Electrolux

Kaveh Djavaherian, Director Global Cloud Office (CCoE)

Driving Cloud Innovation with Governance, Automation and Security

My main focus is to guide and enable my team to achieve greatness. It sounds like a cliche, but in order to strategize, plan and execute activities in a hugely complex and global organization, having the right people around you and creating an environment where talents grow and thrive is the key responsibility of any manager. I also need to continue to upskill so I am able to comment on, prioritize and communicate all activities we are involved in. This latter part is extremely important since the complex and ever-changing IT landscape requires insight into my own organization but also understanding and learning from others, internal and external. One other key area is the stakeholders of my deliveries, across the organization, from senior VPs to developers who have various needs and questions, which requires strategy as well as my ability to talk tech.

Cloud Governance and the Untapped Power of Automation

As one knows, there is no end to “governance” and one could establish processes and governance bodies to control everything, which probably would result in “death by bureaucracy”. So, the main recommendation is to first start to see where your organization is. Do you have the basic policies to manage the cloud platform? Who are your main stakeholders who could support your platform development? What are the main pain points your platform consumers are facing? What controls do you have in place to prevent, detect and react to anomalies? If you start by answering these questions and start outlining your own maturity journey, then beautiful things will happen. And remember that internal audit, the security organization, compliance, etc. are fantastic allies in driving the changes which are needed. So don’t be shy when it comes to transparency about issues you see in your CCoE, and ask these bodies for support.

Each organization is of course different, hence what brings the most value could be something that is completely natural in other companies. What I have seen in the past 10 years could fall into two categories: security/compliance automation and governance/reporting. If security controls are set, then deploying applications within the defined confinement could be automated (say FW port openings) and that would greatly enhance developer experience. The other one is letting cloud resource owners know how the health of their environment is through automatic reports. FinOps and out-of-box advice/recommendations for optimizations are huge insights that should automatically be forwarded/assigned to resource owners within the ITSM tool available in the organization. Throw in AI (say CoPilot) and you have a great tool to assess the recommendations, but also implement them quickly. One technical area is automated deployment (IaC, CI/CD...), which of course has huge benefits for the developers, but I would not call that area “overlooked”.

Embedding Security While Driving IT Modernization in Complex Organizations

Although there are some formal frameworks that could be used for this (NIST SSDF as an example), the main principle is to embed security as close to the code creation as possible. This could be a combination of process controls that won’t allow certain things to happen (like deploying unscanned code or checks in your CI/CD pipelines), upskilling of developers, cloud security policies (i.e., preventing public IP addresses from being assigned to a cloud resource without proper approval), to CSPM/CNAPP solutioning etc. From a tooling perspective, agreeing on a golden path for developers with “some” tools that have various security functionalities integrated would be my first step anytime. The concept of having multiple development tools doing the same thing and letting the developers manage them is unfortunately a utopia which will lead to major integration, governance and nonetheless huge commercial issues. Limit the tools to a few, automate and integrate them in various processes (license, on-boarding), introduce security steps, introduce them across the organization and stick to it. If you get that, then the developers will initially complain, but realizing the benefit in speed and being able to focus on coding rather than setup.exe would greatly enhance their experience.

Modernizing could mean so many things in global organizations. In global organizations, a combination of 7Rs (or 4Rs) is used to decide what to do with the landscape. Whichever is chosen, at the end, the modernization path is not a technical challenge, but more a political one. Where to invest, how much to invest, which team to lead, which team to operate, etc. are mostly non-technical and the solution is different for different organizations, which could go all the way down to the EBITDA of your organization. But my main message is to not try to address everything at the same time, but assess, prioritize, implement and repeat. Stick to the long haul, celebrate the wins, lose some battles but aim to win the marathon. Try to have fun, create an environment that allows for creativity and share your insights across the organization. For leaders, one important piece of advice: don’t be the one talking tech based on ChatGPT answers. Get your relevant cloud certifications even if you are a CEO.

The articles from these contributors are based on their personal expertise and viewpoints, and do not necessarily reflect the opinions of their employers or affiliated organizations.