Bottom Line: Healthcare providers need to adopt more persistent, resilient endpoint cybersecurity to thwart cybercriminals who are escalating their efforts to steal healthcare records. Motivated by up to $1,000 being offered on the Dark Web for healthcare records, cybercriminals are prioritizing healthcare breaches for financial gain.
Endpoint Resilience Is the Cornerstone of Apria Healthcare’s Cybersecurity Strategy
Healthcare providers are a favorite target for cybercriminals, and their popularity is growing. In the first eight weeks of 2020, the U.S. Department of Health and Human Services received 66 reports of breaches affecting 500 patient records or more at healthcare providers and health plans. The Health & Human Services Breach Portal, which contains a list of all cases under investigation today, reflects the severity of healthcare providers’ cybersecurity crisis and the urgent need for a strong, resilient system to protect patient information. Apria Healthcare is well aware of these threats and has taken an innovative, insightful approach to thwart them.
Apria Healthcare’s cybersecurity strategy focuses heavily on deterrence at the endpoint and device level, an approach that has proven effective in mitigating breaches globally. The company is a recognized leader in healthcare, serving nearly 2M patients annually across 300 locations in 49 states. They have more than 8,000 laptops, desktops, and tablets, many of which regularly leave the organization. Apria needed a way to deliver zero-touch IT asset management, provide self-healing endpoint security, and employ always-on data visibility and protection whether an asset was on or off their corporate network. They turned to Absolute and the company’s patented Persistence technology.
“Persistence [located] in the BIOS is the number one item that I think really sets Absolute apart from other companies touting that they can do asset tracking better,” said Janet Hunt, Senior Director, IT User Support at Apria Healthcare.“The other vendors really can’t, they don’t have that piece – that persistent piece is so important to me. I always am looking for opportunities to use different technologies as they come up, and I haven’t found anything that’s as good as Absolute. Nothing can compare.”
Absolute’s Persistence technology, the foundation of the company’s Resilience solution, enables a self-healing, unbreakable two-way connection to endpoints, applications, and data. It provides an adaptive layer of defense by notifying IT of where devices are and when security applications are removed or corrupt, and triggering automatic reinstallation. Because Absolute is already embedded in the BIOS of Dell, HP, Lenovo, and 22 other leading manufacturers’ devices, it provides Apria with the single source of truth needed to protect personal data and help achieve HIPAA compliance.
Turning HIPAA Compliance into A Competitive Advantage
Apria quickly established a leadership position in the healthcare industry by setting and maintaining stringent requirements needed to achieve HIPAA compliance across its patient data platform. Leveraging Absolute’s Resilience solution and Persistence technology, Apria differentiated itself from its competitors and reduced the risk they would ever see fines for HIPAA non-compliance. And with HIPAA fines ranging from $25,000 to $15.M per year, Apria’s prescient decision to turn compliance into a competitive advantage was an excellent one because it put patients’ welfare and data security first, above all other IT priorities.
Achieving Greater Device Control & Visibility Is Key
Absolute’s dashboard provides Apria with both a snapshot of the status of all devices, updated every 15 minutes, as well as a complete device history that enables security managers to see and report on encryption, geolocation, and usage.
“Our geo-fencing is extremely tight. I have PCs that live in the Philippines. I have PCs that live in India. I have one, or actually two, PCs that live in Indonesia. If somebody goes from where they say that they’re going to be to another part of Indonesia, that device will freeze because that’s not where it’s supposed to be, and that’s an automatic thing. Don’t ask forgiveness, don’t ask questions, freeze the device, and see what happens. It’s one of the best things we’ve done for ourselves,” Janet Hunt recently said during a recent during a recent panel discussion. Geofencing is a must-have in any persistent endpoint security strategy.
“[With Absolute] I have a complete history of each device, which makes it really easy for me to say not only whether it is encrypted now, but also what its status was a week ago, or two weeks ago, or two months ago,” said Dave Ochoa, Manager, Information Security Operations at Apria Healthcare. “So, you get this lovely little package that you can hand off to your auditor and say, ‘Not an issue.’ You know that this is not an incident, this is not a breach.”
Endpoint Security’s Network Effect Is Accelerating
Apria Healthcare’s decision to protect its 8,000 laptops, desktops, and tablets using Absolute’s Resilience endpoint solution is a leading indicator of the Network Effect happening with endpoint security today. A sure sign the Network Effect is taking place is how demand is growing for more endpoint security agents and applications. Absolute is seeing this Network Effect globally and has been steadily adding integrations with more than 30 endpoint security agents and applications – most recently adding support for the market-leading security solution VMware® Carbon Black.
“The average enterprise today has already spent thousands, if not millions, of dollars on security controls and applications, and that total security investment only continues to rise in the face of escalating risk,” said Christy Wyatt, CEO of Absolute. “However, the vast number of controls and agents being invested in and subsequently piled onto the endpoint can introduce a false sense of security; those controls are only effective if they are present and actually running. A foundation of Resilience enables IT and security teams to understand the current state of their assets, understand if the security controls have been compromised, and heal those that have been taken offline.”
Conclusion
In the face of increasingly sophisticated attackers and vectors, organizations continue to layer on security controls. Gartner estimates that more than $174B will be spent on security by 2022, and of that, approximately $50B will be dedicated to protecting the endpoint. Absolute’s 2019 Endpoint Security Trends Report revealed that organizations have an average of 10 distinct agents layered onto endpoint devices, all competing with one another for device services and resources. The resulting complexity not only negatively impacts endpoint performance but creates an environment ripe for collision and decay. This, along with humans tampering with or removing security controls, means that even the most well-functioning endpoint agents have a high probability of failure.
All of this has IT and security administrators grappling with increasing complexity and risk levels, while also facing mounting pressure to ensure endpoint controls maintain integrity, availability, and functionality at all times, and deliver their intended value. And so, organizations need complete visibility and real-time insights to pinpoint the dark endpoints, identify what’s broken and where gaps exist, as well as respond and take action quickly.
Absolute’s Resilience offering empowers organizations to build an enterprise security approach that is intelligent, adaptive, and self-healing. Rather than perpetuating a false sense of security, Absolute provides a single source of truth and the diamond image of resilience for endpoints as Apria Healthcare’s cybersecurity strategy and results indicate.
The human tragedy the COVID-19 pandemic has inflicted on the world is incalculable and continues to grow. Every human life is priceless and deserves the care needed to sustain it. COVID-19 is also impacting entire industries, causing them to randomly gyrate in unpredictable ways, directly impacting IT and tech spending.
COVID-19’s Impact On Industries
Computer Economics in collaboration with their parent company Avasant published their Coronavirus Impact Index by Industry that looks at how COVID-19 is affecting 11 major industry sectors in four dimensions: personnel, operations, supply chain, and revenue. Please see the Coronavirus Impact Index by Industry by Tom Dunlap, Dave Wagner, and Frank Scavo of Computer Economics for additional information and analysis. The resulting index is an overall rating of the impact of the pandemic on each industry and is shown below:
Computer Economics and Avasant predict major disruption to High Tech & Telecommunications based on the industry’s heavy reliance on Chinese supply chains, which were severely impacted by COVID-19. Based on conversations with U.S.-based high tech manufacturers, I’ve learned that a few are struggling to make deliveries to leading department stores and discount chains due to parts shortages and allocations from their Chinese suppliers. North American electronics suppliers aren’t an option due to their prices being higher than their Chinese competitors. Leading department stores and discount chains openly encourage high tech device manufacturers to compete with each other on supplier availability and delivery date performance.
