Thursday, September 09, 2021

How HPE Pointnext Complete Care Transforms Edge-to-Cloud Support to Enable Business-Wide Outcomes

Transcript of a discussion on how complexity and fast-changing dynamics of digital businesses are pushing enterprises to seek a complete and holistic way to support all their technology.

Sponsor: Hewlett Packard Enterprise Pointnext Services.

Dana Gardner: Hello, and welcome to the next edition of the BriefingsDirect Voice of Tech Services Innovation podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion on how IT services and support have entered a new era.

Today’s diversity of hybrid IT models and environments demands that IT services and support accommodate more digital variables than ever. Nonetheless, the burgeoning complexity and fast-changing dynamics of digital businesses are pushing enterprises to seek a complete and holistic way to support all their technology -- from every edge to every cloud -- in one bold stroke.

That’s the market driver behind a new pan-IT services offering from Hewlett Packard Enterprise (HPE) Pointnext Services called HPE Pointnext Complete Care. The all-inclusive approach moves past product-based experiences of support to an all-IT-environment-wide experience. It both reaches back to provide legacy and product support and extends to the intelligence-driven and proactive optimization of all digital business services.

Stay with us now as we examine how HPE Pointnext Services has developed solutions to satisfy this broad new definition of complete IT tech support.

To learn more about bringing what amounts to a warm blanket of support across the entire IT environment we’re joined by Gerry Nolan, Director of Operational Services Portfolio at HPE Pointnext Services. Welcome back, Gerry.

Gerry Nolan: Hi, Dana. Great to be with you.

Gardner: Gerry, how has the world changed since HPE Datacenter Care arrived back in 2012? I guess we can no longer define IT by a datacenter metric -- it’s now gone much broader and wider.

Nolan: You said it, Dana. I feel a bit old thinking that 2012 was just yesterday. But back then the momentum was all around IT consolidation, the move to virtualization, and customers moving to x86 platforms.

IT’s not 2012 anymore

At the time, studies showed that average downtime was about 97 minutes per year, with the average cost at $8,000 a minute. The most commonly cited reason for failure was the hardware, along with people making mistakes. At the time, about 50 percent of the downtime was caused by hardware failure and 50 percent by human error.

Today, studies show that the world is a totally different place. Now it’s all about hyper converged infrastructure (HCI), hybrid IT, and cloud computing in all its various forms. The move to edge is a significant trend. And, of course, the move to digital transformation has been accelerated by the COVID-19 pandemic. And that means it’s all about IT as an experience and bringing differentiated experiences to the market.

Look at areas outside of IT. If you think about buying a car and how Tesla has transformed that experience or going on a vacation and how web sites such as Airbnb or Booking.com have totally transformed that. The experiences define those use cases -- and IT is no different.

In 2020, studies showed that downtime is even more scary -- with the average cost of a minute of downtime up from $8,000 to $17,000. With the move to digital, any downtime or impact to your digital platform has massive implications not just with the direct revenue and orders impact, but they can seriously damage your reputation and brand for years.

An IDC study that jumped out at me last year, for example, says having a support experience around IT shouldn’t be viewed like it was back in 2012, as an insurance policy. Today it’s more important to think about partnership agreements that drive better service-level agreements (SLAs) and overall performance. It’s about driving the business forward and enabling the business.

IDC found the enterprises that had these types of agreements saved an average of 634 hours of unplanned downtime. And 200 hours of that were the benefit of the proactive nature of using artificial intelligence (AI) and other tools, as well as having access to smart people who help mitigate against the bad things from happening.

So, yes, the world really has changed a lot since we first introduced HPE Datacenter Care back in 2012.

Gardner: Sure, so we’ve seen the change of vendor and support relationships to more of a partnership in supporting the full business. But there’s been a progression to getting to what we now call HPE Pointnext Complete Care. And one of those big steps was with HPE Pointnext Tech Care. How did that fit into the progression? How should we think about this as an evolution?

Nolan: Yes, we are transforming the overall support experience for our customers. The first step out of the gate was differentiating the experience with our HPE products by crafting a new, totally transformed support experience called HPE Pointnext Tech Care. We launched that in April on our HPE Server product line. It will be fully available across all products by August.

Time to transform how we work

It transforms and uplifts the user experience when dealing with HPE products by bringing to bear a whole range of new aspects, including a new digital platform, to allow customers much easier access to both the knowledge they need as well as multiple ways of accessing our experts around the world. They can do that through video, chat, moderated forums, and live conversations. It also embeds AI, so the telemetry built into our products feeds back to the mothership and then delivers a wide array of dashboards, alerts, insights, and recommendations back to the customers.

As a result, the users have a beautiful, rounded, broader suite of capabilities that allows them to gain more information to more easily self-solve and self-serve. But, of course, they also have broad access to knowledge and expertise when and how they need it. That’s what HPE Pointnext Tech Care, which replaces HPE Foundation Care and HPE Proactive Care, is all about.

For those familiar with those services, which have been around for many years, HPE Pointnext Tech Care is the new, single product support experience for all HPE products. We’re very proud of it and we’re getting great feedback from our initial customers. They love that they can go to a single portal and see these dashboards. They now have many ways of accessing our experts, and, of course, everyone’s different. Some people like to talk live to experts, while others like to watch videos or go to moderated forums to talk with peers and other customers. Our experts are also in those forums responding and providing links to various articles.

It’s a very rich -- and we believe -- transformative experience that takes support to the next level. And, with HPE Pointnext Complete Care, we’re going to elevate that even more by taking support beyond the products and looking at the entire environment.

Gardner: Another big differentiator for HPE Pointnext Services is that this is not just for HPE support -- this is pan-vendor support. You’ve been agnostic in supporting -- with one throat to choke, if you will -- a vast universe of technology. How does HPE Pointnext Complete Care advance that concept of all under the same support umbrella?

