Gary Reiner served as CIO at General Electric for the better part of 20 years, and he’s now an enterprise technology Operating Partner at General Atlantic, a leading global growth equity firm. Reiner sat down (virtually) with Greg Keller, Chief Technology Officer at JumpCloud, to share his unique perspective on the massive fundamental changes caused by the COVID-19 crisis and how they relate to the larger-scale evolution of tech in business in the cloud era.
Reiner brings both a historical and current perspective on IT, and on the way companies are leveraging technology to build better business practices. He’s advised global enterprises and hyper-growth startups, translating strategic approaches between the two for the benefit of each. He’s navigated historic market disruptions before, and as an Operating Partner at General Atlantic, he’s able to see in real time how a wide range of companies in the portfolio are handling this one.
You can hear more about Reiner’s history at GE, what he learned working with the late legendary CEO Jack Welch, and how his current interests evolved in a separate comprehensive interview with JumpCloud, from fall 2019.
Keller: It’s March 2020, and we’re all in a state of newness brought on by the coronavirus pandemic, which has affected lives everywhere around the globe. It’s a new world order, one where we as global citizens, let alone citizens of our companies, need to show up and stand up. And now is the time to get work done and to keep people focused and motivated.
At JumpCloud, we’ve been thinking a lot about the modernization of IT, and how companies could better support folks working remotely or disparately. We’re thinking about this less with the global pandemic as a forcing function and more as this is just the way of the future. So let’s talk about that as our first topic, what we’ve been calling the future of work.
Out of the changes that orgs in your purview are implementing in the short term because of this global pandemic, what do you see sticking in the long haul?
Reiner: It’s the right question. What stays and what goes back to the way it was?
If you go back in time to the early 2000s, many people attribute some of Alibaba’s early success in China to the problem of SARS. People had to stay home, and all of a sudden they had to figure out new ways of buying and selling goods. And if you look at the 2008 financial crisis, people were trying to figure out how to get around, and some attribute the early successes of Uber and AirBnB to that. There are obviously other factors that create success for all three of those companies, but it’s clear that during times of shock and times of recession, new business models come out.
It’s hard to know exactly what those new business models are going to be right now, but there’s a good chance that we’ll see some develop. One way to think about what this is doing to the world of business is that it will actually homogenize what many people have already been doing in terms of using technology to make them more productive.
Think about e-signature: Some companies use it, some individuals are comfortable with it. When you’re remote, suddenly it’s the only game in town. E-banking more generally, too. Where many people have still been going to bank branches, digital banking now becomes the only way. Another example is telemedicine, remotely connecting providers with patients that need both physical and mental/emotional help. My guess is that usage of these services will surge as a result of what we’re going through right now, and that will actually grow those businesses in the long term as people get used to using those kinds of services.
The broader point is that this equalizes the use of digital technologies that many people, but not necessarily most people, had already adopted. More people are forced to start using these technologies now, and then over time they will enjoy the benefits.Gary Reiner
Keller: Interesting perspectives. The Uber and Alibaba stories are very emblematic of crises forming new ways of thinking about business.
Reiner: No doubt. The author William Gibson had a great quote a while ago: “The future is here. It’s just not evenly distributed.” I think this event ends up evenly distributing productivity technology across the entire workforce, globally.
Keller: Great point. Let’s get deeper into the specifics of IT now. What do you think are the most beneficial steps an org can take to modernize their IT? And again, you can look at that in the lens of a global pandemic or not.
Reiner: I think about the use of technology in one very specific way: it’s about a given business’s key processes, especially the processes that face customers or consumers. If you have the fastest and most defect-free business processes, and you have spent the least amount of money on technology to get that done, you’re among the most successful companies.
It’s not often easy to spend a small amount on technology and get perfect business processes. There’s a concept called straight-through processing that many financial services companies use to define what percent of all customer and consumer interactions are done completely digitally, without any human intervention whatsoever. The companies that have the most digitally intensive businesses, meaning they require the least amount of human intervention, are able to delight customers and consumers the most and drive the greatest productivity inside the company as well. That’s a theoretical statement, but that is the framework with which to look at all technology investments: Are you allowing the best cycle time in front of stakeholders, with the least amount of defects?
Keller: Agreed. I’m going to add one small thing in there that runs through all of that, especially with straight-through processing: security. You can’t compromise it.
Reiner: Obviously, all of this has to be incredibly secure. And there’s a view that I have and others share as to how the whole security approach is in the process of changing. People have different names for it. Some, like you, call it domainless. Others call it zero-trust. The problem is that no matter how much effort you put into controlling the perimeter, controlling access to applications and running software that detects inappropriate or surprising network activity, even with all that, companies still get breached.
At its core, the right way to think about security is to get to the point where all of your permissions and policies are at the data level, and all of the validation of user access is being done with equal effectiveness across the board.Gary Reiner
So if Greg is the only person allowed to decrypt certain data, then the only thing you need to do is be sure that Greg is who he says he is. Now, whether that requires two-factor authentication, three-factor authentication, or five-factor authentication, the ultimate security is to have policies established at the data level in terms of who can do what with the data, and then guarantee that people are who they say they are.
