HPE is bringing thousands of customers, partners, and industry experts back to Las Vegas for HPE Discover 2022. We’re holding an open call for presentations January 18 – February 25. This is your chance to get involved and share your experiences, knowledge, and expertise. Submit your proposal today.  Learn more about HPE Discover 2022.

 

Today’s diversity of hybrid IT models and environments demands that IT services and support accommodate more digital variables than ever. This burgeoning complexity and the fast-changing dynamics of digital businesses are pushing enterprises to seek a complete and holistic way to support all their technology — from every edge to every cloud — in one bold stroke.

That’s the market driver behind a new pan-IT services offering from Hewlett Packard Enterprise (HPE) Pointnext Services called HPE Pointnext Complete Care. The all-inclusive approach moves past product-based experiences of support to an all-IT-environment-wide experience. It both reaches back to provide legacy and product support and extends to the intelligence-driven and proactive optimization of all digital business services.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. 

The next BriefingsDirect Voice of Tech Services Innovation series interview examines how HPE Pointnext Services has developed this solution to satisfy the broad new definition of complete IT tech support.

To learn more about bringing what amounts to a warm blanket of support across the entire IT environment please welcome Gerry Nolan, Director of Operational Services Portfolio at HPE Pointnext Services. The interview is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. Here are some excerpts:

Gardner: Gerry, how has the world changed since HPE Datacenter Care arrived back in 2012? I guess we can no longer define IT by a datacenter metric — it’s now gone much broader and wider.

Nolan: You said it, Dana. I feel a bit old thinking that 2012 was just yesterday. But back then the momentum was all around IT consolidation, the move to virtualization, and customers moving to x86 platforms.

IT’s not 2012 anymore

At the time, studies showed that average downtime was about 97 minutes per year, with the average cost at $8,000 a minute. The most common cited reason for failure was the hardware, along with people making mistakes. At the time, about 50 percent of the downtime was caused by hardware failure and 50 percent by human error.

Today, studies show that the world is a totally different place. Now it’s all about hyper converged infrastructure (HCI), hybrid IT, and cloud computing in all its various forms. The move to edge is a significant trend. And, of course, the move to digital transformation has been accelerated by the COVID-19 pandemic. And that means it’s all about IT as an experience and bringing differentiated experiences to the market.

Look at areas outside of IT. If you think about buying a car and how Tesla has transformed that experience or going on a vacation and how web sites such as Airbnb or Booking.com have totally transformed that. The experiences define those use cases — and IT is no different.

In 2020, studies showed that downtime is even more scary — with the average cost of a minute of downtime up from $8,000 to $17,000. With the move to digital, any downtime or impact to your digital platform has massive implications not just with the direct revenue and orders impact, but they can seriously damage your reputation and brand for years.

With the move to digital, any downtime or impact to your digital platform has massive implications not just with the direct revenue and orders impact, but they can seriously damage your reputation and brand for years.

An IDC study that jumped out at me last year, for example, says having a support experience around IT shouldn’t be viewed like it was back in 2012, as an insurance policy. Today it’s more important to think about partnership agreements that drive better service-level agreement (SLAs) and overall performance. It’s about driving the business forward and enabling the business.

IDC found the enterprises that had these types of agreements saved an average of 634 hours of unplanned downtime. And 200 hours of that were the benefit of the proactive nature of using artificial intelligence (AI) and other tools, as well as having access to smart people who help mitigate against the bad things from happening.

So, yes, the world really has changed a lot since we first introduced HPE Datacenter Care back in 2012.

Gardner: Sure, so we’ve seen the change of vendor and support relationships to more of a partnership in supporting the full business. But there’s been a progression to getting to what we now call HPE Pointnext Complete Care. And one of those big steps was with HPE Pointnext Tech Care. How did that fit into the progression? How should we think about this as an evolution?

Nolan: Yes, we are transforming the overall support experience for our customers. The first step out of the gate was differentiating the experience with our HPE products by crafting a new, totally transformed support experience called HPE Pointnext Tech Care. We launched that in April on our HPE Server product line. It will be fully available across all products by August.

Time to transform how we work

It transforms and uplifts the user experience when dealing with HPE products by bringing to bear a whole range of new aspects, including a new digital platform, to allow customers much easier access to both the knowledge they need as well as multiple ways of accessing our experts around the world. They can do that through video, chat, moderated forums, and live conversations. It also embeds AI, so the telemetry built into our products feeds back to the mothership and then delivers a wide array of dashboards, alerts, insights, and recommendations back to the customers.

 

As a result, the users have a beautiful, rounded, broader suite of capabilities that allows them to gain more information to more easily self-solve and self-serve. But, of course, they also have broad access to knowledge and expertise when and how they need it. That’s what HPE Pointnext Tech Care, which replaces HPE Foundation Care and HPE Proactive Care, is all about.

For those familiar with those services, which have been around for many years, HPE Pointnext Tech Care is the new, single product support experience for all HPE products. We’re very proud of it and we’re getting great feedback from our initial customers. They love that they can go to a single portal and see these dashboards. They now have many ways of accessing our experts, and, of course, everyone’s different. Some people like to talk live to experts, while others like to watch videos or go to moderated forums to talk with peers and other customers. Our experts are also in those forums responding and providing links to various articles.

It’s a very rich — and we believe — transformative experience that takes support to the next level. And, with HPE Pointnext Complete Care, we’re going to elevate that even more by taking support beyond the products and looking at the entire environment.

 

Gardner: Another big differentiator for HPE Pointnext Services is that this not just for HPE support — this is pan-vendor support. You’ve been agnostic in supporting — with one throat to choke, if you will — a vast universe of technology. How does HPE Pointnext Complete Care advance that concept of all under the same support umbrella?

Nolan: Yes, we’ve been doing that for years, adding significant multivendor capabilities. With HPE Pointnext Complete Care, it focuses further on providing a complete support experience for the customer. That includes whatever capabilities exist — both from inside of HPE or some of our partners – and brings all of that into a complete, single framework for the client. That means covering the customers’ complete IT environment, however they define it, by acting as their single point of contact for whatever they define as their IT. In these days, of course, that can be quite a wide and varied scope.

For example, a casino I recently talked to is actively acquiring new companies in different parts of the world. They’re bringing onboard those companies, all with their own IT setups. The chief information officer (CIO) is looking to bring all of that together under a single framework with a single partner to work with them. They want to evolve to control what they have, as well as take it all to a more standard framework.

Another company that jumps to mind is a large international bank looking to move to an increasingly hybrid IT structure, with some on-premises cloud services to support their legacy IT. They’re migrating from that legacy to an x86, container-based, heavily automated private cloud. They need a single partner to help them through that digital transformation and through that evolution. The goal is to help them operate and manage their old, while also taking care of all of that new technology.

HPE Pointnext Complete Care brings it all under one umbrella to give the customer a single team and a single point of contact. Whatever IT they have, they can work with that single partner to optimize the entire environment.

There are many aspects to HPE Pointnext Complete Care in terms of helping a customer in those different use cases. It’s not just HPE products. It’s many different IT technologies. Today that includes things such as hyper-converged, edge, and Internet of Things (IoT). There’s a lot of open source use, and a plethora of other software including some of the new automation tools.

HPE Pointnext Complete Care brings all of that under one umbrella to give the customer a single team and a single point of contact. So whatever they have in their IT — wherever their IT is — they can work with that single partner to operate and optimize that entire environment.

Gardner: The timing seems perfect because, as you mentioned, there’s so much more complexity to providing a business service that ultimately reaches back into multiple service providers, using multiple technologies.

Nolan: Exactly.

Gardner: We need those services to be robust. If there are issues, there’s no time to point fingers but instead to find the root causes and assign responsibility for fixing it. You need to look at the whole picture, and the speed element is something here that strikes me as essential.

Nolan: Absolutely.

Gardner: It seems to me that we’re looking at an awfully complex undertaking. How do you mitigate the complexity?

Comprehend complexity and manage it

Nolan: Yes, customers are challenged. We’re still in the pandemic. We’ve learned a lot from our customers as they have worked through all the various implications. The response has elevated the whole move to digital, as I mentioned. It’s really important that customers have a strong handle on the digital aspects of their businesses.

Whether you’re ordering coffee, buying a car, or doing some banking, you’re working with some level of digital platforms these days. Therefore, that becomes a critical aspect of enabling the business. We want to make sure we can help customers set up, run, and optimize their digital platforms – and that’s something HPE Pointnext Complete Care is set up to do.

 

Risk mitigation is critical. We see customers challenged with just trying to get ahead of issues before those issues cause downstream impact to their businesses. They want access to expertise and best practices. They are obviously always looking to get the best bang for the buck because customers are still under tight cost constraints.

They also have struggles due to the finger-pointing that comes with managing multiple vendors and as they bring on more open source software and automation tools. There are more and more companies involved, and so more and more and different relationships to manage. All of this can be challenging.

If you’re struggling with bandwidth and budget while trying to mitigate risk — all these factors build to create challenges across all of those dimensions. Having a single point of contact is something we see customers challenged with — and something they value a lot.

We also see organizations aim to reduce their carbon footprint and achieve new corporate-wide sustainability goals. So, that’s something we’re also building into the HPE Pointnext Complete Care value. Working with our financial services organization within HPE allows customers to benefit from their programs. They can monetize old hardware, and we can buy that hardware back and give the customer a payment that they can then invest in newer technologies — more carbon friendly and sustainable approaches. So, we’re excited about how we can help customers across all these different dimensions.

Gardner: As a recap from our earlier discussion when HPE Pointnext Tech Care came out back in the spring, one of the things that was very impressive to me was the use of technology to better manage – technology. At HPE Pointnext Services, you’re using technology to trace and discover IT assets and use that data to gain a complete view of what’s going on in an organization.

Working with our financial services organization within HPE allows customers to benefit, too. They can monetize old hardware. HPE will buy it back so they can invest in newer technologies — more carbon friendly and sustainable approaches.

It’s allowing not just break-fix reactions but the capability to get out in front and to be proactive on maintenance, patching, and to quickly identify anomalies to head them off before they become breakdowns. So, the advent of the technology that you’re able to use to satisfy these problems is also very powerful, and HPE Pointnext Tech Care demonstrated that.

Nolan: Absolutely, well said.

Gardner: All right, let’s go to HPE Pointnext Complete Care in more detail. This has just arrived. People are trying to wrap their heads around it. What’s the grand vision for HPE Pointnext Complete Care now that we’ve moved through this evolution from HPE Pointnext Tech Care and better understand the IT environment that we’re in?

A warm blanket of IT support

Nolan: I view the HPE Pointnext Complete Care experience as that “warm blanket” of support that we can put around the entire customer’s IT environment. The beauty of the framework is we’re going to be delivering and evolving this over the coming months to provide a modular approach. That means we can provide flexibility across an extensive and growing menu of capabilities.

Whether it’s looking at your security, compliance, or performance – this includes all the different aspects of your IT. It means managing your assets, be it hardware or the software licenses. And then we provide the innovative solutioning tools to our partners as well as our own staff to enable personalization for each of those different customer use cases I mentioned.

 

Yet every customer is different. They’re all starting from a different point on their journey. We will wrap around all those requirements that the customer has a single framework, a single team, a single contract, and a single invoice.

Everything needs to be simpler for the customer, even as their use cases have gotten more complex. It requires the wealth of HPE’s capabilities across all the technology — or in the multi-vendor space. We have a massive capability globally to fix and repair non-HPE products. So, whether it’s Dell servers, or IBM systems, or Brocade switches, or NetApp storage arrays — customers are often surprised that we can provide the same level of support on their non-HPE technology as their HPE technology.

We will keep investing in the digital platforms to bring forward all the AI and telemetry and make it more broadly available, as well as enriching the dashboards, alerts, and insights provided to customers that have the HPE Pointnext Complete Care framework. We will constantly make it better and help customers manage the lifecycle — not just provide support.If customers need to look at their strategy plans, we can bring in our strategy consultants. If they have a need for flexibility around payment plans or to monetize their older assets, we can partner with our financial services colleagues and bring them to the table. All of this can be done through a single HPE Pointnext Complete Care framework. It delivers a complete, end-to-end suite of value to cover all needs. That’s what makes our vision quite exciting for me.

