🔒 Securing the Modern Business, featuring the CISO & CTO of Sage

Hello everyone and welcome to another session of Cloudflare TV during Privacy Week.

I have two good friends and guests today with me that we used to work together on my previous company and it's Ben Aung which is the Global CISO at Sage and Aaron Harris which is the CTO at Sage.

So welcome guys so good to see you. So we're going to talk today a little bit about you know just security and privacy in business.

I mean many people will know that Sage is a global provider of solutions for small and medium businesses of different types.

You know they provide accounting, payroll, things like that in many areas around compliance and privacy.

So I look forward to a great chat.

So let's start with Ben a little bit. So Ben tell us a little bit about what does a global CISO do at a company like Sage.

What responsibilities do you have and all those sort of things.

Yeah well as you know I mean we've got quite a few responsibilities.

So at Sage I'm responsible for the security and defense of our internal kind of corporate network and IT systems in collaboration with our IT organization.

And then I also have a responsibility for doing effectively the same thing for the software products that we sell to our customers around the world.

So you know that's everything from our cloud products through to other types of software products that we sell in different combinations to customers.

And you know to support that we do a whole bunch of things.

AppSec, application security, we have you know a SOC, threat monitoring and detection.

We do a lot of compliance work. We do a lot of engineering work increasingly and a lot of partnering with the business.

The last thing that I'll say is that as a CISO which differs from company to company in Sage I sit beneath our general council.

So we do an awful lot of work in collaboration in partnership with our IT organization and our product organization.

Yeah great and thanks for that Ben.

And I know that before you came to kind of like the commercial dark side if you want to call it that way you had an extensive career in government and you work as deputy government chief security officer and you're lagging in a couple of boards.

So how have you seen a little bit you know like again you know from the public sector more to the private sector you know security landscape and privacy and all those things evolve.

You know you see that we're moving in the right direction.

I think it's getting more complex. So what do you see?

I mean I think it's a real I mean between public and private sectors I think there's a it really depends on what element of the private sector you're in.

You know there's elements of the private sector where the threat model is probably very similar to different governments whereas you know many others you know don't have to worry about the same kind of level of threat and it wouldn't be proportionate for them to either.

I mean in terms of the landscape or the picture I think you know what we all see is an exponential increase in change pace of change acceleration of technology you know change in the regulatory picture and you know as a CISO as a security person that's you know that's a challenge in terms of keeping pace with it understanding what's happening next and where it's going.

I think the interesting kind of dichotomy is that you know many of the things that I used to worry about you know 10-15 years ago are still are still relevant you know so we have this you know this separation or this spectrum of the things that are coming over the hill you know related to technologies that we're developing and deploying you know today and also the protection of our legacy assets and all of the threats and risks that they are subject to and have been subject to for 10 years or so.

So I mean you know it's a real it's a real kind of spread of issues. Great, thanks for that and so Aaron tell us a little bit about what keeps the CEO of SAIT busy, what is your role, the teams, what are the you know CTOs coming different things you know for different businesses so maybe you can tell us a little bit about that.

Yep yeah so just like Ben and the CISO, the CTO role differs quite a lot across different businesses but I think the one thing that's common for CTOs is it's their job to create a technology strategy and vision that maps to the company's technology overall strategy and vision right so it's it's sort of a technology implementation of the business strategy and you know it's a CTO's job to use technology to create competitive advantage in the market right which which then leads to the CTO driving innovation, leveraging emerging technology you know looking for ways to to beat the competition.

I always talk about a spectrum of CTOs.

There's a CTO that is kind of you know wears a white lab coat and feels most comfortable in a kind of low-light room with engineers and and rarely looks up from his computer and is is the recognized genius and inventor of technology and on the other end of the spectrum there's the CTO who is actually the best person in the company at explaining to marketing what the engineers are doing.

Yes. And I'd like to believe I'm somewhere we're in between but but you know to be successful I need to be able to translate what we're doing effectively externally so that the world you know the industry analysts, influencers perceive that that Sage is doing exciting things.

Now I don't want to just be a big you know chief opinion officer.

Yes. So I do have people who work for me. I've got a team of AI engineers and data scientists that are driving AI work.

I've got a team of engineers that are developing common tools and services that are both sort of modern in their their the problems they're solving and the way that we solve them with technology but are also consistent across all of our products.

Yeah. And then what's what's unique for me in versus other CTOs is experience design works for me because we believe that technology needs to follow the experience and so we're sort of putting our money where our mouth is with that and everything we do we start with what is the customer experience and then we we lead with technology.

That's great and yes I know that you know with our common friend Klaus you know that that you know that's one of the things that he's very excited about to be very embedded with the you know with the with the engineering team reporting under you.

