ARTICLES

Thinking About Cloud as a Shift in Culture Rather Than a Shift in Technology

Chris Hertz remembered a potential customer he was working with—a company that was considering migrating to the cloud. But the prospective client’s executives weren’t sure about this move, they told Hertz, who was the chief revenue officer of DivvyCloud at the time. And they hadn’t invested in the organizational changes or people that would be necessary to make it happen. The prospects looked dim.

Then support for the investment materialized from an unexpected source. The leader of the mainframe division went to his boss and pointed out that they had dozens of people focused on mainframes, but no one dedicated to public cloud. He threw down the gauntlet. If the company wasn’t willing to make that change, he was prepared to quit. And this man headed the mainframe division! That’s what it took to move the needle, Hertz said, adding that the company ultimately agreed and the former mainframe manager ended up leading the company’s Cloud Center of Excellence.

It’s not usually such a hard sell. There are lots of obvious benefits for a business, Hertz said. And often lawyers are quick to embrace the regulatory protections the move facilitates. But organizations like the one in his story can get wrapped up in the technology when that’s not the real issue. “Companies too often view this as a technological shift and not a cultural shift,” he said. That was the point of his story.

DivvyCloud was recently acquired by Boston-based Rapid7 and is now the cloud security division of the merged entity. As the VP of cloud security sales, Hertz was giving TAG Cyber analysts a briefing from this new perch.

He spoke often about innovation. That’s one of the big advantages, he said. Cloud and container environments provide unprecedented opportunities for businesses. These aren’t restricted to a command and control protocol, with only a few people calling the shots. The democratization gives more people a chance to experiment.

But the complexity can also render them susceptible to misconfiguration, compliance failures and data breaches. DivvyCloud offers businesses the ability to innovate securely, Hertz said. Its platform helps fill the gap between managed services and innovation by allowing a company to automate policies and protections, gain visibility into changes, and remediate problems in real- time.

For lawyers, the approach is particularly welcome, he noted. The DivvyCloud platform monitors all changes made to cloud services across Amazon Web Services, Microsoft Azure, Google Cloud Platform and other cloud service providers. The legal team can write policies that govern encryption and storage across all cloud environments, and can rest assured that they will be implemented and automated. DivvyCloud is also extensible and adaptable. Policies can be applied in some places and not others. And with a constantly changing database, programs can be set to alert IT if legal or regulatory standards are not met.

Sometimes technology is ahead of the regulators, Hertz said. And the lawyers have to educate them. DivvyCloud makes this easy. If regulators have questions, the lawyers can say, with authority, that the company has a single security policy, and can describe it in detail. And show them the changes.

What about the lawyers? I asked. They aren’t generally known as techies. Aren’t they sometimes left behind? Some lawyers are not up to speed and resist innovation, Hertz acknowledged. Lots of breaches occur “because legal does not want to come along.” The company sometimes has to say, “We’re going to do it anyway.” And it may be “because not doing it is more dangerous to the business than doing it.”

Lawyers can get wrapped up in the technology, which can slow the cultural shift. And sometimes, Hertz said, the board has to tell them that they must transform. But the best approach, he continued, is for the company to initiate extensive conversations with all of the key players well in advance of changes in technology. Airing out the issues will help prepare them all for the necessary shift in the company’s culture.

“It’s not about technology,” Hertz emphasized again. “It’s about teaching legal how to be agile. It’s teaching finance how to be agile. It’s teaching security how to be agile.” It’s going to affect them all. The sooner they embrace it, he concluded, the better the likely outcome.