Nolan: Yes, we’ve been doing that for years, adding significant multivendor capabilities. With HPE Pointnext Complete Care, it focuses further on providing a complete support experience for the customer. That includes whatever capabilities exist -- both from inside of HPE or some of our partners – and brings all of that into a complete, single framework for the client. That means covering the customers’ complete IT environment, however they define it, by acting as their single point of contact for whatever they define as their IT. In these days, of course, that can be quite a wide and varied scope.

For example, a casino I recently talked to is actively acquiring new companies in different parts of the world. They’re bringing onboard those companies, all with their own IT setups. The chief information officer (CIO) is looking to bring all of that together under a single framework with a single partner to work with them. They want to evolve to control what they have, as well as take it all to a more standard framework.

Another company that jumps to mind is a large international bank looking to move to an increasingly hybrid IT structure, with some on-premises cloud services to support their legacy IT. They’re migrating from that legacy to an x86, container-based, heavily automated private cloud. They need a single partner to help them through that digital transformation and through that evolution. The goal is to help them operate and manage their old, while also taking care of all of that new technology.

There are many aspects to HPE Pointnext Complete Care in terms of helping a customer in those different use cases. It’s not just HPE products. It’s many different IT technologies. Today that includes things such as hyper-converged, edge, and Internet of Things (IoT). There’s a lot of open source use, and a plethora of other software including some of the new automation tools.

HPE Pointnext Complete Care brings all of that under one umbrella to give the customer a single team and a single point of contact. So whatever they have in their IT -- wherever their IT is -- they can work with that single partner to operate and optimize that entire environment.

Gardner: The timing seems perfect because, as you mentioned, there’s so much more complexity to providing a business service that ultimately reaches back into multiple service providers, using multiple technologies.

Nolan: Exactly.

Gardner: We need those services to be robust. If there are issues, there’s no time to point fingers but instead to find the root causes and assign responsibility for fixing it. You need to look at the whole picture, and the speed element is something here that strikes me as essential.

Nolan: Absolutely.

Gardner: It seems to me that we’re looking at an awfully complex undertaking. How do you mitigate the complexity?

Comprehend complexity and manage it

Nolan: Yes, customers are challenged. We’re still in the pandemic. We’ve learned a lot from our customers as they have worked through all the various implications. The response has elevated the whole move to digital, as I mentioned. It’s really important that customers have a strong handle on the digital aspects of their businesses.

Whether you’re ordering coffee, buying a car, or doing some banking, you’re working with some level of digital platforms these days. Therefore, that becomes a critical aspect of enabling the business. We want to make sure we can help customers set up, run, and optimize their digital platforms – and that’s something HPE Pointnext Complete Care is set up to do.

Risk mitigation is critical. We see customers challenged with just trying to get ahead of issues before those issues cause downstream impact to their businesses. They want access to expertise and best practices. They are obviously always looking to get the best bang for the buck because customers are still under tight cost constraints.

They also have struggles due to the finger-pointing that comes with managing multiple vendors and as they bring on more open source software and automation tools. There are more and more companies involved, and so more and more and different relationships to manage. All of this can be challenging.

If you’re struggling with bandwidth and budget while trying to mitigate risk -- all these factors build to create challenges across all of those dimensions. Having a single point of contact is something we see customers challenged with -- and something they value a lot.

We also see organizations aim to reduce their carbon footprint and achieve new corporate-wide sustainability goals. So, that’s something we’re also building into the HPE Pointnext Complete Care value. Working with our financial services organization within HPE allows customers to benefit from their programs. They can monetize old hardware, and we can buy that hardware back and give the customer a payment that they can then invest in newer technologies -- more carbon friendly and sustainable approaches. So, we’re excited about how we can help customers across all these different dimensions.

Gardner: As a recap from our earlier discussion when HPE Pointnext Tech Care came out back in the spring, one of the things that was very impressive to me was the use of technology to better manage – technology. At HPE Pointnext Services, you’re using technology to trace and discover IT assets and use that data to gain a complete view of what’s going on in an organization.

It’s allowing not just break-fix reactions but the capability to get out in front and to be proactive on maintenance, patching, and to quickly identify anomalies to head them off before they become breakdowns. So, the advent of the technology that you’re able to use to satisfy these problems is also very powerful, and HPE Pointnext Tech Care demonstrated that. 

Nolan: Absolutely, well said.

Gardner: All right, let’s go to HPE Pointnext Complete Care in more detail. This has just arrived. People are trying to wrap their heads around it. What’s the grand vision for HPE Pointnext Complete Care now that we’ve moved through this evolution from HPE Pointnext Tech Care and better understand the IT environment that we’re in?

A warm blanket of IT support

Nolan: I view the HPE Pointnext Complete Care experience as that “warm blanket” of support that we can put around the entire customer’s IT environment. The beauty of the framework is we’re going to be delivering and evolving this over the coming months to provide a modular approach. That means we can provide flexibility across an extensive and growing menu of capabilities. 

Whether it’s looking at your security, compliance, or performance – this includes all the different aspects of your IT. It means managing your assets, be it hardware or the software licenses. And then we provide the innovative solutioning tools to our partners as well as our own staff to enable personalization for each of those different customer use cases I mentioned.

Yet every customer is different. They’re all starting from a different point on their journey. We will wrap around all those requirements that the customer has with a single framework, a single team, a single contract, and a single invoice.

Everything needs to be simpler for the customer, even as their use cases have gotten more complex. It requires the wealth of HPE’s capabilities across all the technology -- or in the multi-vendor space. We have a massive capability globally to fix and repair non-HPE products. So, whether it’s Dell servers, or IBM systems, or Brocade switches, or NetApp storage arrays -- customers are often surprised that we can provide the same level of support on their non-HPE technology as their HPE technology.

