Offense and Defense Innovation at Experian with World Class CIO, Barry Libenson

I’m very excited about my guest for you today. It’s Barry Libenson, Global CIO for Experian. He is responsible for the design and delivery of global technology strategy. Prior to joining Experian in 2015, he was Senior Vice President and CIO of Safeway in North America. Before that, he was the CIO and VP of Land O’Lakes. He has a continuous track record of huge success in the CIO capacity.

I am excited to bring Barry back for “Round 2” – his second episode with me and the RedZone Podcast. You will get the following out of this show as it relates to CIO Offensive and Defensive Strategy for a World Class company:

  • Why you must understand strategies around Micro Services and APIs, how Barry’s topflight team is a key component to this strategy, how he approaches legacy and ‘build new’, and rapid iteration and testing in his environment.
  • Idea Incubation and 3 Innovation Labs at Experian coupled with M&A
  • Nurturing a mindset that can’t be disrupted or blindsided by tech disruption
  • Why moving to the cloud is a debatable strategy and more of a tactic
  • Barry’s approach to building portability using Micro Services with legacy apps
  • His relentless pursuit of security excellence. He dives into his layered defense and ‘hunting approach’
  • The role of AI and Machine Learning at Experian in developing products of the future
  • The mistakes some CIOs make with security and how to avoid them
  • When to look at the Macro vs. Micro perspective to keep yourself in top leadership form

I hope you enjoyed this program interview with Barry Libenson. If you liked this episode, I want you to forward it on your LinkedIn page to your community. I also want you to like and leave comments about the episode on iTunes, and for my droid listeners on Stitcher.

If you are interested in learning more about RedZone and our security expertise in particular related to Cloud and Email Security Kill Chain Strategy, Techniques, and Tactics you can email cloudkill@redzonetech.net.

Until next time. I’m signing off. Thank you and have a great day! 

You can go to the full transcript to get more details about this episode with Barry Libenson below.


Bill M: Hello, and you are listening to Bill Murphy's RedZone Podcast. I interview leaders who inspire me in the areas of exponential technologies, business innovation, entrepreneurship, thought leadership, enterprise IT security, neuroscience, philosophy, personal development, and more. Welcome to the show...
Bill M: Welcome back to the show, everyone. This is Bill Murphy, your host of the RedZone Podcast. So many of you know in the last episode, #104, we talked about Sparta and the Spartans with historian, Paul Rahe. The irony was I recorded that introduction on a Friday night. Saturday morning I was getting started, and a Spartan race, a super, on one of the mountains in Pennsylvania. It's now Saturday, and I'm recovering from that great experience.
Bill M: I'm very excited about my guest for today, for you. It's Barry Libenson, Global CIO for Experian. He was responsible for, is responsible for, the design and delivery of global technology strategy. Prior to joining Experian in 2015, he was Senior Vice President and CIO of Safeway in North America. Before that he was CIO and VP of Land O' Lakes. He has just a continuous track record of huge success in the CIO capacity. This is his number two episode with me and with the RedZone Podcast. This is the kind of stuff, I'm going to tell you what you're going to get out of this episode today.
Bill M: We talked about offense and defense strategy for a world class company and what he's doing that is so interesting and so powerful related to offense and defense. I call this offense and defense innovation. Barry covers this across the globe. For many of you listening, you're probably wondering, how the heck does someone do that? And that's why I have people like Barry, leaders like Barry, on the show, so we can get a window and we can get a lens into what it's like to play with the very, very, very best. Here are some of the suggestions and things you're going to get out of this conversation. Basically, there's a couple.
Bill M: There's understood strategy related to micro services and APIs and how Barry's top flight team is a key component to this strategy, and how he builds upon legacy infrastructure and builds net new in a micro services format and what kind of leverage and power that gives him and capabilities and portability with cloud infrastructure. Also, I want you to really pay attention to his opinion about the cloud. That's really important.
Bill M: Also, how idea incubation happens at Experian using their three innovation labs and also how M&A works in relation to innovation as well. Nurturing a mindset that can't be disrupted or blindsided by technical disruption at an organization level, Experian is serious as a heartbeat about innovation, and they back that up with not only their CIO, Barry, but many, many people on his team, which support this overall strategy.
Bill M: As I mentioned, the cloud, in the building the portable services is really interesting to listen to, and I find in my innovation groups with CIOs this is a really interesting topic, that the biggest companies in the planet are quite far along with micro services, and the small ones aren't. It's just the way I see it happening and the way it rolls. They're usually two, three, four years ahead of the small to mid-market, so it's good to see from Barry's point of view what that type of capability is giving him.
Bill M: His relentless pursuit of security excellence, we dive deeply into layer defense and also the approach to hunting that Experian takes with how they approach security, the role of AI and machine learning at Experian and developing products of the future. Also, he comments with the mistakes CIOs make with security and how to avoid them. When you're looking at the role of the CIO, pay attention to his comments about the perspective and paying attention to the macro, not always the micro, to keep yourself in top, top leadership form mentally and physically, as you dream about reaching higher levels of capabilities as a CIO in your career.
Bill M: So, I want you to enjoy the show today. It's very, very, very interesting, and I'm super excited to introduce to you my conversation with Barry Libenson.
Barry L: Every time you open up a tech pub or something like that, you see we're moving to the cloud, we're cloud first. It's just been fascinating to me, as somebody who's sort of been in tech for close to 40 years now, to kind of watch this, because we have a very different strategy. We believe that the cloud is an incredibly important vehicle in terms of deployment, but there are multiple vehicles for deployment. I, for the life of me, cannot understand why companies are coming out and firmly stating a cloud first strategy instead of saying, “We're completely agnostic about where workloads are run, and we actually let the customer determine that and run the workloads where it makes the most sense for the business and for the client.”
Barry L: So, that may be a public cloud, that may be a private cloud, that may be on-prem, it may be in a colo, it may be in someone else's data center. But the thing that's been really fascinating to me to watch is sort of everybody jumping on this cloud bandwagon, including us, but as sort of this infallible and intractable strategy. That's one that is totally, because I do lot of investor relation conversations, and what I try to explain to the investor community is, "Look, our approach is completely platform agnostic, we deploy in containers that allows us to put our workload in the Amazon cloud, in the Google cloud, in a private cloud, or run it any way we want." That, to us, is a much more important strategy. So, that's one area that I think is really interesting to delve into.
Barry L: The other is obviously sort of the continued challenges around security. We, as a company, obviously take security incredibly seriously, it's one of our highest priorities, if not the highest priority. The threat levels, if anything, they're getting higher, they're not going down. It really sort of creates an interesting question about where do we think security is going to be over the next several years, never mind in the next decade, because the bad guys continue to be pretty aggressive, and some of them are nation state sponsored, and every CIO I think is sort of wondering, where is security headed and how are we going to ultimately get ahead of all of this. Those are a couple of things that are sort of top of mind, obviously.
Bill M: Well, Ben, I want to welcome you to the show. It's been about a year-and-a-half, maybe even two, since you were last on.
Barry L: I appreciate it, thanks Bill.
Bill M: It's interesting, we talked last time, and I used your thesis about being not agnostic to which cloud provider. I remember asking you, “Are you more deploying on Azure, or AWS, or your own internal in house,” and you stated quite emphatically, two years ago, you're agnostic to this and due to micro services, or because of micro services.
Bill M: You and I were talking prior to this about it being such a... you're tired of hearing people having cloud first strategy, and I want to just ask you, I'm not even sure if cloud first is a strategy, that's just a tactic, isn't it?
Barry L: Yeah. But it's become one of the most... it's an expression that you hear an awful lot in the industry. You're right, I think I would agree, it's more of sort of a tactical deployment approach than so much of a strategy, or you could argue that it's a deployment strategy. We are very agnostic, our approach is to be able to run in a public cloud, anyone's public cloud, Google, Amazon, Microsoft, as long as it will run a containerized workload using OpenShift, we're good.

