in a way that whether we don't have the tribal knowledge, we don't necessarily have the talent.

(05:11):

It's not about how many headcount with certifications, it's about how the team works together. It's about those understanding the new environments and having an on-ramp for those maybe who need to be up-leveled, who need skills, who need certifications and also need to be onboarded into that cultural shift. What approaches are you seeing that companies are having when it comes to shifting that mindset of not just the organization and team but also themselves? Because a lot of the barriers are created by leadership because they're doing the same thing in the same way and maybe give me perspective on how some companies are doing it right.

Hillery Hunter (05:43):

Let me give you maybe two bookends if I may. But the one end of the challenge of this, just to articulate why it's a challenge where I've seen an organization that executed cloud migration and then security and compliance were checks that came in after environments were stood up and development had been done. That almost always results in security and compliance being put in a place of saying, "Nope." And then the risk teams say, "Nope, too risky, don't do it." And that's a terrible experience for everyone involved because the developers, the infrastructure of the IT department, they all feel like their time was wasted and they're going to have to go back and rip things up to get the security right, get the compliance right in the new context of the cloud.

(06:24):

That's one bookend and I see that in a lot of organizations one signal is many fewer apps migrated to cloud than you expected. There are other causes of that. But that late stage integration of security and compliance and having it be a check at the end is one of the causes sometimes of why things move more slowly.

Yadin Porter de Leon (06:43):

It seems like it should be a problem that has been solved. Because everyone talks about why is security always at the end? And people talk about how security needs to be integrated, security is going to be intrinsic and then you realize you still are set up with a lot of the same processes and procedures throughout companies and security's still a bolt-on. It's interesting that that's still an entrenched issue in companies and I know that's one end of the two bookends you were going to be talking about.

Hillery Hunter (07:05):

I think it's okay, I don't mean to totally smear that style in the sense of it's okay in a mature organization. If the processes and the tooling and everything are built in and you're just checking that everyone did what they were supposed to do, it's an okay way to run things because security is imbued from the beginning into what's happening. But the cloud conversation is often transformational. It's new, a lot of things have changed and so that model can then become a bottleneck. I think maybe my two favorite examples of where I've seen organizations do somewhat more radical models. One is an organization that I've talked to that has taken their risk and security people and embeds them with developers on day one of their sprint.

(07:45):

Before, for example, a three-week sprint process security and compliance is sitting there with them during the definition of that sprint every three weeks and those teams rotate around actually. The sprints are staggered out through the days. One set of security and compliance people can handle five teams for example and they co-design. And that's a radical version of co-design of security and compliance when you're trying to do something completely new.

Yadin Porter de Leon (08:10):

That's interesting because a lot of the times when you talk about product design too, like in Apple, a lot of people who started in the early days of Apple talk about how all these people from different disciplines got together and designed together. And I thought that was really interesting because that was so well studied and it was so well articulated and shared but you still don't see it repeated even though it has just phenomenal results and the people talk about how rich the experience was and it's all engagement and retention and talent productivity are just really wonderful outputs. But what's stopping people from doing that more? Why aren't people following the footsteps of those who do that that way?

Hillery Hunter (08:41):

Let me describe the second best practice that came to my mind because I think it answers this question. The second best practice that I've seen is where cloud transformation and move to cloud is not the responsibility of a cloud transformation leader or of an IT leader. It's actually a committee. And at the top, at the C-suite and just underneath it there's a committee that literally includes the IT practice, the applications, the information security people, the compliance people and the risk team. And when that type of leadership is sitting there feeling joint accountability for the number of workloads that are migrated to cloud and the successful deployments, I think that can enable those underneath to then start to think about actually different ways of even running development and sprints. Those are two different organizations I was referring to, but I do think the permissioning of being able to run development and do that type of integration, it does probably start with the leadership.

Yadin Porter de Leon (09:32):

That's an excellent point too. And also too, maybe there's some words of caution that you might have for those who are putting those communities together or center of excellence or whatever that happens to be of digital transformation and then all these people are going to get together, they're not going to agree on anything and everything's going to just grind to a halt. What would you say to those who have experienced firsthand those types of committees that have not enhanced in a process or with a north star that could get them headed in the right direction?

