Get Your Head Into Cloud Transformation

What is cloud transformation and migration? Cloud Security executive Partha Chakraborty tells all.


Description

Partha Chakraborty, security executive at Humana, joins host Amir Bormand in episode #230 of The Tech Trek. He and Amir explore the critical factors that contribute to successful – and unsuccessful – cloud security.

Show Notes

00:51 – Partha shares his perspective on what contributes to the successful adoption of Cloud security services.
09:20 – What is the “Fail-Fast” approach, and how does it apply to Cloud Security?
15:46 – How to keep matrix teams aligned on Cloud transformation projects.
22:48 – Partha offers his advice for dealing with common mistakes that companies make when adopting the Cloud.

Partha Chakraborty

Cloud Security Executive at Humana

Meet our guest

Partha has over 20 years of cyber security leadership experience in the financial services and healthcare industries. He is an active speaker and panelist at major cyber security conferences around the world, and is frequently called on for views and interviews by media outlets such as The Economist, UK.

Episode transcript

Amir Bormand: [00:00:00] Welcome to the Tech Trek, where technology leaders share their insights, experiences, and views. Every week, I bring you a new guest, and on today’s episode,

Partha Chakraborty: I’m Partha Chakraborty. I’m the Associate VP, Head of Security Architecture, Engineering and Innovation at Humana. And for those of you who are not fully familiar with Humana, we are a Fortune 40 health insurance company, and we operate both on the healthcare side as well as on the provider side.

Amir Bormand: Partha, thanks for being on the show. I really appreciate it. Uh, super excited to have you on. Uh, I know security is your background. We’re gonna be talking about some of the critical factors that lead to cloud implementation success and failure.

Uh, obviously security being the core component of that. Uh, I, I guess let’s maybe take a step back. Um, your background is with security. You work a lot within the transformation. [00:01:00] Give us some context in terms of, you know, when you look at cloud and security, what some of those projects look like.

Partha Chakraborty: So, uh, thank you for having me.

It’s my pleasure. And it’s a great question. Every company right now is going through a digital transformation journey, and cloud adoption is a huge part of it. Now, there are two ways, like, companies see success. Some companies are successful in their first attempt. And some companies are successful with multiple attempts, right?

Because they have to go through an iterative journey. Nothing is absolutely right or wrong; like, multiple attempts with fail fast is good enough. You see what works for you, what doesn’t work. And if you want to take another approach, that, okay, I want to take more time and analyze and see how others are doing, and then I will choose the best, uh, way for me, and then I’ll ensure that I’m successful in my first attempt.

That is also good enough. In my experience working mostly in the Wall Street financials and also right now with one of the, you know, top 50 Fortune healthcare [00:02:00] companies, the things that make or break a cloud transformation depend on three things. First thing is that we need to know why we are moving to cloud, right?

Is it that we are trying to consolidate our on-prem f., shut down our data center because we have a lot of rental property and data center cost is skyrocketing, and cloud makes it cheaper? In other words, saving money, right? Cost saving is the driver. Second one could be, where cost is not the factor,

are we looking to get a competitive edge where I will have better analytics in a fraction of a second or a millisecond, which my on-prem compute cannot provide, and I need to rely on a cloud provider? And the third one is that, is it, uh, innovation, right? There are a lot of things; in order to go ahead of the market, my on-prem infrastructure will not give me that agility or even the scale to, you know, [00:03:00] prove a concept, and that is why I’m moving to cloud.

Or it could be a combination of all. But until and unless the organization asks this question and decides what defines the priority, right? If cost is a priority, then there should be no way a company should move to cloud and later on realize, when the bills are skyrocketing, that, okay, this is probably not the right move or not the right tool, right?

So if cost is the priority, regardless, of course, of what the priority in cloud is, one of the things companies should do is to establish a FinOps model right before you go to cloud: start thinking about your consumption, having control over consumption. I have seen this movie way too many times, where, when we moved to cloud initially, we don’t think about it.