Gardner: When I first learned about HPE Pointnext Complete Care, I said to myself, “Wow, this is pretty ambitious.” And one of the things I wondered is how you’re able to manage being all inclusive — providing a single point of contact — yet at the same time personalize and customize the support experience for every customer. How are you able to pull that off, Gerry, to be all-inclusive and simplified, but also customized and tailored to each company?

Nolan: That’s one of the beautiful things about HPE Pointnext Complete Care. We have a big benefit in that we’ve been doing this for – and I’m embarrassed because I’ve been here most of these — 40 years. We’ve been doing support of customer’s technology — whether it’s HP, HPE, or non-HPE technologies — for a very long time. We’ve built up amazing global capabilities, whether it’s supply chain or expert teams that specialize in different areas like SAP HANA or security or VMware or Linux or automation or containers — name your tech topic. We built up deep teams of experts that we can draw upon.

HPE Pointnext Complete Care is a big toolbox of capabilities across the company. We have teams that can readily help customers regardless of where they are on their journey. We’re able to do this due to the sheer breadth of capabilities available to us.

If you can imagine, HPE Pointnext Complete Care is this big toolbox of capabilities across the company, as well as working with our partners, and that helps speak to a customer. You can view that customer in their own unique scenario. It’s very helpful when you can turn around and talk to your consulting colleagues and bring in some strategy or help for the customer who has a desire to move to cloud. They may need some help figuring out, “How do I architect a good solution for all my various workloads?”

Because we know that not every workload is going to work in the cloud, we know that customers don’t typically throw out all their old technology. They want to keep their old technology but also get the most from it for as long as possible while they move to the newer models. And we have teams within our organization that can readily help customers regardless of where they are on that journey.

Again, we’re able to do this due to the sheer breadth and depth of the capabilities available to us. It allows us to turn up and develop what appears a custom-built solution for each customer. But, in fact, we’re leveraging capabilities that have been built up over 40-plus years. We’re putting them together uniquely for each client and we have the flexibility to do that. We are not tied to any one model, whether it’s on-premises, off-premises, hybrid cloud, IoT, edge, and containers.

We don’t have any specific bias to pushing a customer in one direction. We have so many tools in our toolkit, we do the best for that customer and give them the outcome that best satisfies their unique needs with HPE Pointnext Complete Care. That’s the value proposition and the beauty of the framework. We pick and choose the tools, assets, and capabilities and we map those to each individual client.

Gardner: Let’s chunk this out a bit. What are the major modules in HPE Pointnext Complete Care? How should we think about it in terms of how it’s constructed and architected?

Personalized, customer-centric care

Nolan: Because we’ve been doing this for a while, we carry forward into HPE Pointnext Complete Care all those proven key elements that customers love and are already delivering value. That includes key elements like having an assigned team with named individuals that work with the customer. That’s the first thing we will do with an HPE Pointnext Complete Care customer.

While we’re onboarding them, we enhance that by adding new roles into that assigned team and providing new profiling capabilities. We get to know that customer’s business, their key objectives and priorities, and then we build that into the plan and make sure anyone interacting with that customer has full visibility to what’s important to that specific customer.

For example, say I’m working with you, the customer, and you have a big customer event next week. We’re going to make sure that the entire HPE team working with you is ready to support you in that big event. We are going to make sure we mitigate all possible risks, and we’re going to have extra staff on hand to support you during that event. It’s important to have that level of detail of profiling. So, that assigned team is the first critical element.

 

In the broader scope, with HPE Pointnext Complete Care, we’re expanding the products and software that we can cover in the customer framework agreement. That helps to enhance the incident management capabilities. When bad things do happen – because, at the end of the day, hardware will at some point fail, or somebody will make a mistake — we make sure we can mitigate that. Whenever bad things occur, we’re enhancing the way that we manage those incidents. It makes for the best possible experience.

And, of course, we’re expanding the menu of new support capabilities; things like, broader services for open-source assets. We see many customers challenged with deploying the different varieties of open source products. And the move to automation and containers is accelerating the push to use of open source. Many of our customers are saying, “Boy, this is hard. It’s more complex than we imagined. It sounded, easy, fast, and cheap, but it’s none of those things.”

There are many benefits to moving to open source, but it is quite challenging. So that’s an area we’re going to help customers with. We have a lot of open source expertise within our company. We’re going to ramp that up with the launch of HPE Pointnext Complete Careto offer customers a single point of contact for all their open source tools.

And then, aligned with that, is our big focus on software in general. We see customers — especially coming out of COVID – who had companies such as Microsoft, Oracle, and others open up access to free licenses. But now, coming out of the pandemic, those vendor companies rightfully are saying, “Well, gee, we need to monetize this now. We need to audit what software is being used by our customers.” And, of course, those customers in many cases are struggling to know what software is in their estate. They have huge estates, now with remote software to enable their global remote workforce, and in many cases that’s gotten out of control. We see customers who don’t know what software they have. Nor do they have a good handle on the associated costs, compliance issues, and security risks.

We help customers find all their software licenses. We show them via different dashboards what’s being used. They can also see compliance risks, as well as where they’re spending too much. They can even manage their software estate.

As a result, another HPE Pointnext Complete Care module we’re launching focuses on software asset management (SAM). We help customers find all their software licenses. We show them via different dashboards what’s being used. They can also see where they have security and compliance risks, as well as what they’re spending — and perhaps where they’re spending too much. It shows how they could save money via recommendations in those dashboards. If they’d like, we can even do the management of their software estate thanks to the new SAM capabilities in HPE Pointnext Complete Care.

Those are some of the new exciting modules. It’s a long list, but those are a couple that jump to mind in terms of some of the new exciting capabilities we’re now introducing.

Gardner: As a global organization, HPE is helping each of these companies deal with these issues. That means what you learn in one part of world from one type of company can be applied to everybody else. There’s a vast amount of data gathered, and that can be applied and reapplied. It’s a very exciting time.

Gerry, let’s talk about your go-to-market strategy. This isn’t just an HPE-only entry point. What are you doing to make HPE Pointnext Complete Care available across a channel partner ecosystem?

Harness the power of partnerships

Nolan: HPE, like so many big companies, relies on our trusted partners around the world. We have an awesome network of partners, and we’re very excited with HPE Pointnext Complete Care to be opening that experience up to our channel partners.

Many partners have the desire to create an experience like HPE Pointnext Complete Care and deliver it to their end customers. But they may not have the full suite of capabilities. So, combining our capabilities with their capabilities, they all might be able to directly quote proposals to their end customers.

That would include HPE Pointnext Complete Care plus their own value. That’s a new capability available with HPE Pointnext Complete Care. We provide a new solutioning platform, which channel partners can directly access themselves. They can create proposals, basically on their own, and then bring in all the value of HPE plus their own value and be compensated to do that. So, it’s good for the customer, it’s good for the channel partner, and, of course, it’s jointly good for us as well. So, everybody wins.

Gardner: We’ve addressed the vast IT heterogeneity and how HPE Pointnext Complete Care will address that. But looking a little bit closer to home, within the HPE family of products, this has also given you an opportunity to unify around your HPE GreenLake as-a-service economics. You can put that umbrella over your product lines, such as Nimble storage, Cray for HPC, Ezmeral, and Aruba for networking and edge. So, tell us how HPE Pointnext Complete Care not only unifies a vendor ecosystem but unifies the HPE ecosystem and procurement models as well?

Nolan: One of the reasons we chose the name HPE Pointnext Complete Care is we are delivering that complete experience of bringing together a consistent, single point of support for the customer across all our products. I’m excited to say that, “Yes, we’re expanding the scope of HPE Pointnext Complete Care.”

 

So it includes all the products you just mentioned. Whether you have Nimble in your environment or HPE’s new container platform, called Ezmeral, or Cray, or even Aruba on the edge — all of that can be included alongside your servers, storage, and the non-HPE everything you have under a single HPE Pointnext Complete Care contract.

And, of course, the other nice thing about HPE Pointnext Complete Care is HPE GreenLake, our as-a-service-offering model for those customers who want to buy their IT — whether it’s on-premises or a colocation – and pay on an as-you-go basis, with a monthly bill for whatever they use. HPE GreenLake is the solution. In every HPE GreenLake engagement, at the heart of it, also has HPE Pointnext Complete Care. HPE Pointnext Complete Care carries the part that delivers the support and optimizes the performance of all that IT.

HPE GreenLake, we’re very excited to say, is called the “cloud that comes to you” because it delivers all the benefits of hybrid IT but with HPE Pointnext Complete Care in that expanded scope for support. We cover all the products you mentioned, all the elements of HPE GreenLake, and we’ll be adding to that as we learn and get more feedback from customers. We’re pretty excited.

Gardner: It’s near the end of summer 2021, and this is new to the market. But do you have any early adopters or beta customers that you can look to and say, “Yes, we’ve been describing this, but here’s how it’s working in practice?” Where is this being used first, and what are they getting for it?

A case in point takes flight

Nolan: A recent example comes to mind. A major aircraft manufacturer is struggling with a large, complex IT environment. By the nature of their business, it’s a very sensitive IT environment. They need to work with clusters and proven partners. We in 2021 signed a five-year engagement with that organization.

HPE is their sole IT support provider. We’re providing HPE Pointnext Complete Care coverage for their entire IT environment, including support for more than 20 different vendors. That means all types of hardware and software — way beyond just the HPE products. It includes managing all their software licenses, a very large software estate across their environment. It includes helping them operate all the IT operations — from planning through to support. We will take on the relationships with their other vendors, and we’ll provide that customer a single view, a single dashboard, and map to their key performance indicators (KPIs).

We’re providing HPE Pointnext Complete Care coverage for their entire IT environment, including support for more than 20 different vendors. That means all types of hardware and software. It includes helping them operate all the IT — from planning to support. We provide a single dashboard view and a map to the KPIs.

It’s an exciting engagement. And, of course, every customer will be measuring the value this way — the idea of aligning with the customer on what KPIs are. Then we’ll constantly review and update those with the customer as we jointly make progress together.

This large deal is a good proof-point. It has most of the elements of HPE Pointnext Complete Care that I’ve been talking about. We are in discussions with many other customers in similar types of use case scenarios, where HPE Pointnext Complete Care provides that single point of contact across their complete IT estate. And, of course, we’re bringing to bear that complete suite of value.

Gardner: Is there a crawl, walk, run approach to HPE Pointnext Complete Care? How do you get started? How do you learn more?

Nolan: You can absolutely start with a small HPE Pointnext Complete Care contract, perhaps for one key part of your infrastructure or environment, and then grow from that over time. It’s totally flexible. I encourage anyone who believes that this might be an experience that would help them to engage through their authorized channel partner or directly with an HPE account manager representative.

There’s also a wealth of information on the HPE.com website in the HPE Pointnext Services area. We would love to come in and just discuss what’s going on in the customer’s environment. What are some of their challenges? What are some of their desired IT estate goals? And then just figure out, how we can help. And if we can help them and put together something that works for them.

Gardner: Gerry, what comes next? It sounds to me when you combine HPE GreenLakeand HPE Pointnext Complete Care that we’re reverse engineering from the business outcomes back to what the IT requirements as services are. We’re revolutionizing IT. Even the economics of IT shift.

How does the advent of HPE Pointnext Complete Care work with some of these other trends to reinvent IT? Are we really looking at something that’s substantially different?

The IT solution revolution

Nolan: As vendors, we really need to continually step-up the game. As we’re trying to do here, we need to bring more value to customers who in turn are having to do that with their end customers. This spans the entire IT lifecycle – from helping customers with strategy, all the way through to operating and managing the IT estate.

It’s no longer good enough to just provide support, the sort of break-fix support. Instead, we must provide an end-to-end lifecycle experience for all IT, where we’re bringing in advice, help, insights, recommendations, and, of course, best-in-class support. For us, that includes continued investment in scaling up our people and building new solutions, as well as extending our AI and machine learning (ML) to bring about entirely new types of insights.

