In this Run and Reinvent podcast, I chat with BMC Software CIO Scott Crowder about the company’s move to the cloud and what it’s like to drink your own champagne. Below is a condensed transcript of our conversation.

Allison Cramer: Last time we spoke, we talked a bit about your cloud journey with BMC and how things have started off. So, maybe you can start off with just telling us what are some of the considerations you had? Why did you push towards moving BMC more into the cloud, and what were some of your initial observations?

Scott Crowder: It started really about seven or eight years ago, when I really showed up for the first day, and some of our engineers invited me to go look at the data center. And I walked in the center, one of 36 data centers that we had, and I thought, “Oh my goodness, we really have to rationalize these data centers, and really modernize the overall infrastructure.”

The majority of the data center foot space, footprint that we had at the time was actually for our research and development organization, which basically, IT would get an order from R&D, we would go and procure that, stand up the instance, whatever it may be, Unix, Windows, Solaris, etc, and then hand it over to R&D, which that as it would never be seen again. So, the reclamation of assets never really happened. R&D would order, and we would deliver, and that’s how it was for many, many years here at BMC.

As part of our cloud journey, we decided that we really needed to rationalize the hardware footprint, which went through extensive evaluation of energy efficient and high-performance compute storage, network virtualization stack, etc, and standardized on that. And then we really kicked off in earnest our data center consolidation initiative. We went from 63,000 square feet of data center, and 36 different data centers and labs, and were able to actually consolidate that over a four-year period, down to four primary data centers, as well as wiped out a megawatt of power.

And then, also, really transformed the way we delivered services to our research and development business partners. So, in the past we were order takers, as IT, and really using one of our products that’s really build for large carriers. It’s cloud lifecycle management, or CLM.  We were able to build a self-service capability for our research and development organization, and really wipe out the order taking mentality and philosophy, and really become more of a self-service type of infrastructure-as-a-service provider, for our research and development organization.

So, literally, our R&D group really doesn’t have to talk to us, unless they need something wildly exotic, or out of the norm. They can go into our portal and pick whatever they want, from 10 virtual machines, large, medium, small, to a full-stack build of our Helix ITSM, or any of our different products. So, we really got IT out of the way, but also really enacted, because we were leasing these assets to our research and development engineers, so, really, we lease it for 90 days, and then we reclaim it.

If they need to extend, they can, which really gives us the ability to now control our capital cost, and really become more efficient, and ensure that those assets that they’re using are reclaimed and available for other engines nearest to use at some other point in time. So, that was really our private cloud, again, going from 63,000 square feet, to 7,000 square feet, 1.6 megawatts down to 600,000 watts. And then, really, building out that self-service capability for our private cloud.

The next step, and this was all sort of in tandem, was really making sure that our business systems were best-of-breed, and I’m really talking about our internal business system, that not only research and development use, but our HR organization, marketing and sales organization, accounting, finance, Etc. So, we really adopted a staff-first approach, and really today, about 80 to 85 percent of our business systems are software-as-a-service.

And I consider that public cloud as well. And what that really gave us is the agility, it gave us best-of-breed business systems that are industry standards now, and really took us to the next level, as far as reducing the overall dependency of our business on our data centers. So, most of those things are really off-premise now, operated as software-as-a-service.

So those are two big blocks, and then the third one really, as the public aloud adoption became more relevant, AWS, Azure, Google, etc, our engineer started building more and more cloud-specific, or public cloud-specific products. And we use our technologies to actually provision those assets as well, within Amazon, Azure, etc. And in probably about 15 to 20 percent of our development now is really focused on public cloud-native APIs, web services, microservices, etc. And we actually deliver a lot of services, as part of our software-as-a-service portfolio, via AWS and Azure. So, those are really the three clouds that I look at, when I think about our transformation journey.

Allison: As folks are considering their cloud migration, or movement to the cloud, they start to consider, do they want to move all the activity off of specific particular sever and move that into the cloud, or do they want to look at moving an entire application into the cloud? And both of those have different issues associated with them, and maybe there are different reasons why you would choose one or the other. Could you give folks some advisor guidance on folks struggling with that question?

Scott: As you can imagine, at BMC we are operating a fairly extensive private cloud infrastructure, with tens of thousands of virtual machines that are, again, more or less self-service, with regards to our research and development group. We operate those virtual machines for about $135 a year, for a medium or midsize virtual machine. To run that on an on-demand instance, or any other on a public cloud would be multiples of that.

And, for the things that really just need a basic virtual machine, basic Wintel or Linux operating system, it’s much more cost-effective for us to do it in our private cloud. But as I mentioned before, all the things that we’re doing, from a public cloud-native perspective, it just makes sense that everything like that is in the public cloud, AWS, or Azure.

I think a lot of people, overtime, and really early on, when things were really amping up around public cloud, there was a lot of people that just said let’s move everything to the public cloud oh, it’s going to be cheaper. And really, my philosophy on that is, do the things that makes sense. So, if it is a new application that you’re developing, absolutely put that out there, put it on AWS, Azure, etc. If it’s an application that is portable enough, and makes sense, and can operate in that environment, you can certainly do that, but there are a lot of applications that it doesn’t make sense just to move to the cloud, just because you think it’s going to be cheaper. And really, what we found is, it depends.

So, when we are operating large data centers at scale, and using a lot of our software, really, all of our software, we can operate a lot more efficiently than the average IT organization. The average IT organization only uses probably about 35 to 50 percent of a server, whereas in our case, were using 90+ percent of our computer memory, with regards to our virtual machine infrastructure. So, we can do it a lot cheaper, but it depends on the sophistication, I believe, of the IT organization, and how much they are really using the hardware resources that they have.

One instance, for example, we would not move our Oracle or ERP to the public cloud, because, from a licensing perspective, we can operate that more efficiently in our own data center. But, there’s many things that we have done, and there, again, I think a lot of the applications, or business applications that we use utilize here at BMC Software are predominantly on software-as-a-service platforms,  not customized, not specific to BMC, but really, something that, like a Salesforce and major software service providers offer.

Allison: What are some of the new security challenges you’ve had, or how have you addressed things as part of your cloud adoption?

Scott: You can really never relinquish the security posture, and approach an ownership to the public cloud provider. They are providing certain services, and trust me, they’re very good at what they do, with regards to trying to keep the bad guys out, but our security team is always intimately involved in all aspects of what we’re rolling out to the public cloud. We actually, we go through a rigorous analysis of the various providers that we’re using, to ensure that they have all of the right credentials, we have  auditability, SOC 2 {compliance}, etc, and now there’s GDPR, there’s just a whole new level of governance that you have to think about.

