CTO View from the Boardroom: How Ocado got buy-in for its Zero Trust Journey
Presented by: Christian Reilly, James Donkin
Originally aired on Today @ 12:00 PM - 12:30 PM EST
James Donkin, Chief Technology Officer at Ocado Technology sits down with Christian Reilly, Field CTO, EMEA at Cloudflare, to discuss Ocado's journey toward implementing zero trust architecture. James shares unique CTO insights from his role overseeing cybersecurity, risk control, and information security.
In this conversation, they explore:
- How Ocado Technology has evolved from a UK-based online grocery business to a global technology provider operating sophisticated automated warehouses.
- Ocado's shift from traditional network security to a zero trust framework that works consistently across all locations.
- Why the partnership between Ocado and Cloudflare has helped achieve the vision of a flexible, secure global operation. #ZeroTrust #Architecture #Security #InfoSec
Transcript (Beta)
Good afternoon and thank you for taking the time to join James and me for the session today, as we're going to dive into the story of Ocado's Zero Trust journey.
But before I let James introduce himself and before we get going, I wanted to just share a quick video that might help set the scene for some of the conversation in the next half an hour or so.
So James, first of all, thank you so much for joining me here.
I guess the reason I wanted to show the video was that for those of us who are from the UK, we may readily associate the name Ocado with the vans that we see on the street, the relationship that you have with some of the supermarkets here in the UK, but certainly not with things like that.
So let me allow you the time to introduce yourself, maybe explain what I think is a relatively unique role that you have within Ocado technology.
And then following that, we can get into some of the story around Zero Trust, the vision that you have for the organisation.
And then of course, at the end, we'll give time for the audience to ask a few questions.
So yeah, thanks. I think the video gives some really useful context, particularly for people from the UK of why the Zero Trust challenge is a little bit more interesting than it might have been.
We have a lot of robotics and automation and systems running, not just in the UK, but globally.
So it's great that you know us for the vans driving around, but there's a lot moving underneath the service, a lot more technology going on.
So yeah, so my role, I've been at Ocado for over 18 years now, starting off in software engineering, then working in a whole bunch of parts of the business.
And I have a remit now, which covers three main areas.
So cyber and risk control and information security, those teams work in my area.
They're kind of internal IT systems, so the enablement teams that look after our internal employees, but also the software and mechanical engineering tooling and cloud platforms that power our platform.
So we have thousands of software engineers and hundreds of mechanical engineers, and they need advanced tooling as well.
And that view across those three areas is reasonably unique, and actually there's a surprising amount of synergy and common problems that we face across those areas.
So I think it's unique because certainly from my experience and working with a lot of big customers across the Europe, Middle East and Africa region, it's not very often that you meet the CTO who owns all of the business technology and the internal technology.
It's usually in separate domains. So if you kind of go right back to the story, maybe we focus on the internal IT piece, because I think when we talk about Zero Trust, if I asked everybody in the audience here to define Zero Trust, I think we'd get probably 50, 60, 70 different explanations and examples of what it means in their organisation.
So perhaps if we just spend a little bit of time going back to the sort of the start of the Ocado Zero Trust journey, I think it's important to understand that sort of foundationally, and then maybe just explain a little bit about how you see the evolution of that into some of the different areas that we saw in the video.
Yes, I think we share a lot of history with a lot of companies you'll find out there.
In the past, we had very much our own network, you're either on the network or outside the network.
All of our protections were stopping people getting into that network.
But once you were in, a lot of things were available with relatively low levels of security.
We ran the network ourselves, we had our own data centres.
And a large change around IT was protecting that.
Now, as we move forward from being largely a UK based business, running internal systems, to running systems for other businesses and providing platforms, and using far more SaaS and cloud based products, we needed a solution that was going to kind of help protect all of those elements, based on the challenge of the data we're protecting rather than where you happen to be.
So to me, kind of the core of Zero Trust is explicitly understanding the checks you're making at the time someone acts as a resource, rather than an assumption that you're connected to a particular network, therefore we should trust you, or that it's our device.
Every time someone requests a resource, checking. And we needed to drive consistency across these different platforms, internal tools, SaaS based products and cloud based products, based on the risk of the thing we're protecting rather than where it happens to be running.
It shouldn't really matter whether we're using a SaaS service, or something running on prem or in the cloud.
It's the criticality of the resource we're protecting we wanted to look at.
At the same time as a chance to kind of step forward and remove legacy and move to a kind of simpler, more modern architecture.
So I think oftentimes when we talk about Zero Trust, I think naturally VPN replacement comes up in the conversation for the very reasons that you explain.
I think certainly post-pandemic in the bigger picture, we've seen a lot of organizations now looking to replace VPNs because they had to put them in place during COVID, so that they could have remote workers continue to be at least in one way productive.