Barry L: So, that can be in our data center, it could be in a customer's data center, it could be in a public cloud, it could be in a private cloud, but it's sort of that portability and transportability that we think is incredibly important. We have clients that are adamant that they do not want their data put into the public cloud, and so a public-cloud-only strategy for us is really not viable. We create our workloads so that they can be deployed pretty much anywhere.
Barry L: If a customer wants it in a private cloud we can put it in a private cloud, but if ultimately they change their minds and down the road, for some technical reason, we can move it to a different cloud environment if we want to do that. To me, that's a strategy, and that's really more important than sort of the marketing angle of being able to say “cloud first.” That's kind of been where we're going.
Bill M: As you know, my show is listened to by CIOs and CTOs and CISOs around the world, so why don't you tell us a little bit about what your major role is and what products and services Experian, when you said, “our customers,” you're listening to them and where they want to go, and be deployed, you're deploying them there, but what products does your company produce that you support?
Barry L: Yeah, I run Global Technology for Experian, we're the world's largest credit bureau provider, but we also have a number of other businesses. We have a fairly diverse portfolio, so we also play heavily in the healthcare space, we're involved in the automotive space as well, so we have products that do any number of different things.
Barry L: I would say we're specialists in big data analytics, so looking at very large, complex analytical models on behalf of clients to draw inferences, and we provide large data sets to clients that are trying to make analytical decisions themselves. We also provide a number of products in the fraud detection space. These are all products that are relatively high volume. They require very high availability, so four nines of reliability or better, and we operate globally, so we provide the same set of services around the world, largest markets being the United States, the United Kingdom, and specifically Brazil in South America, but we also operate throughout Asia and other parts of Spanish Latin America.
Barry L: The products are varied, so a lot of them involve what we call PII data, or heavily, very confidential information, so the need to protect that information is extremely, is incredibly important. It's typically the information that would be used in making a decision about mortgage rates, or something of that nature, or a car loan. Our clients are the largest financial institutions in the world on the B2B side of things. But, we also deal directly with consumers to provide similar sets of services, whether it's identity management, or identity protection, whether it's credit reporting information, we provide similar services to end users.
Barry L: That's why the need, and to be able to run in multiple compute environments is so important, because we have certain financial services clients that, obviously, are very concerned about where their data may reside, and even some of the large automotive manufacturers and some of the companies that we deal with in the automotive space, as well as the healthcare space, have similar concerns about the use of the public cloud. Not all of them, it's a mix, but our goal is obviously to be able to provide those products and those services in any way that the customer wants to consume them. If you're going to do that, they have to be built in a way that's not cost prohibitive in order to support those multiple models, and that's where the use of micro services and containerization and orchestration from a deployment standpoint are so critically important for what we do.
Bill M: When you're thinking strategy at the CIO level, are you depending on your architects and business analysts to come up with different problems to solve, and then you're creating a portfolio of ranking of how, and then, are you trying to think about what's the 20% of the orchestration of the data such that I can get 80% value? How do you think about it from the structure of a global organization?
Barry L: It's a good question. The way we operate is my team in my organization is responsible for global architecture as well as global operations. As such, we work very, very closely on a global basis with the different development organizations to make sure that products are being designed with flexibility and around a common set of standards in order to drive the highest possible amount of reuse that we can get. We also sort of facilitate what I would call the cross pollination of ideas and development around the globe.
Barry L: The architects in my organization are really responsible for making sure that when we build something it's not only fit for purpose in a particular region, but that it has all of the necessary components to make it reusable in another part of the world in the event that we wanted to take that technology and reuse it in another geography. Those are the same architects that generally sit down with the business units at the very beginning of the process of designing a new product, or whether we're going to innovations workshops or blue sky sessions, there'll almost always be somebody from my organization present to work with the business units as we're designing products.
Barry L: The global architecture group tends to have the most regional knowledge of what's happening across our product portfolio, so these individuals actually have a global responsibility, they're not regionally focused. So, if we're building, for example, an analytical sandbox to service the United States, how do we make sure that when we design that, that it also would be reusable or could be deployed into the United Kingdom or into the Brazilian market. So, those individuals are responsible for sort of understanding all of the regional nuances so that we don't end up having to make changes down the road as we design and build new technology and new products.
Barry L: They're also the group that's responsible really for helping to drive standards, and as most people in the technology space know, that's a little tougher than most people realize. I mean, everybody loves standards as long as you pick theirs. The great thing about standards is there are so many to choose from.