So, really, cloud security helps us ensure that we don’t shoot ourselves in the foot, and that when we do move applications out to the public cloud providers, that all the right settings are in place, and if there are, then, future vulnerability that are identified, that we have the ability to really close those holes up, with the push of a button, really making it simple and sort of effortless to ensure that your security posture is in place on the public cloud assets.

Allison: We very affectionately refer to your team as Customer Zero, for a lot of our products at BMC. So, I’m wondering, in addition to Cloud Security, what are some of the other things that you’ve tried out that we offer that I’ve helped in your journey? How did you use them, and what problems did they solve for you?

Scott: We use all the different Helix products, so one of our favorites is the Helix Multi-cloud Discovery product, which really is the only product in the industry today that gives the capability of really mapping all the various systems that are talking to each other, the dependencies on the various applications, as well, identifying all of the different web services, microservices, APIs, etc, and there’s hundreds of them AWS and azure, and how those map to your hybrid architecture and infrastructure.

So, many, many customers are living in this hybrid world, and really being able to map the public APIs, microservices, web services, etc, to what’s happening in your private data center on your systems and records, ERP systems, things like that the, are vitally important, and that’s really one of the only products that has that capability, and we work very closely with both Azure and AWS to make sure that we had all of that mapped out. We mentioned cloud security already, so that’s one of the big ones that we are using.

I’d say, from an ITSM perspective, Innovation Suite is one of the ones that were using, with regards to building chatbots, and also enter operating with IBM Watson. So, that’s a big one. Smart IT is a big one, as well. So, there are many products that are really cloud-native, that we’re delivering as a service, that are relevant to today’s truly hybrid world in which we live in.

Allison: Do you have any additional comments you’d like to leave for other CIOs who are working through their cloud migrations?

Scott: It’s a journey, and you have to be pragmatic about what you’re going to go tackle. You can’t solve it all at once. These are, a lot of times, like our data center consolidation initiative, is a multi-year initiative. But one of the strategies that we said was let’s consolidate and play. So, let’s get rid of 50,000+ square feet of data center, and understand all of the different assets standardized and infrastructure framework. And then, that makes it a lot easier, once you really understand the different things that are within your infrastructure, and again, and you can use our multi-cloud discovery to do that. But, standardized, and then ultimately, you pull the trigger on making it happen.

In this Run and Reinvent podcast, I chat with BMC Software CIO Scott Crowder about what it takes to reinvent an IT organization to make it world class. Below is a condensed transcript of our conversation.

Allison Cramer: What does run and reinvent mean to you as you think of your organization and your role at BMC?

Scott Crowder: I’d say that run is just sort of table stake today. You need to keep everything up and running, you need to have all the high availability. And it’s really business continuity, disaster recovery, all of the different things that are associated with just running a large-scale enterprise IT organization and IT platforms. And, again, it’s just a day-to-day table stakes, quite frankly.

When you think about reinvent, though, that’s really, how are you going to change the game? What are the strategic initiatives or business initiatives that you’re going to do to try to move the needle forward as far as systems and what your employees interact with or for BMC customers. How do you change the game with regards to the next-generation app or capabilities that you’re offering to your constituents, whoever they might be, whether internal or external.

Allison: Can you give our audience just a little view into what the scale and scope of your role is at BMC and what the size of the organization, how much you’re supporting?

Scott: I like to say I have three jobs here at BMC. There’s really supporting our internal IT needs and really supporting the 6,500+ employees and another couple thousand contractors on a day-to-day basis. So, that’s really giving them a modern workplace in which they can get their jobs done, giving them world-class business systems. Many of our business systems are our Software-as-a-Service, so about 80-85 percent, and it really just keeps going up in our various Software-as-a-Service platforms. So, that’s job No. 1.

No. 2 is, actually, I run a fairly significant Infrastructure-as-a-Service business for our research and development business users. So, these are the people that are really building the software that BMC delivers to our customers. And we operate about three major data centers, and that consists of around 30,000 virtual machines/servers that are R&D grade, basically self-serve and get what assets they need when they need it. It’s all done throughout our cloud management platform of CLM.

And then, lastly is what we call Customer Zero, and that’s essentially – we use every one of our products internally, so we work hand-in-hand with our research and development organization to provide real-time feedback, both on alpha and beta bits, and, alternately, general availability bits associated to products that we offer to our customers. We also do meet with customers occasionally and just talk about our digital transformation, what we’ve done, how we’ve used our products, and just overall strategy and vision.

Allison: Can you comment on any challenges and maybe unexpected positives that you have found as you guys have gone down the SaaS road?

Scott: Well, you’re basically migrating business systems out of your traditional data center and using Software-as-a-Service providers, whoever they may be, whether it’s Salesforce or Okta or the other two or three dozen that we have within our portfolio. And what that causes you to do is really more of an integration process, versus the spoke new development or integrating or customizing on-premise software.

So, really it changes the game from having to develop software to more integration and orchestration of all these different systems interacting. Now, ultimately, the data has to come back here—we are looking at Software-as-a-Service BI platforms right now—but in order to really harvest and mine all the information across all of these different business systems, you have to bring all of that in and have a very powerful business intelligence platform in which to derive business value and understand what’s going on within the business.

Allison: How do you balance the time you spend between running the business and optimizing that and then the reinvention piece? How do you decide how to spend your time and your resources?

Scott: We try to make sure there’s not the sort of bifurcated organization in which people are relegated to money, and some people get to play with all the really cool new toys. We’ve tried to really spread that out across the entire workforce within BMC IT and give people the ability to go and understand these new technologies and be part of both the run and the reinvent. Because I think it’s so important to have that historical view as well as a view towards the future.

So, we don’t split up the organization; we do not have two different levels of IT that some that have the run business and some that have the cool new reinvent. And it’s really a balancing act. You have to make sure that you’re keeping the lights on, for sure, but we try to give that opportunity to all of our different employees. I would say that, overall, we’re probably about 50/50 right now as far as run and reinvent, so, really, regarding terms to mode 1 versus mode 2.

Allison: How does that work for you as far as a research and culture standpoint? Do people embrace that, or some been stand-out stars?

Scott: Probably the most positive aspect of that is the employee retention rate – and understand that we have about 60 percent+ of our employee base in India, which typically has about a 12 percent attrition rate. So, when you look at BMC IT, we’re in the 8-9 percent worldwide attrition rate, which is really world-class, as far as when you have a worldwide IT organization through the Americas and Europe, as well as Asia-Pacific.

Which, that’s very important, and giving people the opportunities to work on cutting-edge technologies and understanding how everything comes together is so important. We try to sort of lead the way with innovative new technologies that we put into our various business systems and infrastructure and data centers, etc., but that’s something that we’re very proud of and something that I think keeps all of our people excited with regards to really learning new, high-tech technologies.

Allison: What advice would you give for folks who are trying to maybe navigate their way through cloud adoption or some of those other pieces?