We can stop the bad things from happening before they happen. And technologies like augmented reality (AR) will help elevate the experience, allowing us to better support remote sites and every type of computing and business edge. We already support customers on ships, on oil rigs, and on the tops of mountains. There’s nowhere our support can’t go.We’re constantly innovating and coming up with new solutions, which is why we’re making these investments. We see these as critical as the customers do. Business doesn’t stop, innovation doesn’t stop, and we’re going to stay ahead. That’s what we’re trying to do with HPE Pointnext Complete Care.

Gardner: Yes, you’re changing the relationship with your customers. It’s truly a partnership. When they succeed, you succeed, and vice-versa — and you’ll need to work together to make that continue. It’s an exciting opportunity.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Hewlett Packard Enterprise Pointnext Services.

YOU MAY ALSO BE INTERESTED IN:

• How HPE Pointnext Tech Care changes the game for delivering enhanced IT solutions and support

• How HPE Pointnext ‘Moments’ provide a proven critical approach to digital business transformation

• How to industrialize data science to attain mastery of repeatable intelligence delivery

• The journey to modern data management is paved with an inclusive edge-to-cloud Data Fabric

• The IT intelligence foundation for digital business transformation rests on HPE InfoSight AIOps

• How Digital Transformation Navigates Disruption to Chart a Better Course to the New Normal

• How the right data and AI deliver insights and reassurance on the path to a new normal

• How IT modern operational services enables self-managing, self-healing, and self-optimizing

• How HPE Pointnext Services ushers businesses to the new normal via an inclusive nine-step plan

Bringing broader awareness of security risks and building a security-minded culture within any public or private organization has been a top priority for years.

Yet halfway through 2021, IT security remains as much a threat as ever — with multiple major breaches and attacks costing tens of millions of dollars occurring nearly weekly.

Why are the threat vectors not declining? Why, with all the tools and investment, are businesses still regularly being held up for ransom or having their data breached? To what degree are behavior, culture, attitude, and organizational dissonance to blame?

Join us here as BriefingsDirect probes into these more human elements of IT security with a leading chief information security officer (CISO).

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

To learn more about adjusting the culture of security to make organizations more resilient, please welcome Adrian Ludwig, CISO at Atlassian. The interview is conducted by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Adrian, we are constantly bombarded with headlines showing how IT security is failing. Yet, for many people, they continue on their merry way — business as usual.

Are we now living in a world where such breaches amount to acceptable losses? Are people not concerned because the attacks are perceived as someone else’s problem?

Ludwig: A lot of that is probably true, depending on whom you ask and what their state of mind is on a given day. We’re definitely seeing a lot more than we’ve seen in the past. And there’s some interesting twists to the language. What we’re seeing does not necessarily imply that there is more exploitation going on or that there are more problems — but it’s definitely the case that we’re getting a lot more visibility.

I think it’s a little bit of both. There probably are more attacks going on, and we also have better visibility.

Gardner: Isn’t security something we should all be thinking about, not just the CISOs?

Ludwig: It’s interesting how people don’t want to think about it. They appoint somebody, give them a title, and then say that person is now responsible for making security happen.

But the reality is, within any organization, doing the right thing — whether that be security, keeping track of the money, or making sure that things are going the way you’re expecting — is a responsibility that’s shared across the entire organization. That’s something that we are now becoming more accustomed to. The security space is realizing it’s not just about the security folks doing a good job. It’s about enabling the entire organization to understand what’s important to be more secure and making that as easy as possible. So, there’s an element of culture change and of improving the entire organization.

Gardner: What’s making these softer approaches — behavior, culture, management, and attitude – more important now? Is there something about security technology that has changed that makes us now need to look at how people think?

Ludwig: We’re beginning to realize that technology is not going to solve all our problems. When I first went into the security business, the company I worked for, a government agency, still had posters on the wall from World War II: Loose lips sink ships.

Learn More  

About Traceable.ai

The idea of security culture is not new, but the awareness is, across organizations that any person could be subject to phishing, or any person could have their credentials taken — those mistakes could be originating at any place in the organization. That broad-based awareness is relatively new. It probably helps that we’ve all been locked in our houses for the last year, paying a lot more attention to the media, and hearing about attacks that have been going on at governments, the hacking, and all those things. That has raised awareness as well.

Gardner: It’s confounding that people authenticate better in their personal lives. They don’t want their credit cards or bank accounts pillaged. They have a double standard when it comes to what they think about protecting themselves versus protecting the company they work for.

Data safer at home or work?

Ludwig: Yes, it’s interesting. We used to think enterprise security could be more difficult from the user experience standpoint because people would put up with it because it was work.

But the opposite might be true, that people are more self-motivated in the consumer space and they’re willing to put up with something more challenging than they would in an enterprise. There might be some truth to that, Dana.

Gardner: The passwords I use for my bank account are long and complex, and the passwords I use when I’m in the business environment … maybe not so much. It gets us back to how you think and your attitude for improved security. How do we get people to think differently?

Ludwig: There’s a few different things to consider. One is that the security people need to think differently. It’s not necessarily about changing the behavior of every employee in the company. Some of it is about figuring out how to implement critical solutions that provide security without changing behavior.

Security people need to think differently. It’s not necessarily about changing the behavior of every employee in the company. It’s about implementing solutions that provide security without changing behavior.

There is a phrase, the paved path or road; so, making the secure way the easy way to do something. When people started using YubiKey U2F [an open authentication standard that enables internet users to securely access any number of online services with a single security key] as a second-factor authentication, it was actually a lot easier than having to input your password all over the place — and it’s more secure.

That’s the kind of thing we’re looking for. How do we enable enhanced security while also having a better user experience? What’s true in authentication could be true in any number of other places as well.

Second, we need to focus on developers. We need to make the developer experience more secure and build more confidence and trustworthiness in the software we’re building, as well as in the types of tools used to build.

Developers find strength

Gardner: You brought up another point of interest to me. There’s a mindset that when you hand something off in an organization — it could be from app development into production, or from product design into manufacturing — people like to move on. But with security, that type of hand-off can be a risk factor.

Beginning with developers, how would you change that hand-off? Should developers be thinking about security in the same way that the IT production people do?

Ludwig: It’s tricky. Security is about having the whole system work the way that everybody expects it to. If there’s a breakdown anywhere in that system, and it doesn’t work the way you’re expecting, then you say, “Oh, it’s insecure.” But no one has figured out what those hidden expectations are.

A developer expects the code they write isn’t going to have vulnerabilities. Even if they make a mistake, even if there’s a performance bug, that shouldn’t introduce a security problem. And there are improvements being made in programming languages to help with that.

Certain languages are highly prone to security being a common failure. I grew up using C and C++. Security wasn’t something that was even thought of in the design of those languages. Java, a lot more security was thought of in the design of that language, so it’s intrinsically safer. Does that mean there are no security issues that can happen if you’re using Java? No.

Similar types of expectations exist at other places in the development pipeline as well.

Gardner: I suppose another shift has been from applications developed to reside in a data center, behind firewalls and security perimeters. But now — with microservices, cloud-native applications, and multiple application programming interfaces (APIs) being brought together interdependently — we’re no longer aware of where the code is running.

Don’t you have to think differently as a developer because of the way applications in production have shifted?

Ludwig: Yes, it’s definitely made a big difference. We used to describe applications as being monoliths. There were very few parts of the application that were exposed.

At this point, most applications are microservices. And that means across an application, there might be 1,000 different parts of the application that are publicly exposed. They all must have some level of security checks being done on them to make sure that if they’re handling an input that might be coming from the other side of the world that it’s being handled correctly.

Learn More  

About Traceable.ai

So, yes, the design and the architecture have definitely exposed a lot more of the app’s surface. There’s been a bit of a race to make the tools better, but the architectures are getting more complicated. And I don’t know, it’s neck and neck on whether things are getting more secure or they’re getting less secure as these architectures get bigger and more exposed.

We have to think about that. How do we design processes to deal with that? How do you design technology, and what’s the culture that needs to be in place? I think part of it is having a culture of every single developer being conscious of the fact that the decisions they’re making have security implications. So that’s a lot of work to do.

Gardner: Another attitude adjustment that’s necessary is assuming that breaches are going to happen and to stifle them as quickly as possible. It’s a little different mindset, but the more people involved with looking for anomalies, who are willing to have their data or behaviors examined for anomalies makes sense.

Is there a needed cultural shift that goes with assuming you’re going to be breached and making sure the damage is limited?

Assume the worst to limit damage 

Ludwig: Yes. A big part of the cultural shift is being comfortable taking feedback from anybody that you have a problem and that there’s something that you need to fix. That’s the first step.

Companies should let anybody identify a security problem — and that could be anybody inside or outside of the company. Bug bounties. We’re in a bit of arevolution in terms of enabling better visibility into potential security problems.

But once you have that sort of culture, you start thinking, “Okay. How do I actually monitor what’s going on in each of the different areas?” With that visibility, exposure, and understanding what’s going in and out of specific applications, you can detect when there’s something you’re not expecting. That turns out to be really difficult, if what you’re looking at is very big and very, very complicated.

Decomposing an application down into smaller pieces, being able to trace the behaviors within those pieces, and understanding which APIs each of those different microservices is exposing turns out to be really important.

If you combine decomposing applications into smaller pieces with monitoring what’s going on in them and creating a culture where anybody can find a potential security flaw, surface it, and react to it — those are good building blocks for having an environment where you have a lot more security than you would have otherwise.

Gardner: Another shift we’ve seen in the past several years is the advent of big data. Not only can we manage big data quickly, but we can also do it at a reasonable cost. That has brought about machine learning (ML) and movement to artificial intelligence (AI). So, now there’s an opportunity to put another arrow in our quiver of tools and use big data ML to buttress our security and provide a new culture of awareness as a result.

Most applications are so complicated — and have been developed in such a chaotic manner — it’s impossible to understand what’s going on inside of them.Give the robots a shot and see if we can figure it out by turning the machines on themselves.

Ludwig: I think so. There are a bunch of companies trying to do that, to look at the patterns that exist within applications, and understand what those patterns look like. In some instances, they can alert you when there’s something not operating the way that is expected and maybe guide you to rearchitecting and make your applications more efficient and secure.

There are a few different approaches being explored. Ultimately, at this point, most applications are so complicated — and have been developed in such a chaotic manner — it’s impossible to understand what’s going on inside of them. That’s the right time that the robots give it a shot and see if we can figure it out by turning the machines on themselves.

Gardner: Yes. Fight fire with fire.

Let’s get back to the culture of security. If you ask the people in the company to think differently about security, they all nod their heads and say they’ll try. But there has to be a leadership shift, too. Who is in charge of such security messaging? Who has the best voice for having the whole company think differently and better about security? Who’s in charge of security?

C-suite must take the lead 

Ludwig: Not the security people. That will be a surprise for a lot of people to hear me say that. The reality is if you’re in security, you’re not normal. And the normal people don’t want to hear from the not-normal person who’s paranoid that they need to be more paranoid.

That’s a realization it took me several years to realize. If the security person keeps saying, “The sky is falling, the sky is falling,” people aren’t going to listen. They say, “Security is important.” And the others reply, “Yes, of course, security is important to you, you’re the security guy.”If the head of the business, or the CEO, consistently says, “We need to make this a priority. Security is really important, and these are the people who are going to help us understand what that means and how to execute on it,” then that ends up being a really healthy relationship.

The companies I’ve seen turn themselves around to become good at security are the ones such as Microsoft, Google, or others where the CEO made it personal, and said, “We’re going to fix this, and it’s my number-one priority. We’re going to invest in it, and I’m going to hire a great team of security professionals to help us make that happen. I’m going to work with them and enable them to be successful.”

Learn More  

About Traceable.ai

Alternatively, there are companies where the CEO says, “Oh, the board has asked us to get a good security person, so I’ve hired this person and you should do what he says.” That’s the path to a disgruntled bunch of folks across the entire organization. They will conclude that security is just lip service, it’s not that important. “We’re just doing it because we have to,” they will say. And that is not where you want to end up.

Gardner: You can’t just talk the talk, you have to walk the walk and do it all the time, over and over again, with a loud voice, right?

