Pandemic Accelerates Cyber, Digital Innovation

Google Cloud’s Sunil Potti and Deloitte’s Arun Perinkolam discuss how the rapid digital and cyber transformations put in place to counter pandemic-related disruption may lay the groundwork for future gains.

Hardship and necessity often lead to rapid innovation, as many organizations that launched digital transformation initiatives in the wake of pandemic-related disruption have demonstrated.

“One of the most interesting aspects of the COVID-19 crisis is that, for many companies, the pandemic was more of an accelerator than an obstacle,” observes Sunil Potti, a vice president and general manager for Google Cloud. “Whether they were launching digital transformations, new workforce-access models, or updated customer interaction technologies, many proactive companies used the crisis to make things better—to get to a ‘safer and better normal,’” he says.

From a cyber risk perspective, these rapid transformations encompassed initiatives related to technology operations and secure remote workforce engagement, with the latter addressing issues affecting a wide user base including employees, customers, business partners, and contractors. “Many of the effective pandemic-spurred transformations include three foundational cybersecurity tenets,” says Arun Perinkolam, a principal in the Cyber Risk practice of Deloitte & Touche LLP and Deloitte’s Google Cloud Cyber Alliance leader.

“First, the organizations made a commitment to put in place the appropriate organizational, process, and technology controls to securely handle a pivot to the new digital, all-remote user environment. The second tenet was a ‘no compromise’ mindset with respect to cybersecurity,” adds Perinkolam. That is, the pivot effectively addressed preventing, detecting, and responding to an increase in cyber threats and threat actors such as pandemic-related malware, phishing, and fraud.

The third tenet addresses cyber sustenance and scalability. “We are going to be in this mode of uncertainty for some time,” says Perinkolam. “Modern cyber programs need to have the agility to sustain the next normal, scale seamlessly, and flip between remote, in-person, and hybrid user experience and operating models.”

Such a digital transformation should introduce several operational improvements. For example, it should revamp security awareness and training programs to reinforce remote-work etiquette and related security and privacy concerns. It offers an opportunity to evaluate cost reduction and outsourcing options for existing security operations and talent models. What’s more, such a transformation can accelerate a move to a “zero-trust” mindset and approach to digital and cyber initiatives, promoting increased security, operational simplicity, agility, and automation.

Perinkolam explains that a zero-trust architecture continually monitors and authenticates users, constantly determining the level of risk they pose based on who they are, what they access, and when and from where they gain access. “Executives seem to increasingly understand the benefits of adopting an agile and dynamic security foundation that is resilient in the face of organizational change and flexible enough to meet modern business, workforce, and technology challenges,” says Perinkolam.

In some cases, the recognition that flexibility and enhanced cybersecurity are becoming business imperatives seems to be shortening digital transformation timelines from years to weeks, according to Potti. “If companies have the right underlying architecture—secure, cloud-native, flexible, and global—they can quickly respond to threats and opportunities that affect the business, even amid a global shutdown,” he observes.

In a recent conversation, Perinkolam and Potti discussed several cybersecurity issues precipitated by pandemic-related disruption, including the security concerns of a remote workforce, the “consumerization of the enterprise,” and why a zero-trust architecture may be needed now more than ever to help combat cyber threats.

Perinkolam: From a cybersecurity perspective, what are the digital transformation initiatives that seem to be helping companies cope more effectively with pandemic-related disruption?

Potti: Most initiatives seem to fall into two categories: simplifying operations and executing new priorities. When operations are simplified, it is easier for employees and contractors to connect to apps and get their work done—regardless of where they sit. With respect to executing on new priorities, an initiative might focus on changing consumer demand. For instance, a retailer discovers that 50% of its store or branch traffic is now online, and the company launches a digital transformation to take advantage—perhaps permanently—of that shift.

Simplifying operations and executing new priorities may not sound groundbreaking, but using a crisis to accelerate these projects is quite innovative. Transformations can start small. For example, an initiative might mitigate the risk of customer account fraud while scaling up e-commerce capabilities. An organization with transparent access to apps regardless of where an employee works might add similar access to a third-party call-center app to enable contractors to continue working.

Would you elaborate on the notion that the COVID-19 crisis brought so-called consumerization of the enterprise into full view and discuss the cybersecurity ramifications?

Consumerization of the enterprise generally refers to consumer apps that are simpler and require less IT support than those used in commercial or industrial settings. We’ve all heard stories about employees who complain that the consumer file storage or email service they use at home is simpler, faster, and more reliable than what they use at work. However, consumerization looks different when it’s viewed through a security lens.

Consumer security is usually less effective than enterprise security. Users work on untrusted networks; they may share devices with spouses, children, or roommates; and they might use the same, potentially privileged, account to surf the web. Such behaviors can expose corporate networks to new threat access points and associated risks. Moreover, employees may not be able to access adequate support if a problem occurs on a consumer network.

Suppose it is 11:30 p.m., an employee has a critical midnight deadline, the VPN can’t connect, and the IT team is unreachable. How will the deadline be met? The implications are straightforward: The safer, better normal presents a unique opportunity for enterprises to modernize by blending aspects of consumer and enterprise computing. Companies will require an architecture that can not only absorb but also thrive from this change.

What are some examples of initiatives that can be launched to navigate a distributed modern workplace more effectively?

Some projects will be natural outcomes of IT evolution. For instance, as more applications become browser-based, fewer apps will be installed on employee computers. In fact, most of us at Google no longer use apps that require a local install. By shrinking the bulk of installed software, we’ve reduced complexity and security risk while increasing simplicity.

Zero-trust access is another initiative for companies to consider. Many organizations are moving to a more modern architecture that allows workers to connect simply and securely from anywhere without VPNs or web gateways. Google operates this way, to the point where many of us have forgotten how clunky access via a VPN can be. A safer, better normal comes from building modern processes for supporting employees, protecting customers, and running the new processes on secure platforms.

What role does a zero-trust architecture play in helping companies arrive at a safer normal?

The underlying technologies we use at Google for corporate computing have evolved, enabling ways of working that aren’t just more secure but much simpler, to the point of invisibility. For the cybersecurity team, a zero-trust approach looks like this: a universal secure client (Chrome browser with two-factor keys), a blazing-fast global network, a policy-driven proxy that assesses every app request, and a secure connection to any backend apps or services.

To our employees, zero trust looks different: Open Chrome, click a URL, and get to the web app instantly, from anywhere, with no worry about account hijacking, downloading malware, getting phished, or hoping a VPN connects. Zero trust done right means a team gets its work done as quickly and easily as possible and on time.

—by Marie Leone, Deloitte Services LP, editor for Deloitte Insights for executives with risk management oversight responsibilities

Editor’s note: This article is part of an ongoing series of interviews with C-suite and other senior executives. Mr. Potti’s participation in this article is solely for educational purposes based on his knowledge of the subject, and the views expressed by him are solely his own. This article should not be deemed or construed to be for the purpose of soliciting business for Google, nor does Deloitte advocate or endorse the services or products provided by Google.  