We will keep investing in the digital platforms to bring forward all the AI and telemetry and make it more broadly available, as well as enriching the dashboards, alerts, and insights provided to customers that have the HPE Pointnext Complete Care framework. We will constantly make it better and help customers manage the lifecycle -- not just provide support.

If customers need to look at their strategy plans, we can bring in our strategy consultants. If they have a need for flexibility around payment plans or to monetize their older assets, we can partner with our financial services colleagues and bring them to the table. All of this can be done through a single HPE Pointnext Complete Care framework. It delivers a complete, end-to-end suite of value to cover all needs. That’s what makes our vision quite exciting for me. 

Gardner: When I first learned about HPE Pointnext Complete Care, I said to myself, “Wow, this is pretty ambitious.” And one of the things I wondered is how you’re able to manage being all inclusive -- providing a single point of contact -- yet at the same time personalize and customize the support experience for every customer. How are you able to pull that off, Gerry, to be all-inclusive and simplified, but also customized and tailored to each company?

Nolan: That’s one of the beautiful things about HPE Pointnext Complete Care. We have a big benefit in that we’ve been doing this for – and I’m embarrassed because I’ve been here most of these -- 40 years. We’ve been doing support of customer’s technology -- whether it’s HP, HPE, or non-HPE technologies -- for a very long time. We’ve built up amazing global capabilities, whether it’s supply chain or expert teams that specialize in different areas like SAP HANA or security or VMware or Linux or automation or containers -- name your tech topic. We built up deep teams of experts that we can draw upon.

If you can imagine, HPE Pointnext Complete Care is this big toolbox of capabilities across the company, as well as working with our partners, and that helps speak to a customer. You can view that customer in their own unique scenario. It’s very helpful when you can turn around and talk to your consulting colleagues and bring in some strategy or help for the customer who has a desire to move to cloud. They may need some help figuring out, “How do I architect a good solution for all my various workloads?”

Because we know that not every workload is going to work in the cloud, we know that customers don’t typically throw out all their old technology. They want to keep their old technology but also get the most from it for as long as possible while they move to the newer models. And we have teams within our organization that can readily help customers regardless of where they are on that journey.

Again, we’re able to do this due to the sheer breadth and depth of the capabilities available to us. It allows us to turn up and develop what appears a custom-built solution for each customer. But, in fact, we’re leveraging capabilities that have been built up over 40-plus years. We’re putting them together uniquely for each client and we have the flexibility to do that. We are not tied to any one model, whether it’s on-premises, off-premises, hybrid cloud, IoT, edge, and containers.

We don’t have any specific bias to pushing a customer in one direction. We have so many tools in our toolkit, we do the best for that customer and give them the outcome that best satisfies their unique needs with HPE Pointnext Complete Care. That’s the value proposition and the beauty of the framework. We pick and choose the tools, assets, and capabilities and we map those to each individual client.

Gardner: Let’s chunk this out a bit. What are the major modules in HPE Pointnext Complete Care? How should we think about it in terms of how it’s constructed and architected?

Personalized, customer-centric care

Nolan: Because we’ve been doing this for a while, we carry forward into HPE Pointnext Complete Care all those proven key elements that customers love and are already delivering value. That includes key elements like having an assigned team with named individuals that work with the customer. That’s the first thing we will do with an HPE Pointnext Complete Care customer. 

While we’re onboarding them, we enhance that by adding new roles into that assigned team and providing new profiling capabilities. We get to know that customer’s business, their key objectives and priorities, and then we build that into the plan and make sure anyone interacting with that customer has full visibility to what’s important to that specific customer.

For example, say I’m working with you, the customer, and you have a big customer event next week. We’re going to make sure that the entire HPE team working with you is ready to support you in that big event. We are going to make sure we mitigate all possible risks, and we’re going to have extra staff on hand to support you during that event. It’s important to have that level of detail of profiling. So, that assigned team is the first critical element.

In the broader scope, with HPE Pointnext Complete Care, we’re expanding the products and software that we can cover in the customer framework agreement. That helps to enhance the incident management capabilities. When bad things do happen – because, at the end of the day, hardware will at some point fail, or somebody will make a mistake -- we make sure we can mitigate that. Whenever bad things occur, we’re enhancing the way that we manage those incidents. It makes for the best possible experience.

And, of course, we’re expanding the menu of new support capabilities; things like broader services for open-source assets. We see many customers challenged with deploying the different varieties of open source products. And the move to automation and containers is accelerating the push to use of open source. Many of our customers are saying, “Boy, this is hard. It’s more complex than we imagined. It sounded easy, fast, and cheap, but it’s none of those things.”

There are many benefits to moving to open source, but it is quite challenging. So that’s an area we’re going to help customers with. We have a lot of open source expertise within our company. We’re going to ramp that up with the launch of HPE Pointnext Complete Care to offer customers a single point of contact for all their open source tools.

And then, aligned with that, is our big focus on software in general. We see customers -- especially coming out of COVID – who had companies such as Microsoft, Oracle, and others open up access to free licenses. But now, coming out of the pandemic, those vendor companies rightfully are saying, “Well, gee, we need to monetize this now. We need to audit what software is being used by our customers.” And, of course, those customers in many cases are struggling to know what software is in their estate. They have huge estates, now with remote software to enable their global remote workforce, and in many cases that’s gotten out of control. We see customers who don’t know what software they have. Nor do they have a good handle on the associated costs, compliance issues, and security risks.

As a result, another HPE Pointnext Complete Care module we’re launching focuses on software asset management (SAM). We help customers find all their software licenses. We show them via different dashboards what’s being used. They can also see where they have security and compliance risks, as well as what they’re spending -- and perhaps where they’re spending too much. It shows how they could save money via recommendations in those dashboards. If they’d like, we can even do the management of their software estate thanks to the new SAM capabilities in HPE Pointnext Complete Care.