If you sort of think about that from your own journey within Ocado technology, how do you have that conversation with the senior folks?
So obviously I think the best conversations that we have at Cloudflare with customers who are really thinking through the Zero Trust problem tend to start with identifying the assets, whether that be the data or IP or combinations of those that you truly want to protect and then sort of building the solution around that versus just looking at say a VPN replacement and saying that equals Zero Trust.
How do you elevate that conversation when you're thinking about risk and you're thinking about governance and you're thinking about all the sort of board level things that the organizations are trying to wrestle with, especially as you go global as an organization.
So how did that journey evolve?
Yeah, so I think VPN replacement is quite a tactical conversation.
Actually the discussion at more of a senior level is around kind of a future vision of where you want to get to.
And where we wanted to get to and still want to get to is a point where we can go into locations and operate anywhere globally, whether it's our site, somebody else's site, temporary office space, with lower investment levels, simpler network and lower cost, while still protecting our key resources.
So effectively we want to end having the concept of a corporate WAN or a corporate network, but get to the point where we've got people and devices and then services and resources are being accessed.
And regardless of where the people and devices are and how the service is being offered, there's a consistent security layer and an enablement layer between the two.
So that vision is compelling on not just security grounds, e.g. the ability for the senior team to say this is the protection we want on these key elements.
Actually we can operate at a lower level here and thus enact that universally regardless of where people are.
But equally a fundamentally lower and simpler, lower cost base and a simpler setup as well.
We have a lot of legacy, a lot of expensive and complicated network equipment in place.
We'd rather not have that in five years time. So yeah, selling upwards, it's kind of what's the vision, the big picture, what are the key benefits.
Yeah, VPN replacement is a step on that way, but it's also really good asset tracking, really good identity services, really understanding the threats you face as well.
So there's a kind of a multi-step process here and I definitely wouldn't oversell the VPN replacement part of that journey.
It's a step on the way to where you really want to get to. So let's talk a little bit about the things that we that we saw in the video.
Obviously as our relationship grows between the two organizations, we're beginning to understand a lot more about what you're doing as a business and some of the things that you saw there might look relatively straightforward.
But I think if you were to think about all the things that are exciting in tech at the moment, from robotics to cyber physical, to AI, to machine learning, to optimizations of technology for business reasons, it seems that everything of that is in the video.
And maybe just to educate the audience a little bit, there's different business models that you have as well.
And obviously they come with different challenges and different sets of requirements, different technologies.
How are you thinking about when you close your eyes at night and you imagine the future of Ocado technology from a business perspective, how does that look longer term?
And then what types of technologies, obviously including fundamentals around Zero Trust and more security and better efficiency and cost optimization and benefits and reliability, all the things that we're after, that when you bring a technology or a set of technologies in like Zero Trust to serve a part of the requirement, there's all these other considerations and it's a part of a technology platform, it's part of the domain.
How do you think through that when you have the whiteboard sessions or you have your more serene moments at night?
Yeah, so it's worth explaining a little bit of history about how we got here and a bit of context, because it may seem that that's a very complicated solution.
Why have we got robots driving around doing things in the first place?
Grocery is reasonably unique in that although there's a very large spend that goes through grocery globally, the margins are very low.
Freshness is really important and quality of product is important, so you're having to operate at very kind of tight levels of efficiency and the things we've built, we built for Ocado first to drive that kind of profitability of Ocado.
Every kind of touch matters, every interaction with an item is a cost, so automation is very appealing in that space.
So by building things for ourselves for that kind of level of efficiency and customer service, we then built a platform which we could resell.
So the platform is very broad, all the way from mobile, e-commerce, supply chain and planning, through fulfillment, pick technology and automation through to kind of last mile.
There's a broad platform and so this is how our business has changed.
We now don't just operate that platform in the UK, we have operations in Australia, Japan, North America, continental Europe, which are other retailers paying us for the use of the platform and we're providing it as a service.
So that really changes the general kind of IT and technology landscape.
We've got a lot of people who don't work for us accessing the services, we've got our people out in the field, on-site, repairing robots, developing in multiple countries, so it moves from being effectively everyone in one building or two buildings in the UK on a network to a very distributed workforce.
So then when we're looking at technology tools and platforms and a future vision for that, where you want to be is are people working wherever is convenient, where they need to be globally.
They might be working from home, might be working from an office, one of many, they could be in a client site and they could be repairing or they could be manufacturing, and all of our kind of enablement services need to be available to them. And the nature of our kind of company means we've got a lot of engineers; there are more mechanical engineers than we have in the people team or finance team.