Let’s get the best service, best solution. Everything is available on the fly. And when the bills keep coming and we are going beyond our budget, then we start scaling down. Okay, stop the services, move back to the data center, don’t know what to [00:04:00] do because we don’t have money to pay the bills, right?

Either go and ask for more money from the board. And in that, there’s a challenge. You need to show value, and you don’t have enough applications moved to the cloud at that point of time to show enough value to ask for more money. It’s like a catch-22 situation. So one thing is that: establish a FinOps model where you have clear control over consumption.

You exactly identify the candidates which will move to cloud and why, and what is your success factor, right? Is your success factor moving those applications to cloud or modernizing those applications through cloud technology or something? So identify those and have a clear metric, and that will definitely guide you for a successful journey.

Second thing is that security should not be a bolt-on, because many companies could not even move to cloud even after months of prototyping and journey, because of security. By definition, there are two trains of thought. One group [00:05:00] of people will think that cloud providers like Amazon or Microsoft have more dollar power to have security in their environment

than a small or medium scale, or even large scale, enterprise which is not investing that much in security in its on-prem infrastructure. Yes, it is true. They’re investing a lot of dollar power. They have a lot of security things, but again, it depends on how you use them. They are providing a tool with lots of controls and checks and balances.

It eventually depends on the organization which is adopting it. Are we doing it in the right? Are we also not utilizing those tools, which may go against our competitive advantage and expose some of our critical, uh, you know, information and data? So that is why having the security team on board, having a clear security policy, standards, and architecture blueprints and patterns is paramount.

The sooner an organization can engage the security team on their journey [00:06:00] and can jointly define a strategy, the better, no doubt. And again, as I see, like, my favorite line is that I have seen that movie three to four times in the last couple of years. So I, I failed in many places where this was not done properly, right?

So that is why my recommendation to anybody trying to go into this journey is to pay, like, a little bit more focus and attention. Get the security person, uh, on the table. Discuss some of the things which are an absolute no-way, like, the security person will not allow, but you have some dependency; you need to have those services in cloud.

Otherwise, it does not fill in the puzzle. You want to move to cloud for better analytics, and out of 10 components that you are using out of cloud, eight probably are okay with some additional controls. Two are an absolute no from security. How do you move there? I mean, if you don’t use these two components, then you are not getting the actual product out of your investment, right?

So [00:07:00] what are the alternate ways? What are the compensating controls? In some cases, what is the risk that you need to sign off right from the leadership team and the executive management team? Those decisions, the sooner an organization can make them the better, to avoid those surprises. Then the second thing is the security team coming up with an architecture blueprint and pattern; that is paramount, because I have seen an organization moving to cloud.

You can move to cloud, you can come up with security controls or compensating controls. But when you are under pressure, when you are under a, like, scale challenge that you need to move X amount of applications, if you don’t have a cookie-cutter pattern blueprint, you just cannot scale and you fail, right, to deliver those things on time.

So that is why having a rock-solid architecture and the policy standard and the measurement tools, right, how you detect whether you are drifting from what you agreed upon to where you are landing, is extremely. [00:08:00] So eventually in any cloud transformation journey, right, the vision part is very critical. Unity of a vision, what you are giving to the organization, which is futuristic, and what benefits it’ll add.

Execution has to be flawless, with proper coordination, training, process enhancement, cloud-native services like FinOps and all those stuff. And then at the end, which is extremely critical, at least from a security side, because I’m a security guy, I can tell you about that, is validation. Without having the right amount of validation, many large companies having billions of dollars of security budget came in the news because of small issues that were eventually exposed.

So I know I touched upon many things, but to summarize: having a good objective, clearly identifying what we are trying to accomplish; establishing a true FinOps model; establishing, uh, early security engagement, with heavy reliance on architecture and standardization, that [00:09:00] gives vision, execution and validation.