Those are some of the new exciting modules. It’s a long list, but those are a couple that jump to mind in terms of some of the new exciting capabilities we’re now introducing.

Gardner: As a global organization, HPE is helping each of these companies deal with these issues. That means what you learn in one part of world from one type of company can be applied to everybody else. There’s a vast amount of data gathered, and that can be applied and reapplied. It’s a very exciting time.

Gerry, let’s talk about your go-to-market strategy. This isn’t just an HPE-only entry point. What are you doing to make HPE Pointnext Complete Care available across a channel partner ecosystem?

Harness the power of partnerships

Nolan: HPE, like so many big companies, relies on our trusted partners around the world. We have an awesome network of partners, and we’re very excited with HPE Pointnext Complete Care to be opening that experience up to our channel partners.

Many partners have the desire to create an experience like HPE Pointnext Complete Care and deliver it to their end customers. But they may not have the full suite of capabilities. So, combining our capabilities with their capabilities, they all might be able to directly quote proposals to their end customers.

That would include HPE Pointnext Complete Care plus their own value. That’s a new capability available with HPE Pointnext Complete Care. We provide a new solutioning platform, which channel partners can directly access themselves. They can create proposals, basically on their own, and then bring in all the value of HPE plus their own value and be compensated to do that. So, it’s good for the customer, it’s good for the channel partner, and, of course, it’s jointly good for us as well. So, everybody wins.

Gardner: We’ve addressed the vast IT heterogeneity and how HPE Pointnext Complete Care will address that. But looking a little bit closer to home, within the HPE family of products, this has also given you an opportunity to unify around your HPE GreenLake as-a-service economics. You can put that umbrella over your product lines, such as Nimble storage, Cray for HPC, Ezmeral, and Aruba for networking and edge. So, tell us how HPE Pointnext Complete Care not only unifies a vendor ecosystem but unifies the HPE ecosystem and procurement models as well?

Nolan: One of the reasons we chose the name HPE Pointnext Complete Care is we are delivering that complete experience of bringing together a consistent, single point of support for the customer across all our products. I’m excited to say that, “Yes, we’re expanding the scope of HPE Pointnext Complete Care.”

So it includes all the products you just mentioned. Whether you have Nimble in your environment or HPE’s new container platform, called Ezmeral, or Cray, or even Aruba on the edge -- all of that can be included alongside your servers, storage, and the non-HPE everything you have under a single HPE Pointnext Complete Care contract.

And, of course, the other nice thing about HPE Pointnext Complete Care is HPE GreenLake, our as-a-service-offering model for those customers who want to buy their IT -- whether it’s on-premises or a colocation – and pay on an as-you-go basis, with a monthly bill for whatever they use. HPE GreenLake is the solution. Every HPE GreenLake engagement, at the heart of it, also has HPE Pointnext Complete Care. HPE Pointnext Complete Care carries the part that delivers the support and optimizes the performance of all that IT.

HPE GreenLake, we’re very excited to say, is called the “cloud that comes to you” because it delivers all the benefits of hybrid IT but with HPE Pointnext Complete Care in that expanded scope for support. We cover all the products you mentioned, all the elements of HPE GreenLake, and we’ll be adding to that as we learn and get more feedback from customers. We’re pretty excited.

Gardner: It’s near the end of summer 2021, and this is new to the market. But do you have any early adopters or beta customers that you can look to and say, “Yes, we’ve been describing this, but here’s how it’s working in practice?” Where is this being used first, and what are they getting for it?

A case in point takes flight

Nolan: A recent example comes to mind. A major aircraft manufacturer is struggling with a large, complex IT environment. By the nature of their business, it’s a very sensitive IT environment. They need to work with clusters and proven partners. We in 2021 signed a five-year engagement with that organization.

HPE is their sole IT support provider. We’re providing HPE Pointnext Complete Care coverage for their entire IT environment, including support for more than 20 different vendors. That means all types of hardware and software -- way beyond just the HPE products. It includes managing all their software licenses, a very large software estate across their environment. It includes helping them operate all the IT operations -- from planning through to support. We will take on the relationships with their other vendors, and we’ll provide that customer a single view, a single dashboard, and map to their key performance indicators (KPIs).

It’s an exciting engagement. And, of course, every customer will be measuring the value this way -- the idea of aligning with the customer on what KPIs are. Then we’ll constantly review and update those with the customer as we jointly make progress together.

This large deal is a good proof-point. It has most of the elements of HPE Pointnext Complete Care that I’ve been talking about. We are in discussions with many other customers in similar types of use case scenarios, where HPE Pointnext Complete Care provides that single point of contact across their complete IT estate. And, of course, we’re bringing to bear that complete suite of value.

Gardner: Is there a crawl, walk, run approach to HPE Pointnext Complete Care? How do you get started? How do you learn more?

Nolan: You can absolutely start with a small HPE Pointnext Complete Care contract, perhaps for one key part of your infrastructure or environment, and then grow from that over time. It’s totally flexible. I encourage anyone who believes that this might be an experience that would help them to engage through their authorized channel partner or directly with an HPE account manager representative.

There’s also a wealth of information on the HPE.com website in the HPE Pointnext Services area. We would love to come in and just discuss what’s going on in the customer’s environment. What are some of their challenges? What are some of their desired IT estate goals? And then just figure out how we can help. And if we can help them and put together something that works for them.

Gardner: Gerry, what comes next? It sounds to me when you combine HPE GreenLake and HPE Pointnext Complete Care that we’re reverse engineering from the business outcomes back to what the IT requirements as services are. We’re revolutionizing IT. Even the economics of IT shift.