Scott: We really started our transformation journey about seven years ago, and that started with really what we call consolidating in place. We had 36 labs and data centers, just a lot of M&A over the years that was never really rationalized with regards to the data center and lab footprints. We essentially rebuilt our infrastructure with regards to our production business systems, as well as our research and development Infrastructure as a Service, and reduced those 36 down to four major data centers and actually saved a lot of money (millions of dollars) on an annual basis as well. They produced a megawatt of power, so from a green IT perspective, that was a big deal.

So, really, tighten up what you have first. Let’s get everything consolidated and get a really fresh footprint, and then, in parallel, we really had the SaaS-first initiative. And, again, we’ve been on Salesforce for a long time, probably about eight, actually about 10 years now. But, when you consider all of the other Software-as-a-Service platforms that were coming out, we really started migrating more and more of our technologies to Software-as-a-Service-based platforms.

And what that did is it actually gave us the opportunity to have the best of grade, but also have maximum flexibility with regards to our employees’ interaction with our business systems because they were all basically on the public internet.

So, that’s some of the guidance: consolidation in place first, and then really look at the various SaaS platforms that are out there, and then make sure you have a really good vision going towards the future. But if you have chaos or service availability issues or a scrawl through the data center perspective, it’s hard to focus on what’s important, which is really grabbing business value from these various systems.

In this Run and Reinvent podcast, I chat with Steve Bohlen, Technical Evangelist from Microsoft, to dispel many of the common myths around cloud. This is a condensed transcript of the discussion.

Allison Cramer: What are some of the first mental shifts people need to make in order to be able to truly take advantage of the cloud and determine if they themselves are cloud ready?

Steve Bohlen: As organizations think about moving to the cloud, I think there are a number of things that they need to think about. Some of them are technology centric, and others of them are operations and process centric. The first thing I would suggest is that in moving to the cloud, one of the first things to pay attention to is that for a lot of organizations that already doing things in virtualized environments in their own data centers, fundamentally there are elements of moving to the cloud that are not really structurally that different from what they’re doing in their own data center.

As you start thinking about your cloud strategy as an organization, I usually tend to suggest that people think about these things in phases. And the first phases is taking your own workloads and running them, to the degree it’s feasible, as is in the cloud as kind of a first step of getting your feet wet and understanding how some of the technology works, and how things like your governance and security model need to extend to the cloud as an organization.

And then as you kind of move up the abstraction stack, you get to the point where you’re starting to use platform as a service offering, and so on, in the cloud. And those kinds of things really require thinking carefully about what your application architecture might need to be modified to in order to start taking advantage of those things.

Allison: What would you say are some basic rules you can look at for how you evaluate which workloads you want to test in the cloud?

Steve: If we take the situation where perception is reality, or where the perception is that my on-prem data center is in some meaningful way more secure than the cloud data center then one vector of thinking about what workloads are cloud-ready is understanding how your own governance and compliance models might apply to workloads that might leave your data center.

Lots of people have data sovereignty concerns, and there are lots of ways in the cloud to solve data sovereignty, but the easiest data sovereignty solution is simply delete the data in your own on-prem data center. And so, for organizations that have really strict regulatory compliance constraints and so on, thinking about which workloads do and don’t fall within those kinds of constraints is one way to think about it.

If you’ve got workloads that are very burstable and very elastic therefore in the resources that they would consume, then that might be a good candidate to be thinking about moving to the cloud because there, even if you have regulatory concerns and even if you may have to think about re-architecting some of your solution for that, it might very well be that the biggest value add for moving to the cloud is for those kinds of workloads precisely because they’re burstable and elastic, and the cloud might make a lot of sense in those conditions.

Another way to think about it is workloads that are greenfield, right, so that you’re not looking at taking your existing technology solutions and tearing them apart to get them cloud ready. But instead you’re saying new workloads will move to cloud because we’re going to be able to architect and engineer those solutions for the cloud natively moving forward. But old workloads might remain in the data center because reworking all that code is either too much work or too much risk versus the benefit of moving to cloud.

Allison: Do you think most people have a great handle on their workloads and the inter-dependencies, or no?

Steve: Part of the process of evaluating a solution for its sort of applicability or appropriateness for cloud is getting to the point where you’ve got what you think to be, with a high level of confidence, a great 360-degree view of what that application’s real requirements are, so that you’re making the right choice when you say this is or isn’t in the end a good candidate for a cloud workload.

As a simple for instance, it’s possible to have an incredibly chatty application that talks to the database very chattily and produces lots of traffic between the application and the database. And so long as you’re at a very low percentage of the overall throughput that your internal data center can handle, that chattiness is not really a negative, which is to say that you are paying to support that chattiness when it’s on-prem. But, in a sense, you’ve bought the chattiness in bulk.

When you start moving to the cloud and start paying per chat, right, every time the application talks to the database there is a cost. Now it tends to be cents or fractions of cents, certainly, but you’re paying as you go. And so, the penalty for being chatty is manifest very differently. Rather than paying up front for a data center with X capacity, you’re paying every time you start doing a database transaction, for example, right. And so, the chattier application, which doesn’t seem to be a cost problem in an internal data center scenario, starts to become very different when those things are metered in the cloud and you’re actually being charged per transaction in that way.

Allison: I think everybody who’s gone to the cloud had gotten one of those bills where they’re like, “Oh.”

 Steve: Yes, absolutely. In order to not be surprised by that bill, there is a very necessary upfront cost modeling process that needs to be done in order to understand that the act of simply moving your workload to the cloud is not going to magically produce savings for you, necessarily. It may. You may be lucky, right.

But the reality is that in many cases you’re not going to realize the sort of true economies of scale that moving to cloud are going to give you until you’re actually at the point where you can begin to be thinking about modeling and designing your application based on the way the cost model in the cloud works rather than the way the cost model in a data center works in an on-prem data center.

In this Run and Reinvent podcast, I chat with Bill Miller, president of BMC’s ZSolutions group, about how customers are reinventing the way they use their mainframe technology and some of the challenges that opens up. Below is a condensed transcript of our conversation.

Allison Cramer: What’s your perspective on what does run and reinvent mean in the context of mainframe?

Bill Miller: In mainframe we’re actually very excited that this is the new BMC tagline, run and reinvent, because it really fits like a glove to our mainframe customer base. We do a survey every year asking for input from our customers and this year the top five issues that the customers had as always in the mainframe space is cost and availability and security. But one of the ones this year was modernization, modernization of the mainframe.

So, run and reinvent fits very nicely into that because we have traditionally helped our customers run their business or their mainframe solutions, but we’re also modernizing our technology so the customers can, working with us, reinvent their solutions so they are better prepared for their end users. They are better prepared for a workplace that is bringing on newer talent to the mainframe space. They are looking for us to develop solutions that are easier to use and that have more automation tied to them so that the workloads stay on the mainframe and even new workloads get attracted to the mainframe because of the ease of use, interest, and automation that is available now.