The three Vs, as early as possible in the, in the adoption journey, is better. And, uh, that will ensure it’s a small journey for cloud adoption.

Amir Bormand: I appreciate that. I think that gives us, you know, a fantastic overview, um, of, of those critical components. You just mentioned, you mentioned something about the fail fast approach.

Um, so I guess, I guess two things around that. One, uh, tell us what you mean by the fail fast approach. Uh, I have a good thought of what it means, but I’d like to hear it in your words. But secondly, when it comes to security, the fail fast approach and security don’t seem to maybe go hand in hand for somebody just thinking about it.

So maybe just, uh, let us know what your thoughts are there.

Partha Chakraborty: Sure. So again, like, when I say, like, fail, definitely failing security in the cloud. Eventually you cannot keep your data, your Chrons, in the cloud. So the fail fast approach is: you start doing it in an [00:10:00] iterative way, like, do not have an end-to-end solution that, okay, I will build this thing, then normally I will do, because there are a lot of things which are based on assumptions, right?

Or even risk profile. So I would say, like, break your work into smaller chunks, like the way we do any Agile implementation, and, and, and celebrate success, the smaller successes as well, because the team, uh, your, uh, the, the vibe and the motivation is also important. So, break your work into smaller chunks.

See how it is working. Then go and do an integration approach. You may find some of the phases where it is not working, but it is still better when you are testing it out in a non-production or dev environment, when you fail fast, as opposed to investing, like, millions of dollars and signing off on a project, signing a vendor contract.

If you’re trying to do it in an iterative way, in a non-production and test environment, and you see that there are some gaps which are not working according to your assumptions, that’s probably a better way, where you can put [00:11:00] a pause and try to look at what are the other options, like a plan B or plan C.

Usually whenever we come up with something, plan A is a little bit risky because you are relying on a single point of failure. You already have a plan B or plan C, but failing fast ensures that you also evaluate those plan B and plan C with alternate controls or your assumptions before you move, uh, move everything to production, where you don’t want to find those issues in production. Now,

what I mean by fail fast is that during that iterative approach, identifying and testing and validating all the assumptions. Even if it fails, no issues; you have a plan B or plan C, or at least, worst case, if all the things fail, you are protecting the organization from making a bad decision of investing or moving something which could

turn out to be a disastrous, uh, investment, right, in the, in future or longer term. So that is what I mean by fail fast: definitely not failing or keeping a gap in [00:12:00] security in production, and then waiting three months to figure out how we make it work; rather, prevent that scenario in production.

Amir Bormand: And in that case, I mean, how does the interaction with the other teams work?

Right? So obviously the fail fast approach. Are you pulling in other teams in that, in that approach? Is this more, you know, items and tasks, projects that security is responsible for only?

Partha Chakraborty: Yeah, so I would say, like, for a successful cloud transformation journey, creating a matrix team is absolutely paramount, right?

There should not be a separate security Agile dashboard versus an architecture dashboard versus a network versus a development dashboard, right? It should be a common Agile dashboard where you pull in resources and SMEs from different areas and create those, you know, pods or matrix teams, and they eventually work on a single Agile dashboard, which is outcome-oriented.

One of [00:13:00] the things that I have seen: Agile has a lot of great things to offer, but a lot of the time it also depends on how people use it. There are two things for any successful execution of any initiative. One is your capacity, which also translates into your efficiency: do you have enough bandwidth to deliver that work?

And then the second thing is that whatever you are delivering, is it adding value to your target state, right? In other words, my project is to paint one wall, right? Eight by eight wall, and my end goal is that I want to paint it red. Right now I can break it down into multiple sprints and, you know, multiple smaller chunks of work.

And the team, where one team is going to, you know, buy the paint from Home Depot. Another team is going to, you know, prep the area with all the, uh, you know, the coverings and all those stuff so that the paint spill does not, you know, like, mess up your carpet area. Then another [00:14:00] team is going to do the painting and all those stuff.