Keller: Absolutely. You hit sort of a passion point of mine. Let me nudge at the concept that you brought up, which is the domainless enterprise. It’s one of the ways the modern world has effectively scuttled the old way of thinking. 20 years ago, you walked into a brick-and-mortar office and sat down at your desk with a computer in front of you. That computer was tethered through an ethernet cable to some central location there in the office that gave you access to stuff. It was the world of the domain controller.
Now fast forward, and you can pick up your machine and walk to any place on Earth with it. With no office around you, on a mountaintop, you start to compute. That’s the domainless enterprise, and that’s the current reality.
So here’s a two-part question: What do you see holding companies back from moving in this domainless direction, and what do companies need to do to evolve to the domainless enterprise faster now that we’re hearing, “You can’t work in an office anymore because it may kill somebody”?
Reiner: I think right now we’re seeing parallel efforts. Large and medium-sized enterprises are still employing perimeter protections, still doing endpoint detection and response and network detection. At the same time, they’re beginning to employ data policies, which is a newer concept. But the companies doing that have not shut down perimeter controls, application controls, endpoint controls, or network controls. It’s going to take 5-10 years before people are comfortable strictly using data policies and multi-factor authentication.
And to be clear, it’s not like multi-factor authentication means we have to put in five different passwords. There are so many ways to authenticate someone where he or she doesn’t even know it, without it being a hassle. It could be where you are and what time you’re logging in, or the way you hit your keystrokes. It could be your grammar. As we do more and more video conferencing and everyone has cameras on them, I’m certain facial recognition will become one of the easier and more common factors of authentication.
Keller: Absolutely. Let’s focus specifically on devices now. If we agree that remote work will become more widespread in organizations after this pandemic, we have to look at ways to get faster and make it easier to onboard employees. When you work from home, you’ve got a connection to the outside world through your internet provider, and then what does your company provide you? The machine; the device. That’s where your work happens. How do IT organizations maintain the same level of device access control for remote workforces?
Reiner: I think it goes back to having a great directory, because it’s in the directory that all of the provisioning happens in terms of, say, Greg can have access to one application but not another application, and within one application he’s allowed to do this but not that. For all of those things you need a great central directory to be able to bring people on board quickly, and it needs to be something that is easily managed, one version of the truth, one directory across the entire organization.
Keller: We’re now in the process of teaching the world that centralized access control is critically important. It can be secured and done fully from the cloud. Now think about the concept of what a directory does: It provides access control. But where does that happen? On devices. The machine should begin to dictate a lot of the security of its user from the moment they enter it. Where on Earth is that machine, and does its location start to influence resource access or other mechanisms of verifying the user’s identity?
Reiner: No doubt. And it’s not just identifying that the device is your device and you are who you say you are, it’s also making sure the device doesn’t have any viruses on it that are going to get in the way once it connects to the network.
Keller: I totally agree. We have this working philosophy: right user, right location, right security, and right resource access. When you put those things together, you can develop a posture score on all of those ingredients, and if they check green, you’re good to go. If one of them is a little out of line, what does the rule need to do in order to either deny access or continue down a verification path?
I want to get a sense of your views on a couple more things before I let you go. As companies are going through this period, should they be investing in new services and apps in a time when finances are clearly going to be scrutinized, and is there a playbook?
Reiner: It’s not even a matter of should they, because they don’t really have choices. What happens in times like this, as you said, budgets get slashed. Every budget, every function. The functional leaders and the business leaders are just trying to breathe with their much lower budget. In the normal world of technology, you’re making some investments for the long-term health and hygiene of the company, and some for the short-term paybacks. In this world, you can only make investments that have short term paybacks. And let me be very specific: If it doesn’t pay back this year, it’s probably not going to get done, because people have new budgets now and if they find some software that allows them to eliminate cost this year, they will pursue it. If not, they’re going to have a hard time doing it.
Keller: That’s right. We watched our finance team deal with this. We run a very tight ship, but this is a very different situation, so within 72 hours we refactored things. We revisited and scrutinized areas of the budget in order to do exactly what you say, to ensure we’re as cost-effective as possible.
We’re also looking at vendor consolidation. Our own two-person IT team doesn’t want to have six different types of products when they can look for a single solution, and perhaps they’re missing some of the features, but the cost differential does not justify having six different tools when you can find one platform that can do almost everything.
Reiner: When you have multiple tools, you need multiple people to manage them. And so the overall costs are lower if you can consolidate around one solution for most of the feature functionality that you need.
Keller: And to continue with the six different tools scenario, that means you have six different operating experiences. It’s six different conversations with vendors, and that puts weight on your finance team to get their job done. The impacts are not just the features, but the totality of how the software presents itself across an organization. For our readers out there, this is our tactic, our playbook. We’re eyeballing everything to see where we can consolidate. So yeah, this is real. This is the new world order.
Reiner: This is the new world order. Hopefully not for very long.
This document is not research and should not be treated as research. The views expressed reflect the current views of Mr. Reiner as of the date hereof, and may not be the views of General Atlantic, its affiliates or its portfolio companies, and neither Mr. Reiner nor General Atlantic undertakes to advise you of any changes in the views expressed herein. Opinions or statements regarding macroeconomic or financial market trends are based on current conditions and are subject to change without notice.