Allison: You don’t always hear modernization in the same sentence with mainframe. What advice would you give to people who have a big mainframe presence who are trying to make that decision of how they decide? Why would you stay with the mainframe or why would you move off?

Bill: I think that most people that have made a decision to do a hard right and get off the mainframe, it’s taken them a long time to get that done and perhaps they didn’t even get that done because they don’t really think through the advantages of the mainframe. Be it the security, the availability, the scalability, the trustworthiness, etcetera, etcetera, of the mainframe. So, sometimes, they don’t really take into account all of those things when they make the plans and try and execute on getting off the mainframe or taking critical apps off the mainframe.

About 70 percent of the world’s production workloads still run on the mainframe. And it is really only about six percent of the cost of the software and hardware ITs spend. So, it’s really an amazing statistic when you look at it. When you add that to the availability of the mainframe and the flexibility of the mainframe, IBM is now being more proactive in the marketplace, it is still a great place to be. If anything, I expect us to be able to attract more workloads to the mainframe with some of the new things that are going on in the space right now.

Allison: Would you agree with the idea of how modern you are, when you look at assessing yourself, isn’t dictated by the infrastructure choices but more just how you are doing your business? Is that fair?

Bill: Yes. I mean, mainframe might have a connotation that it is old school. Even my kids at times say, “Dad, what do you do? What is this mainframe all about? We never heard about a mainframe.” But there is a lot of coolness to the mainframe. We talk about mainframe being cool here at BMC because we have a lot of young folks that have joined our team that are bringing some of the skills and knowledge that they have of using other technologies that are out there and applying that to the mainframe and allowing us to modernize it and make it easier to use. And to make it such that it is easy to adapt to people that really don’t have the skills that our mainframers that have been around for 30 or 40 years have today.

Allison: You mentioned in the beginning about security and the security advantages that mainframe can provide. Can you talk a little bit about the security challenges and how you all have been addressing those for mainframe?

Bill: That’s a great question, Allison, because most people think the mainframe is totally secure. In reality, that’s not the case. Yes, the mainframe is a very secure platform, but it is not impenetrable. A hacker who knows what they are doing, who knows their way in and out and they work hard enough with skills and talent that they can develop do have the capability to get into a mainframe. That is externally. Then internally, most of the world’s data is still on the mainframe. So, you don’t want people accessing DB2 databases for example that shouldn’t be gaining access to that data, that information on perhaps people’s information. Whether it is social security, address, phone numbers, and things like that.

So, it’s important that our mainframe customers are aware of that and look at some of the technology that is available to make the mainframe very secure. We’ve recently made an acquisition of a company called CorreLog that we’re calling now AMI for Security, Automated Mainframe Intelligence for Security, and it is software that allows our customers to work in a more secure mainframe environment, protecting their data, and able to access the data that moves in and out of the mainframe in a more secure fashion.

Allison: Do you have any examples you could share on how folks are trying to use BMC’s AMI technology?

Bill: what we’re demonstrating to our customers is that our top priority is to develop a self-managing mainframe for our customers. Developing intelligent automation, predictive analysis and things like that so that our customers can focus more on the products they have and use software from folks like BMC to be able to run a more efficient and effective operation in their mainframe shops.

We’ll be delivering four new products this year in the AMI portfolio. One of those is called AMI for DevOps, which is connecting distributed or open systems application code so it can connect more effectively to mainframe develops of DB2 for example. So, they have more of a seamless transition when they work together for applications. We’ll also be delivering some code and new products that will allow us to do a predictive analysis. We call it “seeing around the corner” which means determining a problem for a customer based on using their historical data before the problem even occurs, whether it is a potential slowdown or worse.

We’ll also be delivering some remediation once a problem has been determined. We’ll also be delivering a new product for us that will enable us to do a better job, a more effective job for our customers today of assessing application workloads and their environments as they want to bring on new applications.

One of the coolest things we’re working on is our GUIs and how our products will work and touch and feel with our customers. That is something that we’ll be rolling out this year too, so the customers get a different look and feel from a BMC perspective on how our products appear to our customers.

Allison: There’s lots written anymore on sorting through the noise of your data and trying to figure out what is predictive and what is just noise. How is the tool utilizing that different information and kind of helping people to sort through that and figuring out what could predict and what is just an anomaly?

Bill: We are now working on some modeling that will allow us using some multi variant techniques by looking at all sorts of different angles and looking at customer’s historical data. So, we’re asking customers to give us some historical data from maybe three or six months where in that timeframe they may have had a bump in the night or maybe a slowdown or worse. And we put that into our model using their data and then we go back to customers and show them how our model would have potentially identified that slowdown or worse, a bump in the night, before it even happened. So that, they will be able to tell, as I said earlier, they will be able to look around the corner instead of having something bad happen to them by looking at it.

We have hired a couple of data scientist as well as some architects who are helping us with the modeling and the modeling techniques. We’re now gaining customers who are sharing their data with us so we can make sure the model not only works generically but also will be a model that works in their specific environment based on the fact that we have their historical data. And we’ve shown them that historical data has proven to us and to them that the bump in the night could have been foreseen before it happened.

Allison: I know skills gaps are typically an issue as you don’t maybe have enough people coming into the mainframe space. Do you feel like this will help with that dilemma as well?

Bill: Yes, Allison, I think it will. I mentioned earlier our mainframe survey and the two fastest items that are moving up on the chart of customer concerns from the mainframe survey input were what I mentioned earlier is modernization and security. Aging workforce is another one. When we started the survey 10 or 12 years ago, it wasn’t even on the radar. Now it has become a top five or six issue for customers. It’s not easy at times to get people coming out of university that want to jump into the mainframe because they are not even exposed to it at all. But once we get them in here and they get their hands on the technology that I was just talking about, the multivariant technology for predictive analysis, and things like that, they really get excited about it. They actually bring ideas to our mainframers here that we probably would have never even thought about because of the knowledge they have and the skills they have developed over their years that maybe the folks who have been working here for 30 years don’t even have a sense of what that is or what that experience that might be for them.

In this Run and Reinvent podcast, I’m joined by Doug Hynes, head of sales engineering for North America for Fusion Global Business Solutions, a BMC partner, to chat about the future of IT Service Management and the role of artificial intelligence in the service management field. Below is a condensed transcript of our conversation.

Allison Cramer: Tell us about your background at Fusion.

Doug Hynes: I’m the North American head of Sales Engineering straddling business and technology, listening to my customers’ pains and dreams of where they want to take IT as a business, and helping them through the products, processes, and the roles their people should be in to get to those dreams.

Allison: Everybody wants to work with the person who can make their dreams come true. How have those aspirations and visions of themselves, how has that changed for your customers over time?

