
Disrupt or Be Disrupted

Cultivating resilience through innovation

In this episode...

The concept of 'business resilience' traditionally centers on an organization's capacity to handle failures and endure disruptions. However, truly resilient businesses go beyond mere response strategies; they proactively design and rigorously test plans to prevent such setbacks. In fact, the most resilient businesses don’t just withstand disruption, they create it. In this discussion, AWS Enterprise Strategists Miriam McLemore, Chris Hennesey, and Clarke Rodgers will explore the notion of business resilience through the lens of a 'disruptor’s mindset.' (September 2024)

Highlights

How C-suite leaders define resilience

00:42 - How a CISO defines business resilience
01:44 - How a CFO defines business resilience
02:40 - How a CIO defines business resilience
05:15 - Cultivating a culture of resilience

From planning to incentivizing

07:19 - Resilience planning (scenario playbooks, incident response, etc.)
08:27 - The disruptor’s mindset: how resilience enables innovation
12:22 - Identifying your risk appetite and getting leadership on board
15:17 - Enabling and incentivizing a resilient workforce
19:03 - How to be a resilient leader with a disruptor’s mindset

Transcript of the conversation

Featuring AWS Enterprise Strategists Miriam McLemore, Chris Hennesey, and Clarke Rodgers

Miriam McLemore:
Welcome to “Conversations with Leaders”. My name is Miriam McLemore, and I'm a former CIO. I'm joined today by my colleagues, Clarke Rodgers, former CISO and Chris Hennesey, former CFO. And our topic today is business resiliency. And, at least when I was a CIO, business resiliency was more about a business continuity plan or it was about security straight up. And so as a former CISO, Clarke, how would you define business resiliency?

Clarke Rodgers:
Well, I think you're absolutely right. It all starts off typically with the infrastructure view, like, “Do I have redundancy from an infrastructure perspective so I can serve my product to my clients?” That type of thing. But I think through my conversations with customer CISOs, resiliency is a lot more from a security perspective. So there's resiliency in your development pipelines. There's resiliency in your security culture. And why is that important? It's so we can provide value back to the business. Give the business that confidence that you are resilient against attacks, you're resilient against internal problems, fat-fingering code, whatever the case may be. And by doing that, you allow the organization to take a lot more risks, really speed towards innovation and then delight their customers. So that's how I look at resiliency.

Miriam McLemore:
And I agree with that, but Chris, from a CFO perspective, there's a broader definition of resiliency for a company.

Chris Hennesey:
Yeah, definitely technology is one angle, but a lot of the financial stability of the organization is considered, and there's a lot of ways to help manage that. One is make sure you have plenty of reserves available to handle and weather the storm. Secondly, is around revenue differentiation. So, ensuring you have diversification of business lines, of products, so that as things may go up or down with one, you can lean on the others. And the last is about having really good cost-control measures. So what are the dials and the levers you can pull based on varying circumstances?

So it's all about not only managing and mitigating risks, but it's also seizing opportunities. Financially, when companies are in distress or you may be in distress, there's opportunities to double down or expand your business. So, if you really are resilient, you have the ability to take advantage of some of those circumstances.

Miriam McLemore:
Yeah, and I think from a CIO's standpoint, in today's world, it's about getting rid of tech debt. It's about having platforms that can carry you into the future. The access to data that we need to leverage tools like generative AI. If you are a company that's behind in cloud, in generative AI, you've got an issue with your resiliency going forward.

Miriam McLemore:
So, we think about resiliency. We think about innovative companies. What are the traits? If you thought, “This company really has kind of figured it out,” what would the traits be?

Clarke Rodgers:
So I think this may come across as a bit counterintuitive, but what I've found is that the highly-regulated companies, so your financial services, your healthcare, life sciences, et cetera, they have spent so much time and effort and money investing in their security infrastructure, their security programs, their compliance programs, that they're the ones who can take advantage of things like generative AI or whatever else we'll be talking about in several years from now because they have the mechanisms in place, they have the training in place, they understand that security and compliance are important. So as generative AI comes on board, they know how to deal with it. Their data is classified. They know where their data is. They know how to protect it in accordance with whatever regulations they have to abide by. So then they can embrace these kinds of things and move a lot quicker. It's some of these other industries where you would think might be a little bit more nimble who have those challenges because they haven't had to make those types of investments.