How does the advent of HPE Pointnext Complete Care work with some of these other trends to reinvent IT? Are we really looking at something that’s substantially different?

The IT solution revolution

Nolan: As vendors, we really need to continually step-up the game. As we’re trying to do here, we need to bring more value to customers who in turn are having to do that with their end customers. This spans the entire IT lifecycle – from helping customers with strategy, all the way through to operating and managing the IT estate.

It’s no longer good enough to just provide support, the sort of break-fix support. Instead, we must provide an end-to-end lifecycle experience for all IT, where we’re bringing in advice, help, insights, recommendations, and, of course, best-in-class support. For us, that includes continued investment in scaling up our people and building new solutions, as well as extending our AI and machine learning (ML) to bring about entirely new types of insights.

We can stop the bad things from happening before they happen. And technologies like augmented reality (AR) will help elevate the experience, allowing us to better support remote sites and every type of computing and business edge. We already support customers on ships, on oil rigs, and on the tops of mountains. There’s nowhere our support can’t go.



We’re constantly innovating and coming up with new solutions, which is why we’re making these investments. We see these as critical as the customers do. Business doesn’t stop, innovation doesn’t stop, and we’re going to stay ahead. That’s what we’re trying to do with HPE Pointnext Complete Care.

Gardner: Yes, you’re changing the relationship with your customers. It’s truly a partnership. When they succeed, you succeed, and vice-versa -- and you’ll need to work together to make that continue. It’s an exciting opportunity.

I’m afraid we’ll have to leave it there. You’ve been exploring how today’s diversity of hybrid IT models and environments demand that IT services and support accommodate more digital variables than ever.

And we’ve learned how HPE Pointnext Services has developed solutions to satisfy this broad new definition of complete IT tech support. It’s a coverage that amounts to a “warm blanket” of support across the entire IT environment.

So, please join me in thanking our guest, Gerry Nolan, Director of Operational Services Portfolio at HPE Pointnext Services. Thank you so much, Gerry.

Nolan: Thank you, Dana. It’s been great.

Gardner: And a big thank you also to our audience for joining this sponsored BriefingsDirect Voice of Technology Services Innovation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HPE Pointnext-supported discussions.

Thanks again for listening. Please pass this along to your IT community, and do come back next time. 

Transcript of a discussion on how complexity and fast-changing dynamics of digital businesses are pushing enterprises to seek a complete and holistic way to support all their technology. Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.

Monday, August 30, 2021

How to Migrate Your Organization to a More Security-Minded Culture

Transcript of a discussion on creating broader awareness of security risks and building a security-minded culture across organizations and ecosystems.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Traceable AI.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Bringing broader awareness of security risks and building a security-minded culture within any public or private organization has been a top priority for years. Yet halfway through 2021, IT security remains as much a threat as ever -- with multiple major breaches and attacks costing tens of millions of dollars occurring nearly weekly.

Why are the threat vectors not declining? Why, with all the tools and investment, are businesses still regularly being held up for ransom or having their data breached? To what degree are behavior, culture, attitude, and organizational dissonance to blame?

Stay with us now as we probe into these more human elements of IT security with a leading chief information security officer (CISO).


To learn more about adjusting the culture of security to make organizations more resilient, please join me in welcoming Adrian Ludwig, CISO at Atlassian. Welcome, Adrian.

Adrian Ludwig: Hi, Dana. Glad to be here.

Gardner: Adrian, we are constantly bombarded with headlines showing how IT security is failing. Yet, for many people, they continue on their merry way -- business as usual.

Are we now living in a world where such breaches amount to acceptable losses? Are people not concerned because the attacks are perceived as someone else’s problem?

Security on the forefront

Ludwig: A lot of that is probably true, depending on whom you ask and what their state of mind is on a given day. We’re definitely seeing a lot more than we’ve seen in the past. And there’s some interesting twists to the language. What we’re seeing does not necessarily imply that there is more exploitation going on or that there are more problems -- but it’s definitely the case that we’re getting a lot more visibility.

I think it’s a little bit of both. There probably are more attacks going on, and we also have better visibility.

Gardner: Isn’t security something we should all be thinking about, not just the CISOs?

Ludwig: It’s interesting how people don’t want to think about it. They appoint somebody, give them a title, and then say that person is now responsible for making security happen.

But the reality is, within any organization, doing the right thing -- whether that be security, keeping track of the money, or making sure that things are going the way you’re expecting -- is a responsibility that’s shared across the entire organization. That’s something that we are now becoming more accustomed to. The security space is realizing it’s not just about the security folks doing a good job. It’s about enabling the entire organization to understand what’s important to be more secure and making that as easy as possible. So, there’s an element of culture change and of improving the entire organization.

Gardner: What’s making these softer approaches -- behavior, culture, management, and attitude – more important now? Is there something about security technology that has changed that makes us now need to look at how people think?

Ludwig: We’re beginning to realize that technology is not going to solve all our problems. When I first went into the security business, the company I worked for, a government agency, still had posters on the wall from World War II: Loose lips sink ships.

The idea of security culture is not new, but the awareness is, across organizations that any person could be subject to phishing, or any person could have their credentials taken -- those mistakes could be originating at any place in the organization. That broad-based awareness is relatively new. It probably helps that we’ve all been locked in our houses for the last year, paying a lot more attention to the media, and hearing about attacks that have been going on at governments, the hacking, and all those things. That has raised awareness as well.

Gardner: It’s confounding that people authenticate better in their personal lives. They don’t want their credit cards or bank accounts pillaged. They have a double standard when it comes to what they think about protecting themselves versus protecting the company they work for.

Data safer at home or work?

Ludwig: Yes, it’s interesting. We used to think enterprise security could be more difficult from the user experience standpoint because people would put up with it because it was work.