Barry L: We run a large organization, we have thousands of software developers and engineers inside the company, and not in a negative way, but sort of left to their own devices, engineers are no different from anyone else, they'll pick whatever technology they're most comfortable with or most familiar with or they believe is the most productive, and if there's not someone or some part of the organization coordinating those efforts, you're going to end up with people developing in Java, and you're going to end up with people developing in Python, and you're going to end up with people developing on every possible platform as a service environment because they're going to gravitate to what they're most familiar with.
Barry L: That's actually okay in a small organization where you're not looking to achieve a great degree of synergies through cross pollination, but as an organization grows, which we have quite a bit over the last several years, it really becomes critically important to basically get everybody moving in the same direction, and that architectural part of the organization is really responsible for pulling people together and saying, what platform as a service environment do we want to standardize the enterprise on?
Barry L: What authentication technology do we want to use as an enterprise? What servers are we going to put our workloads on? And so, we've spent a lot of effort and a lot of time over the last several years making sure that everybody was moving in lockstep and driving to a common set of standards.
Bill M: So basically, when you're securing those... there's a lot of marketing, I won't say it's misinformation, but I've been saying for years that the CIOs of the future are going to learn how to dominate APIs and be able to ingest, take APIs in, and be able to provide them as services out to the outside world and be able to marry data sources and understand that in the modern economy in the modern world.
Bill M: If you were forming a startup today, what kind of a team would you need to really, like at a small innovation scale, so that a CIO can say, okay, these are the minimum skillsets I need to be able to run an environment like you're running today? I know you're running across thousands of people, but what are the key major roles that you need to pull this off so you're confident?
Barry L: You hit on something I think there that's really an important point, which is that the world is really changed in terms of how software is built, and it used to be that you would sit at a terminal or a machine and you'd bang out line after line of code and you were really responsible almost from the ground up, to engineer and to architect a solution. I think one of the most important aspects in this day and age in software development is flexible thinking, and finding people that don't sort of suffer from a not-invented-here syndrome, and are willing... it's hard to get a really smart engineer sometimes to embrace the reuse of a piece of code that they didn't necessarily write, or to use a micro service or API call that wasn't created by them or their organization.
Barry L: And I think that the generation of engineers that you're really looking for are individuals who are more focused on innovation and getting product out the door and understand sort of agile software development and the need to basically constantly be adding value versus the old school style of software development which was writing prolific amounts of code and debugging it on a regular basis.
Barry L: It really is a pretty significant paradigm shift in terms of how software and applications are developed today versus the way it was done 20 years ago. Finding individuals who can embrace those kinds of models and sort of think that way is critically important to building out any kind of a development organization these days. It's really about learning how and knowing how to effectively put pieces of technology together more than it is, in many cases, about writing those baseline pieces of technology.
Bill M: When you took over, Barry, in your current role, did you... I run an innovation group in D.C. and North Carolina for my CIOs in the group, and we had a micro services presenter come in and it gave me an interesting thinking. I thought that micro services was sort of a ground-up strategy of building software, but then he said, well, often he's stripping layers out of legacy systems and building it in portable modules versus having a $25 million software project in the old legacy model. He's taking legacy systems and kind of stripping them out into services. Did you have that type of environment, or were you building everything from the ground up?
Barry L: No, I can really relate to that actually. I think almost any organization where part of their portfolio would be considered legacy has dealt with a similar type of challenge which is sort of the need to transition from what I would call a legacy environment to a more modern architecture, and typically that can mean a number of different things including a dual operating environment. Or, it may be that there is some reusable code that may be legacy by nature, but it can be wrapped effectively with an API layer or with a set of micro services so that the logic doesn't necessarily need to be rewritten, but it can be called as a module, and be embedded in some other application.
Barry L: We actually have seen a lot of that. Most of the major bureaus including ourselves and a lot of large financial services organizations still have a handful of mainframes that they may be operating on. While those [inaudible] are incredibly reliable and they scale very effectively, they're very proprietary and very closed environments. But, moving off of a full legacy mainframe environment is typically a multi-year project, and in many cases there are chunks of code that may exist in that environment, and in our case that was in fact true, we did what we call a heavy amount of what's known as pinning on the mainframes. Pinning is the process of associating a data element with an individual in our case.
Barry L: People may say, “Well, why don't you just use Social Security number?” We actually intentionally don't use things like Social Security numbers for security reasons, and because we want an even more unique identifier. So all of that pinning logic has historically been run in a mainframe environment. We basically took all of that pinning logic and turned it into micro services, moved it off of the mainframe in order to reduce our dependency on the mainframe, and it also allowed us to begin the process of eliminating that legacy footprint and sort of gave us a solution in the interim to doing that.
