One of the main causes of security operations (SecOps) pain is the sheer number of disparate protection tools now in use across the enterprise, leading to an ever higher volume of alerts, operational inefficiencies, and increased cost. There’s no denying the cybersecurity threat landscape has become extremely dynamic and complex — encompassing data, applications, APIs, and containers as well as multi-cloud, on-premises, and hybrid environments, just to name a few. Each of these environments requires security tooling to address potential vulnerabilities and respond to threats and incidents. However, increased tool adoption and use come with a downside.

Redundancy, wasteful spending, and system complexity. That’s IT tool sprawl. It is the root of countless needless tools purchased for IT purposes, tools that are typically misused or statically ingrained within legacy systems. This trend severely drains organizational resources through unnecessary spending and leaves data inefficient, vulnerable, and siloed. Tool sprawl is also a main culprit of fractured IT teams. Not only does this division create risky security gaps, it also fails to satisfy the requirements of end-users. And this issue doesn’t just affect Fortune 100 companies. From SMB to large enterprise, no business is exempt. Gartner’s 2023 CIO Agenda Report lists tool sprawl as one of the top ten monitoring challenges for CIOs.

Companies often don’t realize they have a tool sprawl problem until it becomes exorbitantly expensive or creates security issues. Unfortunately, security issues often go unnoticed until the effects of a breach are felt. Disparate, siloed data protection tools only compound the issue with an unmanageable volume of alerts, false positives, and security gaps, adding significant time, money, and resource costs to the equation. 

SecOps teams require specific tools to build, manage, and monitor their systems. But when more tools are added without proper planning and integrations, they can cause more harm than good. Accenture Security estimates many of their clients average 60 to 80 tools in their security architecture, with some companies as high as 140, which is an overwhelming amount of sprawl. It takes time for security teams to become familiar with each tool, provision and configure it, and then make actionable use of its telemetry.

Complicating this effort is the cybersecurity talent shortfall, the rapidly changing vendor ecosystem IT and security leaders are facing, and the challenges associated with the evolving threat landscape. In addition, many standalone tools don’t work well with others, often requiring their own unique implementation, dashboards, and outputs. Despite the complexity in the tooling ecosystem, there is an opportunity for simplification for security teams. Removing steps, complexity, and burden adds tremendous value to those involved in the cybersecurity process.

In the Gartner Hype Cycle for Data Security, 2022, Privacera is recognized as a representative vendor in a new solution category: Data Security Platform (DSP). DSPs address tool sprawl by aggregating individually-mature technologies into a unified solution. Traditionally, data security has been delivered by disparate products, resulting in operational inefficiencies and an inability to support, for example, data risk assessments, open data, commercial data, and internal innovations and collaborations involving data. DSPs provide consolidated security and protection capabilities for data by aggregating formerly siloed capabilities under a common policy instrument, significantly streamlining data security. Especially in cloud-based data stores, a DSP reduces integration costs, manual work, and friction by connecting previously disparate data security controls and capabilities.

The Privacera DSP secures data using a combination of fine-grained data access controls, data masking, and data encryption to provide a zero trust framework. Privacera provides observability into the data environment, including data access monitoring (DAM) — a category in which Gartner recognized Privacera as a sample vendor in its Hype Cycle for Data Security, 2022. Additionally, data audit and reporting capabilities support compliance requirements and data risk assessments.

Privacera is a broad-spectrum DSP that can be deployed as a SaaS-based service or self-managed software. Privacera’s other integrated DSP capabilities include automated discovery of sensitive data, instant visibility into data assets, and distributed, cloud-native policy enforcement across leading platforms such as Amazon Web Services and Snowflake.


For all the talk of IT launching big-bang transformational initiatives, sometimes it’s the smaller changes that are the most impactful. That’s the case for HVAC manufacturer Carrier, which, in the wake of its 2020 spin-off from United Technologies Corp., has taken a microtransformational approach to updating and automating the business processes that cause its customers and employees the most pain.

The process began prior to the companies’ separation, says Julie Edwards, director of intelligent automation at Carrier, and when the companies split, Carrier IT had to staff up quickly — and take over digital functions previously provided centrally by UTC.

“It was a very challenging time when we started. We were onboarding a lot of new digital personnel to handle the separation from UTC, and to gain that independence,” she says. “We had a lot of people new to Carrier, and then also Carrier was new to automation.”

