Wednesday, January 12, 2022

When it comes to API security, expect the whole world to be testing your mettle, says Twitter CISO

Just as cloud computing initially seeped into organizations under the cloak of shadow IT, application programming interface (API) adoption has often followed an organic, inexact, and unaudited path. 

IT leaders know they’re benefiting from APIs -- internal, via third parties, and often outwardly exposed -- they just don’t know where they are, how much they support key services, and how they’re being used … or abused.

As a result, developers and business architects alike don’t know how organically adopted technologies like APIs are adversely impacting their businesses -- until something like the Log4j vulnerability, Log4Shell, runs amok.

Stay with us now as we explore how API-intensive and API-experienced businesses are bringing maturity to their APIs’ protections through greater observability, tracing, and usage analysis.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

To learn how Twitter, a poster child for business-critical API use, makes the most of APIs by better knowing and managing them across their full lifecycles, we’re joined by several guests to discuss the latest in API maturity: Please welcome Rinki Sethi, Vice President and Chief Information Security Officer (CISO) at Twitter, and Alissa Knight, recovering hacker and partner at Knight Ink. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Security researchers at Akamai in their latest state of the internet report detail how cyber criminals have noticed APIs and are turning them into an attack vector. This in itself isn’t a surprise, but the degree to which people are not prepared for such vulnerabilities as the Log4j issue is.

Rinki, how do CISOs such as you at Twitter get the most out of APIs while limiting the risk?

Sethi: Securing APIs is a multi-layered approach. My philosophy is that APIs are meant to be exposed. We expose APIs to enable developers to do amazing things on our platform.

So, you need a multi-pronged approach to security. There are basic tools that help you prevent risk around APIs, whether it’s volumetric attacks or the basic vulnerabilities and supporting the infrastructure. But really, each API introduces its own risk, and there is a multi-layered approach in how you go and secure that.

Gardner: Rinki, what’s your history as a CISO? And please tell us about your tenure at Twitter.

Sethi: I’ve been in the cybersecurity industry for almost two decades now. I’ve been around the block at some really great brands in the Bay Area, from working at eBay to Palo Alto Networks to IBM.

I took my first CISO role almost three years ago at a start-up company called Rubrik, a unicorn, and helped them after a security breach and to scale up their security program. That was my first role as CISO. Before that, I held various roles leading product security, security operations, and governance, risk, and compliance (GRC).

While at Rubrik, during early COVID, we had to scale back and focus on how to thrive as a business. At that time, Twitter reached out. I joined Twitter after the security breach and before the U.S. election to help build out a scalable security program. And so, here we are. I’m a little over a year into this role.

Gardner: The good news about APIs is they’re widely exposed and can be used productively. The bad news is they’re greatly exposed. Knowing that and living with that, what keeps you up at night? What’s a lingering concern when it comes to the use of APIs?

Decrease API vulnerability ASAP 

Sethi: The explosion of APIs in use in just the last few years has been at an exponential rate. Our traditional security products don’t protect us against business logic flaws -- and that’s what keeps me up at night.

Business logic flaws can result in security or privacy violations for the consumer. And other than unit testing -- and really looking at your APIs and testing them out for those business logic flaws -- there’s not great innovation yet. There are [API security] companies starting up, and there are going to be a lot of good things that come out, but we’re still early. That’s what keeps me up at night. You still have to go back to the manual way of looking at APIs.

Those kinds of vulnerabilities are the biggest challenge we have in front of us. And thankfully we have people like Alissa who come after us and find those issues.

Gardner: Alissa, you wrote an e-book recently, The Price of Hubris: The Perils of Overestimating the Security of Your APIs. Other than the business logic flaws that Rinki described, what are the biggest risks in the nearly unmitigated use of APIs these days?

Knight: There’s a library of papers I’ve done on these issues. I feel like every morning, Rinki wakes up and lies in her room and says, “Oh, my God, another paper from Alissa!” So, yes, there’s a real struggle around API security.

What was interesting and what I loved about the Hubris paper was it allowed me for the first time to take all my vulnerability research across industries -- automotive, healthcare, financial services, fintech, and cryptocurrency exchanges -- and put them into a single paper. It’s a compendium of all my API exploits that shows this is a ubiquitous problem across many industries.

It’s not just a Twitter problem or a whatever-bank problem. It’s an everyone problem. Much to Rinki’s point, APIs have pretty much become the plumbing system for everything in our world today. They affect life and safety. That’s what attracts me as a vulnerability researcher. It’s like George Clooney’s movie, The Peacemaker, where the lead character didn’t care about the terrorist who wants 1,000 nuclear weapons. He cared about the terrorist who just wants one.

For me, I don’t care about the hacker who wants to deface websites or steal my data. I care about the hacker who wants to go after my APIs -- because that could mean taking remote control of the car that my family is in or hacking healthcare APIs and stealing my patient records. If your debit card was compromised, Wells Fargo can send you a new one. They can’t send you a new patient history.

APIs are the foundational plumbing for everything in our lives today. So, rightfully so, they are attracting a lot of attention -- by both black hats and white hats.

Gardner: Why are APIs such a different beast when it comes to these damaging security risks?

Knight: Humans tend to gravitate toward what we know. With APIs, they speak HTTP. So, the security engineers immediately say, “Oh, well, it speaks the HTTP protocol so let’s secure it like a web server.”

And you can’t do that because when you do that, and Rinki addressed this, you’re securing it with legacy security, with web application firewalls (WAFs). These use rules-based languages, which is why we have gotten rid of the old Snort signature base, if you remember that, if you’re old enough to remember Snort.

Those days of intrusion detection system signatures, and updating for antivirus and every new variant of the Code Red worm that came out, is why we’ve moved on to using machine learning (ML). We’ve evolved in these other security areas, and we need to evolve in API security, too.

As I said, we tend to gravitate toward the things we know and secure APIs like a web server because, we think, it’s using the same protocol as a web server. But it’s so much more. The types of attacks that hackers are using -- that I use -- are the most prevalent, as Rinki said, logic-based attacks.

I’m logged in as Alissa, but I’m requesting Rinki’s patient records. A WAF isn’t going to understand that. A WAF is going to look for things like SQL injection or cross-site scripting, for patterns in the payloads. It’s not going to know the difference between who Rinki is and who I am. There’s no context in WAF security -- and that’s what we need. We need to focus more on context in security.

Gardner: Rinki, looking for just patterns, using older generations of tools, doesn’t cut it. Is there something intrinsic about APIs whereby we need to deploy more than brute labor and manual interceding into what’s going on?

Humans need to evolve API culture

Sethi: Yes, there are a lot of things to do from an automation perspective. Things like input/output content validation, looking at patterns and schema, and developing rules around that, as well as making sure you have threat detection tooling. There’s a lot you can do, but a lot of times you’re also dealing with partner APIs and how your APIs interface with them. A good human check still needs to happen.

Now, there are new products coming out to help with these scenarios. But, again, it’s very early. There are a lot of false positives with them. There’s a lot of tooling that will help you capture some 80 percent, but you still need a human to take a look and see if things are working.

What’s more, you have the issue of shadow APIs, or APIs that are old and that you forgot about because you no longer use them. Those can create security risks as well. So, it goes beyond just the tooling. There are other components needed for a full-blown API security program.

Gardner: It seems to me there needs to be a cultural adaptation to understand the API threat. Do organizations need to think or behave differently when it comes to the lifecycle of APIs?

Knight: Yes. The interesting thing -- because I’m so bored and I’m always trying to find something to do -- I’m also the CISO for a bank. And one of the things I ran into was what you mentioned with culture, and a culture shift needed within DevOps.

I ran into developers spawning, developing, and deploying new APIs -- and then determining the cloud environment they should use to secure that. That’s a DevOps concern and an IT concern. And because they’re looking at it through a DevOps lens, I needed to educate them from a culture perspective. “Yes, you have the capability with your administrative access to deploy new APIs, but it is not your decision on how to secure them.”

Instead, we need to move toward a mindset of a DevSecOps culture where, yes, you want to get the APIs up and running quickly, but security needs to be a part of that once it’s deployed into development -- not production -- but development. Then my team can go in there and hack it, penetration test it, and secure it properly -- before it’s deployed into production. 

What’s still happening is these DevOps teams are saying, “Look, look, we need to go, we need to rush, we need to deploy.” And they’re in there with administrative access to the cloud services provider. They have privileges to pick Microsoft Azure or Amazon clouds and just launch an API gateway with security features, and yet not understand that it’s the wrong tool for the job.

If all you have is a hammer, everything looks like a nail. So, it requires a culture change. It is certainly that. Historically, there’s always been an adversarial relationship between security and developers. And it’s part of my job -- taking off my hacker hat and putting on my executive hat as the CISO -- to change that mindset. It’s not an us versus them equation. We’re all on the same team. It’s just that security needs to be woven into the software development lifecycle. It needs to shift left and shield right.

Gardner: Rinki, any thoughts about making the culture of security more amenable to developers?

Sethi: I couldn’t agree more with what Alissa said. It’s where I found my passion early in my security journey. I’m a developer by trade, and I’m able to relate to developers. You can’t just sit there and train them on security, do one-day training, and expect things to change.

It has to be about making their lives easier to some degree, so they don’t need to worry about things, and the tooling is training them in the process. And then a shared sense of responsibility has to be there. And that's not going to come because security just says it’s important. You have got to show them the impact of a security breach or of bugs being written in their code -- and what that can then end with. 

And that happens by showing them how you hack an application or hack an API and what happens when you’re not developing these things in a secure manner. And so, bringing that kind of data when it’s relevant to them, those are some bits you can use to change the culture and drive a cohesive culture with security in the development team. They can start to become champions of security as well.

Knight: I agree, and I’ll add one more thought to that. I don’t think developers want to write insecure code. And I’m not a developer, so I couldn’t speak directly to that. But I’m sure nobody wants to do a bad job or wants to be the reason you end up on the nightly news for a security breach.

I think developers generally want to be better and do better, and not do things like hard-code usernames and passwords in a mobile app. But at the end of the day, the onus is on the organization to speak to developers, and say, “Hey, look. We have the annual security awareness training that all companies need to take about phishing and stuff like that,” but then no one sends them to secure code training.

How is that not happening? If an organization is writing code, the organization should be sending its developers to a separate secure code training. And that needs to happen in addition to the annual security awareness training.

Gardner: And Rinki, do you feel that the risk and the compliance folks should be more concerned about APIs or is this going to fall on the shoulders of the CISO?

Banking on secure APIs

Sethi: A lot of times, risk and compliance falls under the CISO and I think Alissa said they don’t get into it. The regulators are not necessarily going to get into the minutia and the details of each and every API, but they may mandate that you need some kind of security program around that.

As we all know, that’s only one aspect of security. But I think it’s starting to come up in discussions -- especially in the banking world. They’re leading the way as to what others should expect around this. What I’m hearing from vendors that are supporting API security is that it’s easier to go to a bank and drive these programs because they already have a culture of security. With other companies, it’s starting to come now. It’s a little bit more chaotic around how to bring these teams involved with APIs together so that they can build good security.

Knight: If you think about it, 20 years ago, back when both Rinki and I got into security, it was a different story. The motives for hackers were website defacement and getting your name on all those defacements. That was the point of hacking.

Now, it’s all about monetizing the data you can steal. You don’t go digging for gold in just any random hole. You try and find a gold mine, right? Data is the same. Data is worth more than … Bitcoin. Maybe more than oil. You go to a gold mine to find gold, right? That means you go to APIs to find data. Hackers know that if they are going to steal and ransom a company, and double dip, and then lock and leak -- so leak the data and encrypt it -- you go where the gold is, and that’s the APIs.

I think there’s going to be an exodus where hackers start shifting their focus to APIs. Knowing that more hackers are moving in this direction, I need to learn JSON, I need to know what the hell that is and not be scared off by it anymore, because that’s where the data is. I need to understand how to hack APIs. 

Just because someone’s a hacker doesn’t mean they know how to hack APIs. I know a lot of hackers that freak out when they see JSON. So, it’s a certain type of hacker. Hackers need to take their craft -- either a white hat or black hat -- and develop that craft to focus on how to hack APIs.

The winds are changing and it’s going toward APIs because Twitter isn’t a monolithic application just like isn’t. It’s not one big app running on one big web server. It’s a bunch of distributed containers, microservices, and APIs. And hackers are going to learn how to hack those APIs because that’s where the data is.

Gardner: What do organizations then need to do to find out whether they’re behind that 8-ball? Is this still a case where people don’t know how vulnerable they are?

Identification, please

Sethi: Yes, I think identification is essential. If you’re kicking this off, at least make the case for a top priority to identify what your API environment looks like. What do you have that’s currently being used? What older versions that are not used but are still around and may be creating risks? Are there shadow APIs?

Finding out what the environment looks like is the first step. Then go through those APIs to see how they work. What do they do for you? What are the high-risk ones that you want to take a look at and say, “We need a program around this.” Identification is the first step, and then building a program around that.

You may also want to identify what teams you need on board because as you’re identifying what’s already existing, if there are things you need to change around how developers are working with APIs, that’s another step you want to look at. So, it’s about building a cohesive program around building a culture. How do you identify what’s out there? How do you change how work is being done so that it’s more secure?

Knight: As a CISO, I’m quick to buy the coolest new things, the shiny new toys. My recommendation is that we as security leaders and decision-makers need to take a step back and go back to the old, fine art of defining our requirements first. 

Creating a functional requirements document on what it is we need from that API threat management solution before we go out there shopping, right? Know what we need versus buying something and looking at a vendor and saying, “Oh you’ve got that. Yeah, that could be good. I could use that. Oh, you’ve got that feature? Oh, I could use that.”

Understand what your requirements are. Then, most importantly, you can’t protect what you don’t know you have. So, does your tool have the capability to catalog APIs and find out what your attack surface really is versus what you think it is? What kind of data are those APIs serving? Maybe we don’t need to start by focusing on protecting every single API, but I sure as hell want to know which APIs use or serve personally identifiable information (PII), or payment card industry (PCI) data, and all of those that are serving regulated data.

So where do I need to focus my attention out of the 6,000 APIs I may have? What are the ones I need to care about the most because I know I can’t protect my entire operating area -- but maybe I can focus on the ones I need to care about the most. And then the other stuff will come in there.

The number one vulnerability, if you look at the Hubris whitepaper, that’s systemic across all APIs is authorization vulnerabilities. Developers are authenticating a request but not authorizing them. Yes, the API threat management solution should be able to detect that and prevent it, but what about going back to the developers and saying, “Fix this.”

Let’s not just put all the onus and responsibility on the security control. Let’s go to the developers and say, “Here, our API threat management solution is blocking this stuff because it’s exploitable. You need to write better code, and this is how.” And so, yeah, I think it’s an all-hands-on-deck, it’s an-everyone issue.

Gardner: Because the use of APIs has exploded, because we have the API economy, it seems to me that this ability to know your API posture is the gift that keeps giving. Not only can you start to mitigate your security and risk, but you’re going to get a better sense of how you’re operating digitally and how your digital services can improve.

Rinki, even though better security is the low-lying fruit from gaining a better understanding of your APIs, can you also then do many other very important and beneficial things?

CISOs need strong relationships

Sethi: Absolutely. If you think about security upfront in any aspect, not just APIs, but any aspect of a product, you’re going to think about innovative ways to solve for the consumer around security and privacy features. That gives you a competitive advantage.

You see this time and time again when products are released. If they have issues from security or privacy, they may have been able to threat model that in advance and say, “Hey, you might want to think about these things as an outcome of the consumer experience. They may feel like this is violating their security or privacy. These are things that they may have in mind and expect from the product.”

And, so, the earlier you have security and privacy involved, the better you’re going to deliver the best outcomes for the consumer.

Knight: Yes, and Dana, I consider it fundamental to our role as a CISO to be a human LinkedIn. You should form a partnership and relationship with your chief technology officer (CTO), and have that partnership with infrastructure and operations, too.

APIs are like this weird middle ground between the CISO’s office and the CTO’s office because it’s infrastructure, operations, and security. And that’s probably not too different from other assets in the environment. APIs need a shared responsibility model. One of the first things I learned from being a CISO was, “Wow, I’m in the business of relationships. I’m in the business of forming a relationship with my chief fraud officer, my CTO, and the human resources officer.”

All of these things are relationship-building in order to weave security into the culture of the enterprise, and, I think, in 2021 we all know that by now.

Gardner: APIs have become the glue, the currency, and a common thread across digital services. What I just heard was that the CISO is the common denominator and thread among the different silos and cultures that will ultimately be able to impact how well you do and how well you protect your APIs. Are CISOs ready, Rinki?

Sethi: I wouldn’t say that they aren’t. Any CISO today is exposed to this. The proof is around, look at how many vendors are out there solving for API security now, right? There’s hundreds and they’re all doing well.

It’s because CISOs have defined that there’s a problem that we need to go and solve it. It’s a multilayered issue, and that’s why there’s so much innovation happening right now. And we’re not just solving for typical issues in your infrastructure, but also for how you look at content validation. How are you looking at those business logic flaws? How are you looking at monitoring? Even how are you looking at identifying APIs?

You don’t know what you don’t know, but how do you start finding out what’s in your environment? There’s so much innovation happening. All CISOs are talking about this, thinking about this, and it’s a challenge. I do think CISOs are the common denominator in how we bring these different teams together to prioritize this.

Knight: I think you hit the nail on the head, Dana. CISOs are the connective tissue in an organization. We even have a seat on the boards of directors. We have a seat at the big kids’ table now, along with the CEO, and the heads of the different departments in the company.

And I don’t think the API security solutions were all created equal. I just recently had the pleasure of being invited by Gartner to present to all their analysts on the state of the API security market. And all these API security vendors have a different approach to API security, and none of them are wrong. They’re all great approaches. Some are passive, some are in-line, some import the Swagger file and compare the back-end API to your OpenAPI specification. Some are proxies.

There are all these different approaches because the attack surface for APIs is so big and there are so many things you need to think about. So, there are many ways to do it. But I don’t think they are created equal. There’s a lot of vendors out there. There’s lot of options, which is why you need to first figure out what you require.

What is the back-end language? What are you programming in? Does your solution shim into the application? If so, you need to make sure the API security solution supports that language, that sort of thing. All these things you need to think about as a security decision-maker. We as CISOs sometimes go out there and look at product options and take the features of the product as our requirements. We need to first look at our requirements -- and then go shopping.
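The failure Knight describes twice above (a caller who is logged in as one user but requests another user's record, which a WAF looking for injection payloads never sees, and developers who authenticate a request without authorizing it) as an added example in Python. This is a constructed illustration, not code from Twitter, Knight Ink, or the podcast; the bearer tokens, record ids, record contents, and the toy signature list are assumptions made for the example.

```python
"""Constructed example: an API handler that authenticates callers but does
not authorize them (broken object-level authorization), next to the fixed
handler. Tokens, users, and records are made up for illustration."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: bearer tokens and the patient records each user owns.
TOKENS = {"tok-alissa": "alissa", "tok-rinki": "rinki"}
RECORDS = {
    "rec-1001": {"owner": "alissa", "diagnosis": "constructed"},
    "rec-2002": {"owner": "rinki", "diagnosis": "constructed"},
}


@dataclass
class Request:
    headers: dict
    path: str


# Pattern-based "WAF": matches injection-style payloads in the path and nothing else.
# It has no idea who the caller is or which records they may read.
_ATTACK_PATTERNS = re.compile(r"('|--|<script|union\s+select)", re.IGNORECASE)


def waf_allows(req: Request) -> bool:
    """Return True when the path matches none of the attack signatures."""
    return _ATTACK_PATTERNS.search(req.path) is None


def authenticate(req: Request) -> Optional[str]:
    """Map a bearer token to a user id, or None when the token is unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def _record_id(path: str) -> Optional[str]:
    """Extract the record id from /api/records/<id>, or None on a bad path."""
    m = re.fullmatch(r"/api/records/([A-Za-z0-9-]+)", path)
    return m.group(1) if m else None


def get_record_vulnerable(req: Request) -> Tuple[int, Optional[dict]]:
    """Authenticates the caller, then returns whatever record id was asked for."""
    if not waf_allows(req):
        return 403, None
    user = authenticate(req)
    if user is None:
        return 401, None
    rec = RECORDS.get(_record_id(req.path))
    # Missing step: nothing compares `user` with the record's owner.
    return (200, rec) if rec else (404, None)


def get_record_fixed(req: Request) -> Tuple[int, Optional[dict]]:
    """Same flow plus the object-level check: the caller must own the record."""
    if not waf_allows(req):
        return 403, None
    user = authenticate(req)
    if user is None:
        return 401, None
    rec = RECORDS.get(_record_id(req.path))
    if rec is None or rec["owner"] != user:
        # Same status for missing and foreign records so ids cannot be enumerated.
        return 404, None
    return 200, rec


if __name__ == "__main__":
    # Logged in as Alissa, asking for Rinki's record: the WAF sees a clean path.
    cross_user = Request({"Authorization": "Bearer tok-alissa"}, "/api/records/rec-2002")
    print(get_record_vulnerable(cross_user))  # (200, Rinki's record)
    print(get_record_fixed(cross_user))       # (404, None)
```

The vulnerable handler passes every check a payload-pattern tool can apply: the token is valid and the path contains nothing that looks like an attack. Only the one-line ownership comparison in the fixed handler carries the context Knight says is missing, and it belongs in the code, not only in a front-end control.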

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Traceable AI.

Tuesday, December 14, 2021

2022: The year technology and new work models come together to enable continuous innovation

Predicting the future took on a whole new degree of difficulty the past two years. And while we can’t always know what Mother Nature will throw our way, we can learn from what worked -- and what didn’t work -- in 2021. 

Clearly, adjusting swiftly to persistent change and leveraging digital -- and often virtual -- tools, environments, and processes were major benefits. Now, how will 2022 shape up as we extrapolate on the trends around shifting work models?

How will technology, both tactically and strategically, improve the ways businesses operate and enable employees to remain productive and content, regardless of where they are?

Stay with us as we explore the ways work continues to be reinvented while -- at the same time -- digital technologies enhance and disrupt the means through which we all collaborate and operate in our jobs. 

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

To learn more about the ways that 2022 will set the stage for the next decade of innovation and work adaptation, BriefingsDirect sat down with Christian Reilly, Vice President and Head of Technology Strategy at Citrix, and Tim Minahan, Executive Vice President of Business Strategy at Citrix. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Tim, do you see the speed in how work models are evolving and maturing slowing at all in 2022? Have we reached some sort of plateau yet?

Minahan: Not at all, Dana. In fact, the old adage that necessity is the mother of innovation is certainly holding true. All of the unplanned investments that organizations have made over the past two years to accommodate secure remote work have torn down barriers. That has led to new ways of operating that are going to continue to fuel unprecedented innovation and growth in the year -- and years -- ahead.

If you think about it, when the pandemic hit, companies had to find new ways to operate. They had to invest in new technologies that took them decades worth of steps forward. They not only innovated on how they work internally, but in how they engage with their customers through new digital channels.

And the technologies they used to digitize their businesses to survive have now provided new business models and a new pace of innovation across every industry -- from a dramatic increase in the role of telemedicine and remote clinics to virtual learning and, as we’re hearing now, to the metaverse -- that will enable them to thrive in the new year ahead and beyond.

Gardner: Tim, what have we learned over the past two years as the reinvention of work solutions accelerated? What worked – and what didn’t?

Reworked post-pandemic possibilities

Minahan: Well, companies have been forced to do two things. Number one, they were forced to accelerate the digitization of their business. In financial services industries, for example, that meant increasing remote and digital financial advisory and trading services. For retail, it meant further accelerating the use of digital channels. And in healthcare, they found new ways to engage with patients and provide patient care.

But the second thing is it also caused both employers and employees to rethink work, to break down the old taboos that work can only happen while in the office. Employers have recognized the benefits that remote work plays -- not only in keeping their existing employees engaged, but in being able to reach new talent pools well beyond commuting distance to their work hubs or offices.

And employees have recognized that, “Hey, I can actually do creative and innovative work when not in the office. In fact, I may even be able to be more creative and innovative because I have uninterrupted time to focus on solving business problems and not having to deal with all the other headaches and distractions that come with long commutes and travel. I can now make better use of technology to foster more efficient work execution and collaboration wherever work needs to get done.”

Gardner: Tim, some people seem to think that the best-case scenario is that we get back to the way things were in 2019. Why is that not likely to happen when it comes to how we work?

Minahan: Because of the two dynamics that we just mentioned. One is we’ve broken down the taboos about where work happens, what constitutes work, and who does the work. Many employees have recognized they can be selective about the jobs they take and for which organizations.

Similarly, many companies are beginning to evolve to much more of a blend between full-time employees (FTEs) and contractors, especially for those hard-to-find skill sets that are required to digitize and modernize their businesses.

Skills such as for artificial intelligence (AI), analytics, cloud, and security are often hard to find on a full-time employee basis. But when the contract between employers and employees shifts, and employees are looking to select those jobs that they want -- looking to hone their skills and be an independent -- that really opens up new opportunities both for employers and employees.

Gardner: Christian, if we’re entering into this bold new era of work and there’s no going back, why is the timing good from a technology standpoint? Why is technology in a better position than ever to support such a work-model-adaptation-shift?

Reilly: There’s just so much more choice. If we look around the technology sphere, there’s also more speed in how technology finds its way into organizations -- and that’s not always by IT, a lot comes in by demand from end users and employees.

Just step back and recall how quickly were we able to apply technology to what I lovingly call the world’s greatest semi-coordinated remote work experiment. I don’t use the word pandemic anymore. If you really think about it, every organization on the planet was challenged from day one of the lockdown to say, “Okay, well, the technology that we had and we then deployed really wasn’t intended to support this kind of remote work.”

That is the very work that Tim was talking about as being forced upon us. It wasn’t really by choice. It was a mandate due to the global lockdown. When you recall how quickly we were able to respond to that with a variety of different technologies, that proved that remote work really does work.

So, I think it’s a great time to be in tech. It’s a great time for organizations to step back and think about what has been achieved. Now, what else can we achieve, knowing that our traditional barriers -- and the Department of No that most IT organizations have been historically -- have been turned on their heads? The ways that these technologies have arrived has given us a huge opportunity to change the way that we think about supply and demand across every industry.

Gardner: If there is no such thing as the new normal, and we can just get rid of “normal,” what’s the new new, Christian?

New now is a great time for IT

Reilly: I call it the new now. If you go back just a few months, the world was slowly coming out of the pandemic and offices and countries were beginning to reopen. If you use the word normal in that context, I don’t think it treats us equally.

The pandemic affected everybody around the world differently. Referring to that as normal doesn’t reflect those differences. It doesn’t do enough to reflect the differences because normal doesn’t reflect what we’ve been through in the last couple of years.

But if we think about it as now, that puts us in a different mindset. Most companies that have been successful through the pandemic have had agility. They were able to shape-shift, to put their resources to work in different ways quickly to address different work challenges. If we suggest that that’s normal, it puts us in a box that might limit our thinking and creativity.

I like to think about things in a fluid way. We haven’t seen a strategy from a single company that’s going to be the blueprint for everybody going forward. So, treating every day as a new now leads us humans in organizations to be open to the things we do really well, which are creativity, innovation, and thinking outside the box.

I prefer to think about it in terms of various phases of evolution post-pandemic, which has accelerated many things -- whether that be technology or business change, which is all very positive. 

I think normal is probably a little bit too harsh a word for what we’ve been through and what we can expect for the next few years.

Gardner: Christian, if technology is foundational to making this new era vibrant and innovative, has there ever been a better time to be in the IT business?

Reilly: From the changes we saw before the pandemic -- with organizations moving to cloud, changing their application portfolios, and in how work gets done -- there’s always been a technology underpinning of that. And if you’re in the technology industry, you have to be pretty happy with the opportunity for more change.

For many years, it was difficult for people in organizations to drive change and to challenge the status quo in organizations large and small. But as technologists, we always like to look out and try to invent the future. It was difficult to do that when the rest of the business was in catch-up mode or didn’t see the value of technology as an investment to drive the business, as opposed to being a necessary evil.

Now we’ve leveled the playing field, both in the choices we have in technology as well as in the time it takes to invent technology and the short time to get a return from that investment.

It’s great, and we see examples, in our customers around the world, of organizations that put technology strategies at the forefront of their business strategy. In my nearly 30 years in this industry, I can’t remember a time when it’s been more exciting to combine the technology with the business opportunity and to drive some really great outcomes going forward.

Gardner: Tim, for the business leaders out there who are also responding to this sea change, what does your research tell you? Are they as optimistic as the technologists are for 2022?

Leaders favor flexible work future

Minahan: Yes, business leaders are viewing this moment, and the investments they’ve made to support advanced digitization and engagement with their customers and in remote or hybrid work models, as a platform for driving new levels of innovation. 

In fact, Citrix recently conducted a research project in partnership with Coleman Parkes Research interviewing some 1,200 business leaders across the US and Europe. And on average, these leaders attribute almost half of their growth over the past year to new innovations, new products, new service lines, and new ways of working fueled by the adoption of new technologies and the work models we’ve been talking about here.

In fact, according to the study, investments in new technology and flexible work models over the past several years have fueled $678 billion in new revenues across these industries. Furthermore, 69 percent of those business leaders around the world say they’re going to increase investment in research and development (R&D) over the next 12 months to sustain this growth.

Because part of that growth had been constrained by our biases in thinking, as Christian just said, those longer journeys to the cloud are no more. Companies are accelerating digitization of their businesses -- including the shift to cloud. They now are taking a three-year cloud transformation project and doing it in three months because they need the agility. They see the benefits that are available to them.

The same thing goes for work models. Business leaders are removing the traditional taboos associated with working remotely and using that to rethink their entire work model. Where work gets done is certainly part of the dialogue we’re having in the market. Should employees go back to the office or work remotely continually?

But it’s more than that; it’s about how work gets done. Are we fostering these workers with a digital workspace environment that allows them to work anywhere and be as productive and as secure -- whether they’re in an office building or on the road?

And then there’s more innovation around who does the work. This is the most exciting part. Businesses are now able to access new talent pools and drive greater equitable and responsible hiring practices because they’re no longer constrained by where their office buildings are.

For example, the healthcare sector has been advancing not just telemedicine but new remote clinics that are closer to the patients. A great example is Mass General Brigham in your hometown there, Dana, in Boston. Just before the COVID crisis, they had transitioned to the cloud, which not only ensured that 70,000 physicians, clinicians, and administrators could work safely and remotely, but also allowed them to be much more responsive to the needs that have arisen during the pandemic.

For example, they opened up a remote clinic at the Boston Convention Center, literally in three days, per order of the governor. Because they were using the same technology platform, they were able to do that very, very quickly. It has also allowed them to increase their telemedicine visits by more than 27 times. And they don’t see that going fully back to the way it was before.

And, finally, using such a cloud platform delivers greater access to experts at colleges, for example, in Minnesota. They don’t necessarily need to live in the Boston area to be able to sustain this. That’s just one great example of an industry and a leader in that industry that’s not going back.

They’re using the investments they made in technology. And they’re using the investments they made in work models to fuel new ways of patient care and new innovations for their businesses.

Gardner: Christian, as we move past the previous work shackles using hybrid and remote models, how will recent technology trends -- such as 5G connectivity, edge computing, AI, and parallel internets -- further enhance this process of reinventing work in 2022?

Hyperconnectivity everywhere

Reilly: To your point about networking, I think it’s the unsung hero of what we saw during the pandemic. With the number of people being asked to work remotely, locked out of their physical locations, the demands for bandwidth were essentially catered to around the world. That speaks a lot to the underpinning of the infrastructure.

And if you think about this world of hyperconnectivity, of always-on, and advancements in 5G technology, the speed and capacity that comes with that … It’s incredible. I don’t think we would have been able to do what we’ve done in the last two years with the constraints around the networking technologies from a decade ago.

All sorts of different providers are now building their own undersea capacity across the world, just to carry the growing demand. You can assume in the next couple of years there’ll be no such thing as never connected. Whether you’re in an airplane, on a train, in your own car, or in a coffee shop -- or whatever -- the ubiquitous connectivity is going to power a lot of this next generation of the economy.

We tend to talk about what’s on top of the network, and obviously it is security, which is important. But performance, reliability, and availability will be there for the folks out there who want all the world’s applications and data served to them.

I made a comment a few months ago about the major cloud providers building parallel Internets. The traditional Internet consists of different carriers interconnected at various points around the world in Internet exchanges (IXes). There, the name of the game is exchanging data from a peering perspective, where there’s equity between the transactions.

And if you’re a commercial customer, you can buy bandwidth from there and act like a carrier. But if you really think about what goes on in the IXes, there’s a question about how we can fairly exchange data that means that nobody loses out from a cost perspective.

Now, think about what we’re seeing where the Googles, Microsofts, and the Amazons are all building these giant networks of their own so that they can essentially offer better reliability, performance, and availability -- loads of different points of presence around the world, some carried on subsea, some carried on terrestrial technologies. I think what we’re seeing there is a huge sea change in the way that we think about carriers.

If you want to be able to get your application served by the best network in the world, you may be looking at different providers, i.e., the big hyperscaler cloud providers, than we saw a decade ago. There’s a significant element to that, which has an upstream effect on where organizations choose to place their cloud services and the data and applications, of course.

From a wireless perspective, we’ve been talking about ubiquitous connectivity for Internet of things (IoT) for many years and we’re seeing the evolution of that now with opportunities in edge computing. Lots of workloads will continue to be delivered by edge because that last mile connectivity that we used to struggle with will disappear with the continued rollout of 5G and the availability of that around the world.

What really excites me is what happens in developing nations. In the Western world, we’ve been very fortunate to be on a journey from different types of networking. In some cases, they had to be built and rebuilt and built on top of existing physical infrastructure, such as cell towers, physical fiber, and so forth. For the opportunities of the developing world, they don’t come with that set of problems. Doing net new build-outs will give rise to real economic growth in areas of the world that were disadvantaged historically.

I’m really excited about a level playing field across networking that drives important economic effects and social interactions for countries that have not been able to participate in the global economy because they’ve been held back by their physical infrastructure. It’s super exciting. If you look five years from now, will we see the gross domestic products (GDPs) of countries differently by virtue of the fact that they’re hyper-connected and have much more opportunity than they’ve had historically?

Gardner: Tim, the good news is the technology enables things that hadn’t been possible before. And, at the same time, we’ve gained a clean slate to reinvent work, having moved past former taboos.

But the bad news is this is uncharted territory, with a lot of options.

What challenges do businesses need to overcome to make the most of this unique -- unprecedented, you might say -- situation without becoming overwhelmed or paralyzed?

Hybrid hopes and fears

Minahan: It’s a very good point, Dana. There are some choppy waters that people need to navigate because these are uncharted areas, as you mentioned.

The biggest risk companies will grapple with in the coming year is around the concept of hybrid work. Finding the right fit for the right role and the opportunity of hybrid work is a tremendous opportunity, as we mentioned. Employees are liberated to work wherever they can to do their best work. Employers can tap into new talent pools well beyond commuting distance to their physical office hubs.

But the challenge is to create an equitable work environment, regardless of where employees are located. Hybrid, by its very definition, means we’re going to have employees that are in the office collaborating and executing work together with employees who are not in the office.

And there’s a risk of creating a tiered level of the employee base, or levels of inequity in the employee base if you default back to an office-first culture. Many of our customers -- and Citrix itself -- look and ask, “Okay, what does the environment need to look like to be conducive to capitalizing on the benefits of hybrid work?”

And, just as was done decades ago, we made big investments in physical office buildings and in creating collaboration spaces. Well, if work is now happening everywhere at the same time, and employees are distributed across physical and remote locations, that means we need to create a digital work environment, a digital workplace, that provides equitable access to the tools that all employees need to be productive: their applications, content, collaboration tools -- regardless of where they are.

To Christian’s point, they also need network reliability so that the applications are not only available but perform the way they should. They need the security capability so that the company has confidence that their information is secure, no matter where an employee is doing work -- whether in an office, on the road, or from home.

But that flexibility needs to be coupled with processes and cultural policy changes that foster an equitable work environment that isn’t office-first or remote-first culturally. It has to be a truly hybrid culture.

Finally, the physical workspaces need to adapt, too. They need to be purpose-built for their new uses. If the physical office becomes a place where we come together to collaborate, we need to retrofit rooms to facilitate inclusion of those working remotely.

At Citrix, for example, we use the Microsoft Teams environment and are retrofitting our conference rooms with 360-degree cameras, and with cameras on the whiteboard, so that regardless of where an employee is, we are taking the equitable work policies that came with remote work and bringing them into a hybrid-work world.

So, everyone has similar access to information. Everyone has a similar opportunity to voice their opinions and creativity in meetings. These are the types of things that folks are going to need to navigate through in the months ahead if they’re going to capitalize on the benefits of what hybrid work can deliver.

Gardner: If we are to use hybrid work as the starting point, and we don’t know where we’re going to end up, do we have any existing examples to learn from? I’m thinking about the gig economy and gig workers.

Tim, is the gig economy a bellwether for what we should expect of hybrid work models? Or can we learn from that to do even better?

Beyond the office with benefits

Minahan: When the gig economy emerged, we were still in very much of a mindset of a work environment that hadn’t changed much since Henry Ford. It was an extension of the Industrial Revolution, where everyone came together in a manufacturing facility. When we went to knowledge workers, we just adopted that work structure and said, “Well, everyone, of course, should come together in an office environment.”

What the opportunity affords us now -- by removing the taboos, having the technological infrastructure to support equitable work across all environments and domains -- is the opportunity to go to a new class of, if you will, gig with benefits that provides flexibility and autonomy to freelancers.

They gain an economy that the contracting gig workers crave along with the stability that’s become increasingly attractive as the pandemic wears on by being associated with a given employer, with appropriate benefits, and everything that comes with being a full-time employee.

And so, I think we’re seeing literally people redrafting the social contract between employers and employees for the first time in decades.

Gardner: One of the nice things technologically, as we go about this redefinition of work, is we have at our disposal analytics tools at scale and at costs that are very attractive.

How do we use that to understand the best models of the future of work without it just being trial and error? How do we apply the best of what analytics and automation can bring so that we can get to that right definition for the right company at the right time?

What else can technology do for us in the next few years when it comes to helping us through such an experimental process?

Minahan: Yes, over the past several years, we’ve seen the introduction of machine learning (ML) and analytics into the workplace, along with automation. And those have fundamentally changed the way we work. 

Number one, they help clear a lot of the noise from an employee’s day and guide them to the next task, or the next insight, that’s valuable to move them along in the process. But number two, it’s elevated the skill set of the employee and the performance of every employee so that they’re performing at their best.

That’s true whether they’re six months on the job or an employee of the month consistently for the past six years. Technology can guide any employee to deliver the best customer service and to attain the best answer to execute processes even faster.

An example that highlights that necessity is the mother of innovation is City National Bank of Florida. They adopted our digital workspace technologies not only to ensure that they could remotely deliver the applications and tools that employees need in a very secure environment, but also to utilize the ML, automation, and enhanced workflow capabilities to improve the steps needed for their mortgage loan review process.

As a result, they knitted together some of the key tasks and insights across multiple systems -- customer relationship management (CRM) systems, mortgage and loan systems, and approval systems. They gained an ability to guide employees to the next step in the process and to pull information from other databases. They were able to process six years of loans in six months during the pandemic.

That’s just one example of how bringing together ML with automation is fundamentally creating a new level of skills, particularly at a time when we have a global talent shortage for certain skills. This technology helps fill the skills gap that many companies are suffering right now.

Gardner: Christian, what’s your take? How will ML and the analytics capabilities we have, along with automation, help us attain a new, better place when it comes to work, work processes, and the redefinition of work?

Reilly: The skills gap is kind of a paradox. We talk about the skills gap and how we’re going to address that with technology, whether it’s software, robots, or an automated workforce. And yet, the other side of the coin to be concerned with is how much of this technology comes in and replaces physical workers. 

To go back to Tim’s Henry Ford example of many years ago, there was an argument then about automation in the automotive manufacturing industry replacing the physical work force. And that’s something we’ve discussed and politicized for many years.

Democratized tech increases jobs

The real question to me is, how many more jobs does technology create? That’s the bit that we don’t talk about, and I don’t think we have a good opinion on. From a pure technology perspective, the most fascinating element comes as a category of democratization.

And, if you go back far enough, there are many examples. When Microsoft Office first found its way into organizations it democratized word processing and letter creation to the detriment of the classic typing pool.

If you follow that path of democratization, what we’re seeing now through the evolution is citizen developers using low-code and no-code platforms. It’s the exact thing that Tim was talking about in terms of bringing the technology to augment the workforce. We’re very rapidly seeing that in the worlds of low-code, no-code, of citizen development, and also of ML in general. It’s a democratization trend, of literally being able to take off-the-shelf components, products, and services and apply them in a new business context.

The key is better enabling the line of business people who deeply understand what the data needs to do for them. They understand the business process inside out, they understand the workflows inside out, and they’re far better placed to deal with that than traditional IT and developers.

So, the speed at which technologies are becoming democratized is essential. For a few cents an hour, you can have ML services running in a public cloud. And then those very same ML services can find their way into client-side applications.

It becomes obvious very quickly what the impact will be, just as we’ve seen with changing work demographics, where the younger generation comes in as business analysts but is able to write algorithms in Python. We’re going to continue to see that. And we’ll see much smarter applications being put to work for those workers, too.

The challenge is it potentially creates more data silos because we’re writing point solutions, like cloud and applications sprawl. We’re likely to see more of that as organizations empower individuals to be productive by bringing in their own technology to work and using off-the-shelf components to enhance personal applications.

A few years ago, we began talking about bring your own device, and bring your own identity. I don’t think it’ll be very long before we talk about bring your own applications and that will be largely due to the democratization of technologies and the power of these new generations of applications and insights.

Gardner: Christian, is it too soon to be thinking about a third-party reality that can enhance work? We’re hearing about the metaverse, virtual reality (VR), augmented reality (AR), and mixed reality (MR). Where do you see the opportunity for using these concepts to solve some of the reinventing of work challenges?

From Ford to VR, we still work together

Reilly: I’ll use Tim’s phrase again about necessity being the mother of innovation, and, in some cases, the mother of invention. Over the past few years, we’ve seen steady technological growth in VR, AR, and MR. And, yet we’ve never really seen a killer application.

There are plenty of examples of customers and companies using those technologies to solve certain things. But we’ve never seen mass adoption. As humans, we’re fascinated by futuristic things such as The Jetsons, time travel, and teleportation. We’ve seen it in science fiction movies forever.

But if you start to think about things that are part of the metaverse, whether it’s digital twins or photorealistic immersive worlds, it’s pretty easy to let your imagination go and understand how some of what we’ve found difficult to replace during the pandemic, which is human interaction, can be done.

How do I feel in just two dimensions looking through a laptop screen with a number of other people on a video call? I think there’s a lot more to it than that. If we could figure out how to transcend the physical boundaries using a virtual world -- and I’m not talking Second Life here -- I’m talking about much more.

It’s where the office is not a building per se. It’s much more of a virtual construct that has all the things that I need to get work done, whether that’s signing contracts using distributed ledger or collaborating in more of a physical way with a representation of myself in the metaverse.

We may look at that as science fiction, and yet, if you look in the consumer world to where the younger generation is, there are plenty of examples of children using technologies such as Minecraft and Roblox that are their own virtual worlds where they learn to collaborate, learn to play by the rules of that particular game, and they learn how to immerse themselves in that to collaborate and to do tasks.

I don’t think this is a million miles from the reality of where we may end up in terms of the hybrid work that Tim talked about. We’re trying very hard to replace physical interactions that aren’t always possible on different sides of the world. I think there’s a huge opportunity for us to think about the metaverse as much more of a business-enabler underpinned by lots of different technologies. Maybe we can bring more personal interactions with it as we establish this new now going forward.

Gardner: Tim, how does the current generation of digital workspaces and the progeny of those workspaces start in 2022 to get to the vision of metaverse as business-enabler that Christian just painted?

Minahan: It goes without saying that the only constant we’re going to have in this world of hybrid work is the digital workspace within which we access the work resources, our content, and the insights we need to make decisions. And it’s how we engage and collaborate with our peers, both within our company and outside of it.

We’ve been talking about digital workspaces for quite some time, along with the need to ensure we reliably and securely deliver the work resources that employees need to get their best work done wherever that needs to happen.

The pandemic, if there’s one small silver lining to it, has rapidly accelerated digital transformation and opened people’s eyes to new ways of working. As we look at the digital workspace technologies that underpin them, you’re going to see not just ensuring reliable high-performance access and secure access to the work resources you need, but a lot of these new kinds of AI and automation agents are being incorporated within the workspace, which will ensure that everyone can indeed perform at their best and not just be distracted by the technologies but can harness them to drive greater creativity and innovation.

I’ll just close off where we started. The crisis-driven adaptation has not just transformed organizations, but it’s altered the mindset of both the employer and the employee. I’m particularly positive and optimistic about what the future holds over the coming year -- and the next few years ahead.

We’re reaching a new plateau as these items are all converging at once. The technology is there and available, and the taboos that have hindered our ability to adopt that technology have been torn away. There is a new mindset both in the mind of employees and employers that is going to set us on a course to engage through new digital means and to work in new and more hybrid ways.

Gardner: Tim, Citrix has done an awful lot of research and is helping organizations better understand this progression. Where can people go to learn more? How is Citrix making some of that information available?

Minahan: You can always go to We also have a thought leadership platform called Fieldwork in which we not only promote and make available all the research studies and benchmarks that I mentioned, but also use it as an open platform for dialogue among leaders in businesses as well as the IT organizations.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Citrix.