Barry L: Yeah, I can very much relate to sort of the encapsulation of some legacy code and the wrapping of things. I think it really falls into both categories. For us, it's a mixed boat, we do a fair share of creating new entry points and new micro services based on our newer platforms, but we also do a fair amount of encapsulation of some of the older services so that they can be shared or more easily reused, or be part of a migration process down the road.
Bill M: Yeah, and I know there are a lot of entrepreneurs listening and CIOs that I think that it's great to get your feedback on that because you're so far in front of a lot of folks there.
Bill M: Now, there's sort of a trend coming to people that have kind of 10x thinking and I know a lot of people come to my innovation group to kind of get their brains stretched as far as what's possible. Like, what truly is possible as a CIO as someone who has access to all the data on the network and could be educated by all the ways to put that data to use to create offense for the business, but how do you think big? Like, what mentors, which people, like, how do you surround yourself with people that keep you thinking about the bigger picture and not thinking small?
Barry L: Yeah. There are a couple of things. First, I will be the first person to admit, I am very rarely, if ever, the smartest guy in the room. I prided myself on consistently and always hiring people that are a lot smarter than me, and sort of knowing what their capabilities are, and also what their limitations are, just like I think it's important to know what your own limitations are. I'm really fortunate at Experian in that we've got a ton of really smart people and we actually have some mechanisms in place.
Barry L: For example, we have a bunch of data labs around the globe, three in particular. A big one in San Diego, we've got one in the U.K., and we've got one in Brazil. The centers are, typically, each one has anywhere from ten to 30 PhDs in them, and there's one individual who's a peer of mine, who I have a great deal of respect for, Eric Haller, who runs those organizations. Those guys work very closely with my organization and I work very closely with Eric, and that's where a lot of idea incubation is done. It's sort of a think tank type of operation. They get to try things and sort of fail fast.
Barry L: I look at them almost like I would look at a VC operation. If they get it right one out of every ten times, we win. They make a lot of bets, they look at a lot of technology. We work very closely on things together, and we actually have a much better track record than one out of ten, but that's one mechanism that we use. I love working with those guys because they are so smart, and nothing's impossible in their minds. They're so creative that when we pair those guys up with the architects, they come up with some amazing ideas and some incredible things.
Barry L: A lot of the more recent, more innovative technologies inside of Experian were incubated in those organizations, whether it's what we call our Global Analytical Sandbox, which allows businesses to look at data on 250 million consumers in real time with historical data over the last 15 years. It doesn't allow you to see a specific individual, but it allows you to look at large populations and draw inferences from that. That was incubated in one of those centers.
Barry L: Our Text for Credit platform was incubated in one of those centers. And, I've worked with that group on a number of projects, some of which we've taken to market, and some of which we actually killed because we just didn't decide they were viable. We have a really good environment to drive innovation, we sort of recognize how critically important it is to constantly be reinventing yourself and adding new products to the market. So, that's something we really focus on as a company.
Bill M: Yeah, Eric was on the show after you and I talked a couple years ago. It seems like you've married the art of what's possible with his group and then are constantly testing for how you can bring those new ideas into market. And then, I'm sure you test them and then bring back the feedback.
Barry L: Yeah, well, we sort of do it together. Eric and I routinely will get together with large financial services clients down in San Diego at the labs. I'll drive down there and we'll meet with any number of large companies and sort of bounce ideas off them, do joint ideation sessions with them, we'll build prototypes, and then we'll do minimally viable product with them.
Barry L: But, what we try to do is actually test a lot of these ideas out in phases with actual real world clients and let them participate in the process. It's produced some really, really cool results, and it also sort of has told us, are we heading in the right direction? Do we need to course correct? Are there other things that we should be thinking about?
Barry L: But, we really have tried to make it sort of a three-way process between the technology side of the organization, the data labs, and our clients directly, so it's been a really powerful model, and one that seems to be working quite well.
Bill M: Well, the funny thing is that even with entrepreneurs, when you're testing new ideas, you've basically brought your customer in as a part of the solution set, and if they're a part of that model, then essentially they're highly likely to write a check for that capability versus trying to guess what they want and need.
Barry L: You're spot on. The idea is to create kind of a win-win situation. We don't want to go too far down a path until we know that what we're building is the right thing. There are plenty of times where we've been told, “Yeah, that's kind of interesting, but that's not going to be a significant enough game changer for us that we would really pursue it.” And then we've had other times where we've shown somebody a prototype and their jaws hit the floor and they've said, “Can we have that today?” Which is obviously what you want to hear. We hope for a lot more of those than the former.
Bill M: But what I like is you're playing offense, and I talk about this a lot with the CIOs that are listening. There's a part of the job which is defense, which we'll get to, kind of like, how do you secure and govern. But, then there's offense, like, how are you playing offense and bringing new products to market and having that part of your brain really tuned and ready in aligning with the... and that's why I like the stories you're telling because it's completely aligned with like, can we bring value to the customer and can we bring it there fast. And it sounds like the whole organization is really geared for that.