But the opposite might be true, that people are more self-motivated in the consumer space and they’re willing to put up with something more challenging than they would in an enterprise. There might be some truth to that, Dana.

Gardner: The passwords I use for my bank account are long and complex, and the passwords I use when I’m in the business environment … maybe not so much. It gets us back to how you think and your attitude for improved security. How do we get people to think differently?

Ludwig: There’s a few different things to consider. One is that the security people need to think differently. It’s not necessarily about changing the behavior of every employee in the company. Some of it is about figuring out how to implement critical solutions that provide security without changing behavior.

There is a phrase, the paved path or road; so, making the secure way the easy way to do something. When people started using YubiKey U2F [an open authentication standard that enables internet users to securely access any number of online services with a single security key] as a second-factor authentication, it was actually a lot easier than having to input your password all over the place -- and it’s more secure.

That’s the kind of thing we’re looking for. How do we enable enhanced security while also having a better user experience? What’s true in authentication could be true in any number of other places as well.

Second, we need to focus on developers. We need to make the developer experience more secure and build more confidence and trustworthiness in the software we’re building, as well as in the types of tools used to build.

Developers find strength

Gardner: You brought up another point of interest to me. There’s a mindset that when you hand something off in an organization -- it could be from app development into production, or from product design into manufacturing -- people like to move on. But with security, that type of hand-off can be a risk factor.

Beginning with developers, how would you change that hand-off? Should developers be thinking about security in the same way that the IT production people do?

Ludwig: It’s tricky. Security is about having the whole system work the way that everybody expects it to. If there’s a breakdown anywhere in that system, and it doesn’t work the way you’re expecting, then you say, “Oh, it’s insecure.” But no one has figured out what those hidden expectations are.

A developer expects the code they write isn’t going to have vulnerabilities. Even if they make a mistake, even if there’s a performance bug, that shouldn’t introduce a security problem. And there are improvements being made in programming languages to help with that.

Certain languages are highly prone to security being a common failure. I grew up using C and C++. Security wasn’t something that was even thought of in the design of those languages. Java, a lot more security was thought of in the design of that language, so it’s intrinsically safer. Does that mean there are no security issues that can happen if you’re using Java? No.

Similar types of expectations exist at other places in the development pipeline as well.

Gardner: I suppose another shift has been from applications developed to reside in a data center, behind firewalls and security perimeters. But now -- with microservices, cloud-native applications, and multiple application programming interfaces (APIs) being brought together interdependently -- we’re no longer aware of where the code is running.

Don’t you have to think differently as a developer because of the way applications in production have shifted?

Ludwig: Yes, it’s definitely made a big difference. We used to describe applications as being monoliths. There were very few parts of the application that were exposed.

At this point, most applications are microservices. And that means across an application, there might be 1,000 different parts of the application that are publicly exposed. They all must have some level of security checks being done on them to make sure that if they’re handling an input that might be coming from the other side of the world that it’s being handled correctly.

So, yes, the design and the architecture have definitely exposed a lot more of the app’s surface. There’s been a bit of a race to make the tools better, but the architectures are getting more complicated. And I don’t know, it’s neck and neck on whether things are getting more secure or they’re getting less secure as these architectures get bigger and more exposed.

We have to think about that. How do we design processes to deal with that? How do you design technology, and what’s the culture that needs to be in place? I think part of it is having a culture of every single developer being conscious of the fact that the decisions they’re making have security implications. So that’s a lot of work to do.

Gardner: Another attitude adjustment that’s necessary is assuming that breaches are going to happen and to stifle them as quickly as possible. It’s a little different mindset, but the more people involved with looking for anomalies, who are willing to have their data or behaviors examined for anomalies makes sense.

Is there a needed cultural shift that goes with assuming you’re going to be breached and making sure the damage is limited?

Assume the worst to limit damage

Ludwig: Yes. A big part of the cultural shift is being comfortable taking feedback from anybody that you have a problem and that there’s something that you need to fix. That’s the first step.

Companies should let anybody identify a security problem -- and that could be anybody inside or outside of the company. Bug bounties. We’re in a bit of a revolution in terms of enabling better visibility into potential security problems.

But once you have that sort of culture, you start thinking, “Okay. How do I actually monitor what’s going on in each of the different areas?” With that visibility, exposure, and understanding what’s going in and out of specific applications, you can detect when there’s something you’re not expecting. That turns out to be really difficult, if what you’re looking at is very big and very, very complicated.

Decomposing an application down into smaller pieces, being able to trace the behaviors within those pieces, and understanding which APIs each of those different microservices is exposing turns out to be really important.

If you combine decomposing applications into smaller pieces with monitoring what’s going on in them and creating a culture where anybody can find a potential security flaw, surface it, and react to it -- those are good building blocks for having an environment where you have a lot more security than you would have otherwise.

Gardner: Another shift we’ve seen in the past several years is the advent of big data. Not only can we manage big data quickly, but we can also do it at a reasonable cost. That has brought about machine learning (ML) and movement to artificial intelligence (AI). So, now there’s an opportunity to put another arrow in our quiver of tools and use big data ML to buttress our security and provide a new culture of awareness as a result.

Ludwig: I think so. There are a bunch of companies trying to do that, to look at the patterns that exist within applications, and understand what those patterns look like. In some instances, they can alert you when there’s something not operating the way that is expected and maybe guide you to rearchitecting and make your applications more efficient and secure.

There are a few different approaches being explored. Ultimately, at this point, most applications are so complicated -- and have been developed in such a chaotic manner -- it’s impossible to understand what’s going on inside of them. That’s the right time that the robots give it a shot and see if we can figure it out by turning the machines on themselves.

Gardner: Yes. Fight fire with fire.

