
Monday, August 30, 2021

How to Migrate Your Organization to a More Security-Minded Culture

Transcript of a discussion on creating broader awareness of security risks and building a security-minded culture across organizations and ecosystems.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: TraceableAI.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Bringing broader awareness of security risks and building a security-minded culture within any public or private organization has been a top priority for years. Yet halfway through 2021, IT security remains as much a threat as ever -- with multiple major breaches and attacks costing tens of millions of dollars occurring nearly weekly.

Why are the threat vectors not declining? Why, with all the tools and investment, are businesses still regularly being held up for ransom or having their data breached? To what degree are behavior, culture, attitude, and organizational dissonance to blame?

Stay with us now as we probe into these more human elements of IT security with a leading chief information security officer (CISO).


To learn more about adjusting the culture of security to make organizations more resilient, please join me in welcoming Adrian Ludwig, CISO at Atlassian. Welcome, Adrian.

Adrian Ludwig: Hi, Dana. Glad to be here.

Gardner: Adrian, we are constantly bombarded with headlines showing how IT security is failing. Yet, for many people, they continue on their merry way -- business as usual.

Are we now living in a world where such breaches amount to acceptable losses? Are people not concerned because the attacks are perceived as someone else’s problem?

Security on the forefront


Ludwig: A lot of that is probably true, depending on whom you ask and what their state of mind is on a given day. We’re definitely seeing a lot more than we’ve seen in the past. And there’s some interesting twists to the language. What we’re seeing does not necessarily imply that there is more exploitation going on or that there are more problems -- but it’s definitely the case that we’re getting a lot more visibility.

I think it’s a little bit of both. There probably are more attacks going on, and we also have better visibility.

Gardner: Isn’t security something we should all be thinking about, not just the CISOs?

Ludwig: It’s interesting how people don’t want to think about it. They appoint somebody, give them a title, and then say that person is now responsible for making security happen.

But the reality is, within any organization, doing the right thing -- whether that be security, keeping track of the money, or making sure that things are going the way you’re expecting -- is a responsibility that’s shared across the entire organization. That’s something that we are now becoming more accustomed to. The security space is realizing it’s not just about the security folks doing a good job. It’s about enabling the entire organization to understand what’s important to be more secure and making that as easy as possible. So, there’s an element of culture change and of improving the entire organization.

Gardner: What’s making these softer approaches -- behavior, culture, management, and attitude – more important now? Is there something about security technology that has changed that makes us now need to look at how people think?

Ludwig: We’re beginning to realize that technology is not going to solve all our problems. When I first went into the security business, the company I worked for, a government agency, still had posters on the wall from World War II: Loose lips sink ships.


The idea of security culture is not new, but the awareness is, across organizations that any person could be subject to phishing, or any person could have their credentials taken -- those mistakes could be originating at any place in the organization. That broad-based awareness is relatively new. It probably helps that we’ve all been locked in our houses for the last year, paying a lot more attention to the media, and hearing about attacks that have been going on at governments, the hacking, and all those things. That has raised awareness as well.

Gardner: It’s confounding that people authenticate better in their personal lives. They don’t want their credit cards or bank accounts pillaged. They have a double standard when it comes to what they think about protecting themselves versus protecting the company they work for.

Data safer at home or work?

Ludwig: Yes, it’s interesting. We used to think enterprise security could be more difficult from the user experience standpoint because people would put up with it because it was work.

But the opposite might be true, that people are more self-motivated in the consumer space and they’re willing to put up with something more challenging than they would in an enterprise. There might be some truth to that, Dana.

Gardner: The passwords I use for my bank account are long and complex, and the passwords I use when I’m in the business environment … maybe not so much. It gets us back to how you think and your attitude for improved security. How do we get people to think differently?

Ludwig: There’s a few different things to consider. One is that the security people need to think differently. It’s not necessarily about changing the behavior of every employee in the company. Some of it is about figuring out how to implement critical solutions that provide security without changing behavior.


There is a phrase, the paved path or road; so, making the secure way the easy way to do something. When people started using YubiKey U2F [an open authentication standard that enables internet users to securely access any number of online services with a single security key] as a second-factor authentication, it was actually a lot easier than having to input your password all over the place -- and it’s more secure.

That’s the kind of thing we’re looking for. How do we enable enhanced security while also having a better user experience? What’s true in authentication could be true in any number of other places as well.

Second, we need to focus on developers. We need to make the developer experience more secure and build more confidence and trustworthiness in the software we’re building, as well as in the types of tools used to build.

Developers find strength

Gardner: You brought up another point of interest to me. There’s a mindset that when you hand something off in an organization -- it could be from app development into production, or from product design into manufacturing -- people like to move on. But with security, that type of hand-off can be a risk factor.

Beginning with developers, how would you change that hand-off? Should developers be thinking about security in the same way that the IT production people do?

Ludwig: It’s tricky. Security is about having the whole system work the way that everybody expects it to. If there’s a breakdown anywhere in that system, and it doesn’t work the way you’re expecting, then you say, “Oh, it’s insecure.” But no one has figured out what those hidden expectations are.

A developer expects the code they write isn’t going to have vulnerabilities. Even if they make a mistake, even if there’s a performance bug, that shouldn’t introduce a security problem. And there are improvements being made in programming languages to help with that.

Certain languages are highly prone to security being a common failure. I grew up using C and C++. Security wasn’t something that was even thought of in the design of those languages. Java, a lot more security was thought of in the design of that language, so it’s intrinsically safer. Does that mean there are no security issues that can happen if you’re using Java? No.

Similar types of expectations exist at other places in the development pipeline as well.

Gardner: I suppose another shift has been from applications developed to reside in a data center, behind firewalls and security perimeters. But now -- with microservices, cloud-native applications, and multiple application programming interfaces (APIs) being brought together interdependently -- we’re no longer aware of where the code is running.