So when we talk about internal IT, an awful lot of the internal IT is very technical tools, it's CAD software, it's source control software, as well as the more traditional tools.
So having a unified solution where people can access what they need, where they need to be is really crucial in that and having that scope and span globally of both kind of compute networking and device access control.
So I think many of us are wrangling with this question of how much is enough technology, at what point does technology become something that truly is a remover of cost rather than additive to a business. And I think if you think about, you know, the automation examples we've seen in the video and you think about, you know, what it takes to build one of those facilities and operate them for a customer, is there a vision of how technology should almost become invisible? And from the point of view of what it takes to build one of those facilities, what's your vision for, say, the future of network or the future of connectivity, and what does that mean from the point of view of shrinking the time to market for getting one of the fulfillment centers online and therefore generating revenue?
Yeah so I guess I'll start off by saying that our focus is always solving a business problem first, there's something we're trying to solve, there's some efficiency we want to eke out, the technology always comes second.
So yes we use machine learning in understanding the robot arms, understanding how to pick items, they're training that in a machine learning approach, that wasn't because we wanted to use machine learning particularly, it's because we wanted to solve that problem of getting an efficient really effective pick of products which can really vary from soft fruit all the way to cans right, it's a very complicated problem.
So yeah technology is always a servant of business need, we're always looking for the next one percent efficiency out of products.
So that given, where do you want to move to in the future?
Well you lead to a really good point, which is if you use the service from the outside you don't need to know there are robots, you don't know the robot arms are there. You know a van typically turns up at your house, or maybe it's a click and collect user website, but effectively it's a little bit like the kind of iceberg analogy, or a swan whose legs are paddling very fast under the water: it's an awful lot of smart systems and work going on that you don't need to know about. And yeah, as we scale up we have more and more sites, automation of our own tooling, automating deployments, standard configurations, less manual management has been a real driver. Back when we only had one fulfillment site a lot of configuration was done manually, it was a lot of effort to keep that site working. As we scale out and mass produce more and more sites, more and more robots, we have thousands of robots operating in the field, everything needs to become more generic and more automated and more standard. What does that mean for network?
Really you want to be able to drop a device anywhere in the world and have it just connect back, connect home without having to do configuration, network configuration is complex and expensive, bespoking it is not something you want to be doing, so that driver towards more standardization is just going to continue as you get more and more sites.
So if we think about the journey, and I would suspect everybody's on some kind of modernization or transformation journey one way or another, obviously network being a big part, especially for global companies or companies that have a number of branches, whether that's in retail banking or retail in general, how did the conversations go as you got more senior buy-in within Ocado Technology? I mean, obviously you own it, so there's an element of, you know, the buck stops with me, but the reality is that I think some of these technologies, some of these methods, some of these approaches are different than what we've seen for maybe traditional network administrators, and there's always this kind of healthy tension between there's something new and it's going to be better versus we've always done it this way so we should kind of continue to do this.
How do you break through that sort of question of getting parts of the organization to trust the direction, does that come right from the top or is that more you know you sell it upwards and say hey guys we're going to do this, we're going to make it different, we're going to make it better for internal people, we're going to make it better for supply chain, we're going to make it better for the ecosystem, ultimately making it better for the business.
Are they very distinct sets and very different conversations as you engage different parts of your own organization?
Yeah, I think with a lot of these changes you kind of need both bottom up and top down support. You kind of need to build the groundwork with particularly influential people on the ground, not necessarily at the top, that this is why we're doing it, and sell the story around it and build up support. Particularly, having teams in the networking space involved in looking at the options and exploring this so they're bought in is really valuable. And then from the top you want to sell kind of the business case and the vision, but also people at the top really care about the individual employee experience, so actually saying this is going to be better for our people and here's how is really important. And then along the way you always have these road bumps, particularly in a very technical organization. You'll get people who either like it, don't like it, have a different opinion. It's worth engaging and talking to them. You can't, I've learned through a certain scale of org, you can't please everybody. If you can have an intelligent discussion and maybe you end up agreeing to differ, it's still worth engaging and hearing people's thoughts on these things and getting to the right place. The thing not to compromise is the big vision. There's lots of routes to get there and you want to listen to people on the way, but if you really believe in that vision you want to keep driving towards it, even though it's going to take you a good few years to get there usually.
So I want to just change gears a little bit and sort of talk about the relationship between our two organizations. When I first got involved with the conversations, because of my background in a previous life, I came across a lot of very similar things that had complicated facilities, control systems, things that are, I would say, traditionally very separate domains if you think about the way that the factories have worked and smart facilities work. And now we've got this notion of having sort of more dumb components but smarts in cloud; of course all of that is evolutionary as well.