Barry L: Yeah. The other piece is also... there's one other element to that I would say, and that's sort of the mergers and acquisition and the investment side of the business. You know, most very large tech companies, whether it's a Cisco or a Microsoft, or Google for that matter, they have very large investment portfolios. They make typically investments that are synergistic to the portfolio of the company or something that they think would be impactful for clients, but it's a big part of their business and they see it as an innovation driver as well.
Barry L: I was really surprised when I joined Experian, for the size of the company, how important a role that is as well. We do more M&A activity inside of Experian than almost any company I've been involved with over the last 30 years, but we're not nearly the size of a Cisco or a Microsoft. But, it's so important right now to be aware of the technology that's coming out of Silicon Valley or any other incubation zone, because there's disruption sort of occurring everywhere.
Barry L: What I tell a lot of people that ask me what keeps me up at night, what keeps me up at night is the unknown. It's not the competitors that I can see in the rear view mirror and I know are there. It's the Fintechs and the startups that are coming up in the rear view mirror at a million miles an hour that keep me up at night. I think we do a very effective job of having part of the organization also sort of canvassing what's happening out in the industry and making strategic investments and acquisitions that are very synergistic to what we do and allow us to keep a pace of innovation that's considerably faster than it would be if it was purely organic. So, that's the other piece that I think is worth mentioning.
Bill M: Yeah. I love that. Yeah, what your, in summary, of offense, is you've got the lab, it's working tightly with the ops group, your group, you guys are lockstep there, and then you've got M&A activity to make sure that you're partnering financially with those potential disruptors that are coming down the pike, instead of ignoring them.
Barry L: Yeah, you got it. All of those are spot on.
Bill M: Now, I was listening to Bill Gates, he was talking. I don't know what show he was on, but it was on YouTube, and he was giving his thoughts, someone asked him, “If you have a startup today and you were running it new like a Microsoft, what would you jump into?” And he said, “I would jump into some AI derivative.”
I want to get your thoughts on AI, and I was reading a little bit about some of your blog posts, and I agree with you, but I'd love for you to share with my audience about the role of AI in supporting humans, especially in a data-driven world and modern economy. What are your thoughts there?
Barry L: I do think we're still in the early stages of the conversation, but it's clearly one of the next big things, and you see it every day. I think I have eight Alexa devices in my house and four Google Home devices in my house. I mean, literally, every single room has some form of voice activated AI device in the house that controls anything from the televisions to lighting or the alarm system. They've just sort of become ubiquitous.
It's been really interesting for me to sort of watch just how crappy Alexa was like two years ago and how much better it is today. We're like living in the Star Trek that we used to watch as kids. It's sort of becoming a reality right before our eyes. That same technology really has a pretty important role, especially in our business, where we're trying to help our clients make better decisions and we use gigantic data sets to do that, but we actually are creating models now on the business side that actually get more and more intelligent over time and learn behavior and learn people's patterns based on historical data and get smarter and smarter so that we can provide more effective decision making products to clients.
Barry L: But, we also use technology that helps us from a machine learning perspective every day in just running the operations and running them smarter. So, we are constantly changing what normal looks like in the data center, for example. We're always monitoring systems from a security perspective to look at things like disk I/O and CPU utilization and network traffic, and there's a whole slew of measurements that we do, and these things all have to be measured, they can't be measured or looked at by a human because they just don't have the ability to analyze the data quickly enough, so we use a lot of different tools that analyze that data on a nonstop constant basis. And these tools are constantly evaluating what normal is and resetting what normal is based on volumes and based on behavior and based on tweaking of the algorithms that they contain.
I would say our ability, for example, to detect fraudulent behavior or bad actors or some type of disruptive behavior gets better and better pretty much every month, because things that are normal, that definition of what normal is, is constantly being tweaked to get smarter and smarter. These are really simple examples of sort of using machine learning in different capacities.
I think we're very much at the tip of the iceberg. We finally are starting to see compute models and tech somewhat that's available that can take what used to be only doable by a PhD and put it into the hands of a regular... somebody with basic software development skills.
It's also, as a discipline, you're seeing more and more people come out of universities with expertise in machine learning and artificial intelligence where that used to be more of a highly specialized expertise. And let's face it, this is something we've been talking about for decades. I would say over the last ten years is when it's really started to become a reality for us.
Bill M: Yeah, especially in your world, because ditch diggers, when my grandfather came over from Ireland shoveling coal in a steamship, there was one shovel, one human being. But then you had the backhoes, and you had front end loaders, and you've got big capabilities of digging holes faster that develop. And it's just all of a sudden humans are at a different level, now they're running a bigger steam shovel, or a front end loader. So it's interesting how these machine learning algorithms, when deployed, are essentially going to reduce the human need for the expertise, and it becomes high level thinking on solving the problems.
Barry L: Yeah, I absolutely agree. I remember probably 15, maybe 20, years ago when the outsourcing phenomenon was becoming a pretty big thing and people were offshoring a lot of work.
There was this huge fear about the loss of technology jobs in countries like the United States or the United Kingdom, so it resulted in kind of the opposite effect, which was people started shifting directions and getting degrees in different professions, and all of a sudden we found ourselves with a huge shortage of software engineers in the United States because people had decided this isn't going to be a viable career path any longer. People could not have been more wrong about that, and ultimately the system self-corrected itself.
I think that there's a lot of concerns around machine learning and AI that are very similar. I think what you said is pretty much spot on, what machine learning and AI do is allow you to take human capital and simply move it to more important tasks, or tasks that can't be automated, or aren't eligible, or we don't have the machine learning technology to take advantage of yet.