Let’s get back to the culture of security. If you ask the people in the company to think differently about security, they all nod their heads and say they’ll try. But there has to be a leadership shift, too. Who is in charge of such security messaging? Who has the best voice for having the whole company think differently and better about security? Who’s in charge of security?

C-suite must take the lead

Ludwig: Not the security people. That will be a surprise for a lot of people to hear me say that. The reality is if you’re in security, you’re not normal. And the normal people don’t want to hear from the not-normal person who’s paranoid that they need to be more paranoid.

That’s a realization it took me several years to realize. If the security person keeps saying, “The sky is falling, the sky is falling,” people aren’t going to listen. They say, “Security is important.” And the others reply, “Yes, of course, security is important to you, you’re the security guy.”

If the head of the business, or the CEO, consistently says, “We need to make this a priority. Security is really important, and these are the people who are going to help us understand what that means and how to execute on it,” then that ends up being a really healthy relationship.

The companies I’ve seen turn themselves around to become good at security are the ones such as Microsoft, Google, or others where the CEO made it personal, and said, “We’re going to fix this, and it’s my number-one priority. We’re going to invest in it, and I’m going to hire a great team of security professionals to help us make that happen. I’m going to work with them and enable them to be successful.”

Alternatively, there are companies where the CEO says, “Oh, the board has asked us to get a good security person, so I’ve hired this person and you should do what he says.” That’s the path to a disgruntled bunch of folks across the entire organization. They will conclude that security is just lip service, it’s not that important. “We’re just doing it because we have to,” they will say. And that is not where you want to end up.

Gardner: You can’t just talk the talk, you have to walk the walk and do it all the time, over and over again, with a loud voice, right?

Ludwig: Yes. And eventually it gets quieter. Eventually, you don’t need to have the top level saying this is the most important thing. It becomes part of the culture. People realize that’s just the way – and it’s not that it’s just the way we do things, but it is a number-one value for us. It’s the number-one thing for our customers, too, and so culture shift ends up happening.

Gardner: Security mindfulness becomes the fabric within the organization. But to get there requires change and changing behaviors has always been hard.

Are there carrots? Are there sticks? When the top echelon of the organization, public or private, commits to security, how do you then execute on that? Are there some steps that you’ve learned or seen that help people get incentivized -- or whacked upside the head, so to speak, when necessary?

Talk the security talk and listen up

Ludwig: We definitely haven’t gone for “whacked upside the head.” I’m not sure that works for anybody at this point, but maybe I’m just a progressive when it comes to how to properly train employees.

What we have seen work is just talking about it on a regular basis, asking about the things that we’re doing from a security standpoint. Are they working? Are they getting in your way? Honestly, showing that there’s thoughtfulness and concern going into the development of those security improvements goes a long way toward making people more comfortable with following through on them.

A great example is … You roll out two-factor authentication, and then you ask, “Is it getting in the way? Is there anything that we can do to make this better? This is not the be-all and end-all. We want to improve this over time.”

That type of introspection by the security organization is surprising to some people. The idea that the security team doesn’t want it to be disruptive, that they don’t want to get in the way, can go a long way toward it feeling as though these new protections are less disruptive and less problematic than they might otherwise feel.

Gardner: And when the organization is focused on developers? Developers can be, you know …

Ludwig: Ornery?

Gardner: “Ornery” works. If you can make developers work toward a fabric of security mindedness and culture, you can probably do it to anyone. What have you learned on injecting a better security culture within the developer corps?

Ludwig: A lot of it starts, again, at the top. You know, we have core values that invoke vulgarity to both emphasize how important they are, but also how simple they are.

One of Atlassian’s values is, “Don’t fuck the customer.” And as a result of that, it’s very easy to remember, and it’s very easy to invoke. “Hey, if we don’t do this correctly, that’s going to hurt the customer.” We can’t let that happen as a top-level value.

We also have “Open company, no-bullshit”. If somebody says, “I see a problem over here,” then we need to follow up on it, right? There’s not a temptation to cover it up, to hide it, to pretend it’s not an issue. It’s about driving change and making sure that we’re implementing solutions that actually fix things.

There are countless examples of a feature that was built, and we really want to ship it, but it turns out it’s got a problem and we can’t do it because that would actually be a problem for the customer. So, we back off and go from there.

How to talk about security

Gardner: Words are powerful. Brands are powerful. Messaging is powerful. What you just said made me think, “Maybe the word security isn’t the right word.” If we use the words “customer experience,” maybe that’s better. Have you found that? Is “security” the wrong word nowadays? Maybe we should be thinking about creating an experience at a larger level that connotes success and progress.

Ludwig: Super interesting. Apple doesn’t use the word “security” very much at all. As a consumer brand, what they focus on is privacy, right? The idea that they’ve built highly secure products is motivated by the users’ right to privacy and the users’ desire to have their information remain private. But they don’t talk about security.

I always thought that was a really interesting decision on their part. When I was at Google, we did some branding analysis, and we also came up with insights about how we talked about security. It’s a negative from a customer’s standpoint. And so, most of the references that you’ll see coming out of Google are security and privacy. They always attach those two things together. It’s not a coincidence. I think you’re right that the branding is problematic.

Microsoft uses trustworthy, as in trustworthy computing. So, I guess the rest of us are a little bit slow to pick up on that, but ultimately, it’s a combination of security and a bunch of other things that we’re trying to enable to make sure that the products do what we’re expecting them to do.

Gardner: I like resilience. I think that cuts across these terms because it’s not just the security, it’s how well the product is architected, how well it performs. Is it hardened, in a sense, so that it performs in trying circumstances – even when there are issues of scale or outside threats, and so forth. How do you like “resilience,” and how does that notion of business continuity come into play when we are trying to improve the culture?