Ludwig: Yes. And eventually it gets quieter. Eventually, you don’t need to have the top level saying this is the most important thing. It becomes part of the culture. People realize that’s just the way – and it’s not that it’s just the way we do things, but it is a number-one value for us. It’s the number-one thing for our customers, too, and so culture shift ends up happening.

Gardner: Security mindfulness becomes the fabric within the organization. But to get there requires change and changing behaviors has always been hard.

Are there carrots? Are there sticks? When the top echelon of the organization, public or private, commits to security, how do you then execute on that? Are there some steps that you’ve learned or seen that help people get incentivized — or whacked upside the head, so to speak, when necessary?

Talk the security talk and listen up

Ludwig: We definitely haven’t gone for “whacked upside the head.” I’m not sure that works for anybody at this point, but maybe I’m just a progressive when it comes to how to properly train employees.

What we have seen work is just talking about it on a regular basis, asking about the things that we’re doing from a security standpoint. Are they working? Are they getting in your way? Honestly, showing that there’s thoughtfulness and concern going into the development of those security improvements goes a long way toward making people more comfortable with following through on them.

A great example is … You roll out two-factor authentication, and then you ask, “Is it getting in the way? Is there anything that we can do to make this better? This is not the be-all and end-all. We want to improve this over time.”

That type of introspection by the security organization is surprising to some people. The idea that the security team doesn’t want it to be disruptive, that they don’t want to get in the way, can go a long way toward it feeling as though these new protections are less disruptive and less problematic than they might otherwise feel.

Gardner: And when the organization is focused on developers? Developers can be, you know …

Ludwig: Ornery?

Gardner: “Ornery” works. If you can make developers work toward a fabric of security mindedness and culture, you can probably do it to anyone. What have you learned on injecting a better security culture within the developer corps?

Ludwig: A lot of it starts, again, at the top. You know, we have core values that invoke vulgarity to both emphasize how important they are, but also how simple they are.

One of Atlassian’s values is, “Don’t fuck the customer.” And as a result of that, it’s very easy to remember, and it’s very easy to invoke. “Hey, if we don’t do this correctly, that’s going to hurt the customer.” We can’t let that happen as a top-level value.

We also have “Open company, no-bullshit”. If somebody says, “I see a problem over here,” then we need to follow up on it, right? There’s not a temptation to cover it up, to hide it, to pretend it’s not an issue. It’s about driving change and making sure that we’re implementing solutions that actually fix things.

There are countless examples of a feature that was built, and we really want to ship it, but it turns out it’s got a problem and we can’t do it because that would actually be a problem for the customer. So, we back off and go from there.

How to talk about security

Gardner: Words are powerful. Brands are powerful. Messaging is powerful. What you just said made me think, “Maybe the word security isn’t the right word.” If we use the words “customer experience,” maybe that’s better. Have you found that? Is “security” the wrong word nowadays? Maybe we should be thinking about creating an experience at a larger level that connotes success and progress.

Ludwig: Super interesting. Apple doesn’t use the word “security” very much at all. As a consumer brand, what they focus on is privacy, right? The idea that they’ve built highly secure products is motivated by the users’ right to privacy and the users’ desire to have their information remain private. But they don’t talk about security.

Apple doesn’t use the word security very much at all. The idea that they’ve built highly secure products is motivated by the users’ right to privacy and the users’ desire to have their information remain private. But they don’t talk about security.

I always thought that was a really an interesting decision on their part. When I was at Google, we did some branding analysis, and we also came up with insights about how we talked about security. It’s a negative from a customer’s standpoint. And so, most of the references that you’ll see coming out of Google are security and privacy. They always attach those two things together. It’s not a coincidence. I think you’re right that the branding is problematic.

Microsoft uses trustworthy, as in trustworthy computing. So, I guess the rest of us are a little bit slow to pick up on that, but ultimately, it’s a combination of security and a bunch of other things that we’re trying to enable to make sure that the products do what we’re expecting them to do.

Gardner: I like resilience. I think that cuts across these terms because it’s not just the security, it’s how well the product is architected, how well it performs. Is it hardened, in a sense, so that it performs in trying circumstances – even when there are issues of scale or outside threats, and so forth. How do you like “resilience,” and how does that notion of business continuity come into play when we are trying to improve the culture?

Ludwig: Yes, “resilience” is a pretty good term. It comes up in the pop psychology space as well. You can try to make your children more resilient. Those are the ones that end up being the most successful, right? It certainly is an element of what you’re trying to build.

Learn More  

About Traceable.ai

A “resilient” system is one in which there’s an understanding that it’s not going to be perfect. It’s going to have some setbacks, and you need to have it recoverable when there are setbacks. You need to design with an expectation that there are going to be problems. I still remember the first time I heard about a squirrel shorting out a data center and taking down the whole data center. It can happen, right? It
does happen. Or, you know, you get a solar event and that takes down computers.

There are lots of different things that you need to build to recover from accidental threats, and there are ones that are more intentional — like when somebody deploys ransomware and tries to take your pipeline offline.

Gardner: To be more resilient in our organizations, one of the things that we’ve seen with developers and IT operations is DevOps. Has DevOps been a good lesson for broader resilience? Is there something we can do with other silos in organization to make them more resilient?

DevOps derives from experience

Ludwig: I think so. Ultimately, there are lots of different ways people describe DevOps, but I think about taking what used to be a very big thing and acknowledging that you can’t comprehend the complexity of that big thing. Choosing instead to embrace the idea that you should do lots of little things, in aggregate, and that they’re going to end up being a big thing.

And that is a core ethos of DevOps, that each individual developer is going to write a little bit of code and then they’re going to ship it. You’re going to do that over and over and over. You are going to do that very, very, very quickly. And they’re going to be responsible for running their own thing. That’s the operations part of the development. But the result is, over time, you get closer to a good product because you can gain feedback from customers, you’re able to see how it’s working in reality, and you’ll be able to get testing that takes place with real data. There are lots of advantages to that. But the critical part of it, from a security standpoint, is it makes it possible to respond to security flaws in near real-time.

Often, organizations just aren’t pushing code frequently enough to be able to know how to fix a security problem. They are like, “Oh, our next release window is 90 days from now. I can’t possibly do anything between now and then.” Getting to a point where you have an improvement process that’s really flexible and that’s being exercised every single day is what you get by having DevOps.

And so, if you think about that same mentality for other parts of your organization, it definitely makes them able to react when something unexpected happens.

Gardner: Perhaps we should be looking to our software development organizations for lessons on cultural methods that we can apply elsewhere. They’re on the bleeding edge of being more secure, more productive, and they’re doing it through better communications and culture.

Ludwig: It’s interesting to phrase it that way because that sounds highfalutin, and that they achieved it out of expertise and brilliance. What it really is, is the humbleness of realizing that the compiler tells you your code is wrong every single day. There’s a new user bug every single day. And eventually you get beaten down by all those, and you decide you’re just going to react every single day instead of having this big thing build up.

So, yes, I think DevOps is a good example but it’s a result of realizing how many flaws there are more than anything highfalutin, that’s for sure.

Gardner: The software doesn’t just eat the world; the software can show the world the new, better way.

Ludwig: Yes, hopefully so.

Future best security practices

Gardner: Adrian, any thoughts about the future of better security, privacy, and resilience? How will ML and AI provide more analysis and improvements to come?

Ludwig: Probably the most important thing going on right now in the context of security is the realization by the senior executives and boards that security is something they need to be proponents for. They are pushing to make it possible for organizations to be more secure. That has fascinating ramifications all the way down the line.

If you look at the best security organizations, they know the best way to enable security within their companies and for their customers is to make security as easy as possible. You get a combination of the non-security executive saying, “Security is the number-one thing,” and at the same time, the security executive realizes the number-one thing to implement security is to make it as easy as possible to embrace and to not be disruptive.

And so, we are seeing faster investment in security that works because it’s easier. And I think that’s going to make a huge difference.

There are also several foundational technology shifts that have turned out to be very pro-security, which wasn’t why they were built — but it’s turning out to be the case. For example, in the consumer space the move toward the web rather than desktop applications has enabled greater security. We saw a movement toward mobile operating systems as a primary mechanism for interacting with the web versus desktop operating systems. It turns out that those had a fundamentally more secure design, and so the risks there have gone down.

The enterprise has been a little slow, but I see the shift away from behind-the-firewall software toward cloud-based and software as a service (SaaS) software as enabling a lot better security for most organizations. Eventually, I think it will be for all organizations.

Those shifts are happening at the same time as we have cultural shifts. I’m really optimistic that over the next decade or two we’re going to get to a point where security is not something we talk about. It’s just something built-in and expected in much the same way as we don’t spend too much time now talking about having access to the Internet. That used to be a critical stumbling block. It’s hard to find a place now that doesn’t or won’t soon have access.

Gardner: These security practices and capabilities become part-and-parcel of good business conduct. We’ll just think of it as doing a good job, and those companies that don’t do a good job will suffer the consequences and the Darwinian nature of capitalism will take over.

Ludwig: I think it will.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: TraceableAI.

YOU MAY ALSO BE INTERESTED IN:

●      How API security provides a killer use case for ML and AI

●      Securing APIs demands tracing and machine learning that analyze behaviors to head off attacks

●      Rise of APIs brings new security threat vector — and need for novel defenses

●      Learn More About the Technologies and Solutions Behind Traceable.ai.

●      Three Threat Vectors Addressed by Zero Trust App Sec

●      Web Application Security is Not API Security

●      Does SAST Deliver? The Challenges of Code Scanning.

●      Everything You Need to Know About Authentication and Authorization in Web APIs

●      Top 5 Ways to Protect Against Data Exposure

●      TraceAI : Machine Learning Driven Application and API Security

Self-awareness as an individual attribute provides the context to better understand others and to find common ground. But what about self-awareness of entire generations?

Are those born before the mass appeal and distribution of digital technology able to make the leap in their awareness of those who have essentially been Born Digital? Does the awareness gap extend to an even more profound disconnect between how today’s younger generations think and those more likely to be in the leadership positions in businesses?

Do the bosses really get their entry-level cohorts? And what, if any, impact has the COVID-19 pandemic had in amplifying these perception and cognition gaps?

Stay with us as BriefingsDirect explores new research into what makes the Born Digital generation tick. And we’ll also unpack ways that the gap between those born analog and more recently can be closed.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

To learn more about the paybacks and advantages of understanding and embracing the Born Digital Effect, please welcome Tim Minahan, Executive Vice President of Business Strategy and Chief Marketing Officer at Citrix, and Amy Haworth, Senior Director of Employee Experience at Citrix. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Tim, your latest research into what makes those Born Digital tick bucks conventional wisdom. Why did Citrix undertake this research in the first place?

Minahan: This is the first generation to grow up in an entirely digital world. In another decade or so, the success or failure of businesses — the entire global economy — will be in the hands of this Born Digital generation.

We wanted to get inside their heads to see what makes them tick. That helps us to help our customers design their post-pandemic work environments and work models to best support the needs of this emerging group of leaders.

The good news is that the Born Digital generation — those born after 1997 — is primed to deliver significant economic gains — some $1.9 trillion in corporate profits. But there certainly were some divergences in what they need to do that and how they view work.

Certainly, the pandemic has forever changed the way we all work, but it had a particularly profound impact on the Born Digital generation. Many of them began or had their early careers during the crisis. Remote and technology-driven work is all that they have ever known. Organizations need to be aware of these scenarios as they plan for the future so as to not leave out or disengage from this future generation of leaders.

The Born Digital difference

Gardner: Tim, like me, you were born analog. What surprised you most about this generation?

Minahan: Certain key findings debunked a lot of the myths around what motivates these workers. Our research reveals a fundamental disconnect. First, job stability and work-life balance are what matter most to these employees.

Citrix Research Shows Leaders Disconnected From Younger Employees.

Learn How to Unlock Their Full Potential.

Largely faced with an uncertain job environment, these younger workers are most focused on fundamental work factors like career stability and security. They also want to work in their own way. So, they are looking for a good work-life balance and more flexible work models.