And in my view, machine learning is not going to disrupt the engineering workforce or the software development space, it's actually going to create new opportunities in different areas. It's another one of those things like outsourcing where it's simply going to move the demand to other areas, and I don't mean geographical areas, I mean other disciplines. But, I hear people worrying about the impact.
Barry L: Now, it will potentially dislocate certain jobs, but it's certainly going to create a whole new class of new jobs at the same time.
Bill M: As we get wrapped up here, I wanted to shift gears from the offense, kind of new exponential technologies into talking about defense with threat management and governance, and just get your thoughts on threat management. And generally just a quick story; I have a 4,000-user customer of ours and they're really not engaged with us deeply at all yet. It was just in a small engagement that we were working with them on. And then, their whole network got taken down by a [inaudible] virus, a piece of malware that got pulled in from OneDrive, a public OneDrive, bypassed the security systems, boom, hit, and they were offline for four hours. A whole fleet of security engineers, a whole fleet of network engineers, all the fancy technologies, and I was sitting down with them and I said, “Well, security's now about recovery as much as it is about the actual running of the systems, like how quickly you can get back online.”
And I'm just curious how you approach, from a worldwide organization, with a visibility all the way up to the board, how do you strategize around security and how do you respond to a board that says, "Are we secure? Are we secure Barry?"
Barry L: Yeah. You raised a lot of really good points. In our case, obviously security is probably the highest priority, because we house so much important information on consumers around the world. And I will say, and I'd be surprised if anybody disagreed with this, but the threat landscape is growing, it's not shrinking.
We see threats typically from three different areas; nation states, which are on the increase and one of the most problematic. Let's face it, if the Red Army or the Kremlin wants to breach your environment, they can throw an enormous number of resources at it in order to accomplish that. The second would be organized crime, which is trying to monetize whatever they can get their hands on through cybercrime. And then, the third would just simply be malicious bad actors that are trying to make a name for themselves, or something like that.
We obviously see all of that every day. A lot of companies, I believe, are under the impression that if they put up a strong enough fortress they're not at risk of being breached. Our goal is obviously to prevent anybody from getting in that we possibly can, but I think it's a bit naïve to assume that nobody's ever going to get in. And so, I think you really need a multi-pronged approach to this, much like anybody who owns a house or lives in an apartment, you have a front door, and you don't leave that front door unlocked. There are certain things you simply do to prevent the bad guys from getting in. You lock your doors, you lock your windows, you turn the lights on in your house at night, and you try to create as much of a deterrent as you possibly can. But being realistic, somebody can break a window, somebody can jimmy the lock, I mean, there's any number of things... and if somebody wants to get in bad enough, they may find a way.
In technology, we live in a very similar world. No matter how strong your approach is, there's always that risk that somebody finds a vulnerability or some areas of exposure and manages to get into the environment. And that's where the next most important thing is, and this is where a lot of companies literally don't make any kind of an investment because they invest everything on the prevention, how do you detect if a bad actor is in your environment? How do you know that somebody has gotten through the front door?
In your house you have an alarm system and the alarm goes off and that alerts you that somebody's inside. There are similar types of things that we try to use from a technology perspective to provide a similar view, we're monitoring traffic all the time, we look for spikes in different areas and if we see a spike the first thing that happens is somebody has to investigate that. We have alarms that effectively will go off to let us know that we believe that there's a risk, that there's a bad actor in the environment.
Barry L: And then, that's all great, so then you know that there's a bad actor in the environment, it's actually not a good thing, obviously, but at least you know. What do you do to minimize the blast radius or the impact that individual can have in the environment? In your house you probably will have a safe and they'll put their very important private documents in the safe, and maybe jewelry, or other things that they consider to be of extremely high value that they've acknowledged the fact that their house is not impenetrable, that somebody may get in, they may not be home in order to do anything about it, so they have a safe as sort of the next thing.
Once again, there's sort of similar analogous types of technology, whether it's encryption at rest, or encryption in transit, or any other types of segmentation, things that we do to try to minimize the impact if somebody was to get into the estate. The challenge I think most companies have is they go very heavily on the first part of this, but they don't do anything on the observation or alert side of things, and they don't have the right types of technology in place to minimize the blast radius if somebody does get into the environment.
When I talk to other people... I've actually had to go to Washington on several occasions and meet with different politicians and we've talked about this. They're always looking for, “Tell us what you think is important in these areas,” and it's always like a light goes off when we talk about all three areas and how important they are, and it seems to resonate. But, it's increasingly a topic of conversation, and I think all three areas really need to be evaluated if you're going to do this right.
Bill M: The middle area you talked about detecting behavior that is happening, odd spikes, odd movement. I call that “go hunting.” You're actually playing offense with your defense right in the middle of the enterprise, and I think that's a healthy way to look at it. It's sort of like someone's come through the metaphorical castle, they've crossed the drawbridge, got past the first line of defense, and now they're sneaking through the commoners areas, and how do you detect them? I call that “go hunting,” and it sounds like that's... I know people call it different words, but it sounds like that's an interesting area for you.
Barry L: I mean, we literally have two different teams that literally go hunting. We have one that we call a “Red Team” which is internal to Experian which is part of my organization, that basically is compensated on their ability to get into one of our externally facing applications. Their job literally, without telling anyone, is to try to break into one of our existing applications. That's all they do all day long, that's their job.
We also do an enormous amount of pen testing where we use external organizations and ask them to try to break into an application or find vulnerabilities. That literally is hunting, they're literally going on offense in order to play defense, so it's a perfect analogy.