What do you think that we've brought from a Cloudflare perspective into the conversation because obviously we have a lot of things across the portfolio, we do a lot of things in different ways for different customers including clearly Zero Trust but I'd like to think that our conversations have been a little bit bigger and a little bit more about the discovery of what's possible, so how have you seen that benefit, the whiteboard that you have in your office which must have a million things on it, how does that kind of engagement with us kind of help you to understand what's possible maybe today, tomorrow and then in the future?
Yeah, it's a bit of a journey to how we got there and how we selected Cloudflare. It's fundamental: we got some quite good advice early on that Zero Trust isn't something you can just go and buy. There's no one thing called Zero Trust that exists that you buy and you've got it. It's a multiple step change program, it's on lots of different pathways, and it's also still new; there isn't like a solved "this is Zero Trust" out there. So then we started looking at, okay, cultural alignment. Let's look for a company where we think actually there's a real meeting of minds, and we're kind of buying on kind of future vision and future promise of where Cloudflare are going to. So when we're looking at this, we have, as mentioned, a big engineering community internally, we have a real mix of different devices. There's a lot of, as well as Windows, a lot of Mac and Linux users around our org, a lot of them are very influential, so we want a tool that's going to really work across the board, so ideally a vendor who's already doing that. We needed that kind of global scope because we're operating in a lot of places, and even more. So it was conversations, it wasn't really just looking at the box ticking of a particular feature to different product, it was like looking at the relationship and the sort of company. Every company is a bit different, has a different culture, so look for a company, I guess a device, that meets the kind of culture you've got, right. And yeah, the fact that it's a tool used inside of the company is super valuable as well. There are a lot of Linux and Mac developers inside Cloudflare, the tool gets used, so we see that kind of if there's a pain point they'll experience it as well. And then just reputation: when we're selecting companies to work with, there's things we don't do and things we do, we want to be the best at the things we do. If there's something that somebody else is really good at, and networking is really at the heart of Cloudflare, ideally we would look to that. That kind of connecting things globally is something that they're very strong at, so we want to pick a partner who is really strong at the thing we want them to do for us.
And of course we're excited to work with you on the future of some of the things that we've seen here today as well. Maybe just from a practical perspective, I think obviously you talked a lot about making steps in the journey, being very calculated about those steps, and I think there's always a scenario where maybe things don't go fast enough or don't quite work out the way that you, and I'm talking in the bigger picture here, as you wrestle with all these various business demands and technology modernizations, learning things from your internal IT scope that then can be moved laterally into the business area. What are some of the key learnings? Is it just really about being brave? We hear a lot from Silicon Valley about failing forward and failing fast, and I think that's good in some ways if the organization and the environment kind of allows that, but I would imagine that the reality of what we've seen here, you're kind of moving at warp speed with development of the robotics and the AI and the ML and all the things that are trying to make steps to improve the ultimate end user experience, which clearly are the people who click through onto e-commerce and order the things and get them delivered. What are some of the key learnings that you've had over the journey so far?
Yeah, so that point about the kind of, there's lots of things, lots of very complicated things all moving fast, is to attempt to keep things separated in concerns. So you shouldn't need to understand how the robot arm works in order to enable connectivity to a site, but that also means the ability to kind of talk across those areas and make sure we're not going to cause disruption, because the absolutely last thing we want to do in any of our programs to improve the network or security is actually kind of impact their ability to deliver the features they need. So having the ability to talk across the areas, and this is I think where my remit is very useful, the security teams can very easily talk to the people who know development very well and the IT teams, because in the end it is kind of one, it's one company and one output, and we need to all work together to get there. If there's excess complexity it's very hard for security teams to kind of get a grasp of what's happening, so you need to better summarize and pipe things through. But equally the unique needs of developers need a unique solution for connectivity: there's a lot more command line tools, APIs, local virtual machines running, so there's a lot of complexity there we need to not break, and obviously the development teams understand that very well, and they can help talk to IT to get that all working together. So sometimes just getting people in a room really helps. And then in terms of working towards a yes, the vision is great, but you've got to look at the reality of where you are now, and you've got to go step by step, and some of the kind of less exciting sounding stuff is really important. So foundational things: identity management, asset management, knowing what devices you've got, which ones you own, the state and configuration is really, really valuable. Actually just understanding your network; we did a big exercise around network segmentation as part of this. So the very visible element is rolling out Zero Trust tools to users, but behind the scenes you want to start understanding data flows through your network, what's on the cloud, what's locally, where threat actors might go if they get into your network, which is where you get your information security team helping you, so that you can adjust the right parts of it. So yeah, the end point of the vision is really important, but as you go along you want to address the high risk elements, and that often means maybe less exciting sounding work, but delivering real business benefit on the way. You can't wait till the end to get the business benefits.