Hillery Hunter (09:57):

I got to partner recently with the IBM Institute for Business Value, what we call IBV, and we were studying this topic around ROI, and how do you get a larger organization to really understand the value? But the conclusion from that study that we published recently really is that you have to take a step up above the IT metrics and not burden the IT organization with, "The cost savings of going to cloud," for example. But it's where the metric is too narrow and placed only on the IT organization for the outcomes of a cloud migration, you miss the opportunity to be talking about end-to-end value creation, the time that it takes to go from concept for a new product to the time that that's generating cash with customers. Let's look at it that level. And then how does the cloud bring fundamental change to our processes and methodologies and such?

(10:43):

And at that level you're having a business conversation around value creation, value generation, and you have metrics actually that are shared between the line of business and the IT folks. When you're doing that, then everyone understands that the cloud migration and digital transformation is in service of a higher level objective and it's not just trying to save money on the HR system or something else like that.

Yadin Porter de Leon (11:03):

You're touching, Hillery, on the power of storytelling. And I was talking to Rob Carter, CIO of FedEx, about how powerful pictures and stories are when you're having a board level conversation when you need to ask for, I don't know, a hundred million dollars to transform something. And it is really powerful once you can articulate something, "Time to value is X and here's the reason why this is actually going to be able to accelerate that time to value. Here's how we can get ideas to market faster. How are we going to get there ahead of the competition and be able to disservice and deliver and bill for it and maintain it and support it?"

(11:33):

That's all done through technology and I think maybe that's when the cloud, the multi-cloud starts to come in, compliance and security are the critical pieces that are still holding people back. And you've just mentioned some successful pieces as well. And I think one interesting thing that I was reading in an article you were quoted in and how industry specific clouds that automate configuration management, regulation tracking, et cetera, and one cloud doesn't fit all and maybe that's how people need to look at and give you a perspective on how the differences industries actually would create industry specific clouds, which I think is an interesting concept.

Hillery Hunter (12:13):

Absolutely. I think there's two pieces in answering the question. We did a good job of scaring everyone that this is a problem, there are answers.

Yadin Porter de Leon (12:20):

Sufficiently scared.

Hillery Hunter (12:20):

This is solvable, there are answers. When we look at this overall, going back to that cloud transformation index, it very much affirmed my experiences, which is that I think it was 71% of leaders said that hybrid cloud is key to how they're going to be successful in accomplishing digital transformation and also in how they address these concerns. And in that landscape of hybrid cloud meaning the flexibility to run things consistently between on-premises and in public cloud to deal with the realities of data gravity, for example, to deal with certain data sovereignty constraints or whatever you're dealing with if you're a multinational. But also then when you make a public cloud choice, industry cloud contextualizes the requirements of that industry including things like security and compliance and enables the public cloud to be a safe enough and compliant enough place for you to grab other content that lives there and move your data there and trust that you are still upholding your responsibilities to steward.

(13:14):

And our Pro 10 cloud for financial services really has been to co-design. What does that mean? What does that contextualization of cloud for financial services to co-design that with banks, with those that look at regulations and such in different regulatory bodies globally for that industry and make sure then that public cloud is an appropriate landing place even for the most sensitive data? And it is possible to take this security and compliance and put it into structured programs and ways of deployment and ways of protecting things on the cloud so that all of these inherent barriers to adoption can be overcome.

Yadin Porter de Leon (13:49):

When something like a financial services organization is thinking about going to cloud and they're thinking about how that sort of contextualized cloud experience like you're describing can really bake in a lot of the security compliance things for the data that they need to steward, the laws they need to abide by, should they be thinking about it in a way that, "Okay, this is the unique value that my company creates, this is what we're really good at, we don't need to be good at scaling cloud environments or spinning up X, Y, Z environments, scaling this or dealing with storage, all those other things, either hyperscaler or some hybrid cloud solution could easily tackle. And then we could focus on what we do best, which is delivering products and service to our customers. And this hyperscaler or whatever environment is going to be able to help accelerate that, help shift that in a company coming to that conclusion, evaluating what they're good at." How does somebody really make sure that they're not just spending more time learning something new and really focusing on what they're really good at as a company?

