How can senior IT executives best deal with the increasingly complicated nature of managing IT operations? The ever-growing demand for computing resources, the expanding complexity of computing environments, and the critical shortage of experienced talent are all seemingly conspiring to derail the C-Suite’s best laid strategic plans.
Alessandro spends a lot of time working on these issues as part of his role at Red Hat. He believes that the proper alignment of automation, public cloud infrastructure, and shadow IT are the key to solving this 21st-century challenge. Alessandro also has a unique recommendation for CIOs, CTOs, & CISOs on the #1 thing they should do to prepare their personnel for this rapidly shifting landscape.
Guy: Welcome everyone. We have another great guest for this edition of Intelligent Automation Radio. Joining us today is Alessandro Perilli, the general manager of Management Strategy for Red Hat, who are, of course, best known for the Linux distribution of the same name, but they do lots of other things too. Alessandro is focused on long term strategy for the company’s efforts in automation, artificial intelligence, and IT security among other things. All of these are topics this podcast is very focused on as well. He is a highly regarded expert on cloud management and virtualization, and is a frequent speaker at major industry events.
Alessandro, welcome to Intelligent Automation Radio.
Alessandro: Thank you. Thanks for having me. It’s a pleasure.
Guy: Your name really rolls off the tongue, and it’s fun to pronounce, so I may be saying it quite a few times today.
Alessandro: That’s fine. No problem.
Guy: Alessandro, before you became general manager of management strategy for Red Hat, you were a Gartner analyst in charge of cloud computing and automation for over three years. During that time, you no doubt had numerous conversations with high level IT executives from large enterprises around the world. Could you please share with the audience what you would tell organizations are the top 3 reasons they should consider automating their IT service, Cybersecurity, and DevOps operations?
Alessandro: When I was with Gartner, I started almost seven years ago, and that time was very different. The kind of environment that we are was quite a different situation compared to now. The public cloud computing was starting to emerge and now it’s a reality, well-established one, and so the kind of advice that I have for top executives in large enterprises at that time is kind of different than the one that I would have for them today. If this is a question for today, as I think it is, the answer is there is just one answer, which is you technically have no choice but to automate, to cope with the scale and complexity of very large environments that the environment that exists today.
I’m not talking just about public cloud environment. The facilitating large scale deployment or workloads because the infinite elasticity that they offer at the relatively cheap price, but also because even when you are on premises in private cloud infrastructure or in a hybrid cloud IT environment, you start to shift from traditional monolithic application architecture to more aggregated ones, and so you start to go for microservices architectures and cases supported by virtual machines, but then containers and then eventually [inaudible 00:02:51]. So even within the same single application, you start to have a lot of moving parts and there are a number of complexities that are related to provisioning those parts and then be sure that those parts are properly configured and updated and patched and retired and replaced and so on.
And then you need to multiply that single application architecture that has become so complex for all the other applications that you have in a public, or a hybrid cloud environment. To give a sense of the scale, that this is something that any CIO in a large enterprise knows already, the average size of an application portfolio in a large end user organization like the ones I used to consult for when I was in Gartner, is of over 1,000 applications. Now, this over 1,000 applications used to have a monolithic architecture with just three peers, right? The web frontend, the middleware, the backend services, the database, and that was it.
Now is that you move from those three tier architecture to seven, eight, 9, 10, 20 containers in a microservice architecture. There’s an explosion of components, and then there is the infinite scalability I mentioned before that forces the use of automation. There is no chance that a human operator, no matter how skilled, no matter how well paid, can possibly cope with that level of complexity. This is the number one, the only piece of advice that I feel it’s really necessarily [inaudible 00:04:39].
Guy: Yeah, that’s something that we talk about all the time here is that people don’t scale very well, and that’s why automation is really the only practical alternative to dealing with the complexity, the explosion in demand for computing resources, et cetera. What are the big challenges you see today in automating IT and Cybersecurity environments?
Alessandro: Cyber security is a very special, I would say, layer or corner of the whole IT organization and the computing stack. There are at least two major issues that I see today, and in my role, I talk to a lot of organizations about automating security. The number one is that if you look at the security ecosystem as it is today, you see that there is a massive, unprecedented amount of security solutions in the market, not just from established vendors, but also from startups that they merge in waves every year.
The amount of capital that is invested by venture capital firms into the security industry is reaching unprecedented peaks. We’re talking about almost four billion, according to the last research by CB Insights. This amount of capital to build new solutions corresponds to an enormous amount of spending on the end-user organization side. We’re talking about something close to $100 billion spend on security solutions. Now, I used to be in security when I was very young at the beginning of my career, almost 20 years ago. You would expect that since then, a lot of the problems that existed at that time has been solved, it’s been addressed, and are pretty much solved problem from an engineering standpoint, but actually, it’s not the case.
You would expect that the ecosystem would have consolidated compared to those times, and instead, no, the ecosystem has grown and grown and grown, and it’s exploding in size. You will lead to think that, “Okay, there is this explosion of vendors. This is the injection of capital. This is a massive amount of spending. These solutions are all for new problems that emerge as we got to deal with new technologies, but it’s not even the case. Quite the opposite.
The problems that we’re trying to solve with this new wave of solutions are always exactly the same that existed 20 years ago. There is an inherent inefficiency in the way the security industry is doing things, that it’s not being fixed by any of these new wave of startups that promise to disrupt the space. Quite the opposite. If you look at Gartner surveys or IBM surveys or all sorts of … [Silent 00:07:38] surveys, all sorts of companies, from all different corners of the IT industry, they all confirm that a chief information security officers are more and more concerned about their capability to secure, to protect the environment, to respond to attacks. This is getting worse. A lot of them complain that they don’t have enough security personnel to address this.
A lot of them lament that the intensity of the attack increased, and the time to respond to the attack increased as well. Why is all of this? There’s always a number of concurrent factors like in a very complicated situation, but I personally believe, and this is the first, of the two main problems that we have today in cybersecurity in terms of automation, is that when you look at the ecosystem, these vendors, the solutions don’t integrate with each other. They just don’t. They don’t talk to each other in any way.
Yes, there are minor connection, integrations between one or two solutions provided by the same vendor or there might be integration between two different vendors at the site to get to win a partnership before a limited amount of time because it’s a marketing effort, but that isn’t [inaudible 00:09:05] not universal integration like … And the standards that are being provided in the past didn’t have any market traction to the point and now we have a new wave of standards that are trying to solve the problem. This is a never ending cycle of attempting to solve the problem, which is clearly not working. This is number one problem. The biggest one problem is that even if you want to automate the security industry, those tools don’t integrate with each other. The solutions don’t integrate with each other. That is the first problem to solve.
The second problem is not technical, it’s not standards, it’s nothing to do with the industry per se, but it’s cultural. Security professionals, and I come from that world, so it’s a very familiar to me, they’re just very, very, against automation. There is a general mindset, that is we’re not gonna automate security because if things can be blocked, mission critical services and systems could be just stopped and somebody is gonna complain, and we don’t wanna get into the sort of liability responsibility and so on, which is insane. It will be like AWS, Amazon saying, “We don’t run automation with AWS. We prefer to do things by hand because we don’t trust automation.”
They will never reach the scale that they reach. But Amazon.com, in terms of warehouses, for example, for the Red Hat part of the business, and in terms, of course, of cloud computing. This is just untenable, so the mindset to the security professional has to change and has to evolve to accept and embrace the fact that at this scale, at this level of complexity, the only way is to automate the security layer just like all the others have been automated. Compute, storage, networking, all of them, security is the last one, and that has to change.
Guy: I think with the others, there were also some resistance at the outset but I think with security, there is a more pronounced problem and that is that according to various surveys and studies by 2021, there is gonna be somewhere around three and a half million unfilled positions in security, and you’ve just … In the next three years, less than three years, you’re simply not gonna find enough people to get trained on the complexities of security in that time period, so the only solution is to automate a lot of the work that those people need to do.
Alessandro: Absolutely, but even if we would have enough skilled personnel that is available to do those things, you will still not be able to cope with the speed. So far, I’ve been talking about scale and complexity, but there is a third element, a third dimension, that we’re getting into play very soon in the near future, which is the speed. What happens when artificial intelligence is used to drive these hacking attempts? These attacks. At what speed are the attacks and variations of the same attacks all around the world are executed if it’s an artificial intelligence that is driving that kind of effort? How a human, no matter if there are enough humans, but how a single human can cope with that speed? That is beyond the possibilities that any of us have, and so the only possibility here is that we go for automation, regardless of the personnel availability.
Guy: Yeah, that’s another thing that we tell people as well is that the attacks being launched against you are usually automated, so shouldn’t your defenses be as well?
Alessandro: Mm-hmm (affirmative), absolutely.
Guy: What do you feel then are the top skills a CIO or CTO or chief information security officer should encourage their staff to acquire in preparation for implementing automation in their environment?
Alessandro: There are at least a couple of aspects that are connected to each other. The first one is that in my experience at least, a lot of the security professionals, but also the traditional IT operation people, that might or might not be involved in security, don’t have a sense of operations at scale. I have a certain size of data center to deal with but it’s nothing even remotely close to the size of an AWS or an Azure or Google Cloud and even the smaller public cloud service providers.
A top skill to acquire for all these professionals is to start to understand how things change at scale. What does it mean to rethink an operational framework or a security framework at the scale that we are about to face or we’re facing already. That is number one.
The second aspect is that connected to this, is that I saw a lot of security professionals looking at automation as a very tactical tool, as a system that can in a very small pockets and limited fashion, try to be used to solve a minor task in the security analysis process. That is, I believe, limiting the possibilities that automation offers in security. My recommendation will be to shift in thinking from thinking security as a tactical tool and thinking more in terms of strategy. Automation, part of the security framework being used systematically and in a pervasive way throughout all the different operations that a security team performs during the day, could really make a difference in terms of the approach and the posture that the team has towards the discipline.
Guy: In kind of a related question to that, what’re your thoughts about general purpose automation platforms versus function specific automation platforms? Specifically for IT process automation, specifically for cybersecurity automation, specifically for DevOps?
Alessandro: This is a topic I’m extremely passionate about because I saw through two decades of career with Gartner, before Gartner, now after Gartner, I saw exactly what happens with customers, no matter how skilled they are, are put in front of general purpose automation tools or platform or frameworks, call it the way you want. What happens is that when these tools, and not just these tools by the way, any sort of IT tool kits that has general purpose capabilities suffers the same kind of issue in my experience, and it’s this.
When customers are put in front of those general purpose tools, and they come to the table with a very specific use case or two, three use cases in mind, and they’re being offered something that in theory will solve all those use cases because the general purpose nature of the platform is such that it can be adopted to solve different issues, but in practice this general purpose platform is not excellent at any of those use cases, and requires quite a lot of effort from the end user organization side in terms of crafting and adapting into the specific the business needs that they have with certain use case A, B, or C.
Customers struggle to see the immediate return on the investment, and the actual value of general purpose platform. They very much prefer, even if in theory it’s counterintuitive that when they ask logically what they prefer, of course they prefer a general purpose platform because they think that they can return on investment in a lot more use cases. There’s a bigger return, but in practice, they always go for point solutions. They tend to prefer point solution. This is the same kind of approach, if you think about it, that you would have in your home repair on a Sunday morning at home kind of routine.
If you’re doing some sort of home fix of any sort, you have two choices. You go for a Swiss Army knife, that is a general purpose toolset or you go for highly specialized tools that are more efficient to solving a problem. A hammer, a screwdriver, and so on. Why does it that humans always go for the specialized tool rather than just buy and use a single general purpose platform? The reason is that we tend to think in terms of what is the most efficient tool to get the job done? No matter if that fills the drawer and takes all the space and it costs probably 10 times more than a general purpose platform, we tend to go in that direction. I saw over and over and over in my career in IT, general purpose technologies and approaches failing over a long time for a lack of market traction for what I believe is this reason.
Guy: Touching upon the issue of the talent gap and the skills shortage, I wanna change gears a little bit and ask you about chat bots, which have become very popular lately as a new channel for IT organizations to deliver automated self-service. What do you think the future looks like for automated self-service versus the traditional way of delivering support via service desk?
Alessandro: This is an interesting question, and I have very strong opinion about chat bots in general, not necessarily popular opinions, but these are also two questions in one. One is the future of self-service provisioning and another one is what the chat bots, what kind of market opportunity is there for them? We saw an explosion in the industry regardless of automation, regardless of cyber security or IT operation in general chat bots had quite the momentum in the last few years, but then now we’re seeing a lot of companies that were offering these solutions just stopping it, so I think Facebook is one of them. There were a number of news in the market recently about the fact that chat bots didn’t create that kind of strong momentum as was initially expected.
What’s the reason for that? In my opinion, chat bots are just frontends. They’re not really solving the behind the scene problem, which is how do I automate a number of processes in the most efficient way, that it’s not complex. That it’s manageable. That it’s documented in a way that doesn’t require extraordinary amount of efforts in terms of integration & customization. They are frontends. They leverage artificial intelligence to do natural language processing, and they are in theory meant to simplify the interaction with the customer, but the problem is that the level of technology maturity that we have today is far, far, far away from what it’s supposed to be.
I am an Amazon Echo customer, and so I use Alexa all the time to do all sorts of tasks, and I’ve been doing for quite a few years, and I tried all the other assistants that exist on the market. I have to say that there is a massive gap between what the state-of-the-art solution are doing today in terms of natural language processing versus what is in our mind after watching series like Star Trek: The Next Generation, or movies like Her, for example. It is so far away. The chat bot per se is not yet going to give you that extra help that we hope it will in one day, in terms of simplifying the interaction with the automation layer for the provisioning of whatever we’re trying to provision. This is first part of the answer.
The second part of the answer is, “Okay, what is the future of self-service in provisioning the orchestration & all the other things?” I see, and I’ve been seeing this for quite a long time, a shift in terms of power, control, autonomy, that moves from central IT to line of business. The line of business are gaining more and more autonomy, control over the budget, selection of technologies that they want to use, and they tend to think in terms of, “Okay, how can I get as fast as possible to the business outcome I’m hoping to have?” Because they are measured by completely different metrics compared to the central IT. Central IT has a completely different mindset from line of business.
In this trend that I see accelerating and in part is fueled by this DevOps methodology kind of approach, a giant methodology, the capability for engineer to be completely independent, all of this is just accelerating this autonomy. The need for self-service is increasing, and it’s driven by, I would say a frustration of the line of business that being depending by the IT operation team for way too long. The IT operation team, the central IT has been too inefficient for way too long, and so there’s now there’s demand to let me do whatever I can in a fully automated way. When that is not delivered by central IT, what happens is that, and I saw this so many times in the last 10 years, then the line of business simply circumvents all the rules that exists in terms of compliance, in terms of security, and then just go and use public cloud service providers often in the form of software as a service to just get the job done as fast as possible.
I think that the future is gonna be completely automated in so many more ways than the ones we see today. I don’t know if the frontend for that automation will be chat bots, because I don’t see enough progress, but certainly we will have a way more automated future.
Guy: I think that Shadow IT, which is kind of a catch all term for what you just described, is definitely something that we’re seeing more and more of, and it’s been enabled by the public clouds like AWS, Azure, and Google Cloud. With that emerging trend and with the move towards an inevitable automation future, what is the one piece of advice you would give the CIOs, CTOs, CISOs considering whether or not to dive into automation?