And this is poorly understood by leaders, who — in the same research — showed that they think, behind access to technology, the Born Digital generation values opportunities for training and meaningful, impactful work. And, while those are important, they’re further down the list.

It turns out that job satisfaction, career stability and security, and a good work-life balance ranks above compensation and the manager they work with.

And it’s become very clear — business leaders overestimate the appeal of the office. Ninety percent of Born Digital generation employees do not want to return to the office full-time post-pandemic. They prefer a more flexible or hybrid model, which is in stark contrast to the leadership where 58 percent believe that young workers will want to spend most or all their time working in an office. And this is a real Catch-22 that we’re all going to need to grapple with not years from now but in the next few months.

Gardner: Amy, does the way companies misinterpret their employees mean we need an employee experience reboot?

Haworth: After reading this research, I felt an overwhelming sense of the importance of listening. That means getting really curious, and not only curious at big moments, like returning to the office or moving a vast number of employees out of offices — but getting curious all the time.

If we design employee experience strategies around old assumptions, we’re missing each other in the workplace. Experiences are built in the day-to-day moments. We need to build the hybrid workplace around trust and inclusivity.

It was so clear to me that if we are designing employee experience strategies around old assumptions, we’re missing each other in the workplace. One of the frameworks for employee experience we use heavily at Citrix is the idea that experiences are built in the day-to-day moments. The touchpoints that employees have in the human space, the physical space, and the digital space. At Citrix, we have rethought and rebooted our own experience, coming back into a hybrid workplace, and built around the idea of trust and inclusivity.

And it’s interesting in this research how much trust in autonomy and in inclusivity emerged as critical components for the Born Digitals. Interestingly, that seems to extend into other generations as well. It became the framework for us and our approach to hybrid work — a philosophy — and a way to build the infrastructure for that. We wanted to record and cultivate trust in our own culture.

Work together, even when apart

Minahan: Visionary leaders are using this moment in time to rethink future of work models and turn their work environments to competitive advantage. A growing number of our customers are now trying to navigate through these situations in their post-pandemic work model planning.

One of the big topics is not just about where people work. I think there’s a false-positive that some executives are doing with the belief that everyone wants to get back to the office full-time. Because the initial burst of productivity has declined, they’re using the last 15 months as a proxy for what remote work is.

Let’s be clear. The last year and a half has not been remote work, it’s been remote isolation. There needs to be a deeper level of understanding, as Amy said, as you move into your planning of what truly motivates people. You need to truly understand what’s going to attract the right talent and importantly what’s going to engage them and allow them to be successful in driving the business outcomes that you’re hoping for them to achieve.

Gardner: I find it not just a little ironic that we’re going to be seeking to better listen and better communicate when we’re not together in an office. There may be an inability to see the trees for the forest when you’re in the same office going through the same work patterns. Maybe breaking that pattern leads to even better communication. Amy?

Haworth: I think you are spot-on, Dana. One of the metaphors I’ve come to love is the idea of being at the ocean. If you’ve ever been anywhere where the tide comes in, at first you can’t see certain things. Then as the tide goes back out, there are tide pools full of life and vibrancy. They have been there all along, but you just couldn’t see them.

And that clearly emulates what is happening in organizations. These opportunities around hybrid work give us another chance to break the script. It helps us discover pieces in our organizations that may not have been working that great to start with and were causing friction all along.

Distributed work is happening. We’re having to be more explicit about the conversations around communication, collaboration, the expectations of each other, and what it means to help each other. Raising up those things anew is so important no matter the setting, no matter the workplace.

We’re now in a unique environment where we have this window of time to get very specific and not take it for granted — but to rebuild with intention. I truly hope that organizations are smart and do that with a concerted effort, with concerted energy, and then reap the rewards.

Distributed and dynamic workplaces

Minahan: Amy hits on two great points. One is there’s a real risk, as we move to hybrid work, that we create a culture of unintentional biases for those office-first-focused folks who may be conducting meetings or collaboration styles that preclude, or don’t include, folks working remotely.

It isn’t just about having the right technology in place, it’s also about having the right policies in place. The cultural aspects and expectations need to create a workplace that has inclusivity and equality — no matter where work is done. The reality is we are going to continue to work in a very distributed mode, where certain team members won’t all be in the same room.

Those Born Digital Will Soon Determine Your Business’s Success.

Here’s How to Understand Them Better.

You must harness technology, institute policies, and set the expectations that remote workers are still active participants in the process and that information flows freely. That means investing in collaborative work management solutions that create a secure digital collaboration environment. These solutions align people around similar goals and objectives and key results (OKRs) that have visibility into the status and into how projects are progressing, whether you’re in the office or somewhere else.

By understanding the dependencies between the dispersed teams and other actions that need to be done, you create the business outcomes you want. These are the types of tools and policies that support the hybrid work environments that people are so desperately trying to create right now.

Gardner: The last year and a half has given us an opportunity to change the playbook. What we’re hearing from the younger generations is they’re not opposed to that. As we seek to best change the playbook, what has the Citrix research told you?

Born free to choose how to work

Minahan: We engaged with two external research partners on this, Coleman Parkes Research and Oxford Analytica. They surveyed and did qualitative interviews with more than 1,000 business leaders and more than 2,000 knowledge workers across 10 countries. To prepare for the future, it was very clear that leaders need to get a grip on the expectations and motivations of this Born Digital generation and adapt their work models, workplaces, and work practices to better cultivate them.

There were three primary findings. You should focus on where this generation wants to work. Prepare them for success in distributed work environments. Companies need to give employees freedom to choose where they work best.

You should focus on where this generation wants to work. Prepare them for success in distributed work environments. Companies need to give employees freedom to choose where they work best.

To Amy’s point, it’s about fit and function. Sometimes it is important to come together in offices for collaboration and social and cultural connections. For other forms of work, it is optimal for individuals to have the space they need to think, be creative, and succeed. The Born Digital cohort wants and needs that flexibility — to have both work environments purpose-fit for the work they need to get done.

Secondly, beyond where they work, the five-day work week that has vestiges of the industrial revolution is probably not appropriate. Same for the 9 am to 5 pm workday. We’re finding that a lot of folks need to take a break mid-day to recharge. So instead of thinking about one big block of time, think about sub-blocks that allow workers to optimize the work-life balance and to recharge. That drives the best energy to do your best work. And this is a very clear finding from the study on how the Born Digital want to work.

The last part is about how they work. They want autonomy and the opportunity to work in a high-trust environment. They want to have the right tools to have transparency, collaborate, and drive connectivity with their co-workers and peers — even if they’re not physically in the room together. They want compensation that recognizes and rewards performance, as well as strong and visible leadership.

And so those are some of the key attributes that are important as companies design their new work models.

Gardner: Amy, we’re now talking about things like trust and motivation. It seems to me that those are universally important, whether you’re born with digital technology or not.

Why does the digital technology generation have a stronger concept around trust and motivation? Is there a connection between being Born Digital and those intrinsic-but-profound values?

Haworth: Think about how these Born Digital knowledge workers have come into the workforce. Most have had some level of college education. They were used to being very autonomous university students as they figured out their activity-based work habits. How do they get the most done? Where does work happen best — in the library, or in their dorm rooms, or apartments?

The Future of Work Demands Flexibility,

Choice, and Autonomy.

Lean to Foster a More Engaged Workforce.

The transition into an office is simply another step in developing a capability that they’ve been building for years. And so, if organizations are not leading with trust, transparency, autonomy, and allowing the digital tools they’ve come to expect and leverage in their educational path, that feels like there’s a massive disconnect. They’re not only undoing some of the amazing self-leadership that these Born Digitals have grown within themselves, but organizations are also depriving themselves of rethinking the ideas that the Born Digital generation is coming up with.

They are more accustomed than some of their predecessor generations to having seniority when it comes to using digital tools. And as we take an opportunity to flip our mindset, most of the time business leaders with more seniority are thinking, “Well, we have to groom this next generation of leaders.”

We may want to flip that mindset. Instead, think about how this new generation of leaders can groom the current leadership through things like reverse-mentorships or by sharing their voices. A manager with a team that includes Born Digitals can ask for their input and give permission for them to help shape the future of work together.

The organizations that do so are going to be much more well-suited to the economic benefits of this talent, as Tim highlighted at the beginning. It’s latent talent until we unlock it. It will take a conscious decision of leadership to think about how they can we best learn from this generation. They have a whole lot of things to teach us from what they envision as the future of work.

Increase your app-titude

Minahan: Amy brings up a good point that showed up in the research. That is dissonance between what older workers and leaders perceive as their experience and that of the Born Digital generation. That gap extends to both in the tools they use to do their work, as well as on how they communicate.

On the technology side, for example, young workers and leaders inhabit very different digital worlds. The research found that only 21 percent of business leaders use instant messaging apps such as Slack or WhatsAppfor work, as compared with 81 percent of Born Digital employees.

If you want to build trust and communication, it’s very hard if you are not hanging out in the same places. Similarly, only 26 percent of business leaders like using these apps for work compared to 82 percent of the Born Digitals. Clearly, there are very different work habits and work tools that the Born Digitals prefer. As leaders look to cultivate, engage with, and recruit these Born Digital workers, they are going to need to understand what tools to use to communicate to foster the next generation of leaders.

Haworth: That statistic also caught my eye; that 26 percent of business leaders like using these apps for work compared with 82 percent of Born Digital workers. Every organization that I have spoken with in my career, honestly, but especially in the last 36 months, has talked about how hard it is to get messages out into the organization. And when you step back and say, “Well, how are you trying to communicate that message?” Oftentimes what I hear is a company intranet or email.

Citrix Research Shows Leaders Disconnected From Younger Employees.

Learn How to Unlock Their Full Potential.

If we take something as incredibly important as communication and think about what could be applied from this data to specific segments — to communication, to leadership, to recruiting — this becomes a really salient point and very relevant for the planning and strategy of how to best reach these workers.

In the employee experience space, one of the key ideas is not everybody is the same. Employee experience is built around personalization. Much of this research data is rich with aligning a strategy to personalize the experience for the Born Digitals for both their own benefit as well as the benefit of the organization. If people only take one thing from this report, to me that could be it right there.

Minahan: Yes, we could fill up a whole list of Slack conversations with that topic, absolutely!

Gardner: It strikes me that there is a propensity for these younger workers to naturally innovate. If you give them a task, they are ready and willing to figure out how to do it on their own. Older workers wait around to be told how to do things.

I wonder if this innovation propensity in the younger workers is an untapped, productivity boom, and that allowing people to do things their own way — as long as the job gets done — is a huge benefit to all.

Innovation generation integrates AI

Minahan: I think you are onto something there. With the do-it-yourself or YouTube generation, you see it in your own children, they teach themselves or find ways to figure things out — whether it’s a math problem or a hobby.

Best practice sharing mentoring as a benefit applies to solving problems, of how to adapt and learn. Reverse mentoring, formal or informal, has a big opportunity to raise all boats.

Amy mentioned earlier the importance of reverse-mentoring, and that’s no joke. We first talked about it as teaching the older generation how to use technology. But there is a best-practice-sharing benefit as applies to solving problems, of how to constantly adapt, and continue to learn. That reverse mentoring, whether it’s formal or informal, has a real big opportunity to lift all boats.

Gardner: As these folks innovate, we also now have the means to digitally track what they are doing. We can learn, on a process basis through the data, what works better, which allows us to improve our processes constantly and iteratively. Before, we were all told how to do things. We did it, and then we redid it, and not much changed.

Is there an opportunity here to create a new business style combining the data-driven capability to measure what people are doing as well as having them continue to do it in an experimental fashion?

Haworth: Yes, there is now an amazing opportunity to think about how machine learning (ML) and artificial intelligence (AI) can become a guide. As the data fuels insights, those insights can help make workers more effective and potentially far more productive.

When I think of reverse-mentoring, I not only would love to have a Born Digital mentor me on technology, but I also wouldn’t mind having an AI coach tap into places where I’m missing things. They could intervene and help me find a better way, to guide my work, or to think about who else might be interested in this topic. That could fuel an interesting discussion and help me make connections within my organization.