Bill M: Just as we get wrapped up, I have a theme I wanted to ask you about what your thoughts are. I talk about the human immune system and if we get a cut on our hand, our whole body's aware of this cut, but it's a lot of deployed, automatic resources directly to that cut to heal it, and then we externally have to triage it usually with a band aid or stitches, or something like that. But, there's a triage and a recovery process, but the body's doing a lot of its healing in response.
I get a sense that, as we move along here, and as these technologies like machine learning and AI come on and become more mature, that we're going to have our digital systems are going to approach our biological systems in the ability to have a lot of automated response, but then we're still going to need triage with humans and band aids and broken, go-to-the-hospital type things. Our biological systems are going to largely model our digital ones. We go through the year as healthy as we are, as healthy of foods that we have, how many trips and inoculations we get, we still get sick. And I think that's essentially what's going to happen, and it is happening with enterprise. What are your thoughts about that scenario?
Barry L: Yeah, I think we're there already. For example, we have self-healing networks and we have redundant systems that can detect when a storage array is starting to throw panics and is likely to fail, so they will automatically roll over to the backup device. We have redundancy at the router and switch level so that if its performance drops below a certain threshold, another device... we have load balancers that sort of look at capacity in a particular area and can reroute traffic if necessary.
And then, we actually run the organization in a very similar way to the way your body heals itself. For example, if we find that there is a vulnerability in one location, the first thing that happens is there's sort of an enterprise wide scan of the environment, or somebody goes to the CMDB to sort of evaluate where else there may be exposure, so that we can immediately deploy a bunch of tools in order to remediate an issue that may exist in other parts of the world, or may exist in another application, based on some report we recently got.
I think we're pretty much in that mode. I think we're in the primitive states right now. The self-healing network is something that's probably one of the more progressive and been around longer than others, but I think that basically applications' ability to heal themselves and hardware's ability to heal itself, or to address failures or faults, is very much the way of the future. I think we have some of that today.
I think the prices are coming down. It used to be that if you wanted to have a fully redundant environment you basically had to have duplicity of something that you hope you never needed, which is a very expensive concept. The cloud has actually helped that a great deal, I mean, you can have recovery environments that are in the cloud that you only have to pay for when they're spooled up, and things of that nature.
So, I think there're a lot of things happening around self-healing and remediation that we're benefiting from, both in terms of machine learning, in terms of the use of the cloud, in terms of underlying capabilities that are being built into the technology platforms themselves. So, I think it's a good analogy. I think we're already starting to see examples of that.
Bill M: This has been a fascinating conversation, Barry, I think it's going to be a great window into yourself and what a world class CIO is doing day-to-day, some of the challenges, but then also what Experian is doing as an organization. I always like to end my conversations with just asking you, from a leadership perspective, when you personally from the vision and mission that you bring to bear every single day, is there a fundamental philosophy that you think when you get up and you're having a hard day, you've traveled 200,000 into your 250,000 miles for the year, that you always go back to that kind of gets you energized, or at least gets you playing at the top of your game? Is there a fundamental philosophy you depend on?
Barry L: Yeah, you know, I guess when I'm feeling down, or when I'm wondering if we're doing the right things or if we've made the progress we should make, I remind myself that in this job you have to look at things at a macro level, not a micro level. If I look at what I think we've accomplished over the last week, or two weeks, or three weeks, or even a month, it can be really frustrating at times. But if I look at what we've accomplished over the last 12 months, and I see the way the company is performing as a result of that, it makes me feel really good.
I think it's that lens that's a little bit more perspective and a little bit more long term that's so critical, because let's face it, these types of initiatives, these types of programs, the level of change that we try to drive as technology leaders in an organization, take time. While we all love instant gratification and want results overnight, we just don't live in a world where that's always realistic. So I think the one thing that gives me solace and that I think is incredibly important, and what I remind my team and everybody in the organization constantly is you have to look at progress on a macro level. And when I say macro, I'm not talking five years, but I'm talking more like the quarterly type of evaluation.
Barry L: Did we make progress over the last quarter in moving the needle. And if you can answer that question and say affirmatively, yeah, we absolutely did, then you should feel pretty good. But if you haven't moved the needle in a quarter or in six months, that's when you probably need to do some evaluation.
Bill M: Well, Barry, I really appreciate you coming on to the conversation today. If anybody had any questions, I'm going to put all the show notes and links to your articles and the organization, if it's okay to put your link to connect with you on LinkedIn. I'm sure a lot of people would like to reach out to you and say hello. Is that a good place to do it, on LinkedIn or Twitter?
Barry L: Yeah.
Bill M: Okay.
Barry L: Yeah. LinkedIn is great.
Bill M: I appreciate it very much. Thanks for coming on the show.
Barry L: You bet, any time. Thank you Bill. Appreciate it.
Bill M: Bye-bye...
Bill M: I hope you loved my conversation with Barry. If you would go on to LinkedIn and share this episode on your LinkedIn profile, that would help to spread the message on this podcast across the whole IT leadership community. Also, if you can go to iTunes and give a rating and share your thoughts about this episode, it'd be fantastic. Also, Stitcher is a great place as well, because all of my droid listeners listen, usually, through Stitcher. So, use those three and help support the show; LinkedIn, Stitcher, and iTunes.
Bill M: Also, if you want to learn more about security as it relates to email and cloud kill chain strategy, again, that's email and cloud kill chain strategy techniques and tactics, I want you to send an email to cloudkill@redzonetech.net. That's cloudkill@redzonetech.net, and we can be back in touch with you. Just say, “I want to learn more,” and someone on my team will be in touch with you. Have a great day. Enjoy the rest of your summer.
Bill M: So, there you have it. This wraps another episode of Bill Murphy's RedZone Podcast. To get all the relevant show notes please go to our blog at www.redzonetech.net/podcasts. Additionally, make sure you go to iTunes and leave your comments in iTunes about the show. This helps our show rankings enormously, and it helps support the show. Until next time, I appreciate you very much for listening. Thank you.