In contrast to the parts shortage and unpredictability of supply chains dragging down the industry, software is a growth catalyst. The study notes that Zoom, Slack, GoToMyPC, Zoho Remotely, Microsoft Office365, Atlassian, and others are already seeing increased demand as companies increase their remote-working capabilities.
Key insights from Forrester’s latest IT spending forecast and predictions are shown below:
Forrester is revising its tech forecast downward, predicting the US and global tech market growth slowing to around 2% in 2020. Mr. Bartels mentions that this assumes the US and other major economies have declined in the first half of 2020 but manage to recover in the second half.
If a full-fledged recession hits, there is a 50% probability that US and global tech markets will decline by 2% or more in 2020.
In either a second-half 2020 recovery or recession, Forrester predicts computer and communications equipment spending will be weakest, with potential declines of 5% to 10%.
Tech consulting and systems integration services spending will be flat in a temporary slowdown and could be down by up to 5% if firms cut back on new tech projects.
Software spending growth will slow to the 2% to 4% range in the best case and will post no growth in the worst case of a recession.
The only positive signs from the latest Forrester IT spending forecast is the continued growth in demand for cloud infrastructure services and potential increases in spending on specialized software. Forrester also predicts communications equipment, and telecom services for remote work and education as organizations encourage workers to work from home and schools move to online courses.
Conclusion
Every industry is economically hurting already from the COVID-19 pandemic. Now is the time for enterprise software providers to go the extra mile for their customers across all industries and help them recover and grow again. Strengthening customers in their time of need by freely providing remote collaboration tools, secure endpoint solutions, cloud-based storage, and CRM systems is an investment in the community that every software company needs to make it through this pandemic too.
Bottom Line: Phishing is the leading cause of all breaches, succeeding because impersonation, redirection, and social engineering methods are always improving. And, phishing is only one way emails are used in fraud. Businesses need to understand if an email address can be trusted before moving forward with a transaction.
Microsoft thwarts billions of phishing attempts a year on Office365 alone by relying on heuristics, detonation, and machine learning, strengthened by Microsoft Threat Protection Services. In 2018 Microsoft blocked 5 billion phish emails in Office 365 and detonated 11 billion unique items by ATP sandboxing. Microsoft is succeeding with its cybersecurity partners in defeating phishing attacks. Phishers are going to extraordinary lengths to discover new techniques to evade detection and successfully carry out phishing attempts. By analyzing Office 365 ATP signals, Microsoft sees phishers attempt to abuse many legitimate cloud services, including Amazon, Google, Microsoft Office365, Microsoft Azure, and others. Microsoft is creating processes that identify and destroy phishing attempts without impacting legitimate applications’ performance.
Phishers’ Favorite Trojan Horse Is Office365 Followed By Cybersecurity Companies
Phishers are hiding malicious links, scripts and, in some cases, mutated software code behind legitimate Microsoft files and code to evade detection. Using legitimate code and links as a Trojan Horse to successfully launch a phishing campaign became very popular in 2019 and continues today. Cybercriminals and state-sponsored hackers have been mutating legitimate code and applications for years attempting to exfiltrate priceless data from enterprises and governments globally. Office365 is the phisher’s Trojan Horse of choice, closely followed dozens of cybersecurity companies that have seen hackers attempt to impersonate their products. Cybersecurity companies targeted include Citrix, Comodo, Imperva, Kaspersky, LastPass, Microsoft, BitDefender, CyberRoam, and others.
Using Trojan Horses To Hijack Search Results
In 2019 Microsoft discovered a sophisticated phishing attack that combined impersonation, redirection, and social engineering methods. The phishing attack relied on using links to Google search results as a Trojan Horse to deliver URLs that were poisoned so that they pointed to an attacker-controlled page, which eventually redirected to the phishing page. Microsoft discovered that a traffic generator ensured that the redirector page was the top result for specific keywords. The following graphic explains how the phishing attack was used to poison search results:
Using this workflow, phishers attempted to send phishing emails that relied on legitimate URLs as their Trojan Horses from legitimate domains to take advantage of the recipient’s trust. Knowing which e-mails to trust or not is becoming foundational to stopping fraud and phishing attacks.
How Kount Is Battling Sophisticated Attacks
Meanwhile, email addresses can be a valuable source of information for businesses looking to prevent digital fraud. Misplaced trust can lead to chargebacks, manual reviews, and other undesirable outcomes. But, Kount’s Real-Time Identity Trust Network calculates Identity Trust Levels in milliseconds, reducing friction, blocking fraud, and delivering improved user experiences. Kount discovered that e-mail age is one of the most reliable identity trust signals there are for identifying and stopping automated fraudulent activity.
Based on their research and product development, Kount announced Email First Seen capabilities as part of its AI-powered Identity Trust Global Network. Email First Seen applies throughout the customer journey, from payments to account login to account creation. The Identity Trust Global Network consists of fraud and trust signals from over half a billion email addresses. It also spans 32 billion annual interactions and 17.5 billion devices across 75 business sectors and 50-plus payment providers and card networks. The network is linked by Kount’s next-generation artificial intelligence (AI) and works to establish real-time trust for each identity behind a payment transaction, log in or account creation
Email Age Is Proving To Be A Reliable Indicator Of Trust
A favorite tactic of cybercriminals is to create as many new e-mail aliases as they need to deceive online businesses and defraud them of merchandise and payments. Kount is finding that when businesses can identify the age of an e-mail address, they can more accurately determine identity trust. Kount’s expertise is in fraud prevention effectiveness, relying on a combination of fraud and risk signals to generate a complete picture of authentication details. The following graphic illustrates what a Kount customer using Email First Seen will see in every e-mail they receive.
Kount’s Identity Trust Global Network relies on AI-based algorithms that can analyze all available identifiers or data points to establish real-time links between identity elements, and return identity trust decisions in real-time. Kount’s unique approach to using AI to improve customer experiences by reducing friction while blocking fraud reflects the future of fraud detection. In addition, Kount’s AI can discern if additional authentication is needed to verify the identity behind the transaction and relies on half a billion email addresses that are integral to AI-based analysis and risk scoring algorithms. Kount is making Email First Seen available to all existing customers for no charge. It’s been designed to be native on the Kount platform, allowing the information to be accessible in real-time to inform fraud and trust decisions.
Conclusion
In 2020 phishing attempts will increasingly rely on legitimate code, links, and executables as Trojan Horses to evade detection and launch phishing attacks at specific targets. Microsoft’s research and continued monitoring of phishing attempts uncovered architecturally sophisticated approaches to misdirecting victims through impersonation and social engineering.
Known in shorthand as the ‘ESN’, this emerging class of communication and mass engagement platform was inspired by the runaway growth and success of the global social media revolution. The ESN focused on creating a living, breathing organization-wide digital fabric of open connections, conversations, knowledge sharing, and meaningful collaboration that was as egalitarian as it was eminently useful.
