Robert Cruz, VP of Smarsh, Talking Cloud Security During the Pandemic
Robert Cruz is the Vice President, Information Governance for Smarsh - a cloud services provider, and a leader in the field who serves some of the largest banks in the US and Europe. R. Cruz has more than 20 years of experience in providing thought leadership on emerging topics, including cloud computing, information governance, and discovery cost and risk reduction.
We have reached out for a short interview to discuss the intricacies of cloud security, how the field got affected by the COVID-19 outbreak, and what’s in store for the future. He was kind enough to accept our invitation, so here we go.
You joined the company in 2015, and you’ve witnessed a period of big changes for the firm. Can you give us an overview of that ride and also an outline of your current role in the company?
RC: I am very fortunate to have had an unusually long run in Silicon Valley, and I feel that I have developed a good eye for spotting game-changing technologies as they begin to emerge. I joined Actiance in 2015 because I had previously worked with many companies who were either frustrated that their technology had become outdated, or who were frustrated because the vendor was focusing their innovative resources on other markets.
Actiance, and later with the merger with Smarsh, was bringing technology to the market that was forward-looking, designed for the newer communications formats that were beginning to become popular, and built with the same infrastructural concepts that were being leveraged by Amazon, Netflix, and Google. It was ahead of the market at that time.
Since that time, the mainstream adoption of Microsoft Teams, Slack, Zoom, and mobile applications has totally reshaped our market, and our firm has matured and done very well in staying in front of constantly evolving dynamics around communications and collaborative technologies. We’ve always been ranked highly by industry analysts for our vision, but in the last couple of years, we’ve also significantly raised our game in the ability to execute, which is very rewarding.
In my role as VP of Information Governance, I leverage my domain background in regulatory compliance and discovery to help our customers stay prepared for the changes in how they get work done while staying focused on the identification and mitigation of information risks. That gives me a cross-functional vantage point across marketing, product, and sales that I share via our blog, webinars, and to directly engaging with our customer practitioners.
What’s the most challenging aspect of having to lead a multi-national team of experts based in different offices and countries?
RC: I actually feel quite comfortable with the multi-country leadership role, as I’ve managed remote, international teams earlier in my career. In our market space, the biggest challenge is probably maintaining the appropriate balance across the different regulatory, privacy, and governmental drivers in each market we serve. We deal with many multi-national firms and staying on top of the latest from GDPR, to the striking down of the Privacy Shield, to the latest data privacy mandate in a South American market, can be quite a challenge for a small team.
What was the impact of COVID-19 in your operations, and how do you handle the risks that arose from the situation?
RC: Like every organization, we have some staff that is accustomed to remote work and those whose careers have been primarily in an office, so that transition has impacted individuals differently. However, in total, we seem to have a smaller percentage of employees whose job requires an office presence, so we’ve carried on with minimal disruption.
In terms of the move toward the total dependence on virtual meetings and collaborative tools, our company has done well in providing the appropriate guard rails, training, and communication policies that kept things like the use of unauthorized apps or misuse of the intellectual property well controlled. This is the nature of our business, so we should do well here.
In terms of customer impact, demand for collaboration, conferencing and other technologies has surged, and we’ve been quite active in sharing common challenges and best practices we are gathering from our customers and sharing that in our blog, on webinars, and directly with the regulators.
The cloud computing and information archiving sectors have been witnessing an explosive growth over the last few years. How did COVID-19 affect this trend, and what are your predictions for the upcoming period?
RC: The best way to describe the impact on cloud adoption is that it has accelerated us along a path that we were already on. The reason is simple: every system that stores communications data is seeing a massive spike in volume. That, along with the fact that Microsoft Teams video grew 1,000% in a month, Zoom went from 10M to 200M daily active users, and Slack grew 40% in a couple of months, all illustrate that data is now much more heterogeneous.
Organizations that were attempting to manage this with on-premises systems are finding it exponentially more complex to try to maintain sufficient processing power and storage capacity. Additionally, the significant adoption of public cloud infrastructures such as AWS and Microsoft Azure is now the second wave of cloud adoption that offers productivity and cost advantages over first-generation vendor-operated hosted cloud solutions. The impact on the information archiving market has been profound.
Essentially, there is minimal value in replacing a system that stores historical email within a newer one that does the same thing. The market is now being driven by the ability to manage all these heterogeneous content sources, such as Teams and Zoom, that we are now using every day, but leveraging public cloud infrastructure that can help that data be easily integrated with other enterprise applications that can drive top-line growth.
Security is a crucial concern for entities that want to reap the benefits of cloud services. How does Smarsh approach this key aspect?
RC: Security will always be the top concern of firms not just pertaining to the cloud but in the adoption of any new technology that they intend to support. In outlining our approach, it's first important to note that not all cloud services are equal. Some are better designed than others to provide the protections that are suitable for firms who are highly regulated and face frequent litigation – like ours is.
The approach is probably best described by borrowing the GDPR phrase “data protection by design and default.” That includes providing a fully role-based system with access controls to ensure that only authorized compliance or legal users have access to the system is a start. Complementing that are sophisticated controls across the data, application, and network layers that are audited and carry the appropriate third-party attestations.
Finally, underneath it all, we leverage AWS and Microsoft Azure, whose investments in security infrastructure dwarf what any individual archiving vendor could provide by running in their own data center.
You have recently acquired Entreda, a cyber-security firm. Can you give us some insight into how Smarsh is planning to incorporate Entreda into the portfolio, and what’s the timeline for this?
RC: We already see demand for the Entreda portfolio as it provides another component to our information risk management portfolio. We can envision our small and medium-sized clients leveraging this technology now, particularly in firms where there is a tight coupling of the CISO and compliance functions, such as in some broker-dealer and investment advisory clients, where we can now provide a fuller “one-stop-shop” portfolio.
Last year, the European Central Bank’s General Director Korbinian Ibel stated that for financial institutes that trust external storage solutions like cloud services, it’s only a matter of time to get hacked. As a cloud service provider that has top banks from around the globe in its clientele, how do you perceive this statement? Is it ill-advised, bloated, or half-true?
RC: It goes back to the statement that not all cloud services are created equal. It is true that cybersecurity incidents such as ransomware, credential stealing, and advanced threats are on the rise because those with the intent on wrongdoing will always go where the action is. But it is also true that top security concerns for CIOs are internal threats, where internal actors may have an easier path toward an internally managed system than one that stores data in the cloud.
Ultimately, in the due diligence and selection of a cloud data storage provider, firms should invest in the cloud infrastructure providers that are making the biggest investments in cloud data security innovations to mitigate the risks of a breach. AWS and Microsoft Azure are leaders in the market in these innovations.
In what direction is Smarsh going to push towards in the next years? We have the rise of IoT, machine learning, modular software solutions, cloud-based custom CRMs, deep data lake analytics, etc. Where is Smarsh looking to go next?
RC: There are a couple of dimensions to note. First of all, we continue to enhance the value of the platform. This means continuing to make it easier for firms to consume additional content sources, whether that is data from a legacy system or a new collaborative network. We are innovating hereby:
- Making it easier to consume these sources
- Embracing advancements that make it easier to scale the processing of large data sets
- Continuing to build the API set to effectively deliver this data to other enterprise applications.
The second area is embracing machine learning and other mechanisms to enhance platform intelligence so that firms can more easily spot hidden risks, discover data patterns to help with investigations and surface customer insights that can be leveraged by KYC initiatives.
If you were to give a single piece of advice on cloud service selection to our readers, what would that be?
RC: Make sure that you select the cloud service provider who understands and provides capabilities that align with your specific use case.