Doug: Everybody starts with wanting to sit down and kind of have a, I hate to call it a complaint session, but nobody ever calls IT to say, “Congratulations, thank you.” Everybody calls IT whenever you have a problem. So, it all started probably with we need to have a process. We don’t have a process. We just do things, either pen and paper, spreadsheets, email. We need to take that to the next level.

And then a couple years go by. People say, “Okay, we’ve got a process down. We have people who are process owners. We need to be more efficient in how we work, the inner workings of IT.” So, we take that to probably the more intermediate, and start providing value back to the business by taking those processes and making more efficient and start providing more of what the business is asking IT to do, not just IT getting their house in order, if you will.

Allison: Have you noticed over the past few years that people are relying more on maybe more self-service, like how do I help myself better versus engaging with a person? Or even using, when they do want to talk to a person, looking more towards using bots than having an actual human being on the other end?

Doug: It has. And I think, really, we have a lot of the consumer-based electronics to thank for that. So, whether you’re talking Android or iOS, or even Microsoft with their mobile capabilities, people have become tech savvy in a sense. And we definitely have seen that roll through the generations. People don’t necessarily need to call the IT help desk for everything anymore. They have a level of understanding of how technology should be working from their personal lives. So, being able to follow an FAQ that the company provides, or utilize some natural language processing through artificial intelligence, being able to just generally ask a question like you would Google. People are starting to look for that private-life experience in their corporate life.

Allison: What do you think the role of AI is for IT? So, where can it help, and where can’t it?

Doug: The role for AI is to aid in a better customer experience, to aid in data quality, and to aid in getting rid of the rote, or let’s just call it boring, day-to-day tasks. Something that it follows a natural process. We do it the same way every time. And we don’t necessarily have to have to have a human interaction to see it from start to finish anymore.

We have a number of different automation things in the background that can handle that. It’s really a question of what is the front end to the customer, and is it a rich user experience for them using AI to get it through to the automation? And then that repeatability from how the customer interacts to how it’s resolved, that’s the data quality side of things. Making sure that it is handled in the same fashion and gets the result that the user is looking for. That’s where AI has really started to fill in in the IT world.

Allison: The relationship between AI and automation, do you feel like one precipitates the other? Like you have to have a lot of automated processes before you can utilize AI? Or what’s the relationship there?

Doug: Not at all. I think it really starts with, what is your outcome? What is this something that you are trying to fulfill? And then you work backwards. You start to say to yourself okay, this is where we want to get something like a password reset. So, when I talk to my customers, that’s generally the first thing that comes up. How do we get that type of request off of my service desk, or off of my IT security help desk? How do we just get that handled without human interaction?

We know that the end goal is to have the user’s password reset. How do we put the automation in the center of that, in between the user and the outcome? That’s where we start to have that discussion is at the outcome first. Then we look at what exists in the center now. Is there a process? Is there not a process? Are there dreams of a process, if you will? And then fill in the gaps. That’s where AI kind of fits.

Allison: What are some of the other thing that you have to be aware of in order to appropriately utilize AI?

Doug: The people who appropriately use AI and not fall into we bought this software, or we bought this service, and it’s sitting on the shelf because we don’t know how to properly implement it is a little bit of homework. If you are trying to use AI for self-service, you need to have processes and outcomes defined when a customer asks for something.

Regardless of how we use the natural language processing to determine what it is, do we have an outcome for them? Do we have a way of getting them what they’re asking for, whether they’re asking for something from technology, you know, a new phone or new application to be installed on their system, or something like requesting a day off, do we have that process? And if we don’t, well, we need to define it.

And if it’s not necessarily a process they’re looking for and it’s just like a self-help article, we need to have the knowledge base up inside our system. So, making sure that we have potential answers, be it textual-based, video-based, or service request-base available to our customers prior to utilizing AI is probably one of the biggest hurdles that customer sometimes don’t think about.

Allison: What kind of resistance do you see from organizations when they’re trying to move towards using more AI?

Doug: You always get the, “Is it going to replace us?” Any time you talk about robotics or artificial intelligence, you have people worried about that. But in the end, I really think that while we do have a system that helps process things faster, efficiently, however you want to phrase it, you’re still going to have to have people who can take care of those robots, and make sure that if the process gets stuck there are people who are trained to unstick it.

I don’t think that everything can be solved with automation and AI either. Getting people out of the ‘I’m used to calling so-and-so day in and day out whenever I have a problem’ and getting them used to using that self-help and using that AI is definitely a cultural change. There’s sometimes that relationship to the person that you’re used to sending an email to or to having a phone call with changes if it’s not easy to change hearts and minds.

So, I see the fear there, but I think once a customer has a positive experience with using a self-service, using AI, or whatever the case may be, it starts to change their mind, at least somewhat. I’m not going say it’s going to change it for all time, but at least it starts thinking okay, this isn’t as bad as I thought it was going to be.

Allison: What are some of the big new trends you see on the horizon?

Doug: The new trends besides just the idea of AI is using it in niche ways. One of the ways we talk – one of the things we talked about earlier was data quality. So, using AI to help the service desk when they do take phone calls or emails, categorize things properly, so later on when people are doing reporting or they’re doing capacity decisions or hiring decisions, we can say, “What are the areas where we’re lacking in knowledge?” Or, “What are our hot areas?”

And the reason we have that, the data quality, is because we used the AI engine on the background to help us categorize things in the proper fashion. So, it’s not just a service request now. Now we’re looking at how do we look at our business as a whole and making sure that we understand things in a more repeatable and a more efficient fashion.

In this Run and Reinvent podcast, I chat with Vinnie Lima from long-time BMC partner VVL Systems, who shares his insights and best practices into creation a cloud migration strategy. Below is a condensed transcript of the discussion.

Allison Cramer: Can you tell me the difference between Cloud First versus Cloud Smart?

Vinnie Lima: A lot of organizations and federal agencies, they took the first leap and say, “We must get the cloud.” “We will get the cloud.” And they established some policies to indicate we should first go to the Cloud no matter what. Well, that’s a great strategy. The challenge always becomes, are you organizationally ready? Is your organizational process aligned with that strategy? Is your culture, is your tooling, is your processes, is your training and skill set up to that task of going Cloud First? And what a lot of agencies and commercial sector found is that that leads to some introduced risks. For example, security, right? Enabling that rapid approach to the Cloud requires you to think about a couple key tenants to make sure you’re not introducing a risk to your organization.

Security is a big aspect that the Cloud First did not necessarily always take into account, as well as cost management, which is this big challenge. A lot of organizations jump into the Cloud. They enable their organizations to use the Cloud and then they get a bill. And then they have to determine how do I adjust that bill? Was it being utilized in a smart way?