And one of the things that people may not know is that before you joined SAGE you actually founded a a company a business that SAGE ended up acquiring around financial management right and one of the things that you know people know probably this is a particularly challenging area because of regulatory requirements and I guess you know it depends on the locality but maybe can you talk a little bit about the hurdles or problems that you have to solve you know around compliance and and if if you were starting today doing the same thing that Intact was starting today do you think that it would be easier, simpler, is there like things that you know that we have tools that make make things simpler or actually has the landscape changed so much and got more complex that it will be more difficult?

Yeah I'll start with answering that and then I'll go back.

It would be much easier and much harder today and and it really has evolved a lot.

We started Intact in in late 99 early 2000 and you know at the time we had to convince customers that it was safe to store their data in the cloud.

Cloud wasn't really the term we used back then right it was the Internet it was it was dot coms and and just so so on the one hand there was not a lot of sophistication with our customers and their understanding of of the Internet and the cloud but on the other hand there was almost no regulation.

So one of the things just kind of a funny story very early on we decided to make our customers comfortable we put a button in our product called see my data and if you clicked that button it took you to a webcam a live webcam in our data center pointed at the server and it was live right so if if somebody from our operations team happened to be in the cage they could see it there was there was a time when an individual who probably needed a better belt cinching his pants up was was leaning over a server and then perhaps our audience got a little bit more view than they wanted we finally decided you know what it's time to move on to something more sophisticated but you know in the early days you just do whatever you can to create comfort exactly and there's but there's little sophistication yeah you fast forward to where we are now there's incredible sophistication especially in bigger organizations not only are they asking tougher questions but they're sophisticated enough in their understanding of you know cloud of technology that they can get into the details of the implementation and so we've had to to go from a sort of a you know creating comfort to being very very adept at explaining the technology so the good news is that whereas we had to build a lot of stuff ourselves when we started the business to to handle security much of it is available today from from great companies like Cloudflare right you know we would have started off using capabilities like that but but at the same time customers are just so demanding now in their understanding and and governments are obviously getting into that compliance question they are getting more sophisticated as well in some ways they're helping and the way that they're helping is that they're actually guiding a more structured conversation with customers right so you know rather than having kind of a freewheeling conversation we can refer to specific guidelines and take them through you know here's here's how we comply my wish and I'm sure Ben would join me in this is you know to see the governments get more sophisticated in the regulations because they don't understand that the Internet has no borders right you know the ideas of data residency and things like that it just feels like government hasn't quite caught up uh in a level of sophistication there yeah and one of the things that you know we see and I'm sure that you know it's like the stuff that we're dealing with is I mean especially with a lot of the changing in requirements nowadays is that in many cases it's almost like governments are like we you know we're treating a little bit versus you know we're trying to actually maintain more control of you know for their subjects you know data within a specific juris jurisdictions uh you know there was always obviously a big push for this in in Europe but even now it's even within Europe is getting even still you know and and that is you know further they're going down like in Australia South Africa so I am sure that you know that that the regulatory framework that that is that that is going to evolve out of that and the technical requirements that is going to that is going to impose on on uh global providers like us you know to basically help businesses you know comply with that are going to be particularly challenging in many cases right yeah no it's it's very very difficult and unfortunately while it does provide some some sort of comfort and confidence with with customers it also limits our ability to to innovate and create great solutions so there's always a bit of a a balancing act there and protection safeguard privacy versus you know the speed of innovation yeah so let's talk about that a little bit about innovation right so one of the things that you know always happens is like this tension you know a little bit in in terms of maintaining you know good security and privacy and compliance uh uh postures but at the same time you know create an environment of innovation you know with with the with the with engineering teams right especially you know for software providers like us so you know maybe Ben or you can start with how do you you know what what are some of the challenges that that you know you guys have faced in states around that and uh and uh uh what are some of the solutions that we've asked is that to maintain a good healthy balance between between you know sometimes those competing priorities yeah it's fairly hard you know and in a large complex organization you know like Sage with such a diverse sort of technology estate you know the the tension is exacerbated because you know instinctively you want you know as a security uh person you you know you find comfort in standardization you know things you can understand repeated over and over again everywhere but you know even if that was the right answer if you've got a very diverse technology environment where you know one end you might have you know public cloud at the other end you've got your on-premise uh environments you know the same solutions and the same approach is not likely to be compatible with both so you inevitably are going to have to find kind of tailored ways of achieving the same outcomes you know and then you know when when I think about Sage you know we you know we try really hard not to deliver a kind of homogeneous style of security you know we we need to understand what it is the business is trying to do in all of its different facets and support it you know where we can achieve standardization you know in economies of scale obviously that's a great thing to do we need to be careful that doesn't stifle innovation you know and it needed you know there was a received wisdom you know that security is a blocker I think if you do it badly it's a blocker if the business if the business is a bad customer of security it can be a blocker but I think if you if you get that partnership right and we don't always get it right but if you get it right I think it it can be it can be a very fruitful collaboration you know and