Optimism was rife back then and progress seemed tantalizingly close in resolving the many issues with the aging model of corporate organizational hierarchies. There’s no doubt about it: The vision for the enterprise social network was as utopian as it was grand. I know, because I can count myself as one of the leading proponents of people-connected technologies back in that age. I even wrote a popular book on the subject, when the management and design theory behind it was known as social business.
But the ESN revolution was also grounded in using technology to go well beyond the limiting constraints of the real world when it comes to distance, time, experience, or access to leaders or subject matter experts. The ESN flourished in many organizations, and they still do, though I notice a distinctly more subdued tone today when I talk to ESN owners, practitioners, and the specialized staff that help them run well, community managers.
Back in those days, we eventually accumulated enough to experience to know what worked and what didn’t: It was easy to roll out the tools and hard to shift the culture and skills, but as an industry, we largely learned how to make them successful. For those that wanted it, a virtual organization of vibrant digital connections formed a network across the company that became a central conduit for learning, knowledge capture/management, operations at scale, vital peer-based support, and so much more.
However, the ESN was different enough that it required strong stakeholders and passionate evangelists who would rarely leave its side or tire. Since the heady early days, I’ve noticed that ESNs tend to come and go if their sponsors and/or champions move on. That’s not to say there haven’t been and don’t continue to be many success stories. There are.
The Need for Resilient Digital Communities Has Come Roaring Back
Enter the coronavirus. The dasher of hope and changer of worlds in so many ways. There have been few times in history where the workplace has been so thoroughly disrupted as it has been today by COVID-19. The workforces of virtually every organization globally is either on a mandatory work at home policy or soon will be. My analysis of what to do in the early days of being suddenly remote is easily one of the most popular things I’ve written in recent years.
To say most organizations are not ready to become “suddenly remote”, as the phrase of art has become, is an understatement. In short, organizations around the world have essentially been physically disbanded until further notice. This is an incalculable shift. Our Internet connections are now our main lifeline by far to our work lives, to our colleagues, and to our careers. It’s as isolating for many, as it is freeing for others.
As it turns out, remote work is also a profoundly different way of functioning in our jobs that is inherently less social (unless we substantially augment it to be otherwise), more siloed, and disconnected than most of us are prepared for. Especially when we have to work remotely all the time, for days, weeks, or months on end, which is the reality at this time.
The Return of the Enterprise Social Network
In the current period of prolonged dislocation from our old work lives, wouldn’t it be incredibly useful if we already had a robust digital support structure in place? One that we’ve long since carefully crafted and built up from the connections of people that we’ve met either physically or virtually. While we actually have that in the form of our consumer social networks (or at least many of us do), it’s almost completely out of context for our workplace needs.
It’s a shortcoming of our own making. Our attempts to train workers to be digitally savvy has had long and sustained gaps because we’ve been able to lean on our legacy physical skills and environments. In the past, I’ve attempted to describe the necessary digital skills to help workers adapt to this new work more gradually. They are all predicated on building modern social capital, meaning have a broad, diverse, and strong network of connections to people in today’s modern operating environment: The global digital networks that infuse everything today.
Yet in the context of our work at least, most of us are now completely lacking this social capital, these connections, or a virtual community around us, just when we need it most.
Instead, for those organizations that didn’t make the determined and sustained efforts to do the hard work of creating an enterprise social network (or equivalent), the workers who have been tossed overnight into entirely remote working situations are finding it hard going. Their familiar communal work environment is gone. Their outdated tools don’t keep them plugged into the pulse of the organization.
In fact, most workers badly need the resilient and vibrant connective tissue of an ESN, with all its rich user profiles, relationships between far flung connections, countless groups of local experts, reams of searchable open knowledge, and the deep insight that all these can provide to step in for the shockingly rapid loss of our physical world of work.
ESN/Community Practitioners and Executive Leaders: It’s Time to Seize the Day
To practitioners, I’ve started making it clear that this is a (hopefully) once-in-a-lifetime and historic opportunity to make your enterprise social network save the day when it comes to grounding and delivering a healthy remote organization. An effective ESN can connecting the organization back to itself far better than older tools by focusing on returning and then improving both the cultural “dial tone” and daily bustle of the organization. The practical benefits are significant: Actual outcome-based business impact by improving operations, productivity, and employee engagement. So this is your time to shine, whether you now need to develop an ESN and the communities within it, or supercharge the one that you have.
For business leaders, now is the time to put your organization on a modern digital platform that is far more resilient to disruption and that will both modernize it and make it much more effective. I encourage you to look at the baseline results you’re likely to get, which was published in the MIT Sloan Management Review. Worst case is that you’ll achieve about a 25% productivity increase for your investment, which is fairly modest compared to CRM or ERP systems. You will however be required to invest in more staff than is typical for a traditional IT solution (the why and how many is here, but it’s not large compared to major productivity losses for remote workers without a strong supporting network.) Don’t wait. Support the ESN and online community champions trying to help you.
For both, this is the time to learn that advanced preparedness for going all digital is critical. We live in exponential times of change, and this also seems to mean large and more frequent disruptions. Those with the healthiest, best connected, and engaged digital networks of workers will experience the least disarray and breakdown when major events like coronavirus take place. Let’s learn from not making the most of these powerful tools the first time around. It’s now time to fully commit to building the best possible connected organization for next time around.
Final Note: Before you ask me about why ESNs and not team chat apps like Slack or Microsoft Teams, it’s because the ESN scales conversations and engagement up to the size of the enterprise. Almost all orgs are already using Slack and Teams, and it gives them a much narrower and far more limited view of what’s happening. In an ESN, all contributions are visible by default across the whole organization, content types are more sophisticated, and as you can see below in additional reading, they can be used for advance change processes like enterprise-wide digital transformation. ESNs are strategic. Team chat is useful, but tactical.
Bottom Line: Biometrics are proving to be better than passwords because they’re easier to use, provide greater privacy and security, and are gaining standardization across a broad base of mobile, desktop, and server devices that users rely on to access online services.
In keeping with the theme of this year’s RSA Conference of Human Element, vendors offering passwordless authentication were out in force. Centrify, Entrust Datacard, HID Global, Idaptive, ImageWare, MobileIron, Thales, and many others promoted their unique approaches to passwordless authentication, leveraging the FIDO2 standard. FIDO2 is the latest set of specifications from the FIDO Alliance, an industry standards organization that provides interoperability testing and certification for servers, clients, and authenticators that meet FIDO2 specifications.
The Alliance has introduced a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, WebAuthn, and CTAP). The following graphic explains how the FIDO2 architecture authenticates every account requesting access to resources on a secured system:
The security industry has been trying to kill the password for decades. It has long been viewed as a weakness, primarily because of the human element: people continue to use weak passwords, on multiple accounts, at work, and in their personal lives. 81% of data breaches involve weak, stolen, default, or otherwise compromised credentials, according to a Verizon Data Breach Investigations Report.
Usernames and passwords (“something you know”) was the best factor of authentication available for decades yet didn’t provide enough of a barrier to hackers. Then came two-factor authentication, which added “something you have” as a second factor, such as a smartphone, key card, token, or other tangible item associated with the user.