Those Born Digital Will Soon Determine Your Business’s Success.

Here’s How to Understand Them Better.

The Born Digital generation also specified in the Citrix report how distinct their experiences are when it comes to building new connections within organizations. Technology can play a role in that, not only by removing friction to give us time to connect with other human beings, but to also guide us to where those connections might be productive ones. And by productive, I don’t necessarily mean only output, but where it leads to idea generation, further innovation, scaling, and to creating coalitions and influence that lead to desirable outcomes.

Minahan: The world is moving so quickly today. Technology is advancing at such a rapid pace; it’s changing how we engage and do business. The growth-hack skillset for the individual career right now is those who can continuously learn and quickly adapt. That’s going to be critical.

We think the Born Digital generation has a lot to offer on that front, and they can teach the entire culture to support that. As Amy said, then augmenting that culture with AI or ML and other tools so that it becomes an institutional upgrade in skills, knowledge, and best-practice-sharing — so that everyone is absolutely performing at their best and everyone can begin to see around corners and adapt much quicker — that’s what’s going to create the high-performing, curious, and growth-oriented organizations of the future.

Gardner: How do we now take this research into action? How do we move from the observation that there is an awareness and perceptions gap — and maybe $1.9 trillion at stake — and go about self-evaluating and changing?

Listen fully to learn and lead

Haworth: Number one for me is to listen. And listening is hard for some. It requires time, but I will advocate that it doesn’t take a lot of time.

I have a little game to offer everyone. It’s called 5 for 5, which means talk to five people with five questions, and ask those five questions to all of them. Don’t defend. Don’t explain. Just get genuinely curious — and start with your Born Digitals. Most organizations have an easy way for leaders to find them. They might be on your team. They might be your kids, your nieces, your nephews, or a neighbor down the street. But spend a little bit of time just listening.

And from those five people, we know you are likely to find some themes, just those five conversations. And then put it on your calendar to do that at least once a quarter. These are the most interesting opportunities leaders have to inform strategy, to think about what’s next, and to learn something about a person that they may never have known before.

Talk to five people and ask five questions of all of them. Start with your Born Digitals. You are likely to find themes that will inform strategy for leaders.

We recently went through a cycle of this internally at Citrix as part of our hybrid philosophy building and to help develop the capabilities and tools we need in the organization for teams to be effective. I happened to be aligned to interview our Born Digital segment. Most of them were fairly new in their careers, and some had started during COVID.

My favorite question was, “If you were a manager right now, what would you be focused on?” Across the board, each of these interviewees, employees at our organization, said, “I would be very clear on what’s expected as far as working hours and when it’s okay to log off.”

That insight alone was validated in the research. Not only is this generation looking for job stability and security, but they are also very likely to not be the ones to ask for permission. They are looking around to figure out what’s okay and not okay.

We need to be clear about helping them define boundaries and to model those boundaries because Born Digital doesn’t mean born burnt out. We want to be sure that we keep the engagement, curiosity, innovation, creativity, and energy that the Born Digital population brings into organizations. We need to help them be successful by developing a sustainable pattern for work.

Gardner: Tim, how do you see us closing the gap in the near term?

Keep it simple to reduce daily din

Minahan: The convergence of the digital workspace demands tools that facilitate open and equitable collaboration and transparency across teams, whether they are in the office or working remotely. That includes driving continuous learning and best-practice-sharing and achieving better business outcomes together. The physical workplace needs to be fitted for purpose when is it important to come together, when we do benefit from that, whether it’s for collaborative projects or the social aspects, such as for creating that water-cooler dynamic.

The Future of Work Demands Flexibility,

Choice, and Autonomy.

Lean to Foster a More Engaged Workforce.

As Amy just mentioned, which I think is so critically important, the ultimate success in this is going to require how you transition your culture. How do you make it okay for people to turn off in this always-connected world? How do you set norms on how we create an equitable, inclusive workplace for those that work in the office and those who work remotely?

Amy has put in place here at Citrix a very good framework. Similar to that, we are advising our customers to triangulate between a Venn diagram of creating the right digital workplace, coupling it with the right purpose-built workspace, and then enabling it all with common policies and culture that foster equality, inclusiveness and focus on business outcomes.

Gardner: Is there something about the way technology itself has been delivered into the marketplace by vendors, including Citrix, that also needs to change? When we talk about culture, behavior, and motivations, that’s not the way that technology has been shaped and delivered. Is there a lesson from this research?

Haworth: Great employee experiences are shaped by empowerment of employees at a very personal level. When technology guides and automates work experiences to free the person up from the noise, the friction, of having to log-in to multiple tools, to context switch — all of that creates a draining effect on a human. The technology is now positioned to remove that friction by letting technology do what technology does best, which is to automate, guide, and organize based on personal preferences.

New innovations from platforms such as Citrix help unite work all in one place to simplify tasks for the employee. It means there is more that the employee doesn’t have to think about. It’s seamless. That quality of interaction is a key lever in creating positive employee experiences, which lead to engagement and commitment to an organization in a world that is fraught right now with finding talent, with fighting attrition, and cultivating the right talent to innovate into the future. All of these elements really matter, and technology has a big role to play.

Gardner: It sounds like automation is another word we should be using. We talked about using ML and AI to help, but the more you can automate, even though that sounds in conflict with allowing people to be flexible, is important.

Minahan: Amy hit the nail on the head. It is about automating and guiding employees, but it’s also removing the noise from their day. The dirty little secret in business is each of these individual tools that we have introduced into our workday on their own added productivity, helping us do our jobs, but collectively they have created such a cacophony of noise and distraction in our day, it’s actually frustrating employees.

If you think back to pre-pandemic, one of the dynamics was a Gallup study that showed employees were more disengaged than at any other time in history. Some 86 percent of employees felt they were disengaged at work because they were frustrated with the complexity of the work environment, all the tools, the apps, and chat channels that were interrupting them from doing their jobs. And that’s only been exacerbated throughout the pandemic as people don’t even have a clearly defined beginning and end to their days. And so it continues.

As we introduce technology, we need to mute the noise. We need to automate mundane tasks so employees don’t change context every two seconds. Create a unifying workspace that allows access to all tools and content in the right context.

One of the things we need to be thinking about as technologists, as we introduce technology or we build solutions, is how do you mute this noise? How do you automate some of the mundane tasks so that employees don’t need to switch context every two seconds? How do you create a unifying workspace that allows them to have access to all the tools, all the apps, all the content, all the business services they need to get their job done without needing to remember multiple passwords and go everywhere else?

And how do you begin to literally use things like AI and ML to guide them through their day, presenting them with the right information at the right time, not all the information, allowing them to execute tasks without needing to navigate multiple different environments? Then, how do you create a collaborative workspace that is equitable and provides transparency and a common place for folks to align around common goals, execute against projects, understand the status, no matter whether they are working in an office in a conference room together or are distributed to all corners of the globe?

Gardner: For those older leaders or younger entrants into the workspace who want to learn more about this research, how can they? And what comes next for Citrix research?

Design the future of work

Minahan: Anyone can find this research available on citrix.com. This research effort, as well as future research efforts, are part of an initiative we took together with academia, research organizations, and governments starting well over a year ago called the Work 2035 Project to try to understand the skills, organizational structures, and role technology plays in shaping the future of work. The only difference is the future of work is arriving a heck of a lot faster than any of us ever expected.

The next big event is that we are hosting a thought leadership event that will be based in part on the latest research effort in October, a virtual summit we are calling Fieldwork, where we are going to bring together some of the industry thought leaders around the topic of how the future of work is evolving and have an open dialogue, and we will be providing more information on that as we get closer.

Gardner: Amy, for those organizations that may have learned more about the employee experience function of governance, leadership, and management, what advice do you have for organizations should they be interested in setting up an employee experience organization?

Haworth: First, I say congratulations to those organizations for investing and taking the time to invest in understanding what employee experience means in the context of their particular desire for business outcomes and in their particular culture.

Citrix published this year some very helpful research around the employee experience operating model. It can be found on citrix.com in the Fieldwork section. I personally have leveraged this in setting up some of the key pillars of our own philosophy and approach to employee experience. It is deep and it will also be a great springboard for moving forward with establishing both a mindset and some practices and programs leading to exceptional stronger employee experiences.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Citrix.

You may also be interested in:

• Creating business advantage with technology-enabled flexible work

• Rethinking employee well-being means innovative new support for the digital work-life balance

• Work from anywhere unlocks once-hidden productivity and creativity talent gems

• Here to stay, remote work promises to deliver new levels of engagement, productivity, and innovation

• COVID-19 teaches higher education institutes to embrace latest IT to advance remote learning

• Work in a COVID-19 world: Back to the office won’t mean back to normal

• Why flexible work and the right technology may Just close the talent gap

• Business readiness provides an agile key to surviving and thriving in these uncertain times

• Busy work is a dumpster fire and it’s time for something completely different

The last few years have certainly highlighted the need for businesses of all kinds to build up their operational resilience. With a rising tide of pandemic waves, high-level cybersecurity incidents, frequent technology failures, and a host of natural disasters — there’s been plenty to protect against.

As businesses become more digital and dependent upon end-to-end ecosystems of connected services, the responsibility for protecting critical business processes has clearly shifted. It’s no longer just a task for IT and security managers but has become top-of-mind for line-of-business owners, too.

Stay with us now as BriefingsDirect explores new ways that those responsible for business processes specifically in the financial sector are successfully leading the path to avoiding and mitigating the impact and damage from these myriad threats.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

To learn more about the latest in rapidly beefing-up operational resilience by bellwether finance companies, BriefingsDirect welcomes Steve Yon, Executive Director of the EY ServiceNow Practice, and Sean Culbert, Financial Services Principal at EY. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Sean, how have the risks modern digital businesses face changed over the past decade? Why are financial firms at the vanguard of identifying and heading off these pervasive risks?

Culbert: The category of financial firms forms a broad scope of types. The risks for a consumer bank, for example, are going to be different than the risks for an investment bank or from a broker-dealer. But they all have some common threads. Those include the expectation to be always-on, at the edge, and able to get to your data in a reliable and secure way.

There’s also the need for integration across the ecosystem. Unlike product sets before, such as in retail brokerage or insurance, customers expect to be brought together in one cohesive services view. That includes more integration points and more application types.

This all needs to be on the edge and always-on, even as it includes, increasingly, reliance on third-party providers. They need to walk in step with the financial institutions in a way that they can ensure reliability. In certain cases, there’s a learning curve involved, and we’re still coming up that curve.

It remains a shifting set of expectations to the edge. It’s different by category, but the themes of integrated product lines — and being able to move across those product lines and integrate with third-parties – has certainly created complexity.

Gardner: Steve, when you’re a bank or a financial institution that finds itself in the headlines for bad things, that is immediately damaging for your reputation and your brands. How are banks and other financial organizations trying to be rapid in their response in order to keep out of the headlines?

Interconnected, system-wide security

Yon: It’s not just about having the wrong headline on the front cover of American Banker. As Sean said, the taxonomy of all these services is becoming interrelated. The suppliers tend to leverage the same services.

Products and services tend to cross different firms. The complexity of the financial institution space right now is high. If something starts to falter — because everything is interconnected — it could have a systemic effect, which is what we saw several years ago that brought about Dodd-Frank regulations.

So having a good understanding of how to measure and get telemetry on that complex makeup is important, especially in financial institutions. It’s about trust. You need to have confidence in where your money is and how things are going. There’s a certain expectation that must happen. You must deal with that despite mounting complexity. The notion of resiliency is critical to a brand promise — or customers are going to leave.

One, you should contain your own issues. But the Fed is going to worry about it if it becomes broad because of the nature of how these firms are tied together. It’s increasingly important — not only from a brand perspective of maintaining trust and confidence with your clients — but also from a systemic nature; of what it could do to the economy if you don’t have good reads on what’s going on with support of your critical business services.

Gardner: Sean, the words operational resilience come with a regulatory overtone. But how do you define it?

The operational resilience pyramid

Culbert: We begin with the notion of a service. Resilience is measured, monitored, and managed around the availability, scalability, reliability, and security of that service. Understanding what the service is from an end-to-end perspective, how it enters and exits the institution, is the center to our universe.