Miriam McLemore:
Chris, you came from a regulated world.

Chris Hennesey:
I think the ability to move quickly, this notion of “fail fast” is an element we talk to a lot of customers about, but I think your ability to adapt, and move quickly, and be flexible is really important, so that would be a trait. I think another trait that I would consider as you go through this, in a lot of companies, is having an open environment where you can communicate information and there's trusted relationships. So I think a trait is having that culture within the organization that you can raise concerns when you adapt quickly and share information versus holding it in. You can move quickly to adjust to whatever may be coming your way and the disruptions ahead.

Clarke Rodgers:
And a no-blame culture I think is important too.

Chris Hennesey:
What about you? What are your thoughts?

Miriam McLemore:
Yeah, I completely agree. Culture, which I think is missed when you talk about resiliency, is so critical because your people have to be willing to see a problem and not just finger point, right? You have to be willing to adapt, address, figure out, “Okay, did we go too far,” right? How do we pull back? How do we pivot? Often organizations don't address that aspect, don't make resiliency the responsibility of everyone. And so it falls to the security team. They’re going to say, “Well, security will check,” or “Security will let us know.” And we're going to be in a bad spot pretty quickly if that's the case.

Clarke Rodgers:
And as you all well know, at AWS, we make sure that security is everyone's responsibility. And then as part of that no-blame culture, we will say, "If you think you have a security problem, you have a security problem." Until proven otherwise. So we have a robust ticketing system or you can call through the help desk, whatever the case may be. If you have a problem, you open up the ticket. A security professional will look into it. If it's nothing, they say “Thank you.” If it's something, they also say “Thank you,” right? And that encourages people to be more open about it and be looking in their line of business because as we all know, the closer you are to the business, the closer you are to whatever problems there may be, whether it's resiliency or anything else, but you get that feedback mechanism that it's okay to call out issues within the organization. And sometimes you actually may be saving the organization from something and maybe something it's not so bad, but at the end of the day, you're all part of a team and you realize it's all part of your same mission.

Chris Hennesey:
Yeah, I think being really proactive with some of the controls and the dynamics is important because you can mitigate a lot of the risks as they come up. There's a lot of reputational risk you need to manage as you think about resiliency, the experiences for your customers. This can be a big differentiator for you and your organization if you have proactive controls and environments and planning in place. Scenario planning comes up a lot, I know, as I talk to customers around resiliency. So, thinking about the tabletop exercises, “What would we do in the scenario?” elements? That type of robust proactive planning goes a long way to your preparedness when things actually do occur.

Clarke Rodgers:
I'd love to jump on that just for a second. When we're talking about incident response playbooks, right? It's not enough for the security team or the infrastructure team or people who you traditionally think are responsible for that. You need to have the CEO participating in that. You need to have the business leaders participating in that. Some of our customers bring their board members into it. The idea is, “Let's go through the game day when nothing bad is happening so we can have those difficult discussions.” What do we do with ransomware? What do we do if we're DDoSed? What do we do if we misconfigure something and a service is not available? Answering those questions when it's easy, that's great, but you get the right people involved, you develop your comms plans and that builds a tremendous amount of resiliency as well.

Miriam McLemore:
And it's not just the attacks, it's also, to me, business resiliency and the ability to respond to an opportunity. There's something that's available now that we can pivot to quickly. And that, for me, finance was a key player because we have an opportunity. I got to have a budget, I got to be able to sign resources. I got to go. And that, is that something that you all put in place?

Chris Hennesey:
Yeah, I think you see a lot of customers having available capacity, either cash reserves or budget capacity. Some organizations will also leave an “open-to-buy,” an element of available funds to take advantage of opportunities that are there. So you need to be well capitalized and prepared for that. And thinking about resiliency as you go through your planning processes goes a long way to ensuring you can have those funds available.

Miriam McLemore:
We talk all the time about being more innovative. We talk to customers about creating a culture of innovation. How do you synch business resiliency and leaning in and innovating?

Clarke Rodgers:
One example I like to use with customers, and again, it starts off with a security lens, but it actually ends up with an innovation benefit. When we start the development life cycle, right? We come up with an ideation for a new product, start thinking about security and compliance issues then. So then that first time you're writing code, you're writing it securely. You're thinking about security and all the downstream benefits of that. Throughout the pipeline, security is addressed so when you get to production, you're actually just releasing into production. You're not having that traditional fistfight, can I get it into production? But it's not secure. Well, what are we going to do? And have all that debate.
    
Over time what tends to happen is that release velocity increases. So what does that do? That allows the business leaders to, we talked earlier about how do you pivot? That allows the business leader to say, “Well, I need this feature set out today instead of that one we were thinking about because our competitor was doing this or the market is doing that.” That gives a level of resiliency and security to the business that they typically don't realize at first glance. They look at it as a security project, but it's actually an innovation project at the same time.

Miriam McLemore:
And I think getting leadership, and I know Chris, you had to spend a lot of time coaching leadership from a technology standpoint. What are the financial implications of building new capabilities? That certainly is another aspect, is just getting the leadership comfortable with and engaging, as you said, Clarke, the CEO, the C-suite, in the conversation. Is that something that you had to do in your prior life?

Chris Hennesey:
Definitely. And I think a question that comes up a lot with customers is there's this balance between run and change or run and grow in terms of that investment capacity. And as you think about resiliency, obviously you want to be well-managed on the run, but most customers are looking for, "How do I get more capacity to invest?" So they're always looking for ways to drive efficiency and I loved your ideas around how can you automate some of the security checks? How do you get scale and leverage technology to reduce some of the run elements that could open up capacity to invest? And that will enable you to innovate more. There's typically a lot of agile principles are leveraged in software development, so really listening and working back from what do the product leaders want and the business leaders want? How do I support what that is from a technical standpoint? And how do we do that in a well-managed way from a resiliency standpoint?

Miriam McLemore:    
So I love our conversation, but how? You listen and say, “Yes, I need to be more resilient. I need to look at a broader spectrum of things to do.” Practical steps, at least for me, is one, sit down with the business leadership and explain the breadth of what we mean. It's not BCP, it's not Business Continuity Planning.

It’s a bigger strategy, right? And elevating that conversation from the beginning because otherwise it does tend to go low fast where we say it's a strategic capability and then we go tactical super quickly.

Clarke Rodgers:
I think a lot of it is understanding the C-suite's risk appetite, the board of directors’ risk appetite, and where they're comfortable with it, right? And what kind of risk they're going to take on, what kind of downtime, and again, not to go too far in the BCP area, but what kind of downtime can they tolerate?

Some businesses may be able to say, "Well, we can survive not taking orders for a couple of days, that's fine." Others can't survive a millisecond, right? So it's understanding that so then you can start building these programs that meet those needs.

Similar to 10 years ago when people were talking about "How should I evaluate this cloud thing?" Nobody was saying, “Just go put everything in the cloud at once.” You need to build the mechanisms, have the technical skills, everything else that goes into that. So, it's find a business unit or a workload within that business unit, and think about it, in this case as from a resiliency perspective, and previously we were talking about "How do we make this work in the cloud?" But from a resiliency perspective, from the risk, from the dollars, from the technology, everything that goes into it, build your model, build your mechanisms that go along with that, the staffing that goes along with that. And if that works, take it to the next one that makes sense. You want to be able to learn and iterate and make things better as you go, and then have that mechanism to go back and make that first business unit meet the criteria that you end up with.

Miriam McLemore:
And along with that, establishing some sponsors that are in the game, really motivated to create that kind of best in class example.

Clarke Rodgers:
And I think every organization has that. You know that one VP who is willing to step up and say, "Let me try something new. Let me be innovative. Let's go hard and go fast and really get it done."

Miriam McLemore:    
Because it's going to give them bandwidth to operate differently.

Clarke Rodgers:
Absolutely.

Chris Hennesey:
Yeah, and I think we all see in the customers we engage, incentives matter a lot inside of the organization. So as I think about a disruptor's mindset, what behaviors are you incenting? Especially when maybe failures occur or resiliency events occur. How do you treat people through that? What are you incentivizing through that? I think that is a big contributor towards the innovative mindset and the capacity that's there. Another practical thing, which I know we've all done, is just dedicating capacity to some of this. So I think a lot of this is mindshare inside of organizations and dedicating capacity just to jumpstart as a way to spark "What's the art of the possible, how do you inspire and then infuse that back into the teams?" Is a practical way to jumpstart things inside of organizations as well.

Miriam McLemore:
So Chris, in your conversations with customers, are there some emerging trends that you're seeing?

Chris Hennesey:
Yeah, when I engage with customers, a lot of times they're trying to assess one, “How do I assess resiliency inside of our organization?” but two, also, “How do I take advantage of cloud technology and asset management and contract management?” come up a lot when I talk. One, do we have a clear sense of what infrastructure we have? Which seems like it should be an easy question, but obviously as you all know, it's not an easy one to answer. And the other is, through asset management, is also the contractual licenses and dynamics that exist within customers.
    
So I've been reading more and more about this thing called “smart contracts”, where it takes and applies automation on top of your contractual agreements that you have. It really takes some of the human side out of this to ensure, one, you're complying to the contractual terms, but two, that you're also alerting and creating awareness more proactively so that you're managing any risk that may exist in terms of unlimited licensing for an element that we all know is going to come due at some point. Or if there's other terms inside of a contract that you need to be adhering to. It's very similar to the code deployment. How do we find automated means to do this? And applying that to contracts and applying that to asset management, I know is an area I've seen a lot of customers focus on.

Miriam McLemore:
I love that. Clarke, I'm assuming you've seen some emerging trends in this space.

Clarke Rodgers:
I have seen some emerging trends. From the security perspective, I've yet to speak to a CISO who has enough security staff. And, while in the past, security departments tried to do more with less within their departments, I'm now seeing a trend of "Let's spread security responsibility out throughout the organization." We talked earlier about the people who know the problems best are the ones who are closest to it. So in this example, the developers. So security organizations are spending a lot of time and effort not only building out the security culture of their organization, but making sure that they have programs like a Security Guardians program where there are specialized security people embedded with the development teams to make sure, and part of those development teams so they know what they're building, etc. But they make sure that it's being built securely. They have a back channel communication to the security org. But what this allows companies to do is to really scale. And when you're scaling the security org and you have it built into your product lines and your infrastructure lines and everywhere else, what are you doing? You're becoming more resilient.

Miriam McLemore:
The ability to forecast too, right? Get your entire team thinking about the opportunity, but importantly the risk. And so that “security is everyone's job” training was something that in my conversations with customers, certainly, they are trying to figure out the best way to do it. Because like you said, we can't just keep adding.

Miriam McLemore:
As a closing question, traits of leaders that have a resilient mindset?

Chris Hennesey:
I think for me, this notion of adaptability or flexibility is a trait that's really important. I think the more you're hardened in the way things are done and you kind of exude that inside of your organization and in your role, that doesn't prepare you well to deal with circumstances. So I think this notion of having a resilient mindset, having that ability to be flexible and nimble when needed, and not only the individual but the teams. So organizationally, how do you prepare to be nimble and adapt as needed? I think is a trait that I think is there for good resiliency.

Clarke Rodgers:
The only thing I would add to that is part of that resilient mindset is to really think about things maybe from a negative perspective. Everything's going to fail at some point. And if you come to terms with that, as you're building new mechanisms, products, services, security organizations, whatever the case may be, that's always in the back of your mind. So then you're thinking about, “How do I make it ‘bulletproof’ to make sure that it doesn't break?”

Miriam McLemore:    
Yeah, I love all of the comments, but particularly kind of start small, build a model, inspire the team to drive it as a strategic capability, which it can be. But you're going to have to keep pushing yourself back up to the strategic, because it's one of those things that's so easy to just drop into “I've checked the boxes.”

And from my perspective, you know I'm a sports fan. And what do we value in athletes? Their ability to pivot when something happens, something changes. Their ability to change course. And that to me is so critical in the speed at which we have to work in today's world.

Guys, this has been great. Thank you.

Clarke Rodgers:
Thank you.

Chris Hennesey:
Thanks Miriam. Thanks Clarke.

Miriam McLemore, Director, AWS Enterprise Strategy:

"In today's world, it's about getting rid of tech debt. It's about having platforms that can carry you into the future; the access to data that we need to leverage tools like generative AI. If you are a company that's behind in cloud, in generative AI, you've got an issue with your resiliency going forward."