I think you know our I want our teams our security teams to work with the business and our engineering organization you know to collectively find the right answer you know we have a network of security champions as you know I mean I think you you helped establish it across the business you know and those are our people in the dev teams in the engineering teams that kind of act on our behalf and they understand the context that we're trying to deliver security so it's not it's not a kind of you know someone to one side adjacent giving rule throwing rules over offense it's someone right in the mix who's got you know skin in the game and the same level of commitment and then you know on the innovation space you know I mean we're at different stages in different places but you know like many organizations we're seeking to automate as much of you know what we do as we can reduce you know the human the human interaction you know with tasks so that we can scale them massively across you know the complexity of our environment you know we want to build in uh kind of uh compliances code and other guardrails so that developers and engineers and technologists can work safely within a kind of defined space and they don't they understand the parameters of that and then they can have a lot of flexibility and freedom and I think you know the kind of partnership model you know being embedded plus using the technology that's available I think in combination allows us to you know to work quickly work securely and and innovate yeah you and I one of the things that I remember always that you know you and I used to talk about it's like we don't want to be the security team that nobody wants to talk to no I did that I did that I did that government one way I did that in government it was right government it doesn't work well in SAGE yeah so that that's uh you know it's one of the things that I always tell the security teams and you know with the audit teams right it's like you know there's another ones that sometimes like nobody wants to talk to them and then you know leaning in and trying to partner I mean that's like a much better way like you know I would say it's always easier when like people want to pull you in right you know because yeah yeah uh and so I I also wanted you know to tell a little bit about the the you know SAGE's customers right in many cases I think sometimes like like with with with with Cloudflare I always try to think that you know the customers that in many cases we serve that like a little bit of a different uh position that we are and with SAGE it's a little bit the same right you know the typical customer of say 14,000 employee you know it's more of a small and medium businesses right that don't have armies of experts right around compliance and lawyers and security so Aaron can you talk a little bit about you know the the challenge that that you have seen you know customers especially in this in this in this in this day and age were like you know such a changing compliance and security environment and some of the things that you build in in in SAGE business cloud on the products to help customers basically uh uh deal with that yeah um I think I guess I'd start with with something that's universally respective of customer size which is you know COVID was the great accelerator yes of existing workforce trends right you know the flexibility remote working bring your own device bring your own identity those trends were sort of already happening and COVID just put them into warp speed and fundamentally what that means is sort of the understanding of the workforce you know the way people work the tools they want to work with the way you know the way the way they want to work with other employees you know just has changed um and and it's not likely to go back to to the way it was and one of the things that that you know we like to believe at SAGE is that technology is kind of a great democratizer uh you know it should not be the case that only enterprises have the resources to you know support uh big dramatic changes like this and in fact medium and small businesses in their agility right we ought to be able to actually help them to adapt in in much quicker ways uh so you know I mentioned that there's this big trend of bring your own device bring your own identity bring your own identity is less understood but if you really think about it the two go together right if I'm using my my mobile phone to approve an expense report or to have a a slack conversation with a colleague not only am I on my own device but I'm on a device that primarily is managed through my identity and and this really opens the door I think to something we see becoming more and more important which is the way you manage technology the way you manage privacy the way you manage security and data ownership can no longer just be on the relationship that you have with your customer right through a user license or or a software purchase agreement it's got to be with every individual who interacts with with your technology and in many cases those individuals won't be licensed users they won't be you know using tools that are that you that you understand or that are licensed they might be working through an identity that that's not a corporate identity and so we're sort of I think we're being a bit bold here but but what we're doing is we're embracing this idea that today's architectures for for data ownership for privacy right for for the preferences that we have to think about are a bit dated and we have to create an architecture that reflects the individuals and their roles that they play in this and I'll give you a kind of a provocative example um I we believe that an employee who uses one of our payroll products to access their their paychecks even after they're no longer an employee of that customer who uses our product they should be able to still access that product in order to access their pay stubs right to access their pay history and they should be able to actually use that uh in in scenarios that we don't think of and and and it's sort of owning the data there's a there's a growing trend in this thing called inverse privacy the idea that there's personal information that we all own but actually that we don't have access to it's it's it's it's it's controlled by by somebody else and one of the great factors driving that is changes in relationships uh when I'm no longer a relation have a relationship with my employer and I move on but the employer still holds all this personal information about me including my my pay stubs my pay my performance reviews so we're trying to create an architecture that is much more sophisticated in its understanding of privacy and data ownership and managing the relationship between technology providers like us and every individual that interacts with technology and it's a big part of why experience design is on my team right because you have to have a completely different view and the guy leading that his degree is in psychology right right it's you know he's not a wonky designer guy he's a guy who understands human psychology I'm going on a bit long yeah but I'm you know I'm trying to service this this this massive trend I think that starts with BYOD starts with bringing your own identity it's accelerated through COVID and it's going to completely disrupt the way we think about privacy and data ownership.