Today everyone lives in a multi-factor authentication (MFA) world where cybersecurity technologists have added another factor: “something you are.” This is where biometrics come in, and facial recognition, fingerprint scanning, retinal scanning, and other forms of bio-identification have become normal thanks to technologies like Apple’s Touch ID and Face ID. Many people have already been using these technologies for years on their iPhones.
The reality is that these additional factors based on “something you have” or “something you are” are both much stronger than “something you know,” such as a password or PIN. Not only can the latter be easily stolen, guessed, or phished for, but authentication based on biometrics is very hard to fake or duplicate.
In short, by using the two newer factors of authentication, everyone who uses an electronic device daily is moving closer to a passwordless reality. Cybersecurity technologists are going to continue making authentication easier and more secure to improve user experiences and reduce the threat of a breach.
Privileged Admin Passwords Need To Be The First To Go
Key lessons learned from visiting with the 30 or so vendors who claimed to support passwordless authentication include the following:
Centrify was the only vendor who prioritized enforcing FIDO2-based privileged administrator logins. It was also one of the few that specifically mentioned support for Apple’s Touch ID and Face ID, as well as Windows Hello, showing full support for the FIDO2 standard.
Windows Hello and Windows Hello for Business are table stakes in passwordless authentication, all vendors claim and can demo this capability.
Combining multiple forms of biometrics is proving problematic for the majority of vendors, as evidenced by the inconsistent demos on the show floor. No one could conclusively demo multiple types of biometrics for their solutions on the fly in a demo environment while at RSA. Of the many vendors claiming this capability, Centrify’s approach is the most unique in that privileged user identities are verified, satisfying a valuable pillar of its Identity-Centric PAM approach.
All vendors claiming FIDO2 compliance were able to demonstrate Apple’s Touch ID electronic fingerprint recognition, while Apple Face ID facial recognition product demos were hit or miss. If you are evaluating biometrics vendors who claim FIDO2 compliance be sure to stress-test facial recognition, as the demos on the show floor made it clear there’s work to do in this area.
Product management teams have been studying the NIST 800-53 high-assurance authentication controls standard and integrating it into their roadmaps. The 170 controls that comprise the NIST 800-53 standard are being adopted quickly across the vendors who claim passwordless authentication as a core strength in their product strategies. Using biometrics eliminates the risk of credential theft techniques and provides better alignment with the NIST 800-53 high-assurance authentication controls standard.
Vendors are at varying levels of maturity when it comes to being able to capitalize on the metadata biometrics provides, with a few claiming to have real-time analytics. Every vendor had a different response to how they manage the massive amount of metadata being generated by their biometrics, which all claim also to support analytics. After speaking with the vendors at RSA, analytics used to authenticate rather than just report activity is far more effective. I had a chance to talk to Dr. Torsten George, Cybersecurity Evangelist at Centrify, who said, “Centrify’s support for the FIDO2 standard is a direct result of our ongoing commitment to our customers and their requests for biometric authentication of privileged user identities. Combining our support for the FIDO2 standard with our existing multi-factor authentication and real-time analytics capabilities, we’re able to greatly reduce the risk of security breaches that might exploit weak, default, or stolen privileged credentials.”
Conclusion
RSA’s theme Human Element was prescient from the heavy emphasis on passwordless authentication at this year’s conference. FIDO2 is getting solid support across the cybersecurity vendors who chose to exhibit there, which is great for enterprises, organizations, and small businesses who need to defend themselves. Of the many vendors there, Centrify’s approach stood out based on its unique approach to authenticating privileged user identities for its Identity-Centric PAM platform.
FIDO2 ultimately makes security stronger and less disruptive because it can not only eliminate passwords but also make the user experience more seamless and less likely to be circumvented. Passwordless authentication ensures that login credentials are unique across every website, never stored on a server, and never leave the user’s device. This security model helps eliminate the risks of phishing, as well as all forms of password theft and replay attacks.
We’re closer than ever before to the elusive goal of a passwordless future.
Bottom Line: Passwordless authentication, endpoint security, cloud-native SIEM platforms, and new API-based data security technologies were the most interesting tech developments, while keynotes focusing on election security, industrial control systems’ vulnerabilities and the persistent threat of state-sponsored ransomware dominated panel discussion.
This year’s RSA Conference was held February 24th to 28th in San Francisco’s Moscone Center, attracting more than 36,000 attendees, 704 speakers, and 658 exhibitors unified by the theme of the Human Element in cybersecurity. The conference’s agenda is here, with many session recordings and presentation slides available for download. Before the conference, RSA published the RSAC 2020 Trend Report (PDF, 13 pp., no opt-in). RSA received 2,400 responses to their Call for Speakers and based their report on an analysis of all submissions. The ten trends in the RSAC 2020 Trend Report are based on an analysis of all papers submitted to the conference. It’s a quick read that provides a synopsis of the main themes of the excellent sessions presented at RSAC 2020.
The following are the five most interesting takeaways from the 2020 RSA Conference:
Endpoint security products dominated the show floor, with over 120 vendors promoting their unique solutions. There were over 50 presentations and panels on the many forms of endpoint security as well. Instead of competing for show attendees’ attention on the show floor, Absolute Software took the unique approach of completing a survey during RASC 2020. Absolute’s team was able to interview 100 respondents, with most holding the position of a manager/supervisor or C-level executive. More than three in four respondents reported their organizations are using endpoint security tools, multi-factor authentication, and employee training and education to protect data, devices, and users. You can review their survey results here.
The number of vendors claiming to have Zero Trust solutions grew 50% this year, from 60 in 2019 to 91 in 2020. There continues to be a lot of hype surrounding Zero Trust, with vendors having mixed results with their product and messaging strategies in this area. A good benchmark to use for evaluating vendors in the Zero Trust market is the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019, written by Chase Cunningham and published on October 29, 2019. I’ve summarized the lessons learned in the post, What’s New on the Zero Trust Security Landscape In 2019.
Over 30 vendors claimed to have passwordless authentication that met the current FIDO2 standard. In keeping with the theme of this year’s RSA Conference of Human Element, vendors offering passwordless authentication were out in force. Centrify, Entrust Datacard, HID Global, Idaptive, ImageWare, MobileIron, Thales, and many others promoted their unique approaches to passwordless authentication, leveraging the FIDO2 standard. FIDO2 is the latest set of specifications from the FIDO Alliance, an industry standards organization that provides interoperability testing and certification for servers, clients, and authenticators that meet FIDO2 specifications. I’ve written a separate post just on this topic, and you can find it here, Why Your Biometrics Are Your Best Password.
Cloud-based security information and event management (SIEM) systems capable of integrating with 3rd party public cloud platforms reflect the maturity nature of this market. Of the several vendors claiming to have cloud-based SIEM, Microsoft’s Azure Sentinel’s demo showed in real-time how fusion AI technology can parse large volumes of low fidelity signals into a few important incidents for SecOps teams to focus on. Microsoft said that in December 2019 alone, Azure Sentinel evaluated nearly 50 billion suspicious signals, isolating them down to just 25 high-confidence incidents for SecOps teams to investigate. The following graphic explains how Azure Sentinel Fusion works.