As part of this shift, Carrier created a series of centers of excellence for various IT capabilities, including one for analytics and automation. “We decided to couple those two disciplines because we thought they played well together,” Edwards says, adding that she was the COE’s sole employee for the first three months of its existence.

The fast-growing IT team had a lot on its plate: “We had probably 130 different ERP platforms across the four business units, and a lot of times they were similar, they were SAP or JDE, but there were different versions, and they ran autonomously on different platforms,” she says. “There’s a lot of focus right now on standardizing and simplifying our ERP footprint across Carrier globally.”  

But business departments have needs that cannot wait for that company-wide digital transformation process to complete.

Microtransformations

Carrier’s initial plan was to use RPA (robotic process automation), but the diversity of ERP systems in use made simple RPA approaches difficult. Edwards’ team shifted its strategy to making what it calls microtransformations of key business processes, combining automation with analytics, machine learning, and targeted tweaks to ERP systems to solve some of the company’s most pressing digital challenges.

“We come into conversations thinking about everything in our arsenal that could help combat a problem, including process reengineering,” she says. “There’s really no digital tech that can make a process work smoothly if it’s just poorly designed.”

Among the most significant of the 100 or more processes that have now received this treatment is that for return of materials, a project that has earned Carrier a CIO 100 Award for IT innovation and leadership.

The internal process for customers to contact Carrier to arrange return of unwanted materials had some inefficiencies. “We were exposing all of that pain to our customers,” says Edwards, adding that the sheer number of steps customers had to go through to fix a mistake that was often not their fault was causing them frustration.

The first step to transforming the process was to listen to Carrier’s customers to get a better understanding of their pain points. “Secondly, you really have to understand the steps in the process that are value-added steps versus those that aren’t value-added,” she says.

In this case, the process ran through two different ERP systems, one customer-facing to generate the return material authorization (RMA) and a second to prepare the warehouse to receive the material and credit the customer.

“We weren’t going to retire an ERP, that’s not practical,” says Edwards, “so it was really about how we hid that complexity from the end customer.”

Focusing initially on a subset of one business unit’s customers, the team has halved the number of steps in the process, presenting customers with a single interface in Salesforce and automating the exchange of data with the other ERP. Employees are still involved in the process to approve the return, with bots performing the investigative work and filling in the forms.

Carrier is preparing to roll out the new process for customers of its Carrier Bryant Payne business unit next, says Edwards: “We aspire always to expose automation that’s scalable across not only the business unit that we’re focused on, but across business units on common processes.”

Staffing up from near scratch

Microtransformations like that of the return materials process are handled by a Scrum team of four to six, Edwards says. The pod lead manages the team and liaises with the relevant business unit; the architect typically works on a couple of projects in parallel, with the project manager handling three or four. Then there will be up to three developers on the team: just one if the automation is done solely using Blue Prism’s RPA software, or more if it also involves working with Salesforce or integrating other APIs.

But all that barely existed when Carrier first split from UTC. Edwards and her colleagues had to use a variety of strategies to build up Carrier’s IT staffing.

Consultants were first on the list: Ernst & Young (EY) provided the initial support to build the team’s governance while delivering early automation pilots.

With the automation team’s start-up period overlapping with the first COVID lockdowns, Edwards was prepared to consider nontraditional candidates to staff up quickly.

“I don’t always hire for the technical savvy,” Edwards says. “I hire for the characteristics of the individual we’re bringing into the COE.” Those characteristics include having the right mindset, curiosity, and a passion for providing digital solutions. Technical skills are still important, though, so, “We couple that with education so we can help them learn the tool sets, we can get them certified, and we can grow a career path for them,” she says.

Carrier flips that story with its Digital Technology Leadership Program, which hires recent graduates who have the technology skills but no work experience and puts them on three eight-month rotations through various Carrier business units to learn about the industry. “These are the top of the top kids coming out of school,” she says.

The final element in staffing up the US automation team is offshore: “We’ve got a hub in India where we also have a lot of our developers and technical architects,” she says.

Small changes, big disruptions

While Carrier’s microtransformational approach has paid off, the automation team’s interventions into the HVAC manufacturer’s business processes were not always well received, thanks to their fast pace in an organization more used to 18-month waterfall ERP projects.

“We were really aggressive about how quickly we wanted to turn solutions over, and we were very disruptive. That was another hurdle we had to overcome,” says Edwards.

What got the team through was the support of senior executives — “without that we would not have been able to succeed,” she says — and a willingness to compromise: “Everyone had what’s best for Carrier in mind. Coming to a process that could work for all parties was what made us successful.”