That’s how I differentiate between Cloud First and Cloud Smart. Where Cloud Smart is really looking realistically around your culture, your tooling, your processes, and your knowledge – your personnel knowledge to go to the Cloud in a calculated way. Identifying applications that are further down the modernization roadmap that are good candidates. There are quick wins, as well as, creating a roadmap around governance. To make sure that as you introduce more workloads to the Cloud that they are sustainable, that you’re not going to have a shell shock around cost, or security, or cultural.

Allison: One of the things that always surprises me a little bit is that folks seem so focused on moving to the Cloud, but have not necessarily documented what they think that’s going to do for them, right?

Vinnie: In the example of USDA [a joint BMC/VVL client], our key success is to be able to demonstrate that a hybrid-cloud, multi-cloud strategy is functionally capable within a federal agency. So, there’s a lot of layers before you start talking about taking applications to the cloud, especially when dealing with USDA where you have to deal with a federate moderate and a FISMA High environment that has additional layers of complexity.

Our initial charter was to do a very agile methodology-based approach of delivering some key tenants of fundamental capabilities; some foundational services. So, not only connectivity, or texture, security, ATOs come into play, but also enabling to demonstrate that a service once delivered into the cloud, is manageable, is sustainable.

All of the operational aspects – the incident management, the change management, all of the ITIL processes, how do you monitor it, how do you patch it? Those are all things that in the USDA scenario were key tenants for us to go the cloud. Without that, they will not accept that cloud strategy. So, that was our first initiative, to start small, think about the key tenants that you have to deliver before any customer workloads – any workloads were going to the cloud.

Allison: Do you have a roadmap or just some suggested activities for people to go through as they try to figure out, “Okay, what would it make sense for me to move first?”

Vinnie: As what everybody says, there’s never a single right answer, but for most organizations that we’ve come across, and especially true for USDA, was really focus on your strategy around how you’re approaching cloud. Don’t let policy drive the risk. You want to be smart about going to the cloud, but you first really need to take a good 360-degree view on perspective for your organizational processes.

What is your culture like? How do they operate? How do you deliver services to your customers? Personnel skill set I think is a key challenge, as much as a lot of cloud vendors – they might not like me saying this, make it look easy. Cloud is really hard, right? Cloud is – to do it right requires you have the right people, the right training, the right skill set. And they have to pair that up with technology. So, looking at your current technology innovation and investment to determine where are their gaps to sustain this rapid pace of cloud?

Allison: I like the way you couched in the quick wins around they might be quick wins, but they’re part of a long game, right?

Vinnie: It’s important that you set realistic goals, right? But at the same time, have visionary ideas, right? Having the visionary idea helps you build a roadmap, but you have to be realistic about what you can accomplish. There’s no right answer to how fast you can move. It’s going to be very culturally and very organizationally dependent.

Allison: What are some of the gotchas that you found in there of an easy way – or even some of the evaluations they should look at when they’re looking at the process to see if it will work or not?

Vinnie: The biggest challenge is understanding your current process in context to manual or interactive activities when you move to the cloud. Let’s say you’re talking about serverless computing. You’re talking about an AWS Lambda service. You’ll find very quickly that your current process, your on-prem traditional operations, will have a hard time scaling to maintain or sustain.

This is where some of the capabilities that BMC’s brought to market has been very helpful for us, especially dealing with USDA and their strategy. Talking about TrueSight Cloud Security where you can manage the variety of controls that have to be enforced in a regulated cloud environment, in that large scale, right? So, how do you track things like EBS volume encryption and many other things that are quick to grow out of control, especially when you’re doing a lot of DevOps capabilities such as CI/CD Pipeline where you’re introducing more and more really fast in the cloud environment?

How do you track security for that, right? And so, this is where the process reevaluation – it’s not necessarily replacing your current process, but think of it as the next modernization, the next phase in your process structure to how do you deal with these cloud resources that have a finite or very transitional state, right?

Patching’s another challenge, right? The old challenge around, well, if you’re powering off cloud instances to save on billing or to have a finite life span, how do you patch them, right? They are no longer operating as an on-prem environment where they’re on all the time. So, think about those things.

And then cost. I can’t emphasize costly capacity management. It’s very, very important to culturally to change the way people think around the process of provisioning a lifecycle manage because right-sizing is a real challenge when it comes to cloud.

In this Run and Reinvent podcast, I chat with Amaya Suarez, VP of IT at First Data, about how to create a roadmap for IT transformation. First Data is one of the largest payment processors in the world serving small merchants to large banks. Below is a condensed transcript of our conversation.

Allison Cramer: You’ve recently gone through some sort of operational transformation. Tell us about the process and how you developed a vision of where you wanted to go?

Amaya Suarez: The whole transformation started with actually defining what is that vision for us. The vision revolves around automation, getting away from manual work as well as self-service, transparency of data and so on. We laid the foundation for looking at the entire ecosystem of tools and automation that we use. One of the things that was pretty apparent is that across the globe, when we had many different monitoring solutions because the company had grown organically, where it grew through acquisitions. So, we needed to take a look at what capabilities do we need for each part of the ecosystem of tools? What are the capabilities that we need for server monitoring, not only to monitor servers that are sitting in Argentina with many, many different OS types or anywhere on the globe, as well as EC2 instances that we have? How do we monitor all these different things? And so, we went through the entire stack of tools and then determined: What is the future tool set that we need that we could standardize on that will be able to help us progress through the future?

Allison: You’ve got the mainframe, server, and the cloud. Was part of the issue you were looking at trying, trying to figure out how do I get visibility and consistency across the entire state? Or was it more: We look to have more silos of tools, depending upon infrastructure situation? How are you dealing with that challenge?

Amaya: To a certain extent. I would love it for Splunk to be able to handle logging and log analytics for every piece of infrastructure that we have in an ideal world. Now, there could be part of our infrastructure applications that we can’t log with Splunk. Or maybe we’re going to do less than real time logs. We would have to look it like, “Okay, well, if we actually really want to get mainframe data directly into Splunk, then how are we going to do that?” And that was the case with the ITSM solution. I could choose to have an ITSM solution that can handle everything except for some segment of our infrastructure. But in an ideal world, I would like to have one ITSM solution and one CMDB that covers the entire footprint. And not only the entire footprint today, but if we’re now going to start investing in Kubernetes or Docker or you name it, what that future technology will be, like serverless, then the tools that we have need to be extensible to those new scenarios also.

One of the things that I started right away was a quarterly roadmap release that we would send out to everybody in the infrastructure and application teams. It basically says, “Here’s all the things that we need to do research and analysis on, here is where we’re doing proof of concepts, and here’s the tools that we’ve selected or the new automation platforms.” It constantly needs to be evolving and keeping up. And sometimes you may select a tool set and it’s your standard tool set. We rolled it out across the globe, but you get a new use case in and that tool set is not ready for it. And that’s going to happen. You just have to be open to taking a focus on the use cases and what you need as opposed to being locked into this sort of like, “I have to stay on this tool. I love this tool, and it’s the best thing in the world.” Or this technology. It’s constant evolution, and it just has to be constantly fed with continual learning and research.