Ludwig: Yes, “resilience” is a pretty good term. It comes up in the pop psychology space as well. You can try to make your children more resilient. Those are the ones that end up being the most successful, right? It certainly is an element of what you’re trying to build.

A “resilient” system is one in which there’s an understanding that it’s not going to be perfect. It’s going to have some setbacks, and you need to have it recoverable when there are setbacks. You need to design with an expectation that there are going to be problems. I still remember the first time I heard about a squirrel shorting out a data center and taking down the whole data center. It can happen, right? It does happen. Or, you know, you get a solar event and that takes down computers.

There are lots of different things that you need to build to recover from accidental threats, and there are ones that are more intentional -- like when somebody deploys ransomware and tries to take your pipeline offline.

Gardner: To be more resilient in our organizations, one of the things that we’ve seen with developers and IT operations is DevOps. Has DevOps been a good lesson for broader resilience? Is there something we can do with other silos in organization to make them more resilient?

DevOps derives from experience

Ludwig: I think so. Ultimately, there are lots of different ways people describe DevOps, but I think about taking what used to be a very big thing and acknowledging that you can’t comprehend the complexity of that big thing. Choosing instead to embrace the idea that you should do lots of little things, in aggregate, and that they’re going to end up being a big thing.

And that is a core ethos of DevOps, that each individual developer is going to write a little bit of code and then they’re going to ship it. You’re going to do that over and over and over. You are going to do that very, very, very quickly. And they’re going to be responsible for running their own thing. That’s the operations part of the development. But the result is, over time, you get closer to a good product because you can gain feedback from customers, you’re able to see how it’s working in reality, and you’ll be able to get testing that takes place with real data. There are lots of advantages to that. But the critical part of it, from a security standpoint, is it makes it possible to respond to security flaws in near real-time.

Often, organizations just aren’t pushing code frequently enough to be able to know how to fix a security problem. They are like, “Oh, our next release window is 90 days from now. I can’t possibly do anything between now and then.” Getting to a point where you have an improvement process that’s really flexible and that’s being exercised every single day is what you get by having DevOps.

And so, if you think about that same mentality for other parts of your organization, it definitely makes them able to react when something unexpected happens.

Gardner: Perhaps we should be looking to our software development organizations for lessons on cultural methods that we can apply elsewhere. They’re on the bleeding edge of being more secure, more productive, and they’re doing it through better communications and culture.

Ludwig: It’s interesting to phrase it that way because that sounds highfalutin, and that they achieved it out of expertise and brilliance. What it really is, is the humbleness of realizing that the compiler tells you your code is wrong every single day. There’s a new user bug every single day. And eventually you get beaten down by all those, and you decide you’re just going to react every single day instead of having this big thing build up.

So, yes, I think DevOps is a good example but it’s a result of realizing how many flaws there are more than anything highfalutin, that’s for sure.

Gardner: The software doesn’t just eat the world; the software can show the world the new, better way.

Ludwig: Yes, hopefully so.

Future best security practices

Gardner: Adrian, any thoughts about the future of better security, privacy, and resilience? How will ML and AI provide more analysis and improvements to come?

Ludwig: Probably the most important thing going on right now in the context of security is the realization by the senior executives and boards that security is something they need to be proponents for. They are pushing to make it possible for organizations to be more secure. That has fascinating ramifications all the way down the line.

If you look at the best security organizations, they know the best way to enable security within their companies and for their customers is to make security as easy as possible. You get a combination of the non-security executive saying, “Security is the number-one thing,” and at the same time, the security executive realizes the number-one thing to implement security is to make it as easy as possible to embrace and to not be disruptive.

And so, we are seeing faster investment in security that works because it’s easier. And I think that’s going to make a huge difference.

There are also several foundational technology shifts that have turned out to be very pro-security, which wasn’t why they were built -- but it’s turning out to be the case. For example, in the consumer space the move toward the web rather than desktop applications has enabled greater security. We saw a movement toward mobile operating systems as a primary mechanism for interacting with the web versus desktop operating systems. It turns out that those had a fundamentally more secure design, and so the risks there have gone down.

The enterprise has been a little slow, but I see the shift away from behind-the-firewall software toward cloud-based and software as a service (SaaS) software as enabling a lot better security for most organizations. Eventually, I think it will be for all organizations.

Those shifts are happening at the same time as we have cultural shifts. I’m really optimistic that over the next decade or two we’re going to get to a point where security is not something we talk about. It’s just something built-in and expected in much the same way as we don’t spend too much time now talking about having access to the Internet. That used to be a critical stumbling block. It’s hard to find a place now that doesn’t or won’t soon have access.

Gardner: These security practices and capabilities become part-and-parcel of good business conduct. We’ll just think of it as doing a good job, and those companies that don’t do a good job will suffer the consequences and the Darwinian nature of capitalism will take over.

Ludwig: I think it will.

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on building security-minded cultures within public and private organizations.

And we’ve learned how behavior, culture, attitude, and organizational shifts create both hurdles and solutions for making businesses more intrinsically resilient by nature.


So, join me in thanking our guest, Adrian Ludwig, CISO at Atlassian. Thank you so much, Adrian, I really enjoyed it.

Ludwig: Thanks, Dana. I had a good time as well.

Gardner: And a big thank you to our audience for joining this BriefingsDirect IT security culture discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Traceable AI-sponsored BriefingsDirect interviews.

Stay tuned for our next podcast in this series, with a deep-dive look at new security tools and methods with Sanjay Nagaraj, Chief Technology Officer and Co-Founder at Traceable AI.

Look for other security podcasts and content at www.briefingsdirect.com.

Thanks again for listening. Please pass this along to your business community and do come back for our next chapter.

Transcript of a discussion on creating broader awareness of security risks and building a security-minded culture across organizations and ecosystems. Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.