One of the most interesting startups at RSA was Nullafi, who specializes in a novel API-based data security technology that combines data aliasing, vaulting, encryption, and monitoring to create an advanced data protection platform that makes hacked data useless to hackers. What makes Nullafi noteworthy is how they’ve been able to build a data architecture that protects legacy and new infrastructures while making the original data impossible for a hacker to reverse engineer and gain access to. It desensitizes critical data so that it’s useless to hackers but still useful for an organization to keep operating, uninterrupted by a breach to your business. Nullafi is built to AWS GovCloud standards. The Nullafi SDK encrypts the data before sending it to the Nullafi API. It then re-encrypts the data within their zero-knowledge vault in the cloud (or on-premises). The result is that no sensitive data in any format is shared with Nullafi that could be used or lost, as their architecture doesn’t have visibility into what the actual data looks like. The following graphic explains their architecture:
Product Managers need to consider how adding Location Intelligence can improve the contextual accuracy of marketing, sales, and customer service apps and platforms.
Marketers need to look at how they can capitalize on smartphones’ prolific amounts of location data for improving advertising, buying, and service experiences for customers.
R&D, Operations, and Executive Management lead all other departments in their adoption and use of Location Intelligence this year.
Enterprises favor cloud-based Location Intelligence deployments in 2020, with on-premise deployments also seeing new sales this year.
These and many other fascinating insights are from Dresner Advisory Services’2020 Location Intelligence Market Study, their 7th annual report that examines enterprise end-users’ requirements and features including geocoding support, location intelligence visualization, analytics capabilities, and third-party GIS integration. The study is noteworthy for its depth of insights into industry adoption of Location Intelligence and how user requirements drive industry capabilities. Dresner Advisory Services defines location intelligence as a form of Business Intelligence (BI), where the dominant dimension used for analysis is location or geography. Most typically, though not exclusively, analyses are conducted by viewing data points overlaid onto an interactive map interface.
“When we began covering Location Intelligence in 2014, we saw the potential for the topic to gain mainstream interest,” said Howard Dresner, founder, and chief research officer at Dresner Advisory Services. “With the growth in visualization and the emergence of the Internet of Things (IoT), incorporating maps and location into business analyses have become increasingly important to many organizations.” Please see page 11 for a description of the methodology and page 13 for an overview of study demographics. Wisdom of Crowds® research is based on data collected on usage and deployment trends, products, and vendors.
Key insights from the study that provides an excellent background on the current state of location intelligence in 2020 include the following:
R&D, Operations, and Executive Management lead all enterprise areas in adoption with Location Intelligence being considered critical to their ongoing operations. The majority of Marketing & Sales leaders see Location Intelligence as very important to their ongoing operations. The following graphic compares how important Location Intelligence is to each of the seven departments included in the survey:
90% of Government organizations consider Location Intelligence to be critical or very important to their ongoing operations. Healthcare providers have the second-highest number of organizations who rate Location Intelligence as critical. The study found that mean importance levels are similar across Business Services, Financial Services, Manufacturing, and Consumer Services organizations and decline further among Technology, Retail/Wholesale, and Higher Education segments.
Data visualization/mapping dominates all other Location Intelligence use cases in 2020, with over 70% of organizations considering it critical or very important to accomplishing their goals. The study found that the majority of other use cases haven’t achieved the broad adoption data visualization & mapping has. Despite the lower levels of criticality assigned to the nine other use cases, they each show the potential to streamline essential marketing, sales, and operational areas of an enterprise. Site planning/site selection, geomarketing, territory management/optimization, and logistics optimization make up a tier of secondary interest that taken together streamlines supply chains while making an organization easier to buy from. The Dresner research team also defines the third tier of use cases led by fleet routing and citizen services, followed by IoT & smart cities, indoor mapping, and real estate investment/pricing analysis. Despite IoT being over-promoted by vendors, just over 50% of enterprises say the technology is not important to them at this time. The following graphic compares Location Intelligence use cases by the level of criticality as defined by responding organizations:
R&D leads all departments in data visualization/mapping adoption, reflecting the high level of importance this use case has across entire enterprises as well. Additional departments and functional areas relying on data visualization/mapping include Operations, Business Intelligence Competency Center (BICC), and Executive Management. Geomarketing is seeing the most significant adoption in Marketing & Sales. Operations lead all other functional areas in the adoption of logistics optimization and fleet routing use cases. Dresner’s research team found that R&D’s interest in Location Intelligence, which varies across use cases, may reflect the use of packaged applications as well as select custom development.
Map-based visualization, dashboard inclusion of maps, and drill-down navigation through map interfaces are the three highest priority features enterprises look for today. These three features are considered very important to between 64% to 67% of leaders interviewed. Layered visualizations, multi-layer support, and custom region definition are the next most important features. The following graphic provides an overview of prioritized Location intelligence visualization features.
Executive Management, BICC, and Operations have the highest level of interest in map-based visualizations that further accelerate the adoption of Location Intelligence across enterprises. Executive Management also leads all others in their interest in dashboard inclusion of maps and custom map support. Executive Management’s increasing adoption of multiple Location intelligence use cases is a catalyst driving greater enterprise-wide adoption. R&D’s prioritizing the layering of visualizations on top of maps, offline mapping and animation of data on maps are leading indicators of these use cases attaining greater enterprise adoption in future years.
Four of the top ten Location Intelligence features are considered very important/critical to enterprises, reflecting a maturing market. The most popular (counting, quantifying, or grouping) is critical or very important to 46% of organizations and at least important to nearly 70%. Another indicator of how quickly Location Intelligence is maturing in enterprises is the advanced nature of analytics features being relied on today. Predicting trends and volatility, detecting clusters and outliers, and measuring distances reflect how multiple departments in enterprises are collaborating using Location Intelligence to achieve their shared goals.
Government dominates the use of data visualization/mapping with a strong interest in site planning/site selection, citizen services, fleet routing, and territory management. Business Services are most interested in using Location Intelligence for Indoor Mapping and IoT & Smart Cities. Geomarketing is the most adopted feature in Higher Education, Financial Services, Healthcare, and Retail/Wholesale. Manufacturing and Retail/Wholesale lead all other industries in their adoption of Logistics Optimization. The following graphic provides insights into Location Intelligence use case by industry:
Executive Management and Business Intelligence Competency Centers (BICC) most prioritize Location Intelligence applications that have built-in or native geocoding. Enterprises are looking at how built-in or native geocoding can scale across their Location Intelligence use cases and broader BI strategy with Executive Management taking the lead on achieving this goal. Automated geocoding support and street-level geocoding support are also a high priority to Executive Management. Marketing/Sales lead all other departments in their interest in geofencing/reverse geofencing, indicating enterprises are beginning to use these geocoding features to achieve greater accuracy in their marketing and selling strategies. It’s interesting to note that geofencing/reverse geofencing has progressed from R&D in previous studies to Marketing/Sales putting the highest priority on it today. Dresner’s research team interprets the shift to customer-facing strategies being an indicator of broader enterprise adoption for geofencing/reverse geofencing.
61% of organizations say Google integration is essential to their Location Intelligence strategies. Google continues to dominate organizations’ roadmaps as the integration of choice for adding more GIS data to Location Intelligence strategies. ESRI is the second choice with 45% of organizations naming it as an integration requirement. Database extensions (30%) are the next most cited, followed by OpenStreetMap (20%). All other choices are requirements at less than 20% of organizations.
Enterprise SaaS and retailers have more in common than you might think.