Now the question: if you are not selecting the chunk of work which adds to that actual outcome, how do you align your work to the actual outcome? Then it’s very easy in Agile: you get a lot of PowerPoints and dashboards and reports which show you are hitting a hundred percent of your capacity. You are meeting all of your story points and, uh, epics and features.

But if those are not aligned to your target state, you spent three months and at the end, is the color red? No, only 20% of the color is red. The remainder is still empty. Nobody painted it. So that’s what I mean. It has to be a matrix team, getting resources from all different areas. There should be one Agile team with all the coaches and Scrum masters and all Agile roles.

Look at the single board. Create all of your estimations. Do not go by just the story points telling you how effectively you’re utilizing. Rather, think about the efficiency of an engine. If you [00:15:00] can put more miles per gallon, that’s better. That means even if your story points are less, still you are achieving the outcome.

I am painting the wall red. That is what we would like to do. So again, to summarize, you have a great question. It’s a collaboration between multiple teams, and at the end that feeling of reporting structure has to go away. It should be the new cloud team which is delivering; they may report to different HR hierarchies, but at the end of the day, this matrix team

has to deliver, looking into one single work board or work visualization board.

Amir Bormand: Absolutely. I, I guess this matrix team, uh, you know, working and implementing the security the right way, as you described, when you’re thinking about the work that they’re doing, right, you’re pulling people from other teams. Um, they’re coming together on this specific project.

How much of the tooling that goes into place from a [00:16:00] security perspective are you worried about, in terms of adoption, in terms of learning curve, in terms of all those different things, as these matrix teams are coming to work together on a, on a security initiative?

Partha Chakraborty: Yes. So that is always the challenge, and, uh, but again, like, when we go with the standard, so we will have a tool set which is approved to be utilized, right?

So there’s a bit of training involved, right? We need to build more security champions, because no organization has enough security resources to support each and every development initiative. We need to transfer that knowledge. We need to build that awareness in the development community, which we call, like, a security champion.

We train the development team on what they could do to have a security-minded or security-focused, uh, thought process, right, when they’re coding. On top of that, we put in all the checks and balances, and we use something called, again, it’s the buzzword, shift left, which [00:17:00] means take security further left of the platform, at the entry point, the tools or integrated development platform, say somebody is writing in cs, right?

Or using a Microsoft platform to write the. If we can have the right amount of plugins or security tools incorporated so that while the developers are coding, if they’re making a syntax error or something which can open up severe security flaws in production, it can immediately give a pop-up: Hey, this is something you should do differently.

So we start our security journey from that point, integrating with the development. Then once the code is ready, they need to push the code to a pipeline to basically build something, integrate something. Then we integrate our security controls in the tool or in the pipeline where they’re packaging, or it’s moving on the belt throughout the process.

As the code moves from one phase to another phase, we have the security tool which is checking at each and every step. And we have defined policies. Even if we do not detect something during [00:18:00] the writing process, if we detect something in the, uh, your pipeline, and it violates the policy, we stop that code from going into, uh, production so that it cannot cause an issue.

So that is from a tooling perspective; these are all standardized, and every developer should be given enough training and awareness on how to call those tools, how to use those tools, just to ensure that after spending, like, a month, month and a half of effort, at the end of the sprint when they’re going to deploy their.

There is no surprise coming from security that a tool is blocking their code. Right. That effort should not be getting wasted. Right? So that’s how actually we ensure it doesn’t matter, like, whatever tool team we bring in, we do that basic security training, build that champion program, do the tail training.

We incorporate security in the process. We train the developers how to utilize or even how to read those security outcomes. If something is getting failed, whom do you need to [00:19:00] contact to either identify if it can be created as an exception, or truly you need to rewrite, recode, whatever it is. So that training is essential.

Otherwise, they’ll be clueless when they encounter a security blocker, uh, in the middle of.