Hillery Hunter (14:47):

I think you nailed it in the dimensions of finding value in a cloud. One of the key pieces in addressing what you just talked about there with regard to value in cloud and segmentation of skills and deciding what businesses you're going to be in, so to say in terms of your own skills within your enterprise is looking at what's available in cloud from an innovation ecosystem perspective. There are so many disruptors in so many different industries, FinTechs, InsurTech, HealthTech, et cetera. Those capabilities are often born on cloud and become part of that reason of that value. When am I going to invest in transforming certain parts of my business? Or is there a disruptor out there, a SaaS provider? Could be a big company. Is there a SaaS provider or a FinTech or some other function that I may be able to take even entire business processes, fraud analytics or my payment system or other things like that? And actually get to a better place with those things because of it being provided as a service on cloud.

(15:40):

One of the areas I always encourage folks to look at is the innovation ecosystem available on cloud, not just what IT skills are you going to remain in the business. That's certainly important and I see a lot of clients saying, "We don't want to manage infrastructure and frankly we don't want to manage databases for example. I'm going to trust a cloud provider to do those things really well moving forward." If you move more into the things impacting lines of business, there's a lot of innovation available on a cloud. There are disruptors in financial services, FinTechs, there's HealthTech, there's InsurTech. And as you look to those higher level value creation streams that we were talking about earlier, am I going to keep this or that piece of my core business and its operations or is someone out there already doing that better than I was doing it?

Yadin Porter de Leon (16:24):

Exactly.

Hillery Hunter (16:25):

And I can take entire chunks and up-level the value because of consuming it as a service on the cloud.

Yadin Porter de Leon (16:31):

Absolutely. And there's a couple pieces to that. One is of course there's the whole range, a jungle if you will, of vendors who are going to come and say that they can absolutely do this and they can take over all the processes, they can save all this money. And then another part is what cloud am I going to? Who has my best interest in mind? And there's those two pieces of what SaaS provider or what cloud provider, and there's this analysis paralysis where you feel like you could help provide some high level perspective to help cut through that noise and see more signal to be clear about what vendor you want to use or what cloud you feel like is going to be best for that.

Hillery Hunter (17:03):

We see a lot of convergence in this conversation around vendors and SaaS providers and content on the cloud with where we started this conversation today around security and compliance. One of the things that we've been doing with our clients and regulated industries, especially in the financial services sector, is working with SaaS vendors to accomplish a high level of security and compliance through prescriptive process of deploying on our cloud and then having their security and compliance of their deployments checked. We refer to that as financial services validation of a SaaS provider. And there's so much conversation about supply chain integrity, third and fourth party risk, all those other kind of things. Everyone wants to know when I do take that strategic decision to outsource some chunk of what I'm doing, is it going to be as secure and compliant because you can't see inside the IT operations of a SaaS provider normally. Actually making that less abstract and making it actually super, super concrete by going through a prescriptive program for security and compliance with SaaS providers is how we've been approaching this problem.

(18:03):

And I think it's definitely something for folks to consider, not just what is the functionality, but how successful am I going to be in improving this provider for taking on my sensitive data? Are they going to handle PII? Are they going to handle my business data in the right ways? How is their data protected and secured on the cloud? We've been working with vendors on things like keep your own key based encryption and other things like that, that really ensure that the vendor can say to their end clients, "We've done everything possible to secure our data according to the highest possible standards." And that's a huge confidence builder for both parties in this overall conversation.

Yadin Porter de Leon (18:37):

That makes sense. And embedded in what you said, I think one of the key pillars of what you're just talking about is trust. And building trust is one of the hardest things, but one of the most important things to do. And I think this is a good point to pivot in the conversation, to talk about Hillery, what you do, you personally do in your role and how you're providing trust to those you work with. And they're then able to provide that trust again to their own customers. And give us a little bit of understanding of how you do that.

Hillery Hunter (19:01):

My day job is in overseeing our industry cloud programs within IBM Cloud and I also function as our CTO for IBM Cloud. And in that CTO persona, I get to have a lot of these very dynamic conversations with CIOs, with CTOs and enterprise clients and really just advise. Talk about what's going on in the industry, et cetera. Our products in the cloud for financial services space and what we're doing in Telco with healthcare providers, within government sectors, et cetera. We're really looking to contextualize things and we work with a lot of different partners. We do work with VMware. We've had long-standing partnership between VMware and IBM and in that context we've created special and secure patterns, for example, for VMware deployment on the cloud according to the standards of security and compliance and financial services.

