With 17 years experience at Accenture, and top leadership roles at New Relic and VMware, Yvonne is sought after for her understanding in how to scale organizations/innovate with technologies while mitigating associated security/data risks. Her experience and insight made for great conversation as we discussed her views on how organizations can transform from ‘old tech’ to ‘new tech’ while enhancing their operations and market value.
M.R. Rangaswami: Where should companies invest their time and be most successful in an industry that talks about the importance of being “cloud-native”?
Yvonne Wassenaar: The world is undeniably becoming more complex and faster-paced than in the past and nowhere does this seem to be more true than with technology. A lot of the news today focuses on becoming “cloud native” and adopting containers as the new defacto way to build and deploy applications though for many it is not 100% clear what this means. It is undeniable that cloud and containers are changing how and where technology is built but this does not mean that every company is going to, or should, drop everything to move to container-based applications overnight.
For companies that have significant existing investments in more traditional IT environments (the node-centric applications running data centers) they are likely best having a blended approach where they move what they can in an efficient manner to the cloud (perhaps in containerized VMs) and build net-new applications in a cloud-native way taking advantage of the power of Kubernetes and new serverless capabilities.
That said, there may well be applications that are best left to “die in the data center.” Even for those more traditional data centre-based applications (and even more importantly for the workforce) there can be a lot of benefit in becoming more cloud-native even if you are not moving to the cloud or adopting containers.
Going cloud-native is a lot more than simply using containers – it is the compilation of leveraging microservices, employing DevOps practices and tools, moving to continuous integration/continuous delivery-deployment (CI/CD) AND using containers based architectures. There are ways you can start to migrate your organizations and technology to be more cloud-native before you even adopt a container-based architecture. For example, a large financial services customer is doing just this by moving to DevOps and CI/CD approaches into their data centers to benefit from these practices and start the cultural and organization shifts required for next gen architectures and help keep their talent engaged and empowered.
From a talent perspective, the hardest change is typically around the culture and organization pieces where we are seeing shifts in how work is best done. There can also be significant challenges associated with the overwhelming number of tools out in the marketplace. My recommendation, look to leverage solutions that span across this increasingly multi-cloud world and that abstract away a lot of the complexity of these new technologies. This, with an active programmatic effort to upskill your existing workers, is the best way I have seen to be able to deliver on business needs today while preparing for the future.
Not surprisingly, all of this is squarely where we are focusing Puppet: meeting our customers where they are and taking them to where they need to be both in terms of technology solutions and the surrounding DevOps practices.
M.R.: As an ex-CIO, and now the CEO of a leading infrastructure software company, what recommendations do you have for our readers on how they can strengthen the security profile of their companies?
Yvonne: It is true, the cyber-security risks companies are facing have never been more significant and they are only exponentially growing as technology is running more and more of the world around us. With all the recent headlines and associated negative business implications, cyber-security is now a C-level/Board issue and I often get asked the question you just asked: How can I strengthen the security profile of my company?
At a foundation level, the most basic thing that companies can do is to standardize and automate their infrastructure environments. Let’s face it, with technology running more and more of your business, do you want to leave your security up to manual processes that could create mistakes? One customer I was recently speaking with said that a retrospective they just completed on issues in their environment found close to 80% of their stability and security vulnerabilities were driven by human error. Human error is inevitable in our business and there are better answers than to beat yourself up or your team up when this happens. From my standpoint, a more productive path forward is to fix these challenges through standardization and automation to create the right foundation to more securely and reliably manage and scalable your environment going forward.
The next level up, beyond automating the work, is how you automate the work. Here at Puppet, we believe the best way to do this is using a declarative state approach. What this means is you tell the automation tools what you want the environment to look like and it determines what changes, if any, are required to your endpoints. This is in contrast with task-based automation where a developer says what steps it wants the tool to execute.
There are reasons to use both declarative and task-based automation in the course of any business. That said, for your core environment the benefit of a declarative approach is that you are always returning your environment to a known good state; something that is music to every Chief Security Officers ears.
But the opportunity is even greater than automating the environment. We have an increasing number of “smart tools” that can help you identify what might need to be fixed or not working as it should from a security standpoint today. By integrating this knowledge with the action engine that can make the needed changes – you are not just finding the problem, you are fixing it. Today we still have humans in the find it / fix it loop but I predict in the not too distant future there will see organizations move towards increasingly smart self-healing environments. This alone will free IT up to solve more abstract problems.
At Puppet we are working to help companies on this concept of “find it /fix it” today with something we call Puppet Remediate. Puppet Remediate integrates scanner data with the discovery, action capabilities of Puppet. Together this allows IT Ops teams the ability to much more quickly remediate the vulnerabilities that present the greatest risk to the company. Going forward, you will see us doing more to integrate the likes of Splunk and Service Now with Puppet to enable customers to have a close-loop, find it and fix it action loops. Exciting times!
M.R.: We are still in a world where diversity is scarce within the C-Suite. What are the best ways to build a more diverse leadership team and foster a culture of inclusion, especially among those that are not heavily represented in tech today?
Building a diverse team and fostering a culture of inclusion is rich and yet hard – it requires a high level of maturity to be able to listen and incorporate different ideas and experiences. I can’t claim to have a silver bullet to this challenge but I have learned some things over the years in my journey to create and nurture more diverse teams and more inclusive environments where everybody is afforded the ability to deliver at their true potential.
As starters, we have to be careful to not fall victim to self-fulfilling prophecies that diversity is too hard or there is not enough of a pipeline. We need to ensure teams don’t get caught up in tracking the types of diversity in a company without focus on the creation of inclusive environments and demonstration of potential and achievement for diverse team members. And, it is important to recognize that unconscious biases are hard to change without focus; sending people to training classes is helpful but insufficient.
So, how can you make a difference? I believe it requires a multi-faceted set of actions and continual focus. One of the most important actions you can take to drive change is to bring on diverse leaders at the highest level of the organization (the C-Suite & Board). This brings many benefits, these leaders represent potential for others like them in the company and the broader talent market, these leaders will often pull in others who “are like them” to help further build diversity across the organization, and these leaders are more likely to help the broader leadership team and company see, understand and address the inherent unconscious biases in the system.
Another powerful change agent is the creation of vocabulary and culture where people can name actions or words that may be creating exclusionary environments and have role models who demonstrate how you call these things out in a non-threatening and open way so that collectively we can address the challenge areas. For an example of how these actions can make a difference, I recommend you check out what Maria Klawe has done a Harvey Mudd College.
M.R. Rangaswami is the Co-Founder of Sand Hill Group.