Around that we have inbound threats to operational resilience. From the threat side, you want the capability to withstand a robust set of inbound threats. And for us, one of the important things that has changed in the last 10 years is the sophistication and complexity of the threats. And the prevalence of them, quite frankly.

We have COVID, we have proliferation of very sophisticated cyber attacks that weren’t around 10 years ago. Geopolitically, we’re all aware of tensions, and weather events have become more prevalent. It’s a wide scope of inbound threats.

If you look at the four major threat categories we work with — weather, cyber, geopolitical, and pandemics — pick any one of those and there has been a significant change in those categories. We have COVID, we have proliferation of very sophisticated cyber attacks that weren’t around 10 years ago, often due to leaks from government institutions. Geopolitically, we’re all aware of tensions, and weather events have become more prevalent. It’s a wide scope of inbound threats.

And on the outbound side, businesses need the capability to not only report on those things, but to make decisions about how to prevent them. There’s a hierarchy in operational resilience. Can you remediate it? Can you fix it? Then, once it’s been detected, how can minimize the damage. At the top of the pyramid, can you prevent it before it hits?

So, there’s been a broad scope of threats against a broader scope of service assets that need to be managed with remediation. That was the heritage, but now it’s more about detection and prevention.

Gardner: And to be proactive and preventative, operational resilience must be inclusive across the organization. It’s not just one group of people in a back office somewhere. The responsibility has shifted to more people — and with a different level of ownership.

What’s changed over the past decade in terms of who’s responsible and how you foster a culture of operational resiliency?

Bearing responsibility for services

Culbert: The anchor point is the service. And services are processes: It’s technology, facilities, third parties, and people. The hard-working people in each one of those silos all have their own view of the world — but the services are owned by the business. What we’ve seen in recognition of that is that the responsibility for sustaining those services falls with the first line of business [the line of business interacting with consumers and vendors at the transaction level].

Yon: There are a couple of ways to look at it. One, as Sean was talking about, the lines of defense and the evolution of risk has been divvied up. The responsibilities have had line-of-sight ownership over certain sets of accountabilities. But you also have triangulation from others needing to inspect and audit those things as well.

The time is right for the new type of solution that we’re talking about now. One, because the nature of the world has gotten more complex. Two, the technology has caught up with those requirements.

The move within the tech stack has been to become more utility-based, service-oriented, and objectified. The capability to get signals on how everything is operating, and its status within that universe of tech, has become a lot easier. And with the technology now being able to integrate across platforms and operate at the service level — versus at the component level – it provides a view that would have been very hard to synthesize just a few years ago.

What we’re seeing is a big shot in the arm to the power of what a typical risk resilience compliance team can be exposed to. They can manage their responsibilities at a much greater level.

Before they would have had to develop business continuity strategies and plans to know what to do in the event of a fault or a disruption. And when those things come out, the three-ring binders, the war room gets assembled and people start to figure out what to do. They start running the playbook.

What we’re seeing is a big shot in the arm to the power of what a typical risk resilience compliance team can be exposed to. They can manage their responsibilities at a mch greater level.

The problem with that is that while they’re running the playbook, the fault has occurred, the destruction has happened, and the clock is ticking for all those impacts. The second-order consequences of the problem are starting to amass with respect to value destruction, brand reputational destruction, as well as whatever customer impacts there might be.

But now, because of technology and moving toward Internet of things (IoT) thinking across assets, people, facilities, and third-party services, technology can self-declare their state. That data can be synthesized to say, “Okay, I can start to pick up a signal that’s telling me that a fault is inbound.” Or something looks like it’s falling out of the control thresholds that they have.

That tech now gives me the capability to get out in front of something. That would be almost unheard-of years ago. The nexus of tech, need, and complexity are all hitting right now. That means we’re moving and pivoting to a new type of solution rising out of the field.

Gardner: You know, many times we’ve seen such trends happen first in finance and then percolate out to the rest of the economy. What’s happened recently with banking supervision, regulations, and principles of operational resilience? 

Financial sector leads the way

Yon: There are similar forms of pressure coming from all regulatory-intense industries. Finance is a key one, but there’s also power, utilities, oil, and gas. The trend is happening primarily first in regulatory-intensive industries.

Culbert: A couple years ago, the Bank of England and the Prudential Regulation Authority (PRA) put out a consultation paper that was probably most prescriptive out of the UK. We have the equivalent over here in the US around expectations for operational resiliency. And that just made its way into policy or law. For the most part, on a principles basis, we all share a common philosophy in terms of what’s prudent.

A lot of the major institutions, the ones we deal with, have looked at those major tenets in these policies and have said they will be practiced. And there are four fundamental areas that the institutions must focus on.

One is, can it declare and describe its critical business services? Does it have threshold parameters logic assigned to those services so that it knows how far it can go before it sustains damage across several different categories? Are the assets that support those services known and mapped? Are they in a place where we can point to them and point to the health of them? If there’s an incident, can they collaborate around the sustaining of those assets?

As I said earlier, those assets generally fall into small categories: people, facilities, third parties, and technology. And, finally, do you have the tools in place to keep those services within those tolerance parameters and have other alerting systems to let you know which of the assets may well be failing you, if the services are at risk.

That’s a lay-person, high-level description of the Bank of England policy on operational risks for today’s Financial Management Information Systems (FMIS). Thematically most of the institutions are focusing on those four areas, along with having credible and actionable testing schemes to simulate disruptions on the inbound side. 

In the US, Dodd-Frank mandated that institutions declare which of those services could disrupt critical operations and, if those operations were disrupted, could they in turn disrupt the general economy. The operational resilience rules and regulations fall back on that. So, now that you know what they are, can you risk-rate them based on the priorities of the bank and its counterparties? Can you manage them correctly? That’s the letter-of-the-law-type regulation here. In Japan, it’s more credential-based regulation like the Bank of England. It all falls into those common categories.

Gardner: Now that we understand the stakes and imperatives, we also know that the speed of business has only increased. So has the speed of expectations for end consumers. The need to cut time to discovery of the problems and to find root causes also must be as fast as possible.

How should banks and other financial institutions get out in front of this? How do we help organizations move faster to their adoption, transform digitally, and be more resilient to head off problems fast? 

Preventative focus increases

Yon: Once there’s clarity around the shift in the goals, knowing it’s not good enough to just be able to know what to do in the event of a fault or a potential disruption, the expectation becomes the proof to regulatory bodies and to your clients that they should trust you. You must prove that you can withstand and absorb that potential disruption without impact to anybody else downstream. Once people get their head around the nature of the expectation-shifting to being a lot more
preventative versus reactive, the speeds and feeds by which they’re managing those things become a lot easier to deal with.

You’d get the phone call at 3 a.m. that a critical business service was down. You’d have the tech phone call that people are trying to figure out what happened. That lack of speed killed because you had to figure a lot of things out while the clock was ticking. But now, you’re allowing yourself time to figure things out.

Back when I was running the technology at a super-regional bank, you’d get the phone call at 3 a.m. that a critical business service was down. You’d have the tech phone call that people are trying to figure out what happened because they started to notice at the help desk that a number of clients and customers were complaining. The clock had been ticking before 3 a.m. when I got the call. And so, by now, by that time, those clients are upset.

Yet we were spending our time trying to figure out what happened and where. What’s the overall impact? Are there other second-order impacts because of the nature of the issue? Are other services disrupted as well? Again, it gets back to the complexity factor. There are interrelationships between the various components that make up any service. Those services are shared because that’s how it is. People lean on those things — and that’s the risk you take.

Before, the lack of speed literally killed because you had to figure a lot of those things out while the clock was ticking and the impact was going on. But now, you’re allowing yourself time to figure things out. That’s what we call a decision-support system. You want to alert ahead of time to ensure that you understand the true blast area of what the potential destruction is going to be.

Secondly, can I spin up the right level of communications so that everybody who could be affected knows about it? And thirdly, can I now get the right people on the call — versus hunting and pecking to determine who has a problem on the fly at 3 a.m.?

The nature of having speed is when you deal with an issue by buying time for firms to deal with the thing intelligently versus in a shotgun approach and without truly understanding the nature of the impact until the next day.

Gardner: Sean, it sounds like operation resiliency is something that never stops. It’s an ongoing process. That’s what buys you the time because you’re always trying to anticipate. Is that the right way to look at it?

Culbert: It absolutely is the way to look at it. A time objective may be specific to the type of service, and obviously it’s going to be different from a consumer bank to a broker-dealer. You will have a time objective attached to a service, but is that a critical service that, if disrupted, could further disrupt critical operations that could then disrupt the real economy? That’s come into focus in the last 10 years. It has forced people to think through: If you were if a broker-dealer and you couldn’t meet your hedge fund positions, or if you were a consumer bank and you couldn’t get folks their paychecks, does that put people in financial peril?

These involve very different processes and have very different outcomes. But each has a tolerance of filling in the blank time. So now it’s just more of a matter of being accountable for those times. There are two things: There’s the customer expectation that you won’t reach those tolerances and be able to meet the time objective to meet the customers’ needs.

And the second is that technology has made it more manageable as the domino or contagion effect of one service tipping over another one. So now it’s not just, “Is your service ready to go within its objective of half an hour?” It’s about the knock-on effect to other services as well. 

So, it’s become a lot more correlated, and it’s become regional. Something that might be a critical service in one business, might not be in another — or in one region, might not be in another. So, it’s become more of a multidimensional management problem in terms of categorically specific time objectives against specific geographies, and against the specific regulations that overhang the whole thing.

Gardner: Steve, you mentioned earlier about taking the call at 3 a.m. It seems to me that we have a different way of looking at this now — not just taking the call but making the call. What’s the difference between taking the call and making the call? How does that help us prepare for better operation resiliency?

Make the call, don’t take the call

Yon: It’s a fun way of looking a day in the life of your chief resiliency officer or chief risk officer (CRO) and how it could go when something bad happens. So, you could take the call from the CEO or someone from the board as they wonder why something is failing. What are you going to do about it?

You’re caught on your heels trying to figure out what was going on, versus making the call to the CEO or the board member to let them know, “Hey, these were the potential disruptions that the firm was facing today. And this is how we weathered through it without incident and without damaging service operations or suffering service operations that would have been unacceptable.”

We like to think of it as not only trying to prevent the impact to the clients but also from the possibility of a systemic problem. It could potentially increase the lifespan of a CRO by showing they can be responsible for the firm’s up-time, versus just answer questions post-disruption. It provides a little bit of levity but it’s also a truth that there are more than just the consequences to the clients, but also to those people responsible for that function within the firm. 

Gardner: Many leading-edge organizations have been doing digital transformation for some time. We’re certainly in the thick of digital transformation now after the COVID requirements of doing everything digitally rather than in person. 

But when it comes to finance and the services that we’re describing — the interconnections in the interdependencies — there are cyber resiliency requirements that cut across organizational boundaries. Having a moat around your organization, for example, is no longer enough.

What is it about the way that ServiceNow and EY are coming together that helps make operational resiliency an ongoing process possible? 

Digital transformation opens access

Yon: There are two components. You need to ask yourself, “What needs to be true for the outcome that we’re talking about to be valid?” From a supply-side, what needs to be true is, “Do I have good signal and telemetry across all the components and assets of resources that would pose a threat or a cause for a threat to happen from a down service?”

With the move to digital transformation, more assets and resources that compose any organization are now able to be accessed. That means the state of any particular asset, in terms of its preferential operating model, are going to be known.

With the move to digital transformation, more assets and resources that compose any organization are now able to be accessed. That means the state of any particular asset, in terms of its preferential operating model, are going to be known. I need to have that data and that’s what digital transformation provides.

Secondly, I need a platform that has wide integration capabilities and that has workflow at its core. Can I perform business logic and conditional synthesis to interpret the signals that are coming from all these different systems?

That’s what’s great about ServiceNow — there hasn’t been anything that it hasn’t been able to integrate with. Then it comes down to, “Okay, do I understand the nature of what it is I’m truly looking for as a business service and how it’s constructed?” Once I do that, I’m able to capture that control, if you will, determine its threshold, see that there’s a trigger, and then drive the workflows to get something done.