Let’s think about retailers for a minute. Retailers drive growth in two ways:
They open new stores
They increase sales at existing stores
Opening new stores is great, but it’s an expensive way to drive new sales and requires a lot of up-front investment. It’s also risky because, despite having a small army of MBAs working to determine the right locations, sometimes new locations just don’t work out. Blending the results of these two different activities can blur what’s really happening. For example, consider this company:
Things look reasonable overall, the company is growing at 17%. But when you dig deeper you see that virtually all of the growth is coming from new stores. Revenue from existing stores is virtually flat at 2%.
It’s for this reason that retailers routinely publish same-store sales in their financial results. So you can see not only overall, blended growth but also understand how much of that growth is coming from new store openings vs. increasing sales at existing stores.
Now, let’s think about enterprise software.
Enterprise software vendors drive growth in two ways:
They hire new salesreps
They increase productivity of existing salesreps
Hiring new salesreps is great, but it’s an expensive way to drive new sales and requires a lot of up-front investment. It’s also risky because, despite having a small army of MBAs working to determine the right territories, hiring profiles and interviewing process, sometimes new salesreps just don’t work out. Blending the results of these two different activities can blur what’s really happening. For example, consider this company:
If you’re feeling a certain déjà vu, you’re right. I simply copy-and-pasted the text, substituting “enterprise software vendor” for “retailer” and “salesrep” for “store.” It’s exactly the same concept.
The problem is that we, as an industry, have basically no metric that addresses it.
Revenue, bookings, and billings growth are all blended metrics that mix results from existing and new salespeople [1]
Retention and expansion rates are about cohorts, but cohorts of customers, not cohorts of salespeople [2]
Sales productivity is typically measured as ARR/salesrep which blends new and existing salesreps [3]
Sales per ramped rep, measured as ARR/ramped-rep, starts to get close, but it’s not cohort-based, few companies measure it, and those that do often calculate it wrong [4]
So what we need is a cohort-based metric that compares the productivity of reps here today with those here a year ago [5]. Unlike retail, where stores don’t really ramp [6], we need to consider ramping in defining the cohort, and thus define the year-ago cohort to include only fully-ramped reps [6].
So here’s how I define same-rep sales: sales from reps who were fully ramped a year ago and still here.
Here’s an example of presenting it:
The above table shows same-rep sales via an example where overall sales growth is good at 48%, driven by a 17% increase in same-rep sales and an 89% increase in new-rep sales. Note that enterprise software is a business largely built on the back of sales force expansion so — absent an acquisition or new product launch to put something new in sale’s proverbial bag — I view a 17% increase in same-rep sales as pretty good.
Let’s conclude by sharing a table of sales productivity metrics discussed in this post that I think provides a nice view of sales productivity as related to hiring and ramping.
The spreadsheet I used for this post is available for download, here.
# # #
Notes
[1] Billings is a public company SaaS metric and typically a proxy for bookings.
[3] Public companies never release this but most public and private companies track it.
[4] By taking overall new ARR (i.e., from all reps) and dividing it by the number of ramped reps, thus blending contribution from both new and existing reps in the numerator. Plus, these are usually calculated on a snapshot (not a cohort) basis.
[5] This is not survivor-biased in my mind because I am trying to get a productivity metric. By analogy, I believe stores that closed in the interim are not included in same-store sales calculations.
[6] Or to the extent they do, it takes weeks or months, not quarters. Thus you can simply include all stores open in the year-ago cohort, even if they just opened.
[6] I am trying to avoid seeing an increase in same-rep sales due to ramping — e.g., someone who just started in the year-ago cohort will have year sales, but should increase to full productivity simply by virtue of ramping.
Talking about the heady days in the late 90s, one of SAP’s best salespeople had reminisced:
“It was a truly transformational time for the technology industry. We replaced thousands of departmental and mainframe systems. We put MSA, M&D, and many others out of business. We didn’t really have much competition. In deals it would be SAP v. SAP v. SAP — that is, SAP/Accenture v. SAP/KPMG v. SAP/PwC.”
A little over a decade later, a CIO at a large SAP customer lamented to me
“SAP used to publish A0-sized wall posters with the R/3 data model (entity relationship diagrams). How about similar for the existing SAP portfolio? Integrating even among 100 percent SAP assets must increasingly be a nightmare.”
By last year, most analysts and customers were getting really impatient. “Why are the cloud acquisitions – Ariba, SuccessFactors, Fieldglass still so siloed? When will they be on HANA? How many more years for integration across the C4 properties? Even the presentations across the SAP Analytics tools are not consistent.”
Same with customers – “Why are there so many different ways to cut checks in the SAP portfolio?” and a snarky one “the biggest contribution SAP made to the API economy is to be careful of Indirect Access exposure”
So, it is good to see Christian Klein in his new role as Co-CEO of SAP prioritize integration. He recently wrote
“Although we have made progress on integration across our full suite of offerings, we must do more to be the reliable partner our customers trust. Turning true business integration into reality is a company-wide effort and requires collaboration across board areas and teams. Customers are eager to hear about our way forward and looking for roadmaps detailing the timeline of our integration plan for the cloud.”
He also linked to what he calls a “Strategy Paper” – it is more of a long infograph in a PDF file. It is good to see something customers can put on their walls. I liked the fact that even products like IBP and AIN have been factored and that it thinks on business process lines like Lead to Cash.
It focuses on cloud properties and mostly assumes you have moved to S/4HANA. That is certainly SAP’s future, but the API economy has grown because companies are finding moves of legacy to modern cloud applications frightfully expensive and are using APIs to integrate new extensions to the old. How many big banks have moved their core banking applications? Or utilities their billing applications? Most are building or buying modern extensions and integrating them to their legacy.
SAP will have to similarly start thinking about extensions and integrations to ECC, various IS Solutions and in an even bigger opportunity to help develop extensions by industry to then allow customers to integrate to their legacy vertical operational applications.
We have moved to a world of drone-initiated casualty claims, multistory and highly robotized warehouses, last-mile and reverse logistics, shop floors with wearables, robots and 3D printing, smart assets which allow for next-gen maintenance and field service. I can think of countless extensions SAP could develop for utilities, insurance, retail, auto and many other industries.
Think of the glory days if a SAP salesperson can tell me (again) in 2025 “We replaced thousands of departmental and legacy systems.” or a SAP customer again proudly shows off the A0 chart for her industry on her wall. Well, given the increased complexity of most industries, it may take 2 or 3 of those charts.
Am glad Christian is giving it priority. Lots for SAP to deliver – and profit from.
Update – I posted this comment on LinkedIn. Should have also included it here
It’s two markets – incumbent products and incumbent customers/prospects and vertical extensions. The first one honestly is technical debt – vendors like to pretend customers have it, but especially after acquisitions if they dont invest enough that’s their technical debt. Oracle, Infor, IBM and others also have them in spades. The vertical extensions are actually way more exciting and could mean huge new growth, which can fund the former.