Great thank you Noah it's it's it's absolutely you know very much on top of mind I mean right now for instance even internally you know we're implementing a number you know systems in in in Coffler and one of the things that we think about basically from a design perspective and some of the things that you mentioned is you know how do we provide access to employees you know after they're no longer employees you know for things like you know again you know whether it's like paychecks or or for 1k information and so you know we got that balance where like we try to put everything you know that that we control around single sign on and controlled by our like identity provider and things like that but the moment that employee basically leaves you don't have that anymore so you know you gotta have you know another way basically to providing access to that also like you know you know you know you know because you know they I mean Medicaid system their data so that that makes a ton of sense to me so thank you for that for for that.

Ben tell me a little bit about you know there's been like all these all these all these you know these big change recently about the invalidation of privacy shield right that you know suddenly was like everybody went like oh wow what is this going to mean so how you know how how has that gone down internally basically you know there was already GDPR but then on you know that make things complex right from uh uh U.S.

and and you but then on on top of that that uh recent invalidation how how has SAGE basically dealt with that over the past few months?

Yeah I mean it's it's obviously something we're keeping a very close eye on um fortunately you know and you know uh this is a big fortunately for us I think we depend much more significantly on specific uh data processing agreements with our customers rather than this this kind of umbrella um uh regulations and agreements like by the privacy shield so you know obviously like many businesses you know we are um we need to manage our our technology and our services across multiple jurisdictions I mean to your point earlier around the fact that there's been a sort of cyclical uh situation where many regions are now looking much more inwards becoming much more protectionist around their sort of data borders I'm hoping that you know as you know the trajectory of data regulation is all going in one direction we can then you know when everyone has got their own GDPR we can then harmonize uh kind of globally again and you know and sort of remove some of those barriers as it stands as regards to or respect to the privacy shield you know it's not something that fortunately has been been a been a big issue for us although obviously something that we're keeping an eye on and and obviously it will affect our customers but I think generally speaking in a sort of broader sense you know I think you know these these sorts of arrangements probably aren't sustainable you know for you know for the way that technology is going in the way that companies and organizations want to work and I think inevitably we're going to have to do that kind of reharmonization you know just in the US just in the US you've got you know a different a different data regulatory framework in every state you know as you know as and uh you know you know just just getting some consistency or compatibility across the US would be an enormous benefit for for many of us and particularly many CISOs so I think it's uh you know it's a moving picture.

Yeah I mean I always tell you know people you guys know this is like you know uh we're doing like US payroll I mean globally in all the states I mean that's like a war on its own because you know every state I think that's like a little bit of a different basic requirements from a from a compliance point of view so you're right I mean I I remember you know a lot of the discussions around how this state basically when we had like some kind of issue you know did you gotta report it according to this state or you know how the state is going to be a little bit different so uh so uh so so so yeah I I totally um uh I totally agree.

So just one more thing as well I think you know there's obviously the regulatory regimes that sit around each jurisdiction but interestingly you know there is some divergence in terms of you know sentiment and perception and expectation you know obviously in Europe you know we have a stricter on the whole regulatory regime actually within Europe there are subtle differences between countries and and regions and uh in terms of what customers will accept what they expect and uh and I think um you know that is a even more complex element of you know this picture.

So uh we have a couple of minutes left so I'll close with like you know maybe a a question uh same question for you Aaron and then for for Ben if if you were going to pick up like you know what are the you think that is the biggest obstacle that companies have today to deliver world-class privacy and security?

Yeah I mean so I I know this is simple and it's not necessarily very provocative but it's hard I mean you know so I'll give an example um you know we support HIPAA regulated companies with our intact product and a HIPAA regulated company has to be able to produce a report of uh every time a human being views personal information uh you know and and if you think about business systems and how you know contact information is such a critical part of managing you know who you pay who pays you uh you know who are the people you know that that are working on this it it really requires some some some pretty creative thinking to solve these problems in a way that just isn't horrendously uh heavy so there's there's there's innovation required and and and keeping up with that and then there's also getting back to this this notion that you know in the U.S.

every state's different you know it's it's not just that every state is different it's that it's moving very quickly right and so you have to be you know constantly attuned to to to what's going on and you've and so therefore you have to be quite specific about who you're serving and what you're serving and you've got to be careful to be you know super precise uh about the solutions you're creating who you're creating for them for what markets that you that you're serving with those solutions that lead to quick decision making.

Yeah that's one of the things that our CEO always says that you know he'd rather have like basically you know principles and things like that than you know start with rules if you want to put it that way.

So we're out of time uh uh in fact I'm sorry Ben. It kind of records uh everything and then you know when we replay it you know it'll it'll be there so guys thank you so much for you know for for joining me in Klaffler TV.