About Barry Libenson

Barry Libenson is Experian’s Global Chief Information Officer (CIO), with responsibility for the design and delivery of Experian’s global technology strategy. Prior to joining Experian in June 2015, he was Senior Vice President and CIO of Safeway Inc. in North America. Before that, he served as the Chief Information Officer and Vice President at Land O’Lakes Inc. Barry joined Ingersoll-Rand as Vice President of e-Business in May 2001 and served as its Chief Information Officer beginning in 2003. There he was responsible for defining and implementing Ingersoll-Rand’s global electronic and internet business strategies, with a focus on customer relationship and supply chain management.

Early in his career, he served as Executive Vice President of Surety Inc., a data-integrity services company; as Chief Executive Officer for Visix, a software publisher; and held management positions with Phoenix Technologies and Oracle Corporation. He served as a Director at Tavant Technologies, a software firm with offices in California and Bangalore, India.

Barry holds a bachelor’s degree in Computer Science from Colgate University and earned a Master of Business Administration degree from The Fuqua School of Business at Duke University.

This episode is sponsored by the CIO Innovation Insider Forum, dedicated to Business Digital Leaders who want to be a part of 20% of the planet and help their businesses win with innovation and transformation.

Credits:
* Outro music provided by Ben’s Sound

About Bill Murphy
Bill Murphy is a world renowned IT Security Expert dedicated to your success as an IT business leader. Follow Bill on LinkedIn and Twitter.