As cyberattacks get more sophisticated, pushing cybersecurity to the background can have devastating consequences.
While the pandemic accelerated the adoption of cybersecurity technologies worldwide, certain industries require more robust security measures than just antivirus software or a corporate VPN. Our guest today believes that these days, ensuring resilience is not only about adopting the latest cybersecurity tools but also having defenses in place in case of a natural disaster or a physical attack.
To discuss what actions companies should take to upgrade their defenses, we sat down with Alex Heneveld, the CTO of Cloudsoft – a company helping critical industries manage their complex IT environments.
How did the idea of Cloudsoft originate? What has your journey been like so far?
We started off back in 2009, with just three of us. I’d recently completed a Ph.D. and realized that the types of problems I was interested in solving were better thrown to the market for feedback.
We’ve come a long way since then – we’re on the sixth major release of our flagship software, Cloudsoft AMP, which is used by global tier-one banks and defense companies, we’ve launched an AWS consulting business (Cloudsoft Tempo) and we partner closely with AWS to build solutions like the ServiceNow Connector.
In the last two years alone, we’ve boosted headcount by 43%. Scaling up means we must be cognizant of our company values to ensure we don’t lose the open, inquisitive and collaborative environment which makes Cloudsoft what it is.
This is particularly important as we have gained recognition as a Great Place to Work: we were recently named one of the Top 10 Best Workplaces in Tech in the UK and were also identified as one of the UK’s Best Workplaces 2022 (where we were the highest-ranking Scottish-headquartered business in the small business category – placing 22 out of 80). While technology is at our core, it is what our people do with it that helps us to grow and succeed.
Can you tell us a little bit about what you do? What are the main challenges you help navigate?
Our primary focus is our software product, Cloudsoft AMP. This is a tool that helps customers in regulated industries like banking and defense to orchestrate and govern critical services across their often highly complex IT estates and improve their resilience.
Since Cloudsoft’s inception, the technology landscape has really exploded which has made our application- and service-centric approach more important. Our users describe the components of their applications and services and use automated policies to orchestrate them in any technology environment to ensure they’re available, so it was interesting for us to see new PRA regulations in the UK focusing on service availability rather than infrastructure availability.
As more companies move their workloads to the cloud, are there any details that might be overlooked when making the switch?
We all know that the pandemic has accelerated many organizations’ cloud adoption plans. In haste, some less than optimal decisions can be taken, so having a thorough review post-migration can really help to make sure your environment is as efficient, performant, and secure as possible.
Those who are very new to the cloud are often tempted to see it as another data center and simply replicate old architectures and processes, but by doing so they’re missing out on the real value it can bring. The beauty of the cloud is that “everything is programmable” – with the ability to get new storage/compute almost instantly, automate infrastructure and network setup, automate release processes, and gain access to a rich tapestry of tools for achieving this with products and services built for easy implementation by cloud providers.
Whether cloud adoption was made under pressure or with tons of planning, it's also important to recognize the value of continuous evolution. New services, security, compliance, and pricing opportunities emerge every week. An essential part of any cloud strategy should be continuous improvement and knowledge sharing.
Do you think the recent global events altered the ways in which threat actors operate?
We have seen many occasions over the last couple of years where the resilience of an organization has been tested. During this time there have been several high-profile incidents, some due to human error and some at the hands of malicious actors who exploited a technical vulnerability within an organization.
An example of this was the Log4j vulnerability which highlighted how complexity can hinder recovery from incidents. Equally, it reinforced the need for automation, composability, and orchestration. Our customers reported that once Log4j updates had been added to AMP’s library of policies, they were able to quickly update and secure affected applications and their dependencies with little to no downtime.
What are the most common problems you notice companies run into on their digital transformation journey?
Technology is typically the first thing that comes to mind when digital transformation is mentioned. However, digital transformation is not just a tech process – it’s about fundamentally changing the way a business operates, and delivering new value to customers through integrating digital technologies into every aspect of your business. The impact of such a program on the team and overall culture is something that cannot be ignored.
Additionally, digital transformation can also require a skills transformation. Given the highly publicized tech skills gap that many organizations are currently facing, to gain value from digital transformation companies must be proactive about upskilling and education.
In your opinion, which industries should be especially attentive when it comes to application security?
Sadly, no organization or sector is immune to the impact of an IT security incident. Complexity is the biggest threat as it creates new vulnerabilities which are hard to identify and secure. This is particularly prevalent in industries that are also heavily regulated and for whom a breach could have a significant economic or political impact – particularly in government, financial services, banking, and defense – must be clear on the steps and processes they must follow
What are the best practices companies should follow when developing, and, when launching applications?
This will vary depending on the scale of the organization and the scope of the application, but there are four fundamental principles that we follow:
- Who is your core user? What are their problems?
- Who is your core buyer? What are their problems?
- Regular feedback from externals, so you can test and iterate.
- Not a “one and done” process – your users are your biggest resource for product improvements!
However, as so much of what we do involves heavily regulated industries, it would be remiss of me not to mention the importance of being mindful of current and upcoming regulations and their impact on any IT programs being rolled out or new applications being developed.
Besides application security, what other best practices do you think every organization should follow to secure their operations?
I don’t think I need to emphasize the importance of good defensive security practices, where you try to keep attackers out of your systems and applications. But I think that sometimes the perception of secure operations can be too narrow, and that resilience should play a bigger role. You might be able to defend against sophisticated cyber attacks, but how prepared are you for a natural disaster or geopolitical conflict which impacts your operations? Added to this, the wall between Operations and DevOps is also coming down, as operations realize the benefits of using “as code” best practices to help ensure resilience; whilst DevOps becomes more service and governance aware.
Lots of organizations are recognizing this – there are plenty of job ads for Heads of Operational Resilience at the moment – and are starting to think more holistically about their resilience, what a “threat” actually is and how they can proactively secure their operations against those threats and keep going when incidents inevitably do occur.
What does the future hold for Cloudsoft?
In addition to continuing to extend our reach internationally, we will be evolving our products, services, and partnerships. Continuous innovation is important for us as an organization and for our customers. We look forward to being able to share more news on what we have been working on over the coming months.
We will also continue our focus and investment in our people. I am proud to work with an incredibly talented group of people, but we can’t stand still. We’ll therefore continue to focus on creating an environment and culture where people can grow personally and thrive professionally.