For a hypothetical example, we’ve had an event so that we’re losing the trading floor in city A, therefore I know that I need to bring city B and its employees online and to make them active so I can get that up and running. ServiceNowcan drive that all automatically, within the Now Platform itself, or drive a human to provide the approvals or notifications to drive the workflows as part of your business continuity plan (BCP) going forward. You will know what to do by being able to detect and interpret the signals, and then based on that, act on it.

That’s what ServiceNow brings to make the solution complete. I need to know what that service construction is and what it means within the firm itself. And that’s where EY comes to the table, and I’ll ask Sean to talk about that.

Culbert: ServiceNow brings to the table what we need to scale and integrate in a logical and straightforward way. Without having workflows that are cross-silo and cross-product at scale — and with solid integration of capabilities – this just won’t happen.

When we start talking about the signals from everywhere against all the services — it’s a sprawl. From an implementation perspective, it feels like it’s not implementable.

The regulatory burden requires focus on what’s most important, and why it’s most important to the market, the balance sheet, and the customers. And that’s not for the 300 services, but for the one or two dozen services that are important. Knowing that gives us a big step forward by being able to scope out the ServiceNow implementation.

And from there, we can determine what dimensions associated with that service we should be capturing on a real-time basis. To progress from remediation to detection on to prevention, we must be judicious of what signals we’re tracking. We must be correct.

We have the requirement and obligation to declare and describe what is critical using a scalable and integrable technology, which is ServiceNow. That’s the big step forward.

Yon: The Now platform also helps us to be fast. If you look under the hood of most firms, you’ll find ServiceNow is already there. You’ll see that there’s already been work done in the risk management area. They already know the concepts and what it means to deal with policies and controls, as well as the triggers and simulations. They have IT and other assets under management, and they know what a configuration management database (CMDB) is.

These are all accelerants that not only provide scale to get something done but provide speed because so many of these assets and service components are already identified. Then it’s just a matter of associating them correctly and calibrating it to what’s really important so you don’t end up with a science fair integration project.

Gardner: What I’m still struggling to thread together is how the EY ServiceNow alliance operational resiliency solution becomes proactive as an early warning system. Explain to me how you’re able to implement this solution in such a way that you’re going to get those signals before the crisis reaches a crescendo.

Tracking and recognizing faults

Yon: Let’s first talk about EY and how it comes with an understanding from the industry of what good looks like with respect to what a critical business service needs to be. We’re able to hone down to talking about payments or trading. This maps the deconstruction of that service, which we also bring as an accelerant.

We know what it looks like — all the different resources, assets, and procedures that make that critical service active. Then, within ServiceNow, it manages and exposes those assets. We can associate those things in the tool relatively quickly. We can identify the signal that we’re looking to calibrate on.

Then, based on what ServiceNow knows how to do, I can put a control parameter on this service or component within the threshold. It then gives me an indication whether something might be approaching a fault condition. We basically look at all the different governance, risk management, and compliance (GRC) leading indicators and put telemetry around those things when, for example, it looks like my trading volume is starting to drop off.

Based on what ServiceNow knows how to do, I can put a control parameter on this service or component within the threshold. It then gives me an indication whether something might be approaching a fault condition.

Long before it drops to zero, is there something going on elsewhere? It delivers up all the signals about the possible dimensions that can indicate something is not operating per its normal expected behavior. That data is then captured, synthesized, and displayed either within ServiceNow or it is automated to start running its own tests to determine what’s valid.

But at the very least, the people responsible are alerted that something looks amiss. It’s not operating within the control thresholds already set up within ServiceNow against those assets. This gives people time to then say, “Okay, am I looking at a potential problem here? Or am I just looking at a blip and it’s nothing to worry about?”

Gardner: It sounds like there’s an ongoing learning process and a data-gathering process. Are we building a constant mode of learning and automation of workflows? Do we do get a whole greater than the sum of the parts after a while?

Culbert: The answer is yes and yes. There’s learning and there’s automation. We bring to the table some highly effective regulatory risk models. There’s a five-pillar model that we’ve used where market and regulatory intelligence feeds risk management, surveillance, analysis, and ultimately policy enforcement.

And how the five pillars work together within ServiceNow — it works together within the business processes within the organization. That’s where we get that intelligence feeding, risk feeding, surveillance analysis, and enforcement. That workflow is the differentiator, to allow rapid understanding of whether it’s an immediate risk or concentrating risk.

And obviously, no one is going to be 100 percent perfect, but having context and perspective on the origin of the risk helps determine whether it’s a new risk — something that’s going to create a lot of volatility – or whether it’s something the institution has faced before.

We rationalize that risk — and, more importantly, rationalize the lack of a risk – to know at the onset if it’s a false positive. It’s an essential market and regulatory intelligence mechanism. Are they feeding us only the stuff that’s really important?

Our risk models tell us that. That risk model usually takes on a couple of different flavors. One flavor is similar to a FICO score. So, have you seen the risk? Have you seen it before? It is characterizable by the words coming from it and its management in the past.

And then some models are more akin to a bar calculator. What kind of volatility is this risk going to bring to the bank? Is it somebody that’s recreationally trying to get into the bank, or is it a state actor?

Once the false-positive gets escalated and disposed of — if it’s, in fact, a false positive – are we able to plug it into something robust enough to surveil for where that risk is headed? That’s the only way to get out in front of it.

The next phase of the analysis says, “Okay, who should we talk to about this? How do we communicate that this is bigger than a red box, much bigger than a red box, a real crisis-type risk? What form does that communication take? Is it a full-blown crisis management communication? Is it a standing management communication or protocol?”

We take that affected function and very quickly understand the health or the resiliency of other impacted functions. We use our own proprietary model. It helps to shift from primary states to alternative states.

And then ultimately, this goes to ServiceNow, so we take that affected function and very quickly understand the health or the resiliency of other impacted functions. We use our own propriety model. It’s a military model used for nuclear power plants, and it helps to shift from primary states to alternative states, as well as to contingency and emergency states.

At the end, the person who oversees policy enforcement must gain the tools to understand where they should be fixing the primary state issue or moving on from it. They must know to step aside or shift into an emergency state.

From our perspective, it is constant learning. But there are fundamental pillars that these events flow through that deliver the problem to the right person and give that person options for minimizing the risk.

Gardner: Steve, do we have any examples or use cases that illustrate how alerting the right people with the right skills at the right time is an essential part of resuming critical business services or heading off the damage?

Rule out retirement risks

Yon: Without naming names, we have a client within Europe, the Middle East and Africa (EMEA) we can look at. One of the things the pandemic brought to light is the need to know our posture to continuing to operate the way we want. Getting back to integration and integrability, where are we going to get a lot of that information for personnel from? Workday, their human resources (HR) system of record, of course.

Now, they had a critical business service owner who was going to be retiring. That sounds great. That’s wonderful to hear. But one of the valid things for this critical business service to be considered operating in its normal state is to check for an owner. Who will cut through the issues and process and lead going forward?

If there isn’t an owner identified for the service, I would be considered at risk for this service. It may not be capable of maintaining its continuity. So, here’s a simple use case where someone could be looking at a trigger from Workday that asks if this leadership person is still in the role and active.

Is there a control around identifying if they are going to become inactive within x number of months’ time? If so, get on that because the regulators will look at these processes potentially being out of control.

There’s a simple use case that has nothing to do with technology but shows the integrability of ServiceNow into another system of record. It turns ServiceNow into a decision-support platform that drives the right actions and orchestrates timely actions — not only to detect a disruption but anything else considered valid as a future risk. Such alerts give the time to get it taken care of before a fault happens.

Gardner: The EY ServiceNow alliance operational resilience solution is under the covers but it’s powering leaders’ ability to be out in front of problems. How does the solution enable various levels of leadership personas, even though they might not even know it’s this solution they’re reacting to?

Leadership roles evolve

Culbert: That’s a great question. For the last six to seven years, we’ve all heard about the shift from the second to the first line of primary ownership in the private sector. I’ve heard many occasions for our first line business manager saying, “You know, if it is my job, first I need to know what the scope of my responsibilities are and the tools to do my job.” And that persona of the frontline manager having good data, that’s not a false positive. It’s not eating at his or her ability to make money. It’s providing them with options of where to go to minimize the issue.

The personas are clearly evolving. It was difficult for risk managers to move solidly into the first line without these types of tools. And there were interim management levels, too. Someone who sat between the first and the second line — level 1.5. or line 1.5. And it’s clearly pushing into the first line. How do they know their own scope as relates to the risk to the services?

Now there’s a tool that these personas can use to be not only be responsible for risk but responsive as well. And that’s a big thing in terms of the solution design. With ServiceNow over the last several years, if the base data is correctly managed, then being able to reconfigure the data and recalibrate the threshold logic to accommodate a certain persona is not a coding exercise. It’s a no-code step forward to say, “Okay, this is now the new role and scope, and that role and scope will be enabled in this way.” And this power is going to direct the latest signals and options.

But it’s all about the definition of a service. Do we all agree end-to-end what it is, and the definition of the persona? Do we all understand who’s accountable and who’s responsible? Those two things are coming together with a new set of tools that are right and correct.

Yon: Just to go back to the call at 3 a.m., that was a tech call. But typically, what happens is there’s also going to be the business call. So, one of the issues we’re also solving with ServiceNow is in one system we manage the nature of information irrespective of what your persona is. You have a view of risk that can be tailored to what it is that you care about. And all the data is congruent back and forth.

It becomes a lot more efficient and accurate for firms to manage the nature of understanding on what things are when it’s not just the tech community talking. The business community wants to know what’s happening – and what’s next? And then someone can translate in between. This is a real-time way for all those personas to become a line around the nature of the issue with respect to their perspective.

Gardner: I really look forward to the next in our series of discussions around operational resilience because we’re going to learn more about the May announcement of this solution. 

But as we close out today’s discussion, let’s look to the future. We mentioned earlier that almost any highly regulated industry will be facing similar requirements. Where does this go next?

It seems to me that the more things like machine learning (ML) and artificial intelligence (AI) analyze the many sources of data, they will make it even more powerful. What should we look for in terms of even more powerful implementations?

AI to add power to the equation

Culbert: When you set up the framework correctly, you can apply AI to the thinning out of false positives and for tagging certain events as credible risk events or not credible risk events. AI can also to be used to direct these signals to the right decision makers. But instead of taking the human analyst out of the equation, AI is going to help us. You can’t do it without that framework.

Yon: When you enable these different sets of data coming in for AI, you start to say, “Okay, what do I want the picture to look like in my ability to simulate these things?” It all goes up, especially using ServiceNow.

But back to the comment on complexity and the fact that suppliers don’t just supply one client, they connect to many. As this starts to take hold in the regulated industries — and it becomes more of an expectation for a supplier to be able to operate this way and provide these signals, integration points, telemetry, and transparency that people expect — anybody else trying to lever into this is going to get the lift and the benefit from suppliers who realize that the nature of playing in this game just went up. Those benefits become available to a much broader landscape of industries and for those suppliers.

Gardner: When we put two and two together, we come up with a greater sum. We’re going to be able to deal rapidly with the known knowns, as well as be better prepared for the unknown unknowns. So that’s an important characteristic for a much brighter future — even if we hit another unfortunate series of risk-filled years such as we’ve just suffered.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: ServiceNow and EY.

YOU MAY ALSO BE INTERESTED IN:

• How to gain advanced cyber resilience and recovery across the IT ops and SecOps divide

• The future of work is happening now thanks to Digital Workplace Services

• How security designed with cloud migrations in mind improves an enterprise’s risk posture top to bottom

• Securing APIs demands tracing and machine learning that analyze behaviors to head off attacks

• Creating business advantage with technology-enabled flexible work

• How Unisys and Microsoft team up to ease complex cloud adoption for governments and enterprises

• Disaster recovery to cyber recovery — What is the new best future state?

• How an agile focus for Enterprise Architects builds competitive advantage for digital transformation

• Rethinking employee well-being means innovative new support for the digital work-life balance