Amir Bormand: I guess, you know, we started the podcast talking about some of the critical factors of a large scale initiative you went through and, and really provided some, some great bullets as to some of the major components.

When you’re thinking about, down at the project level, some of the critical factors for the actual project to be delivered, obviously within the bigger scope of the security program and implementation, and you’re pulling in various people, they’re matrixed. What are some of the common, those, those on-the-ground, day-to-day factors that you need to keep track of?

Cuz obviously, you know the North Star, you know, there’s these critical factors to making sure that you’re aligned [00:20:00] to that. But day-to-day in the trenches, that’s a different, that’s a different level of, of granular, uh, c.

Partha Chakraborty: Yeah. So one thing which is critical on the day-to-day thing is that, first is that we need to ensure we communicate clearly regarding what is the objective of each and every, uh, piece of work that the teams are working on, right?

They need to see the big picture. What is their input? What is their output? How, and how it integrates with the rest of the. Are we building an elephant or are we building a horse, right? If we have the Lego blocks, now, once we give them the Lego blocks, we need to paint that picture. This is the outcome. I mean, until and unless we achieve that, the work will not be complete.

And also at the same time, there needs to be some empowerment. I mean, we need to, basically, within defined boundaries, right? We cannot be, as the leaders, involved in day-to-day decision making. First, it is not good for the morale of the team, and it is not building the next [00:21:00] generation of leadership.

And it slows things down. If I insert myself in a serial fashion into each and every small-scale, team-level decision, then we will not be able to build that big thing right on a timely basis. Empowering the team within that limit: what is their authority? What is their responsibility? Making it clear, and at the same time, communication.

Right? Even within the team, there are a lot of decisions they’re taking. If, internally within the team, the rest of the team members are not very clear why they’re making the decision, or if they find any issue, they’re not able to stop that decision, right? Or in some cases, things need to be escalated to the leadership team, right?

Hey, we encountered this. We are doing this thing. I don’t know, if you do that, then the horse may be, you know, tilted, right? Whether it will be, like, meeting your requirement, or now we need to do something differently, and if we do something differently, then that is the overall impact to the scope of the project.

Now, are you [00:22:00] okay to take that, you know, scope deviation or timeline deviation, or even budget deviation from what we planned or what needs to be done? So those are some of the things that we need to get involved in. But overall, showing the North Star and explaining what they’re building. How, what should be their input?

What is their output? What they’re accountable for, what they’re responsible for, and what is the expectation on reporting and communication have to be made very clear. Once that is clear and we have the tools where we can produce the dashboard view, we can see, like, which one is red and which one is green, and focus on the things which are red.

Allow the green things to move faster. We don’t want to insert ourselves as a blocker, rather truly act as an enabler. I think that is what is needed, uh, on a day-to-day basis.

Amir Bormand: I guess a, a follow-up question for you. Um, now you, you’ve seen a lot of these, you know, you, you’ve seen these movies played several times.

It’s not your, not your first time. If you were giving advice to someone trying to [00:23:00] stand up a security program, and the area that is the most vulnerable, the area that typically might be susceptible to being the failure point, is there a particular area that you could pin?

Partha Chakraborty: So that’s actually a great thing. In the last three jobs that I did, I actually had to build a team.

And it’s a combination, wherever you go and take responsibility. It’s a combination of identifying, uh, training and enabling, right, uh, the right talent from internal within the. And also identifying the gaps, right? There are some skills which are not trainable. You have some of the resources who are doing something; you can elevate them to a certain point, but after that, probably it’s beyond that and you need to get some additional talent.

So building that combination of external versus internal talent, because if you fill up the team with all external resources, the [00:24:00] morale is really bad at that point of time, and the collaboration really goes. At the same time, if you just go with the internal legacy team where there are known skill gaps and talents, then you’re going to hit the roadblock at some point of time for sure, that this is your maximum runway.