I recently had the honor of attending the Zoho Analyst Summit along with 64 other analysts and influencers. Aside from being a great event and beautifully run by the Zoho management team, it sparked a significant outpouring of analyst posts and articles on Zoho’s perspective and roadmaps. I didn’t write one myself. I had the Watchlist in the way that pretty much singularly focused me but I have the further honor of presenting the post of someone who also attended: industry analyst, rock star influencer and I do mean a rock star — and great friend of mine — Brian Solis. To most of you, he’s no stranger, having been a thought leader in the field. He started out by transforming the PR industry, being the pioneer who brought social to PR — among his many other innovations — and now is one of the best-known minds in the digital world. So, without any more of my obvious admiration, here’s Brian’s take on Zoho.
Take it away Brian.
The worlds of CRM and ERP are undergoing yet another renaissance. Following the ongoing cloud (r)evolution, AI, voice, UX/UI and macro trends such as digital transformation and the rise of the cognitive enterprise are inspiring waves of great innovation from industry leading and up-and-coming technology vendors alike. But there’s one unique vendor that’s also going through a renaissance of its own while also pushing the market forward in its own way.
Recently, I joined over 80 industry analysts in Austin to meet with Zoho executives as part of Zoho Day, its annual analyst summit. Zoho is a cloud software company offering an incredibly rich, friendly and affordable suite of artisan cloud applications that power small-to-enterprise businesses. It’s also one of the most unique companies I’ve ever had the joy to follow. It was founded in 1996, and I first met the team during the “Office 2.0” days of the early 2000s in San Francisco.
For many years, Zoho has been a company that the industry has rooted for, but not necessarily recognized it as the most innovative or dominant brands driving the direction of software markets. Industry giants such as Salesforce, Oracle, Microsoft, and SAP have been highly competitive in sales and marketing, publicly innovative, and ambitious in their acquisition and partnership strategies to build capabilities and drive growth. Zoho, on the other hand, has quietly, but diligently, focused on internal innovation, community building, and customer satisfaction. The company has famously stated, “We invest more in product development and customer support than in sales and marketing. It always struck us as paradoxical to charge the customer extra for the privilege of marketing back to them.”
Even after following the company for so long, I forget that Zoho has been around for 24 years and was “bootstrapped” without ever taking outside investment or capital. The company is beholden only to its customers, employees and partners and not shareholders, boards and those who prioritize returns and dividends over innovation, usability, experiences and customer success. While it may seem as a counterintuitive approach to success, the results are clear.
Zoho is a global company with a portfolio of over 45 applications, 50 million+ SMB and SME users, and a workforce of over 8,000 employees around the world. The company has seen 30% compound annual growth rate (CAGR) over the last five years.
And still, the Zoho I was reintroduced to in Austin made it clear. The company is making bold moves all in the name of users and its customers. The question is, where does it want to go and grow?
Zoho User-Centricity: A Purpose-Built Full Stack Provider
At a time when cloud software is coming increasingly commoditized, the platform has to become a key differentiator and continue to do so as part of its business model. Zoho is clearly investing here. Like Salesforce’s Mark Benioff, Zoho CEO and co-founder Sridhar Vembu, is also purpose driven, leading not only through technology innovation, but also through philanthropy and building an organization founded on human-centered principles and values. For example, the company invests in people and their professional development through Zoho University, where students do not pay fees, and instead earn a stipend while they learn. Zoho proudly shares that 15% of its workforce does not have a traditional college degree. Additionally, the company expands by building offices outside of big cities, helping employees enjoy a more affordable lifestyle while growing local economies.
This human-centered approach is clear in its software and platform development as well. The user experience is paramount. And by experience, I mean the emotional and intellectual connection between customers and brand and applications and productivity, and growth and success. If master chefs can add a little love to their recipes, cooking, plating, course design, and dining experiences, Zoho applies the same formula for software development, customer experience, employees experience, and also Zoho’s local economies around the world.
To say it’s a company rich with personality, values, and purpose would be an understatement. It’s also rich in true customer and employee-centeredness wrapped in technical artistry.
“When you choose Zoho, you get more than just a single product or a tightly integrated suite. You get our commitment to continuous refinement and to improving your experience. And you get our relentless devotion to your satisfaction.”
What also sets Zoho apart from competitors is that the company owns (read, built) its full stack and is constantly improving every facet of it. It’s purpose-built with every layer intently interconnected and thus, it can control performance and optimize connectivity and scale. Competitors tend to build out stacks based on partnerships and acquisitions. The pro is that companies can gain access to best-in-class technologies and talent, greater market share, and project an aura of growth and innovation to the market. The cons can be complexity in native experiences, integration and maintenance, gaps in capabilities, and higher costs.
The Full Zoho Stack
Zoho Corp.
To Zoho, this is how to deliver a seamless and end-to-end user experience (UX). Zoho is as much a cloud software company as it is a technology company. All software is homegrown, developed internally at the company’s headquarters in India. Zoho also owns its data centers powered by its own solar farms. Networking is facilitated through domestic and international carriers as part of the company’s Zoho PhoneBridge. The company built its own computer telephone integration (CTI) with a bridge to 80 telecom operators in the Services layer.
Aside from competing against traditional and up-and-coming CRM and ERP vendors, Zoho’s app services, data centers and proprietary layers of its full stack position the company against the likes of Microsoft, Google, IBM and Oracle. And, since Zoho’s full stack includes Zoho-owned hardware and data centers, it indirectly (and directly) competes against Amazon, AWS, Azure, and Google. You better be good, safe, reliable, and cost-effective to compete at this level. As you start to cast a wider market net and move upstream, you need a performance and trustworthy technology infrastructure to support hyperscale and integration and also the leadership, expertise, and talent to manage the digital transformation of your customer’s businesses.
ZohoOne: The Operating System for Business
Zoho wants to be the Operating System for Business
Zoho Corp
Operating systems are extending from computers and mobile devices to the enterprise as cloud software starts to break down operational silos. For example, Aera Technology recently launched its Aera OS as a cognitive automation platform to enable what it calls the “self-driving enterprise.” Zoho too is introducing its “business operating system” with ZohoOne, a platform of over 45 purpose-built, integrated apps and services that the company says can fully power any business while delivering unified user and customer experiences. The company shared that the average ZohoOne powered organization currently runs an average of 19 Zoho apps across the enterprise.
This move goes beyond cloud-based software suites. Zoho is placing a stake in the ground that it is joining the ranks as a global XaaS provider while architecting and owning the entire ecosystem.
ZohoOne was created with connectedness and scale in mind, aiming to replace the disparate patchwork of cloud applications, legacy tools and processes with one cloud-based system.
No matter what platform or apps you use today, Zoho literally has a product suite across the spectrum of sales, marketing, support, HR, finance, and operations. More so, every layer and every app is designed to work seamlessly as part of a holistic system, including a unified data model, scalable and integrated databases and a custom development platform.
Zoho Unified Data Model
Zoho Corp.
The concept of a business OS is particularly compelling when it comes to delivering connected, seamless, and more intuitive user and customer experiences — Zoho customers (users) and their ultimate customers (consumers).
As CRM systems become increasingly intelligent and connected, businesses are aiming to get closer to their customer truths and a shared, cross-functional ability to deliver more relevant and personalized experiences. To do so, systems and data must be unified, connected, and optimized. By having a unified data model connected to all systems, companies get closer to a true 360 customer view. Beyond Zoho’s OS, the rest lies in how organizations then mobilize around customers (placing them at the center of the business).