Alessandro: Well, as I said in the beginning of this conversation, I don’t think that any of the persona have any choice. They’re forced to at least understand what does it mean to operate at scale, to do IT operations or to do security at scale. The professionals that report to them and need to develop that kind of awareness, if not the skills to just cope with the kind of speed that we see today in the market in the world. The one piece of advice is certainly to invest a lot in education. I am amazed, this is a small thing or it sounds so. I’m amazed by how many executives in very large enterprises never went to attend an Amazon Reinvent Conference, and they never saw in person what we’re talking about here.
A lot of people read about this in press articles or in news outlets but they don’t quite understand or develop the awareness that is necessary. Training is for the executives in the underline is critical to understand there is no other option. This is one thing to focus on. I’m a big believer in education, so I believe that training is fundamental to progress in any kind of IT management or enterprise endeavor in a large organization. This is certainly one thing.
The other thing is, as I said before, to start considering automation, not as a tactical tool, that can kind of shave off some of the time that you spend in doing a number of tasks, but reconsider it completely as a strategic tool to drive IT operations. There is a reason why public cloud providers like AWS, that started from scratch, are getting so massive and so popular and so efficient. It can drive the cost down to the level that it is today. That reason is that they design from scratch, the entire IT architecture to be automated. That was first thing that was part of the design guidelines. The IT operations, but in general the central IT as an organization today, faces that sort of competition, faces the competition of public cloud service providers that offer a better service, a faster service, a more automated service to their own line of business compared to what is offered within the corporate boundaries.
We’re really talking about an existential risk today. For the CIO, for the CTO, for the Chief Information Security Officer, there is all of them are at risk of losing their audience, and the audience as well validates their presence in the enterprise because they simply cannot think in the same way a public service provider is thinking. The mindset has to change before anything else in terms of processes, in terms of technologies can change.
Guy: Alessandro, we’re running low on time but I can’t let you go without asking about the H+ project you’re the founder of. Can you please tell our audience a little bit about what that is and the kinds of things you’re working on?
Alessandro: Sure. First of all, I need to say that that is not in any way related to my work in Red Hat. It’s a side project. I’m very interested, and I’ve been studying a lot for years a number of different disciplines that are related to human body augmentation or human announcement technologies as the industry calls them, and they go from neural interfaces to bionic prosthetics to genetic engineering, precision medicine, nano robotics and so on and on and on. The reason why we’re patient about this thing I question from neuroscience and genetics and cognitive psychology, is that I believe that we are a fundamental point of change for the way humans process information today. The scale of information is so massive for us to process, and you can tell by just looking at how people are glued to their phone when you go on a tube, when you go on a train, when you just stepped at an office, and everybody is looking at the phone rather than talking to each other.
The amount of information that must be processed are so massive, and there is such a social pressure to be sure that this information is processed in the most efficient way, and so you’re hyperreactive to what the world is saying around you that there is no other way eventually, than the one to augment yourself. I strongly believe that just like traditional prosthetics that exist today in the world, including things like, very simple like contact lenses or pacemakers, and so on, as those things became the norm & are perfectly accepted from a societal perspective, so the augmentation in the sense of blending together technology with the biology to increase human capabilities, and process more information and being faster in making decisions and better in making decisions, computer system, if you want to send this play is gonna be a mandatory step for the humankind. I don’t see any possibility for the future, so I’m very interested in that, and I’m interested in understanding what startups are doing what in the space and what kind of new academic research comes out.
H+ is an open research initiative that basically collects in a completely open way so anybody can access completely free, can access to all the things that I collect in my free time that talks about all these different technologies. Basically, it’s a way to track how we’re going in terms of the next stage, what I believe will be our evolution.
Guy: That’s great. All those issues that you’re covering. They just prove that there’s no longer anything such as science fiction. It’s just science.
Guy: All right. It looks like that’s all the time we have for today. Alessandro, I’ve really enjoyed our conversation, and thank you again for being our guest.
Alessandro: Likewise. It was great. Thank you.
Guy: Alessandro Perilli, General Manager of Management Strategy for Red Hat and founder of the H+ project. Thank you for listening everyone, and remember – don’t hesitate, automate.