You cannot go beyond that with this team. So build, identifying which talent is critical for the success, what talent we have, what talent can be trained, and what has to be insourced or from outside, or in some cases some outsourcing, right? A short-term consulting or, or, or something with the companies; identifying that is very critical, and having a plan of action, right?

How we execute. The sooner we identify the gap and have a plan and start executing on it, uh, the better. Right. So if you’re asking about a vulnerable area, talent is one area which is the most important thing, and it is the most [00:25:00] vulnerable at times. And the reason being, it’s a delicate balance, right?

You need to have the team trained; at the same time, in security, because highly trained security people are in so much high demand, there will be attrition. People will find other career opportunities and jobs. How you can refill those positions, or how, what is your vacancy fill-up rate, is also an important thing that you have to, uh, care about.

And, uh, to, to, to summarize my thought, I would say, like, talent and skill is the most important thing in security. And having the right mechanism to have the right talent and team all the time you need during your project is the key to. I don’t see, like, any particular area that, okay, it can be identity and access management or cloud; all, all have their own challenges, but with the right talent and the right process, you can deliver it, [00:26:00] right?

So I, I’ll put, like, talent as the prime area to focus on, right, in my, uh, list of things.

Amir Bormand: Yeah, that’s a, that’s, that’s, that’s a great point, cuz we always hear about talent in security and, and just the, the challenge around that. So that would make, make a lot of sense. Partha, I was gonna say, your views are awesome.

Um, I appreciate you spending time with us. Uh, I, I could keep asking you questions, and I think we could find, uh, amazing areas to dive into, but I know you gotta get back to your day job. So thank you very much for being on the show, for sharing. I really appreciate it.

Partha Chakraborty: Thank you very much. I really enjoyed this conversation. Thank you, Amir.

Amir Bormand: Absolutely. I guess before I let you go, I always like to finish up with, uh, a couple of questions. One is, um, if you could ask, uh, the next guest to answer a question, um, that might be interesting to you, or cover a topic for you, uh, what, what would you, what would that be for you?

Partha Chakraborty: For [00:27:00] me, it’ll be the foundational thing, which is a good strategy and architecture.

There is no clear answer to architecture done well; like, there are different definitions of architecture. People do reference architecture, blueprints, patterns in different ways. They have a different lifecycle and target process and checks and balances in that architecture. But, uh, I have some things, some ideas which I implemented in my, uh, company, but I would love to hear

the perspective from the industry on how to do security architecture right. Uh, what is the core objective? What are the critical success factors? What are the challenges, and how can it be done right?

Amir Bormand: I like that. That’s a, that’s a great question. Um, good topic. Hopefully we’ll find somebody to, to address that.

Uh, second question is if somebody wants to reach out to you, talk to you about anything you’ve mentioned on the [00:28:00] podcast, what is a good way of contacting you? 

Partha Chakraborty: So I am an active LinkedIn, uh, uh, person. So LinkedIn is the best way to reach out to me. I mean, I, with corporate email, there could be some technology.

Sometimes it may decide it’s spam and block it, and Gmail also, like, sometimes things end up in different places. But LinkedIn so far is pretty accurate. I am pretty much, like, 14 to 16 hours a day, I’m responsive on LinkedIn, so anybody can reach out to me on LinkedIn, uh, search my, my full name, Partha Chakraborty, and search with Humana, and they will find me.

Amir Bormand: We’ll make sure to include that in the show notes. Again, thank you again, Partha, for being on the show. I appreciate it.

Partha Chakraborty: Thank you very much. It was really nice talking to you, and thanks for, uh, inviting me. Thanks Amir. 

Amir Bormand: That’s it for this episode. I’ll be back again with a different guest, a different topic. Until then, please like, subscribe, share, leave a comment wherever you are watching or listening to this episode.

I can’t thank you enough if you do. Until [00:29:00] next time, thank you and goodbye.