Zoho’s position is that to serve as a proper OS, you need to own the stack or at least ensure open and intuitive integration across existing stacks. To serve as a scalable partner, you also have to build apps that are better and more integrated than what organizations are using or building today, offer irresistible pricing, and own a reputation for protecting that pricing, while also providing a platform that allows for full app customization on the customer side.
Not every customer has the same out-of-the-box needs, but they do all share animosity toward price creep. And unfortunately, that’s a common business practice in enterprise software.
Additionally, and perhaps most importantly, to become an operating system for any business, you need trust; trust in the platform and trust in the team that built and supports it. This is, after all, still a relationship business.
As Zoho moves upstream and also becomes the hub of any sized organization, the company will have to continually invest in building trust and managing relationships, especially (and uniquely) designed for SME and enterprise customers.
Zia: Zoho’s Custom-Built Artificial Intelligence
If you’re going to build your own stack, how far down the rabbit hole do you go? As we shift into a post digital transformation era of enterprise evolution, artificial intelligence (AI), and eventually cognitive automation become imperatives.
When I say AI, I don’t just mean chatbots, voice, conversational AI, or robotic process automation (RPA). I mean intelligent augmentation and automation connected to all fundamental business applications and operational processes.
Several companies are already making huge investments here and are highly recognized for it. Salesforce with Einstein, IBM Watson, and Aera Technology’s Aera (an impressive startup with $170 million funding to date) are pioneering the future of enterprise operations, and are setting intelligent operational standards right now.
Zoho Zia: AI at Work
Zoho Corp.
On day two of the analyst summit, we were introduced to the breadth and depth of Zoho’s AI, representing over 10 years of inhouse development across an impressive array of capabilities in all of its enterprise apps. Like Einstein, Watson, and Aera, Zoho developed a front-end AI assistant named Zia, which stands for Zoho Intelligent Assistant. Think of Zia as the UI to a rich set of intelligent capabilities, not unlike Amazon’s Alexa. But more so, Zia delivers benefits to enterprise users and ultimate customers using Zoho-powered platforms. And also like Alexa, developers can build skills that teach Zia advanced abilities and also to integrate with third-party software. Additionally, the company has built development platforms that cater to the no code, low code and pro code markets. This means that it can attract a greater set of developers at varying levels with each, solving for different and unique capabilities and needs.
Part of this approach is to fortify its full-stack, OS model. The other part, I learned, was something more profound…protecting the privacy of business customers and their customers.
With an expected 50+ Zoho apps available on the platform, Zia becomes instrumental in connecting the dots between employees, data and business systems.
Zia doesn’t just facilitate search; it introduces conversational AI into the workflow. Much like Salesforce demonstrated on the main stage at Dreamforce 2019 with “Hey Einstein,” Zia combines natural language processing (NLP), understanding, analytics, forecasting, and reporting to simplify complex processes, connect users to instant insights, and help executives make more informed decisions in real-time. Zia not only connects information across its ecosystem, but also integrates third-party apps in the Zoho Marketplace and the World Wide Web to augment queries, results, and cognizance.
To Zoho Privacy Matters Across the Ecosystem
All relationships are built on trust. As such, I would be remiss if I didn’t talk about Zoho’s bold move toward user privacy.
Hosting an analyst event can be a tough job. This is an audience that is not only ridiculously smart and experienced, but every person there is responsible for shaping markets. Zoho’s stance on privacy however, drew applause and ignited deep, thoughtful conversations.
For starters, Zoho doesn’t allow any third-party cookies on its site, knowing that it’ll lose invaluable Google Analytics data. Furthermore, Zoho’s investment in AI development was done in the name of protecting privacy as well. It ensures that no data ever leaves its private data centers. And, speaking of data centers, everything is hosted with Zoho to prevent having to comply with Terms of Service (ToS) of outside hyperscalers and partners. As a result, Zoho is thwarting what it calls “adjunct surveillance,” which stops the trading of customer data with the likes of Google, Twitter and Facebook as an external market and revenue source.
Zoho’s Data Protection Pledge to Customers
Zoho Corp.
Raju Vegesna, Chief Evangelist at Zoho recently shared at Diginomica, “Heavyweight tech corporations are turning into surveillance companies, tracking the behavior of businesses and users — who have become heavily reliant on their ubiquitous services and platforms. By championing advertising-first business models, Big Tech is knowingly putting user and business data at risk. The result has been a series of data leaks as well as consumer privacy breaches.”
Zoho’s Data Protection Promise
Zoho Corp
Does this inhibit growth? Yep.
Does this build a unique form of trust amongst users? Yes indeed. That’s the goal anyway.
As Sridhar said at a Zoholics event in 2019, “we’re proud to leave money on the table.”
After all, if a company can’t live its values, how can it expect customers to trust and believe in the company’s vision and mission?
With Zoho, trust is paramount. It’s a competitive advantage, beyond price, against marketing and technology savvy competitors that are largely recognized for driving market trends and dictating technological standards.
So, what’s next?
With all of the wonderful announcements and insights that were shared at the event, the company still has work to do, beyond tech, to not only grow, but also mature.
Even though the company has been around 24 years, even though the company is absolutely doing so many incredible things around the world, for employees, for customers, for local economies, and for the planet, and even though the company’s stack and app ecosystem are industry-leading and cost-compelling, Zoho’s competing against players that are also pushing the industry forward. Truth is, they are much better at sales and marketing too. They’re steering the industry narrative.
To grow and deliver its vision and mission to a much broader userbase, it’s time for Zoho to adopt a new marketing philosophy. Ironically, as I was writing this, I saw a Zoho commercial on TV during a basketball game. So maybe that makes my last statement already moot. But honestly, there’s much work to do. Just visit the company’s website, follow its market-facing industry perspectives, read the company’s collateral, and compare it against savvy and ambitious competitors. Try to make an decision in the best interests of your company, regardless of size, based on what you see on your own. Zoho can be louder, more vocal in its vision and mission, and bolder in its thought leadership.
As Zoho goes upstream, the current go-to-market approach won’t scale, even though the technology will. Zoho needs an enterprise POV (and perhaps, a dedicated brand and brand experience). It could greatly benefit from introducing a dedicated enterprise customer journey, touchpoints, and relationship model.
Money aside, companies of all sizes, could benefit from the company’s platform. It just isn’t 100% clear that it can address the needs of more demanding, complex customers. Those customers are in the throes of digital transformation. They need help. They’re overwhelmed with companies vying for their attention and business.
I’ll tell you this, if Zoho wants to do it, I know it can do it. I’m rooting for it.
After spending one-on-one time with Sridhar Vembu and Vegesna, one thing I can whole-heartedly support is the company’s prioritization of philosophy in the C-Suite. It’s not always about technology. It’s about partnership.
Right before leaving Austin to return to San Francisco, Vegesna shared that Zoho constantly asks itself, “what is the purpose of what we do?” They made it clear that in every decision they make, it’s about doing the right thing with a long-term mindset.
In closing, Vegesna told me that Zoho sits at the intersection of philosophy, economics, and technology. The company is already making positive impacts in business, with employees and local economies, and also on the planet. I added that perhaps the company should add sociology to its crossing. He agreed.
Talking about the heady days in the late 90s, one of SAP’s best salespeople had reminisced:
