How To Have A Secure Cloud Transformation
Q&A With Analyst/Author Richard Stiennon
Although enterprises are moving to the cloud at a rapid pace, there are still some companies that haven’t dipped their toes into the cloud computing waters yet. A host of challenges and fears are obstructing some enterprises from making the move.
Enter Richard Stiennon — a former industry analyst with Gartner Research, current Chief Research Analyst with IT-Harvest, and author. Stiennon’s most recent book, Secure Cloud Transformation: The CIO's Journey, was just published in February 2019. Through extensive research, Stiennon’s book provides some of the top strategies and best practices to help organizations embarking on their first cloud journey. It also documents the cloud journeys of some of the world’s largest enterprises, to serve as a blueprint for cloud transformation.
In his first exclusive interview since the book’s release, Stiennon tells Enterprise Digitalization about the current state of cloud transformation, and what readers can expect to learn from the book.
Enterprise Digitalization: Why is cloud transformation currently at the core of IT security?
Richard Stiennon: I've been an analyst for 19 years, and I've worked with IT departments back when they were called MIS. Over the years I realized the IT departments don't actually institute change. They don't adopt new technologies. In fact, they usually fight them. When I got into the internet business, I was selling internet connectivity and I would show people a business card with an email address on it, and these VPs would say, 'It'll be a cold day in hell before I have an email address on my business card.' It just became a truism that I keep track of because the IT department always resists change. Email, internet, WiFi: the first thing they do is push back and try to stop it. They can't, of course, because these forces are bigger than them. This was the same with cloud. Another name for it was rogue computing, which was when somebody in the marketing department would set up a cloud server to host websites, and IT would have no visibility into it. There's an attempt by IT to corral innovation. When researching this book, I talked to 16 people with titles such as CTO or chief digital officer, people who had been tasked with digital transformation. All of them have the exact same story. Early on, five or six years ago, they said, 'Cloud is the future and we are going to be a cloud-first organization.' They're from General Electric to Siemens to Schneider Electric, and Fannie Mae — they all have this fascinating story to tell about how they saw the benefits. Almost immediately they started moving down that path. What gets me excited is this is an IT transformation that actually enhances security instead of everything else which opens up the enterprise to new threats. All of a sudden, I was starting to become an optimist about the future of security.
ED: When you were doing the research for this book, did you uncover something about cloud transformation that most CIOs and CTOs might not be aware of?
RS: I think it's mostly the architectural changes where there's a cost benefit. That transition starts even if you don't like hosting things yourself, all of your people have already shifted to using software-as-a-service. We have NetSuite for ERP or Salesforce for CRM, and all of those are out on the internet. Now all of your sales workers, all of your finance workers, and your HR workers are going to websites to do their work. You have no control over what's going on there and you're not securing that connection to a critical application. They're already there. Besides that, you have the network infrastructure that they built in the 80s for a hub-and-spoke system to haul all traffic from every office back to headquarters or the data center, and then filter it/protect it as it connects to the internet. All that infrastructure is sitting there. You're paying through the nose for it because you're backhauling all that traffic and then paying for internet traffic to get them out to where they're going, and you're introducing latency problems when somebody uses a remote VPN to get to headquarters on the corporate network. The big revelation for me was finally getting to local internet breakout. Every office just goes directly to the cloud without going through the corporate network and software-defined networking as part of that SD-WAN, or even the software-defined perimeter, people are labeling it now. It's cheaper to buy a hundred megabits of connectivity than it is to buy a circuit from that remote office all the way back to headquarters over MPLS. If you've embraced this transformation, you start reducing the bandwidth of the circuits you pay for and you are often eliminating them. You recoup all the money that you're spending for that. Since it's still in your budget, you might as well repurpose it for continuing the transformation by moving your applications to the cloud through refactoring or lift and shift.
ED: Why is this book a must-read for CIOs, CTOs, CEOs, and CISOs?
RS: Because it lays out that path. It gives you a working plan in order to accomplish that based on the experience of all these people who have accomplished their cloud transformation already.
ED: What do you think is the biggest challenge that enterprises are having now with cloud transformation?
RS: They have internal push-back, and of the people I talked to, this was a recurring theme. Kind of a fear of letting go because all of your internal networking people and your network security people frankly have their career and expertise at risk because they're no longer going to be sourcing fancy HP and Dell servers and configuring them for every single different project that's launched and having a 6-month rollout. As for the people who do vulnerability and patch management, their jobs, from one perspective, got a lot easier. However, another perspective is they might not be needed anymore to work on what they do every day. Their challenge is to find a role to play as all of their app servers get moved to the cloud.
ED: What should readers expect to learn in your book?
RS: The entire book has a story arc of a journey from your initial beginnings with software-as-a-service to transforming your applications to cloud-based instead of data center-based, then finally securing it with these cloud proxies that you either built yourself or outsourced to a third party. Cloud is all about outsourcing. It makes sense that there are cloud vendors that provide that capability. Interspersed in the book to reinforce the message are 16 stories from people who've been down this path. When I reread the book, as I do many times, I realize the best content in the book isn't what I wrote, but it's what each of the contributors gave me.
ED: What companies are some of these contributors from?
RS: It includes Great West Life (a Canadian insurance company), AutoNation (which is the biggest car retailer in the U.S.), two different perspectives from General Electric (a current CIO and a former CTO), Schneider Electric (one of the biggest manufacturers in the world), the PulteGroup (one of the biggest home sellers in the U.S.), and Fannie Mae (even though they're a fairly small organization, they probably control more assets than just about any other organization in the world). One of my favorite companies in the book is National Oilwell Varco, and they have a business that's highly dependent on the price of oil. After the financial crisis, the price of oil dropped dramatically. They could no longer be profitable and their stock reflected that. They were instituting massive cost cutting, and they decided to move to the cloud during that time. The reaction was cool from the end users inside the company. All of a sudden, they are using Microsoft Office 365 as a cloud app and they're getting all these new capabilities. They've got file sharing, chat, video conferencing, and all the things that come with it. The perception from the end users was that IT was on a spending spree, and yet they were cutting their budgets dramatically.
ED: What do you want readers to take away from this book?
RS: I want them to feel a sense of assurance that going to the cloud is the right thing to do, but also a sense of urgency if they want to be a part of the future and to help their organizations succeed and join the 21st century. But they have to move to the cloud as soon as possible. I hope to move somebody somewhere who was on the fence. I hope to move them forward. They can take this to their CEO or the board and say, 'This is the blueprint.'