Allison: How has your communication of that roadmap going out been received in your organization? And do you feel like that had maybe any positive cultural impact or anything like that?

Amaya: It’s been good. Let’s say the application development teams that are here at First Data want to use some kind of an orchestration to do CI/CD to deploy their code. Well, what’s happened over the years is different development teams put up their own instance of Jenkins or RunDeck or whatever, you name it. But it was really more of a starvation that created that. So, having that roadmap go out that says, “Hey, we’re now researching, you know, what we should use for CI/CD.” It’s very positive, and people want to participate and test things out and see how it’s going to work.

Allison: How do you feel automation and some of the automation capabilities have played into your transformation?

Amaya: Automation is really interesting because there’s so many different forms of automation now. I’m really excited about some of the things that were starting to do there. One of the problems that I experience, though, is that there’s a lot of fear of automation. What we’re trying to do is introduce people to different forms of automation and then start building out those use cases. And people need to feel comfortable that, hey, this automation is going to be able to accomplish what needs to be done. It’s really getting people’s heads wrapped around intelligence, automation, how these things could help them do their jobs and solve problems for them so that they’re not stuck in the trenches doing things manually.

Allison: How do bots fit into your future?

Amaya: We have a huge call center presence where we provide call center services to a lot of banks, card issuers, and merchants. So, within that context, the company has started implementing interactive chatbots that can work with customers and call center people. Internally within First Data, within my team, we started a robotic process automation effort. So those are little software bots that can perform the actions that somebody might do in the call center or in our global command center where we’re operating on incidents or changes and things like that. People are starting to understand, “Hey, I could have these tasks that I do day in, day out that are really routine and I could just get myself away from doing that so I can focus on the real engineering problems or business problems that I’m trying to deal with.”

Allison: What do you think is next for your team and your journey towards transformation?

Amaya: Ultimately, one of the main goals is really self-healing infrastructure and trying to work on where the areas are that we could really carve out and move to the cloud. One of the things that I’ve been talking about recently is just if you take all your development environments that are sitting on on-prem, assuming that it’s all like Windows and Linux and whatever else, if you move it to the cloud, then you can put things on snooze schedules where you shut things, you shut things down on the weekends or when people aren’t actually doing development. It saves you money over having to, like, have that infrastructure sitting there available, waiting for people to, you know, do their coding.

Allison: Is there any other advice she would have for folks who are considering or going through their own transformation?

Amaya: I hear a lot of people talking about how they had to bring in all new people, to do this transformation and then people who have experience with these new technologies. And really, I think that it is good to always bring in some new people, but I’m a bigger fan of inspiring the people that you have already in your organization to learn new things and find out about these new technologies. I can’t even tell you how happy I have some people on my team who now totally embrace AWS and cognitive and all these different things. Initially, there’s a bit of resistance. But once they grasp how much impact that these technologies can have, they really just dive right in and love to learn new things.

In this Run and Reinvent podcast, I chat with Scott O’Hare, director of IT operations for the U.S. Department of Agriculture (USDA), about the agency’s move to the cloud, the challenges it faced, and what it means to be Cloud Smart. Below is a condensed transcript of our conversation.

Allison Cramer: What does multi-cloud mean for the federal government?

Scott O’Hare: For us, it is taking the combination of the private data center cloud, which, we’ve been doing for quite some time, and it’s extending that into Azure and AWS. So, we have this holistic cloud [which are] multiple clouds working together to give our customers the choice of where they want to be hosting their applications and platforms.

Allison: How did you decide that you were going to the cloud and these are the options we’ll have? How did you work thought that with your constituents?

Scott: Like I said, we’ve been doing this for a while, so we feel like we understand how to provide sort of cloud services in the private data center model. The challenge is with technology and with these different options available to consumers, they’re changing so quickly. And the expectations of the customers also changed along with that, it’s very hard to keep pace as a large infrastructure sort of data center provider.

So, if a new [federal] customer wants to come do business with us, they present their portfolio of existing services, and we try to size them out. The thought of being able to go out into an Azure and AWS, which we all think of having unlimited capacity and capability, but you only pay for what you need as you need it, makes it very enticing for us. We get away from those traditional capital expenses and turn those into operating costs where we’re just passing that directly onto the customer. We don’t have to charge them for sort of the entire data center footprint.

Allison: Some folks have gone through that cloud journey have had some unpleasant surprises as they try to shift some of those costs around. Maybe they have different dependencies that they didn’t completely understand and what moving from a CapEx to an OpEx structure, how that would change their cost basis. Did you have any of those challenges or was a little bit smoother for you?

Scott: Absolutely. If anybody tells you it’s, uh, easy, I think you need to dive a little deeper into what their definition of easy is. We’ve been on this cloud journey for six or seven years since it was sort of originally decided that everybody is going to be moving to the cloud and getting out of doing everything themselves and having known data centers, etcetera. So, it wasn’t really until the last 12 months, I would say, that we kind of figured out how to make some substantial progress forward.

A lot of those challenges were, ah, culture is the biggest challenge. It’s convincing an organization that might be 30, 40, 50 years old, and it’s really set in doing that a certain way, that there are different ways to do it. That it doesn’t necessarily mean that you’re not going to have a role or a position or a job when it’s done, it just means that we need to figure out how to repurpose people.

What we found is if we start with what we’re doing well today, before we move out into the cloud. And we try to say, “How can we replicate where it makes sense, some of these things out in the cloud space?” It was really about identifying what we were really good at and where we wanted to complement ourselves and take these really small chunks and kind of dipped our toes out into the commercial cloud space and see what we could come up with.

Allison :Could you elaborate there a little bit more of like, what do you think it takes to be cloud smart?

Scott: The concept of Cloud First, which has been sort of the brand or the moniker for years now. It’s like everybody needs to get out there. I think it paralyzes pretty much everybody that I work with and partner with and I’ve dealt with. They know that they’re supposed to do it, but don’t really understand how or why to do it. Cloud Smart is about refocusing that line of thought and figuring out where it makes sense in your portfolio to take those small steps and get out there as it makes sense and as you can prove that it’s successful.

We give ourselves very targeted goals in very aggressive time frames. We’re doing sort of an agile development methodology and we’ll say we have this to accomplish in 30 days. If we don’t, then that’s the fail part, and that’s fine because the other part of fail fast is if I fail, then what’s Plan B? Well, what did we have in the pipeline ready to go to try something else? But we don’t sit there and try for six or nine or 12 months to accomplish a single task for a set of small tasks. We try to keep the scope small, deliver in a very aggressive timeframe and monitor ourselves and be able to say, we either made it or we didn’t in that very short window.

