Q&A with Netskope CFO Drew Del Matto on C-level Security Considerations During COVID-19

We sat down for a virtual Q&A with Drew Del Matto, CFO of Netskope, to get his thoughts and advice for C-level executives who are navigating concerns for their workforce and ongoing business.

Question:  How will COVID-19 change the conversation with executive teams and their boards of directors?

Drew Del Matto: Boards are focused on governance and they have a multitude of concerns, including employees, customers, and shareholders. Safety of employees is obviously paramount. As it relates to customers, boards and executives need to ensure that they’re accounting for new risks related to the new reality of a remote workforce and more cloud usage.  These risks range from how customers interface with the company, its products or services, or how the customers’ sensitive data is treated. C-level executives are also focused on ensuring the ongoing continuity and velocity of the business. It’s now obvious that remote connectivity is an accepted way of doing business. COVID-19 has shined a light on this and it will likely encourage longer-term remote work habits as well. Companies now need to ensure people (and only the right people) have the required, ongoing connectivity and access to what they need to do their work. This requires a new security architecture as applications, data, and the network need to be secured beyond the world of physical data centers. This is a curveball to the world of old perimeters, and a catalyst for driving the increased digitization and use of cloud, primarily via business applications. COVID-19 effectively catalyzes enterprise migration to the cloud.

Question: What role should security be playing in executive boards in planning for this shift to remote work?

Drew Del Matto: From a governance point of view, the board and management have the responsibility to assess the situation, drive the business, and ensure that they’ve evaluated and properly addressed the business, cyber, and cloud risks. The silver lining is that everyone has been hyper-focused on IT and assessing cyber risk as a result of the many data breaches over the last several years. However, companies were focused on hard perimeters, which means physical worksites and physical data centers. People are now working everywhere, and this crisis shines a bright light on the mobility trend and related risks. This means that users are increasingly accessing the cloud for compute power, data, and applications. Said another way, to boards and the C-level, COVID-19 accelerates cloud security risk. Priorities are ensuring appropriate performance of the work, driving growth, and ensuring customers are served in an appropriate manner without business disruption. If approached correctly, it’s easy to imagine this becoming a windfall for cybercriminals. Suddenly everyone is doing something differently with a broadened attack surface, creating a massive opportunity for the bad guys.

Question: How has COVID-19 changed perspectives on what is considered remote work and how it is done for most companies?

Drew Del Matto: For the safety of employees, our country, and neighbors, we’re trying to avoid spreading the virus, or spreading it more quickly than necessary, in order to avoid overburdening the healthcare system. People are now working remotely, and they need the tools to do so. We’re hearing from our customers and prospective customers that some have those tools, but others don’t. In 2014, the average business had over 400 applications in use and today they have more than 1,400. This massive shift to cloud applications and ongoing digital transformation initiatives are converting countless enterprises into cloud-first companies.  Many of these digital transformations are led by the business, which has left security teams in catch-up mode. Remote work accelerates the trend, given the quickness and convenience of a team spinning up a cloud workload, building or using cloud applications. However, quick implementations or product releases represent the same culture that created the breach opportunities of the post-Target era of 2014-2017 when people were saying “another day, another breach.” Without proper security, we could very well be headed down the same path, and this time customers, employees, regulators and aren’t likely to be as forgiving. They expect that we’ve hired strong security teams, that we comply with the regulations put in place over the last several years, and that there is strong oversight and governance from both the board and C-level. We’re in a period where COVID is imposing sudden and generally unexpected remote access and connectivity requirements. Data is now flowing outside of the walls of the company at an increasingly high velocity. Once we’re through this, it will not be acceptable to say: “We didn’t think about the risk of moving all of our data into the cloud in a week and taking our remote working percentage to 100.” 

Question: What are some of the biggest risks and security concerns enterprises are likely going to come across in this grand shift to remote working that they may not be fully equipped to handle?

Drew Del Matto: Number one is accessibility. Where are the applications and can they be accessed remotely? Then we need to think about authentication or authorization — the front door of that data and who gets access. Thirdly, governance over cloud and data, which is what CASB does. One of the top risks last year was phishing and ransomware and we have many cases that show that this risk is now quite prevalent in the new cloud era. This will increase and start to focus on remote working.

Question: What are some tools enterprises could use to best overcome these challenges and better protect themselves?

Drew Del Matto: At the risk of being self-serving, a lot of what Netskope does can help enterprises in this crisis. Cloud and mobility are foundation-level drivers behind the creation of the company. Netskope was built to address security outside of the traditional locations. Categories like Next Gen Secure Web Gateway, Cloud Access Security Brokers, and Zero Trust Network Access are tools that provide strong security and ensure a high level of network performance. Boards and C-levels will benefit by thinking about architectures like secure access services edge (SASE) that Gartner has been advocating for more than a year now. 

Question: Will this shift to remote work result in a long-lasting strategy change? To phrase it another way, will organizations be able to offer more flexibility in the future as a result?

Drew Del Matto: Of course, teams are in a reactionary mode at the moment, the world is for that matter, but I do think the answer here is “yes.” Many technology trends of the past have been preceded by an event. If you look at the Star Report in the 1990s, that accelerated the flow of content distribution networks. The Star Report was where everyone hit the White House website at the same time, and nobody was actually able to see the report. It was akin to a massive DDOS attack. Fast forward and the Mona Lisa virus created awareness of the risk of viruses on computers, which is kind of the same idea as ransomware, with pop-ups that would freeze on your computer. In 2013 the Target breach exposed the risks of IT, in general, in corporate and retail environments. Security spending has grown two or three times since then. This event highlights the IT capabilities of being able to work remotely and do it exceptionally well, but we know that cybercriminals are quickly going to exploit this moment.  

Question: Are there adjacent or nascent concerns that executive teams should be thinking about? 

Drew Del Matto: The speed and performance of security solutions will come under greater scrutiny as enterprises start to figure out their new architectures for supporting a 100% remote workforce. Why? Because this architecture will rely heavily on the cloud, and the network is now heavily reliant on the public internet. Legacy security providers don’t have the DNA to go cloud native and most security providers aren’t committing the time, energy, or investment to ensure that security is fast and performant. This is a concern that most executive teams aren’t aware of yet, beyond the CISO.

Drew is currently the CFO of Netskope, and has served in the past as CFO of Citrix Systems,  Fortinet, and acting CFO at Symantec.