Don’t you have to think differently as a developer because of the way applications in production have shifted?

Ludwig: Yes, it’s definitely made a big difference. We used to describe applications as being monoliths. There were very few parts of the application that were exposed.

At this point, most applications are microservices. And that means across an application, there might be 1,000 different parts of the application that are publicly exposed. They all must have some level of security checks being done on them to make sure that if they’re handling an input that might be coming from the other side of the world that it’s being handled correctly.


So, yes, the design and the architecture have definitely exposed a lot more of the app’s surface. There’s been a bit of a race to make the tools better, but the architectures are getting more complicated. And I don’t know, it’s neck and neck on whether things are getting more secure or they’re getting less secure as these architectures get bigger and more exposed.

We have to think about that. How do we design processes to deal with that? How do you design technology, and what’s the culture that needs to be in place? I think part of it is having a culture of every single developer being conscious of the fact that the decisions they’re making have security implications. So that’s a lot of work to do.

Gardner: Another attitude adjustment that’s necessary is assuming that breaches are going to happen and to stifle them as quickly as possible. It’s a little different mindset, but the more people involved with looking for anomalies, who are willing to have their data or behaviors examined for anomalies makes sense.

Is there a needed cultural shift that goes with assuming you’re going to be breached and making sure the damage is limited?

Assume the worst to limit damage

Ludwig: Yes. A big part of the cultural shift is being comfortable taking feedback from anybody that you have a problem and that there’s something that you need to fix. That’s the first step.

Companies should let anybody identify a security problem -- and that could be anybody inside or outside of the company. Bug bounties. We’re in a bit of a revolution in terms of enabling better visibility into potential security problems.

But once you have that sort of culture, you start thinking, “Okay. How do I actually monitor what’s going on in each of the different areas?” With that visibility, exposure, and understanding what’s going in and out of specific applications, you can detect when there’s something you’re not expecting. That turns out to be really difficult, if what you’re looking at is very big and very, very complicated.

Decomposing an application down into smaller pieces, being able to trace the behaviors within those pieces, and understanding which APIs each of those different microservices is exposing turns out to be really important.

If you combine decomposing applications into smaller pieces with monitoring what’s going on in them and creating a culture where anybody can find a potential security flaw, surface it, and react to it -- those are good building blocks for having an environment where you have a lot more security than you would have otherwise.

Gardner: Another shift we’ve seen in the past several years is the advent of big data. Not only can we manage big data quickly, but we can also do it at a reasonable cost. That has brought about machine learning (ML) and movement to artificial intelligence (AI). So, now there’s an opportunity to put another arrow in our quiver of tools and use big data ML to buttress our security and provide a new culture of awareness as a result.


Ludwig: I think so. There are a bunch of companies trying to do that, to look at the patterns that exist within applications, and understand what those patterns look like. In some instances, they can alert you when there’s something not operating the way that is expected and maybe guide you to rearchitecting and make your applications more efficient and secure.

There are a few different approaches being explored. Ultimately, at this point, most applications are so complicated -- and have been developed in such a chaotic manner -- it’s impossible to understand what’s going on inside of them. That’s the right time that the robots give it a shot and see if we can figure it out by turning the machines on themselves.

Gardner: Yes. Fight fire with fire.

Let’s get back to the culture of security. If you ask the people in the company to think differently about security, they all nod their heads and say they’ll try. But there has to be a leadership shift, too. Who is in charge of such security messaging? Who has the best voice for having the whole company think differently and better about security? Who’s in charge of security?

C-suite must take the lead

Ludwig: Not the security people. That will be a surprise for a lot of people to hear me say that. The reality is if you’re in security, you’re not normal. And the normal people don’t want to hear from the not-normal person who’s paranoid that they need to be more paranoid.

That’s a realization it took me several years to realize. If the security person keeps saying, “The sky is falling, the sky is falling,” people aren’t going to listen. They say, “Security is important.” And the others reply, “Yes, of course, security is important to you, you’re the security guy.”

If the head of the business, or the CEO, consistently says, “We need to make this a priority. Security is really important, and these are the people who are going to help us understand what that means and how to execute on it,” then that ends up being a really healthy relationship.

The companies I’ve seen turn themselves around to become good at security are the ones such as Microsoft, Google, or others where the CEO made it personal, and said, “We’re going to fix this, and it’s my number-one priority. We’re going to invest in it, and I’m going to hire a great team of security professionals to help us make that happen. I’m going to work with them and enable them to be successful.”


Alternatively, there are companies where the CEO says, “Oh, the board has asked us to get a good security person, so I’ve hired this person and you should do what he says.” That’s the path to a disgruntled bunch of folks across the entire organization. They will conclude that security is just lip service, it’s not that important. “We’re just doing it because we have to,” they will say. And that is not where you want to end up.

Gardner: You can’t just talk the talk, you have to walk the walk and do it all the time, over and over again, with a loud voice, right?

Ludwig: Yes. And eventually it gets quieter. Eventually, you don’t need to have the top level saying this is the most important thing. It becomes part of the culture. People realize that’s just the way – and it’s not that it’s just the way we do things, but it is a number-one value for us. It’s the number-one thing for our customers, too, and so culture shift ends up happening.

Gardner: Security mindfulness becomes the fabric within the organization. But to get there requires change and changing behaviors has always been hard.

Are there carrots? Are there sticks? When the top echelon of the organization, public or private, commits to security, how do you then execute on that? Are there some steps that you’ve learned or seen that help people get incentivized -- or whacked upside the head, so to speak, when necessary?

Talk the security talk and listen up

Ludwig: We definitely haven’t gone for “whacked upside the head.” I’m not sure that works for anybody at this point, but maybe I’m just a progressive when it comes to how to properly train employees.

What we have seen work is just talking about it on a regular basis, asking about the things that we’re doing from a security standpoint. Are they working? Are they getting in your way? Honestly, showing that there’s thoughtfulness and concern going into the development of those security improvements goes a long way toward making people more comfortable with following through on them.

A great example is … You roll out two-factor authentication, and then you ask, “Is it getting in the way? Is there anything that we can do to make this better? This is not the be-all and end-all. We want to improve this over time.”

That type of introspection by the security organization is surprising to some people. The idea that the security team doesn’t want it to be disruptive, that they don’t want to get in the way, can go a long way toward it feeling as though these new protections are less disruptive and less problematic than they might otherwise feel.

Gardner: And when the organization is focused on developers? Developers can be, you know …

Ludwig: Ornery?

Gardner: “Ornery” works. If you can make developers work toward a fabric of security mindedness and culture, you can probably do it to anyone. What have you learned on injecting a better security culture within the developer corps?

Ludwig: A lot of it starts, again, at the top. You know, we have core values that invoke vulgarity to both emphasize how important they are, but also how simple they are.

One of Atlassian’s values is, “Don’t fuck the customer.” And as a result of that, it’s very easy to remember, and it’s very easy to invoke. “Hey, if we don’t do this correctly, that’s going to hurt the customer.” We can’t let that happen as a top-level value.

We also have “Open company, no-bullshit”. If somebody says, “I see a problem over here,” then we need to follow up on it, right? There’s not a temptation to cover it up, to hide it, to pretend it’s not an issue. It’s about driving change and making sure that we’re implementing solutions that actually fix things.

There are countless examples of a feature that was built, and we really want to ship it, but it turns out it’s got a problem and we can’t do it because that would actually be a problem for the customer. So, we back off and go from there.

How to talk about security

Gardner: Words are powerful. Brands are powerful. Messaging is powerful. What you just said made me think, “Maybe the word security isn’t the right word.” If we use the words “customer experience,” maybe that’s better. Have you found that? Is “security” the wrong word nowadays? Maybe we should be thinking about creating an experience at a larger level that connotes success and progress.

Ludwig: Super interesting. Apple doesn’t use the word “security” very much at all. As a consumer brand, what they focus on is privacy, right? The idea that they’ve built highly secure products is motivated by the users’ right to privacy and the users’ desire to have their information remain private. But they don’t talk about security.


I always thought that was a really interesting decision on their part. When I was at Google, we did some branding analysis, and we also came up with insights about how we talked about security. It’s a negative from a customer’s standpoint. And so, most of the references that you’ll see coming out of Google are security and privacy. They always attach those two things together. It’s not a coincidence. I think you’re right that the branding is problematic.

Microsoft uses trustworthy, as in trustworthy computing. So, I guess the rest of us are a little bit slow to pick up on that, but ultimately, it’s a combination of security and a bunch of other things that we’re trying to enable to make sure that the products do what we’re expecting them to do.

Gardner: I like resilience. I think that cuts across these terms because it’s not just the security, it’s how well the product is architected, how well it performs. Is it hardened, in a sense, so that it performs in trying circumstances – even when there are issues of scale or outside threats, and so forth. How do you like “resilience,” and how does that notion of business continuity come into play when we are trying to improve the culture?

Ludwig: Yes, “resilience” is a pretty good term. It comes up in the pop psychology space as well. You can try to make your children more resilient. Those are the ones that end up being the most successful, right? It certainly is an element of what you’re trying to build.


A “resilient” system is one in which there’s an understanding that it’s not going to be perfect. It’s going to have some setbacks, and you need to have it recoverable when there are setbacks. You need to design with an expectation that there are going to be problems. I still remember the first time I heard about a squirrel shorting out a data center and taking down the whole data center. It can happen, right? It does happen. Or, you know, you get a solar event and that takes down computers.

There are lots of different things that you need to build to recover from accidental threats, and there are ones that are more intentional -- like when somebody deploys ransomware and tries to take your pipeline offline.

Gardner: To be more resilient in our organizations, one of the things that we’ve seen with developers and IT operations is DevOps. Has DevOps been a good lesson for broader resilience? Is there something we can do with other silos in an organization to make them more resilient?

DevOps derives from experience

Ludwig: I think so. Ultimately, there are lots of different ways people describe DevOps, but I think about taking what used to be a very big thing and acknowledging that you can’t comprehend the complexity of that big thing. Choosing instead to embrace the idea that you should do lots of little things, in aggregate, and that they’re going to end up being a big thing.

And that is a core ethos of DevOps, that each individual developer is going to write a little bit of code and then they’re going to ship it. You’re going to do that over and over and over. You are going to do that very, very, very quickly. And they’re going to be responsible for running their own thing. That’s the operations part of the development. But the result is, over time, you get closer to a good product because you can gain feedback from customers, you’re able to see how it’s working in reality, and you’ll be able to get testing that takes place with real data. There are lots of advantages to that. But the critical part of it, from a security standpoint, is it makes it possible to respond to security flaws in near real-time.

Often, organizations just aren’t pushing code frequently enough to be able to know how to fix a security problem. They are like, “Oh, our next release window is 90 days from now. I can’t possibly do anything between now and then.” Getting to a point where you have an improvement process that’s really flexible and that’s being exercised every single day is what you get by having DevOps.

And so, if you think about that same mentality for other parts of your organization, it definitely makes them able to react when something unexpected happens.

Gardner: Perhaps we should be looking to our software development organizations for lessons on cultural methods that we can apply elsewhere. They’re on the bleeding edge of being more secure, more productive, and they’re doing it through better communications and culture.

Ludwig: It’s interesting to phrase it that way because that sounds highfalutin, and that they achieved it out of expertise and brilliance. What it really is, is the humbleness of realizing that the compiler tells you your code is wrong every single day. There’s a new user bug every single day. And eventually you get beaten down by all those, and you decide you’re just going to react every single day instead of having this big thing build up.

So, yes, I think DevOps is a good example but it’s a result of realizing how many flaws there are more than anything highfalutin, that’s for sure.

Gardner: The software doesn’t just eat the world; the software can show the world the new, better way.

Ludwig: Yes, hopefully so.

Future best security practices

Gardner: Adrian, any thoughts about the future of better security, privacy, and resilience? How will ML and AI provide more analysis and improvements to come?

Ludwig: Probably the most important thing going on right now in the context of security is the realization by the senior executives and boards that security is something they need to be proponents for. They are pushing to make it possible for organizations to be more secure. That has fascinating ramifications all the way down the line.

If you look at the best security organizations, they know the best way to enable security within their companies and for their customers is to make security as easy as possible. You get a combination of the non-security executive saying, “Security is the number-one thing,” and at the same time, the security executive realizes the number-one thing to implement security is to make it as easy as possible to embrace and to not be disruptive.

And so, we are seeing faster investment in security that works because it’s easier. And I think that’s going to make a huge difference.

There are also several foundational technology shifts that have turned out to be very pro-security, which wasn’t why they were built -- but it’s turning out to be the case. For example, in the consumer space the move toward the web rather than desktop applications has enabled greater security. We saw a movement toward mobile operating systems as a primary mechanism for interacting with the web versus desktop operating systems. It turns out that those had a fundamentally more secure design, and so the risks there have gone down.

The enterprise has been a little slow, but I see the shift away from behind-the-firewall software toward cloud-based and software as a service (SaaS) software as enabling a lot better security for most organizations. Eventually, I think it will be for all organizations.

Those shifts are happening at the same time as we have cultural shifts. I’m really optimistic that over the next decade or two we’re going to get to a point where security is not something we talk about. It’s just something built-in and expected in much the same way as we don’t spend too much time now talking about having access to the Internet. That used to be a critical stumbling block. It’s hard to find a place now that doesn’t or won’t soon have access.

Gardner: These security practices and capabilities become part-and-parcel of good business conduct. We’ll just think of it as doing a good job, and those companies that don’t do a good job will suffer the consequences and the Darwinian nature of capitalism will take over.

Ludwig: I think it will.

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on building security-minded cultures within public and private organizations.

And we’ve learned how behavior, culture, attitude, and organizational shifts create both hurdles and solutions for making businesses more intrinsically resilient by nature.


So, join me in thanking our guest, Adrian Ludwig, CISO at Atlassian. Thank you so much, Adrian, I really enjoyed it.

Ludwig: Thanks, Dana. I had a good time as well.

Gardner: And a big thank you to our audience for joining this BriefingsDirect IT security culture discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Traceable AI-sponsored BriefingsDirect interviews.

Stay tuned for our next podcast in this series, with a deep-dive look at new security tools and methods with Sanjay Nagaraj, Chief Technology Officer and Co-Founder at Traceable AI.

Look for other security podcasts and content at www.briefingsdirect.com.

Thanks again for listening. Please pass this along to your business community and do come back for our next chapter.


Transcript of a discussion on creating broader awareness of security risks and building a security-minded culture across organizations and ecosystems. Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.


Monday, March 29, 2021

How HPE Pointnext Tech Care Changes the Game for Delivering Enhanced IT Solutions and Support


Transcript of a discussion on how HPE Pointnext Services has developed solutions to satisfy the new era of IT tech support expectations. 

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Hewlett Packard Enterprise Pointnext Services.

Dana Gardner: Hello, and welcome to the next BriefingsDirect Voice of Tech Services Innovation podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion on how services and support for enterprise IT have entered a new era.

For IT technology service providers, the timing of the news couldn’t be better. Those now consuming tech support are demanding higher-order value -- such as higher worker productivity from hybrid services delivered across many more remote locations.

At the same time, the underlying technologies and intelligence to enhance traditional helpdesk-type support are blossoming to deliver proactive -- and even consultative -- enhancements.

Stay with us now as we examine how Hewlett Packard Enterprise (HPE) Pointnext Services has developed new solutions to satisfy this new era of higher IT tech support expectations.

We will now learn about HPE’s new generation of readily-at-hand IT expertise, augmented remote services, and ongoing product-use guidance that together propel businesses to exploit their digital domains -- better than ever.

Here to share the Pointnext vision for the future of advanced IT operational services is Gerry Nolan, Director of Operational Services Portfolio, at HPE Pointnext Services. Welcome, Gerry.


Gerry Nolan: Hi, Dana. Great to be here. Thank you.

Gardner: We are also here with Rob Brothers, Program Vice President, Datacenter and Support Services, at IDC. Welcome, Rob.

Rob Brothers: Hi, Dana. Thank you very much for having me on the show.

Gardner: Rob, what are enterprise IT leaders and their consumers demanding of tech support in early 2021? How are their expectations different from just a year or two ago?

IT evolves from fix-it to forward-thinking

Brothers: It’s a great question, Dana. I want to jump back a little bit further than just a year or so ago. That’s because support has really evolved so much over the past five, six, or seven years.

If you think about product support and support in general back in the day, it was just that. It was an add-on. It was great for fix services. It was about being able to place a phone call to get something fixed.

But that evolved over the past few years due to the fact that we have more intelligent devices and customers are looking for more proactive, predictive capabilities, with direct access to experts and technicians. And now that all has taken a fast-track trajectory during the pandemic as we talk about digital transformation.

During COVID-19, customers need new ways to work with tech-support organizations. They need even more technical assistance. So, we see that a plethora of secure, remote-support capabilities have come out. We see more connected devices. We see that customers look for expertise over the phone -- as well as via chat or via augmented reality. Whatever the channel, we see a trajectory and growth that has spurred on a lot of innovation -- and not just the innovation itself, but the consumption of that innovation.

Those are a couple of the big differences I’ve seen in just the past couple of years. It’s about the need for newer support models, and a different way of receiving support. It’s also about using a lot of the new, proactive, and predictive capabilities built inside of these newer systems -- and really getting connected back to the vendor.

Those enterprises that connect back to their vendors are getting that improved experience and can then therefore pass that better experience to their customers. That’s the important part of the whole equation -- making sure that better IT experiences translate to those enterprise customers. It’s a very interesting time.

Gardner: I sense this is also about more collective knowledge. When we can gather and share how IT systems are operating, it just builds on itself. And now we have the tools in place to connect and collaborate better. So this is an auspicious time -- just as the demand for these services has skyrocketed.

Brothers: Yes, without a doubt. I find the increased use of augmented reality (AR) to deliver support extremely interesting, too, and a great use case during a pandemic.

If you can’t send an engineer to a facility in-person, maybe you can give that engineer access to the IT department using Google Glass or some other remote-access technology. Maybe you can walk them through something that they may not have been able to do otherwise. With all of the data and information the vendor collects, they can more easily walk them through more issues. So that’s just one really cool use case during this pandemic.

Gardner: Gerry, do you agree that there’s been auspicious timing when it comes to the need for these innovative support services and the capability to deliver them technically?

Pandemic accelerates remote services

Nolan: Yes, there’s no question. I totally agree with Rob. We saw a massive spike with the pandemic in terms of driving to remote access. We already had significant remote capabilities, but many of our customers all of a sudden have a huge remote workforce that they have to deal with.

They have to keep their IT running with minimal on-site presence, and so you have to start quickly innovating and delivering things such as AR and virtual reality (VR), which is what we did. We already have that solution.

But it’s amazing how something like a pandemic can elevate that use to our thousands and thousands of technical engineers around the world who are now using that technology and solution to virtually join customer sites and help them triage, diagnose, and even do installations. It’s allowing them to keep their systems and their businesses running during a very tough period.

Another insight is we’ve seen customers struggling, even before the pandemic, with having enough technical personnel bandwidth. You know, how they need more people resources and skills as more new technologies hit the streets.

To Rob’s point, it’s difficult for customers to keep pace with the speed of change in IT. There’s more hunger for partners who can go deep on expertise across a wide plethora of technologies. So, there’s a variety of new support activities going on.

Brothers: Yes, around those technical capabilities, one of the biggest things I hear from enterprises is just trying to find that talent pool. You need to get employees to do some of the technical pieces of the equation on a lot of these new IT assets. And they’re just not out there, right?

They need programmers and big data data scientists. Getting folks to come in to assist on that level is more and more difficult. Hence, working with the vendor for a lot of these needs and that technical expertise really comes in handy now.

Gardner: Right, when you can outsource -- people do outsource. That’s been a trend for 10 or 15 years now.

What are the challenges enterprises -- as the IT vendors and providers -- have in closing that skills gap?

DX demands collaboration

Brothers: I actually did a big study around digital transformation. One of the big issues I’ve seen within enterprises is a lot of siloed structures. The networking team is not talking to the storage team, or not talking to the server team, and protecting their turf.

As an alternative, you can have the vendor come in and say, “Look, we can do this for you in a simpler fashion. We can do it a little bit faster, too, and we can keep downtime out of your environment.”

But trying to get the enterprise convinced [on the outsourcing] can sometimes be tricky and difficult. So I see that as one of the inhibitors to getting some of these great tech services that the vendors have into these environments.

A second big challenge I see is around the big, legacy IT environments. This goes back to that connectedness piece I talked about. A lot of these legacy systems are mixed in with the newer systems. This is where you see a struggle within enterprises. They are asking, “Okay, well, how do I support this older equipment and still migrate to this new platform that I want to do a lot of cloud-based computing with and become more operationally efficient?” The vendors can assist with that, but it’s still the stovepipe silos you sometimes see in enterprises that can make transitions very difficult.

Gardner: Right. The fact is we have hybrid everything, and now we have to adjust our support and services to that as well.

Gerry, around these challenges, it seems we also have some older thinking around how you buy these tech services. Perhaps it has been through a warranty or a bolt-on support plan. Do we need to change the way we think about acquiring these services?

Customer experience choice

Nolan: Yes, customers are all about experiences these days. Think about pretty much every part of your life -- whether you’re going to the bank, booking a vacation, or even buying an electric car. They’ve totally transformed the experience in each of those areas.

IT is no different. Customers are trying to move beyond, as Rob was saying, that legacy IT thinking. Even if it’s contacting a support provider for a break-fix issue, they want the solution to come with an end-to-end experience that’s compelling, engaging, and in a way that they don’t need to think about all the various bits and pieces. The fewer decisions a customer has to make and the more they can just aim for a particular outcome, the more successful we’re going to be.

Brothers: Yes, when a customer invested $1 million in a solution set, the old mindset was that after three or four years it would be retired and they would buy a new one -- but that’s completely changed.

Now, you’re looking at this technology for a longer term within your environment. You want to make sure you’re getting all the value out of it, so that support experience becomes extremely important. What does the system look like from a performance perspective? Did I get the full dollar value out of it?


That kind of experience is not just between the vendor and with my own internal IT department, but also in how that experience correlates out to my end-user customer. It becomes about bringing that whole experience circle around. It’s really about the experience for everybody in the environment -- not just for the vendor and not just for the enterprise. But it’s for the enterprise’s customers.
 

Gardner: Rob, I think it behooves the seller of the IT goods if they’ve moved from a CapEx to an OpEx model so that they can make those services as valuable as possible and therefore also apply the right and best level of support over time. It locks the customer in on a value basis, rather than a physical basis.

Brothers: Yes, that’s one great mindset change I’ve seen over the past five years. I did a study about six years ago, and I asked customers how they bought support. Overwhelmingly they said they just bought a blanket support contract. It was the same contract for all of the assets within the environment.

But just recently, in the past couple of years, that’s completely changed. They are now looking at the workloads. They’re looking at the systems that run those workloads and making better decisions as to the best type of support contract on that system. Now they can buy that in an OpEx- or CapEx-type manner, versus that blanket contract they used to put on it.


It’s really great to see how customers have evolved to look at their environments and say, “I need different types of support on the different assets I have, and which provide me different experiences.” That’s been a major change in just the past couple of years.

Nolan: We’re also seeing customers seek the capability to evolve and move from one support model to another. You might have a customer environment where they have some legacy products where they need help. And they’re implementing some new technologies and new solutions, and they’re developing new apps.

It’s really helpful for that customer if they can work with a single vendor -- even if they have multiple, different IT models. That way they can get support for their legacy, deploy new on-premises technologies, and integrate that together with their legacy. And then, of course, having that consumption-as-a-service model that Rob just talked about, they also have a nice easy way of transitioning workloads over to hybrid models where appropriate.

I think that’s a big benefit, and it’s what the customers seem to be looking for more and more these days.

Gardner: Gerry, what’s the vision now behind HPE to deliver on that? What’s Pointnext Services doing to provide a new generation of tech support that accommodates these new and often hybrid environments?

Tech Care’s five steps toward support

Nolan: We’re very excited to launch a new support experience called HPE Pointnext Tech Care. It’s all about delivering on much of what’s just been said in terms of moving beyond a product break-fix experience to helping customers get the most out of that product -- all the way from purchasing through its lifecycle to end-of-life.

Our main goal for HPE Pointnext Tech Care is to help customers maximize and expose all the value from that product. We’re going to do that with HPE Pointnext Tech Care through five key elements.

The first is to make it a very simple experience. Today, we have four different choices when you’re buying a product as to which experience you want to go with. Now with HPE Pointnext, products are going to be sold embedded with a support experience called HPE Pointnext Tech Care. It’s a very simple experience. It has some choices on the service-level-agreement (SLA) side, but it’s going to dramatically simplify the buying and owning experience for our HPE customers.

The second aspect is the digital-transformation component that we see everywhere in life. That means we’re embedding a lot of data telemetry into the products. We have a product called HPE InfoSight that’s now embedded in our technology being deployed.

InfoSight collects all that data and sends it back to the mother ship, which allows our support experts to gain all of those insights and provide help with the customer in mitigating, predicting, planning capacity, and helping to keep that system running and optimized at all times. So, that’s one element of the digital component.

The other aspect is a very rich support portal, a customer engagement platform. We’ve already redone our support center on hpe.com and customers will see it’s completely changed. It has a new look and feel. Over the coming quarters, there will be more and more new capabilities and functionality added. Customers will be able to see dashboards, personalized views of their environments, and their products. They’ll get omni-channel access to our experts, which is the third element we are providing.

We have all this great expertise. Traditionally, you would connect with them over the telephone. But going forward, you’re going to have the capability, as Rob mentioned, for customers to do chat. They may also want to watch videos of the experts. They may want to talk to their peers. So we have a moderated forum area where customers can communicate with each other and with our experts. There’s also a whole plethora of white papers and Tech Tip videos. It’s a very rich environment.

Then the fourth HPE Pointnext Tech Care element touches on a key trend that Rob mentioned, which goes beyond break-fix. With HPE Pointnext Tech Care, you’ll have the capability to communicate with experts beyond just talking about a broken part of your system. This will allow you to contact us and talk about things such as using the product, or capacity planning, or configuration information that you may have questions about. This general tech guidance feature of HPE Pointnext Tech Care, we believe, is going to be very exciting for customers, and they’re going to really benefit from it.

And lastly, the fifth component is about a broader spectrum of full lifecycle help that our customers want. They don’t just want a support experience around buying the product, they want it all the way through its lifetime. The customer may need help with migration, for example, or they may need help with performance, training their people, security, and maybe even retiring or sanitizing that asset. 

With HPE Pointnext Tech Care, they will have a nice, easy mechanism where you have a very robust, warm-blanket-type of support that comes with the product and can easily be augmented with other menu choices. We’re very excited about the launch of HPE Pointnext Tech Care and it comes with those five key elements. It’s going to transform the support experience and help customers get the most from their HPE products.

Gardner: Rob, how much of a departure do you sense the HPE Pointnext Tech Care approach is from earlier HPE offerings, such as HPE Foundation Care? Is this a sea change or a moderate change? How big of a deal is this?

Proactive, predictive capabilities

Brothers: In my opinion, it’s a pretty significant change. You’re going to get proactive, predictive capabilities at the base level of the HPE Pointnext Tech Care service that a lot of other vendors charge a real premium for.

I can’t stress enough how important it is for those proactive, predictive capabilities to come with environments. A survey that I did not long ago supported a cost-downtime study. In that study, customers saw approximately 700 or so hours of downtime per year across their environments. These are servers, storage, networking, and security, and take human error into account. If customers enabled proactive, predictive capabilities, they saw approximately 200 hours of saved downtime. That’s because of what those corrective, predictive capabilities can do at that base layer. They allow you to do the one big thing that prevents downtime -- and that's patch management and patch planning.

Now, those technical experts that Gerry talked about can access all of this beautiful, feature-rich information and data. They can feed it back to the customer and say, “Look, here’s how your environment looks. Here’s where we see some areas that you can make improvements, and here's a patch plan that you can put in place.”

Then all of the data comes back from enterprises, saying, “If I do a better job of that patching and patch planning that just saves a copious amount of unplanned and planned downtime out of my environment because I now do a better job of that.” That’s precious information and data.

That’s the big fundamental change. They’re showing the real value to the customer so they don’t have to buy some of those premium levels. They can get that kind of value in the base level, which is extremely important and provides that higher-order experience to end-user customers. So I do think that’s a huge fundamental shift, and definitely a new value for the customers.

Gardner: Rob, correct me if I’m wrong, but having this level of proactive, baked-in-from-the-start support comes at an auspicious time, too, because people are also trying to do more automation with their security operations. It seems to me that we’re dovetailing the right approaches for patching and proactive maintenance along with what’s needed for security. So, there’s a security benefit here as well?

Brothers: Oh, massive. Especially if you look at this day and age with a lot of the security breaches we had just over the past year due to new security remote access to a lot of systems. Yes, it definitely plays a major factor in how enterprises should be thinking about how they’re patching and patch planning.

Gardner: Gerry, just to pull on that thread again about data and knowledge sharing, the more you get the relationship that you’re describing with HPE Pointnext Tech Care -- the more back and forth of the data and learning what the systems are doing -- and you have a virtuous cycle. Tell us how the machine learning (ML) and data gathering works in aggregate and why that’s an auspicious virtuous cycle.

Nolan: That’s an excellent question and, of course, you’re spot-on. The combination is of the telemetry built into the actual products through HPE InfoSight, our back-end experts, and the detailed knowledge management processes. We also have our experts who are watching, listening, and talking to customers as they deal with issues.

That means you have two things going on. You have the software learning over time and we have rules being built in there so that when it spots an issue it can go and look for all the other similar environments and then help those customers mitigate and predict ahead of time.


Secondly, our experts can engage better because they’re also dealing with and seeing various challenges happening around the world in various environments. The combined knowledge management process means we’re constantly building more and more content, more and more knowledge, and we’re immediately making that available through the new digital customer platforms.

That means that customers will immediately get the benefit of all of this knowledge. It might be a Tech Tip video. It might be a white paper. It might be an item or an article in a moderated forum. There’s this rich back-and-forth between what’s available in the portal and what’s available in the knowledge that the software will build over time. And all of this just comes to bear in a richer experience for the customer, where they can help either self-solve or self-serve. But if they want to engage with our experts, they’re available in multiple different channels and in multiple different ways.

Gardner: Rob, another area where 2+2=5 is when we can take those ML and data-driven insights that Gerry described across a larger addressable market of installed devices. And then, we can augment that with MyRoom-type technologies and the VR and AR capabilities that you described earlier.

What’s the new sum value when we can combine these insights with the capability to then deliver the knowledge remotely and richly?

Autonomous IT reduces human error

Brothers: That’s a really great point. The whole idea is to attain what we call autonomous IT. That means to have IT systems that are more on the self-repair side, and that have product pieces shipped prior to things going wrong.

One of the biggest and most-costly pieces of downtime is from human error. If we can pull the human touch and human interaction out of the IT environment, we save each company hundreds of thousands of dollars a year. That’s what all this data and information will provide to the IT vendors. They can then say, “Look, let’s take the human interactions out of it. We know that’s one of the most-costly sides of the equation.”

If we can do that in an autonomous fashion -- where we’re optimizing systems on a regular basis, equipment is being shipped to the facility prior to anything breaking, we can schedule any downtime during quiet times, and make sure that workloads are moved properly -- then that’s the endgame. It gets to the point where the human factor gets more removed and we’re relying more on the intelligence of the systems to do more.

That’s definitely the direction we’re moving in, and what we’re seeing here is definitely heading in that direction.

Gardner: Yes, and in that case, you’re not necessarily buying IT support, you’re buying IT insurance.

Brothers: Yes, exactly. That gets back to the consumption models. HPE is one of the leaders in that space with HPE GreenLake. They were one of the pioneers to come up with a solution such as that, which takes the whole IT burden off of IT’s plate and puts it back on the vendor.

Nolan: We have a term for that concept that one of my colleagues uses. They call it invisible IT. That’s really what a lot of customers are looking for. As Rob said, we’re still some ways from that. But it’s a noble goal, and we’re all in to try and achieve it.

Gardner: So we know what the end-goal is, but we’re still in the progression to it. But in the meantime, it’s important to demonstrate to people value and return on investment (ROI).

Do we have any HPE Pointnext Tech Care examples, Gerry? Rob already mentioned a few of his studies that show dramatic improvements. But do we have use cases and/or early-adoption patterns? How do we measure when you do this well and you get?

Benefits already abound

Nolan: There are a ton of benefits. For example, we already have extensive Tech Tip video libraries. We have chat implemented. We have the moderated forums up and running. We have lots of different elements of the experience already live in certain product areas, especially in storage.

Of course, many HPE products are already connected through HPE InfoSight or other tools, which means those systems are being monitored on a 24 x 7 basis. The software already monitors, predicts, and mitigates issues before they occur, as well as provides all sorts of insights and recommendations. This allows both the customer and our support experts to engage and take remediation action before anything bad happens. 

Customers seem to love this more-rich experience approach. Yes, there’s a lot more data and a lot more insights. But to have those experts on-hand, to be able to gain or build an action plan from all of that data, is really important.

Now, in terms of some of the benefits that we’re seeing in the storage space, those customers that are connected are seeing 73 percent fewer trouble tickets and 69 percent faster time-to-resolution. To date, since InfoSight was first deployed in that storage environment alone, we’ve measured about 1.5 million hours of saved productivity time.

So there are real benefits when you combine being connected with ML tools such as InfoSight. When the rich value available in HPE Pointnext Tech Care comes together, it further reduces downtime, improves performance, and helps reach the end-goal that Rob talked about, the autonomous IT or invisible IT. 

Gardner: Rob, we started our conversation about what’s changed in tech support. What’s changed when it comes to the key performance indicators (KPIs) for evaluating tech support and services?

Brothers: The big, new KPIs that we’re seeing do not just evaluate the experience that the enterprise has with the IT vendors. Although that’s obviously extremely important, it’s also about how does that correlate to the experiences my end-users are receiving?


You’re beginning to see those measurements come to the fore. An enterprise has its own SLAs and KPIs with its end-users. How is that matching to the KPIs and SLAs I have back to my IT vendors? You’re beginning to see those merge and come together. You’re beginning to see new matrices put in place where you can evaluate the vendor through how well you’re delivering user experiences to your own end-users.

It takes a bit of time and energy to align that because it’s a fairly complex measurement to put in place. But we’re beginning to see that from enterprises, to seek that level of value from the vendors. And the vendors are stepping up, right? They’re beginning to show these dashboards back to the enterprise that say, “Hey, here’s the SLA, here are the KPIs, here are the performance matrices that we’re collecting and that should correlate fairly well to what you’re providing to your end-user customers.”

Gardner: Gerry, if we properly align these values, it better fits with digital transformation because people have to perceive the underlying digital technologies as an enabler, not as a hurdle. Is HPE Pointnext Tech Care an essential part of digital transformation when we think about that change of perception?

Incident management transforms

Nolan: It totally is. One of our early Pointnext customers is a large, US retailer. They’ve gone through a situation where they had a bunch of technology. Each one had its own individual support contract. And they’ve moved to a more centralized and simpler approach where they have one support experience, which we actually deliver across each of their different products -- and they’re seeing huge benefits.

They’ve gone from firefighting and having their small IT team predominantly focused on dealing with issues and support calls regarding hardware- and update-type issues and all of a sudden, they were measuring themselves on incidents -- how many incidents -- and they were trying to keep that at a manageable level.

Well, now, they’ve totally changed. The incidents have almost disappeared -- and now they’re focused on innovation. How fast can they get new applications to their business? How fast can they get new projects to market in support of the business?

They’re just one customer who has gone through this transformation where they’re using all of the things we just talked about and it’s delivering significant benefits to them and to their IT group. And the IT group, in turn, are now heroes to their business partners around the US.

Gardner: I want to close with some insights into how organizations should prepare themselves. Rob, if you want to gain this new level of capability across your IT organization, you want the consumers of IT in your enterprise to look to IT for solutions and innovation, what should you be thinking about now? What should you put in place to take advantage of the offerings that organizations such as HPE are providing with HPE Pointnext Tech Care?

Evaluating vendor experiences

Brothers: It all starts with the deployment process. When you’re looking and evaluating vendors, it’s not just, “Hey, how is the product? Is the product going to perform and do its task?”

Some 99 percent of the time, the stand-alone IT system you’re procuring is going to solve the issue you’re looking to solve. The key is how well is that vendor going to get that system up and running in your environment, connected to everything it needs to be connected to, and then supports it and optimizes it for the long run.

It’s really more about that life cycle experience. So, as an enterprise, you need to think differently on how you want to engage with your IT vendor. You need to think about all the different performance KPIs, and match that back to your end-user customer.

The thought process of evaluating vendors, in my opinion, is shifting. It’s more about the type of experience I get with this vendor versus the product and its job. That’s one of the big transitional phases I’m seeing right now. Enterprises are thinking more about the experience they have with their partners, more so than if the product is doing the job.

Gardner: Gerry, what do you recommend people do in order to get prepared to take advantage of such offerings as HPE Pointnext Tech Care?

Nolan: Following on from what Rob said, customers can already decide what experience they would like. HPE Pointnext Tech Care will be the embedded support experience that comes with their HPE products. It’s going to be very easy to buy because it’s going to be right there embedded with the product when the product is being configured and when the quote is being put together.

HPE Pointnext Tech Care is a very simple, easy, and fully integrated experience. They’re buying a full product experience, not a product -- and then choose their support experience on the side. If they want something broader than just a product experience -- what I call the warm blanket around their whole enterprise environment -- we have another experience called Datacenter Care that provides that.

We also have other experiences. We can, for example, manage the environment for them using our management capabilities. And then, of course, we have our HPE GreenLake as-a-service on-premises experience. We’ve designed each of these experiences so they can totally live together and work together. You can also move and evolve from one to the other. You can buy products that come with HPE Pointnext Tech Care and then easily move to a broader Datacenter Care to cover the whole environment.

We can take on and manage some of that environment and then we can transition workloads to the as-a-service model. We’re trying to make it as easy and as fast as possible for customers to onboard through any and all of these experiences.

Gardner: I’m afraid we’ll have to leave it there. We’ve been exploring how today’s consumers of IT tech support are demanding higher-order value to get the most from their hybrid systems and services.

And we’ve learned how HPE Pointnext Services has matched these new IT tech support expectations with a new generation of readily at-hand expertise, augmented on-location services, and ongoing guidance that will propel businesses to exploit their digital domains better than ever. 


Please join me in thanking our guests, Gerry Nolan, Director of Operational Services Portfolio at HPE Pointnext Services. Thank you very much, Gerry.

Nolan: Thank you, Dana.

Gardner: And we’ve also been here with Rob Brothers, Program Vice President, Datacenter and Support Services, at IDC. Thank you so much, Rob.

Brothers: Thanks, Dana. Thanks, Gerry.

Gardner: And a big thank you as well to our audience for joining us for this sponsored BriefingsDirect Voice of Tech Services Innovation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HPE-supported discussions.

Thanks again for listening. Please pass this along to your IT community, and do come back next time.

Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.