Allison: Do you have any advice that you give to people who are trying to figure out how to determine the success metrics?

Scott: I understand that most people, when they’re pitching the advantages of moving to the cloud cost, comes up right away. The nice thing is we didn’t focus on cost first. So, we have these four pillars in order of priority that we focused on were we’re sort of moving or extending our services out into the commercial cloud. And the number one pillar is security. And number two is performance. Number three is actually cost. And, number four is customer experience. So cost is in there. But it’s not the most important thing.

Allison: What were some of the things that you concerned yourself with or looked at as you were moving to the cloud?

Scott: I don’t know that it’s really unique among different organizations or providers out there, but we tried to assess what we were doing well today. Instead of going out to the commercial cloud and rebuilding everything from scratch, we took all of those tools, all those processes, all that automation, even all of that staff, and we extended it virtually out into the commercial space.

That was one of the major ways to get over that cultural hurdle. They’re still doing the same thing. The same tickets are coming to them, the same methods that they’re using to manage those assets, to scan, to patch, to respond to incidents. It’s all the same. We didn’t have to retrain everybody. There’s not a lot of difference from managing cloud service on prem versus managing in commercial cloud when you design it in this manner.

After another hectic and news-filled AWS:ReInvent show in Las Vegas, it’s obvious there’s a lot of innovation happening in and around cloud technology. Amazon, Google, Microsoft, Oracle and others are making cloud-hosting easy and offer great tools to power a variety of business services.

For start-ups and new services being built from the ground up, thinking cloud first or cloud native makes sense. Signing up to spend resources on building and maintaining your own data center is not for the faint of heart.

But for those of us who have been in this game a bit longer there are some different questions to ask. We all know someone who has received a mandate of Cloud First for anything new and is under significant pressure to move all existing workloads to the cloud as well. Does that mean every workload is ripe for moving the cloud? No so fast.

We’ve seen numerous customers bringing back workloads to their own data centers because of unexpectedly high costs and a lack of clear objectives. It’s not just our customers as a recent IDC survey found that 81% of IT decision makers will migrate applications that were part of a public cloud back on premise or to a private cloud.

“Everybody moves everything there and then says, wait a minute. Maybe that wasn’t the right move, maybe we should be cloud smart instead of cloud first,” said our own David Cramer in an interview with TheCube at AWS.

Being cloud smart means:

• Defining goals for cloud migration. Maybe costs do end up being higher, but if you’re gaining speed to market and greater flexibility, those goals might outweigh the cost increase.
• Balance the need for access. Cloud services can make it easy to build and deploy new services, but there’s needs to be a delicate balance between operational needs and access. If the cloud service takes longer to provision than the system it replaced, that’s a lost benefit.
• Governance and security are still important. Yes, cloud providers help with security by keeping underlying systems secure, but it’s still on your organization to ensure proper configurations and governance is in place. A missed security configuration could result in a data breach or violation of regulations, which could end up as costly to the business.

Amazon’s new AWS Outposts on-premise offering gives credence to the “cloud smart” way of doing business. There are numerous reasons – regulatory, costs, security – why workloads cannot be moved to a public cloud environment. Amazon realizes this and is extending the advantage of having the infrastructure managed with the comfort of having it based in your own data center.

Being cloud smart is not rocket science, so most of us stand a fighting chance. It’s about mapping a current application or workload’s performance to the capacity and cost so that you can make the right decision for your business.

The news headlines and social media comments about IT security vulnerabilities remain consistent – and they may cause you to take a closer look at what can be done to protect your organization. It seems like “another day, another data breach, another cyber attack, and another failed security audit.”

Fortunately, there are steps you can take to thwart the threats from hackers and keep your organization more secure. How well prepared are organizations to deal with these issues? What’s the best approach for moving from a reactive strategy to a well-coordinated, offensive plan of attack — one that’s based on automation and greater collaboration between IT Security and Operations (SecOps)? A new voke Research Market Snapshot Report addresses these issues and much more.

The report is based on a survey of 318 participants from a wide range of organizations around the world (about 80% of them have 1,000 or more employees) that analyzed challenges related to operationalizing security. When security is “operationalized” effectively, it means that organizations implement secure operations and automation practices. The survey focused on each organization’s approach to IT patching and compliance, automation, and whether these practices were effective enough to establish high levels of security. Here are some key themes and 10 surprising statistics that were uncovered from the survey:

Don’t be reactive – go on the offensive

Most respondents took a defensive approach to security when they really should have been moving to a well-coordinated plan of attack. Working in silos is ineffective. Ensuring security is everyone’s responsibility – architects, developers, QA, IT Operations, IT Security, and the line of business. The consequences of a defensive approach can be disruptive and costly.

1. 83% of organizations had numerous security-related challenges and most participants reported multiple challenges.
2. Only 32% of organizations report a proactive and collaborative relationship between security and operations.

Close the gap

If you don’t close the gap between operations and security you could expose your business to potential risks. Failure to implement patches to known vulnerabilities, for example, can lead to security breaches and failed audits. Organizations that focused on closing the gap with automation and best practices experienced improved audit-readiness, increased remediation productivity, improved patch management, and reduced security breaches from pending patches. Automation should help security and operations teams collaborate more effectively by providing context and actionable information. That way operations more readily knows what to do with information from security and the security teams have a better understanding about how their recommendations impact operations.

Patch vulnerabilities quickly to pass security audits

The stakes are higher than you may think for failing a security audit.

3. 27% of survey participants reported a security audit failure in the prior 18 months because proper measures weren’t in place, breaches happened, and other factors.
4. 81% said that the audit failure could have been avoided with a patch or configuration change.
5. 26% said a failed audit can cost millions!

Prevent costly breaches

Significant breaches can put an organization at risk for fines, theft of intellectual property, brand image damage, and other problems. Yet, most breaches can be prevented.

6. 79% of participants indicated the security breach could have been avoided with a patch or configuration change.
7. The average risk of fines reported by participants is $1 million (USD)
8. The average risk of security breaches is $40.5 million (USD).

Reduce risk and increase productivity

Be better prepared by developing a plan that addresses these security challenges, along with best practices and the automation to make it successful. Identify any gaps in how security and operations teams work together.

9. Did you know that 30% of respondents said they were challenged by a lack of automation, even though technology is available?
10. On a positive note, organizations that used new solutions to perform remediations improved staff productivity with 64% reporting a 4x to 40x productivity improvement!

How does your organization compare in terms of overall IT security with the companies that were surveyed? Chances are you may face many of the same challenges they did. What best practices should you follow to protect your enterprise? How can automation help? Read the Secure Operations Report by voke Research and find out.