(19:44):

We work with other vendors and partners like SAP that are working to transform the way that business operations and other things like that are done within enterprises. We work with a lot of partners to help create technologies that are industry aligned and we work with our own internal IBM products as well, to help our clients be able to do modernization. Also in things like their power systems and to protect their data in the cloud and other things like that, based on technologies that IBM has developed in-house. All of that comes together as a portfolio of offerings on our cloud that are important to help enterprise clients modernize.

(20:21):

Ultimately, a lot of this conversation on digital transformation is about modernization. It's about migration to the cloud and those partner activities together with our cloud native services enable our clients to have a variety of different motions that they can make. They can leverage a product to have consistency between their private cloud environment and their public cloud environment because we've done work together to create consistency across that full hybrid cloud landscape. And those conversations are really important because there's just a lot of diverse workloads that people are looking to bring to the cloud these days.

Yadin Porter de Leon (20:56):

And there's more than one cloud out there. And people are finding that they're either strategically multicloud or accidentally multicloud. And they're having to just manage across those insecurity appliances is one of our critical things that they've got to get right and it's a tough problem. One of the things that we like to do in the podcast is have this section called Ticket to the Board.

Speaker 3 (21:14):

In short, ladies and gentlemen of the board, costs are down, revenues are up, and our stock has never been higher.

Yadin Porter de Leon (21:22):

Since you talk to so many different companies, CIOs and CTOs and CISOs, what do you think is missing from that board level conversation that you feel like would be critical in moving forward with a lot of the transformations you're talking about to deliver real business value, to accelerate that time to market? If CIOs, CISOs, CEOs started to have this conversation more at the board level, what would that be?

Hillery Hunter (21:45):

I think one is to be able to articulate that there are answers to where we started in this conversation, which is that a lot of times there is remaining fear at the board level about the security and compliance posture of what happens on the cloud. How do I make sure that our enterprise here that I am advising is not going to be subject to the type of breach that company X, Y, or Z had? I see it in folks that I talked to about their board conversations that there's a lot of, "I read this in the newspaper, tell me that we're not also going to have problems along those lines." And I think it goes back to the structural conversations, the security and compliance transformation, how an organization is working together to ensure that these conversations are holistic. Not just move to the cloud, but move to the cloud. And honestly even improve your security and compliance posture is very much possible in a bunch of situations.

Yadin Porter de Leon (22:33):

That's a great point because there are things that the cloud does better when it comes to security and compliance that could be greatly improved.

Hillery Hunter (22:38):

Absolutely. It's completely possible. One of my favorite questions to CISOs is, "Do you think it's going to be better or worse on the cloud?" They will consistently say, "If we do it right, it's going to be better because I don't have the debt that I may have had in my on-premises environments." And I think bringing that out, bringing out what the opportunity of cloud is on this topic to help explain, "If we don't do things holistically, those type of breaches could happen, but we have done things holistically. We are remediating tactical debt, we are getting to a better place actually through our cloud deployments." I think that's one huge opportunity.

(23:10):

And then I think secondly, it needs to be clearly articulated that it's possible to find solutions on the cloud that can be managed consistently with on-premises deployments, so you're not adding complexity. It can be managed in a way consistent with security and compliance that is at the highest possible standards for sensitive data in an enterprise. And once you're able to talk about the whole IT landscape and figure out where it should go, and you're not bound by, "Oh, only this stuff can go to the cloud webpage kind of things and marketing stuff," that really cracks open the opportunity then to actually be talking about digital transformation and value creation, not just, "Oh, the webpage, the front end of it got moved to the cloud."

Yadin Porter de Leon (23:52):

That makes sense. I think, Hillery, this has just been a fabulous conversation. Can you give the listeners a sense of where they could find you online, anything that you'll be doing out there in the world?

Hillery Hunter (24:01):

Yeah, absolutely. I'm on LinkedIn, that's the best place to find me and reach out to me. I love to follow up with folks that reach out to me on LinkedIn. I'm always happy to chat with your audience.

Yadin Porter de Leon (24:10):

Excellent. Fabulous. Thank you, Hillery. I appreciate you joining the CIO Exchange Podcast.

Hillery Hunter (24:15):

Thanks so much for having me.

Yadin Porter de Leon (24:16):

Thank you for listening to this latest episode. Please consider subscribing to the show on Apple Podcasts, Spotify, or wherever you get your podcasts. And for more insights from technology leaders as well as global research on key topics, visit vmware.com/cio.