Streamlining IT Management and Security: Madhusudan Krishnapuram, VP & Country Manager, GoTo

In a world where remote work and digital collaboration are becoming the norm, GoTo has been at the forefront of enabling seamless communication, collaboration, and IT support for nearly two decades. With a vision to empower individuals, companies, and employees to work from anywhere, GoTo has evolved its suite of solutions to meet the evolving needs of the modern workplace.

In a recent interview, Madhusudan Krishnapuram, VP of Engineering & Country Manager, at GoTo, sheds light on the challenges organizations face regarding shadow IT and shadow AI, as well as the role GoTo plays in addressing these challenges. Madhusudan emphasizes the importance of consolidated IT management and monitoring in standardizing security measures across different departments of an organization.

Excerpts

DQ: How would you explain some key features of GoTo to someone unfamiliar with the platform?

Madhusudan: I think the best way to describe GoTo Resolve is by first explaining the problem it addresses, and then outlining how GoTo Resolve handles it. When considering how people work today, it's common to see the use of laptops, desktops, and mobile devices. Regardless of location or task, these devices constitute the primary tools people rely on to get their work done. However, each of these devices runs software that requires regular updates, maintenance to ensure compatibility with other software, and seamless functionality to facilitate productivity. Essentially, the goal is for this software to enable users to perform their tasks efficiently without creating additional obstacles. This aspect forms a crucial part of how these tools are supposed to function.

The second aspect of how these tools are supposed to function is to prevent bad actors and malicious activities from affecting your business. When working from anywhere, security becomes a significant concern. If there's a vulnerability, you can be certain that hackers or other malicious individuals will exploit it, potentially causing significant harm to your business. Depending on the size of your business, this damage could be catastrophic. While larger enterprises may have the resources to recover, small businesses may not have that luxury due to their tighter profit margins.

The third aspect of what these devices are meant to achieve is seamless integration, allowing people to work together without encountering silos or obstacles to collaboration. This can be disrupted when individuals use incompatible software, hindering communication and collaboration efforts. For example, if I want to have a video conversation with you but we're using different tools that aren't compatible, it creates a barrier. Typically, IT professionals are responsible for resolving such issues and ensuring seamless functionality. However, as the number of users increases, this task becomes increasingly challenging. While it's manageable for a small group of people, scalability becomes a concern when the problem grows in scale, making it difficult for one person or a small team to manage and ensure successful resolution effectively.

That's where GoTo Resolve comes in. It offers an easy-to-use modern interface for IT professionals to provide both reactive support and proactive IT management and monitoring. Additionally, for larger enterprises, we've always had LogMeIn Rescue, a flagship product that offers similar functionality, including providing support to multiple large enterprises. Essentially, with GoTo Resolve and Rescue, we cater to organizations of all sizes, ensuring they can manage their IT infrastructure effectively, and facilitating productivity while alleviating concerns about security, compatibility, and compliance.

DQ: Explain how using unsanctioned tools can affect the IT infrastructure of the organization.

Madhusudan: it’s important to understand why unsanctioned tools come about so we can grasp their impact and how to prevent them. Typically, we refer to this phenomenon as IT shadowing. Surprisingly, miscommunication often plays a leading role in its occurrence. When you look at typical security updates or alerts, they're filled with technical jargon that executives, managers, or other recipients may not fully understand. Without grasping the seriousness of the issue, individuals may be less inclined to comply. While everyone aims to do the right thing, lack of explanation regarding the consequences of using certain tools can lead people to resort to their preferred methods of getting work done instead of using sanctioned tools endorsed by the security or IT department. This is manageable when there are only a few tools in use.

But again, complexity compounds with the number of people in the organization and the variety of tasks they need to perform, especially when people want to work from anywhere, which is common in today's world. Consequently, everyone ends up using a variety of tools scattered across the ecosystem. This complexity makes the life of an IT administrator incredibly challenging, leading to the occurrence of shadow IT. When we fail to effectively communicate why certain actions are not permitted, people are left to do what they want instead of understanding why they should adhere to certain guidelines. This is the first issue.

The second issue is understanding the implications. People often underestimate or fail to grasp the impact of shadow IT. The most obvious consequence is the creation of security vulnerabilities or cybersecurity incidents. While we all install tools, we may not always prioritize updating them to the latest versions as needed.

Sometimes, in the middle of an important task, you might think, 'I'll just put off updating until tomorrow, it should be fine.' However, if it's a critical security update that you've neglected to apply, you could be leaving a vulnerability in your organization that a malicious actor could exploit, leading to a cybersecurity incident. It's common for about 11% of reported cybersecurity incidents to result from such negligence.

Another less obvious issue relates to data privacy and compliance policies. With regulations like GDPR (General Data Protection Regulation), companies are required to comply with data protection policies, or they face penalties. However, with the proliferation of tools, it becomes challenging to manage where and how data is stored, used, and accessed. This leads to data silos and compliance issues.

The third concern, as previously mentioned, is IT compatibility. When individuals use different tools, it hinders communication and collaboration, making it difficult to work effectively together. And that, again, creates a problem that essentially compromises our collaboration, teamwork, and relationships, whether it's between employees or between the company and its customers. This creates significant challenges. Shadow IT casts a large and looming shadow over businesses.

The best way to deal with this is by doing three things. Firstly, we need to effectively support employees who encounter these issues, whether reactively or proactively. Quite often, problems compound if they cannot be resolved swiftly. Even if I don't like a tool, if I can find a quick solution to my problem using it, and navigate initial hurdles, I'll stick with it. Frustration arises when nothing gets resolved promptly, leading me to revert to my own methods to get the job done.

With GoTo Resolve, we can swiftly and efficiently resolve your (pun intended) problems. Additionally, we can automate simple tasks that consume IT administrators' time, such as patch management and system upgrades. Proactively monitoring for issues allows us to intercept and resolve them before they impact you. While dealing with desktops and laptops seems straightforward, challenges arise with mobile devices. However, we also offer mobile device management to address this issue.

Moreover, we provide essential features as a baseline, including endpoint protection, to ensure that all managed devices are tracked, monitored, and protected.

It's built on a foundation of Zero Trust, which means we don't assume trust in any parameters. Instead, we consider everything untrusted and verify your identity and permissions. Our Zero Trust Network architecture, underlying our entire stack, enables us to provide this and mitigate the problem of shadow IT to a large extent. While it's never possible to eliminate it, we help you get as close as possible.

DQ: As there is a prevalence of Bring Your Own Device (BYOD) policies in many companies, what modifications should be made to their policies to prevent unauthorized tool usage in the organization?

Madhusudan: upon entering into an employment contract with a company, individuals acknowledge and commit to adhering to the established policies. However, it is widely recognized that if a policy is overly complex, convoluted, or otherwise difficult to comprehend, individuals are more prone to unintentionally violating it.

Communication is key in this aspect. I believe what GoTo Resolve offers is the ability for companies to simplify communication between businesses and their employees, particularly in an IT context. This makes it easier for companies to convey their expectations to employees. Essentially, it involves three main aspects: Firstly, the ability to easily create and enforce policies tailored to each company's specific needs. It's impractical to have a one-size-fits-all policy, and that's not what we're advocating for.

Regardless of the policy you have, its ease of implementation and enforcement, as well as the ability to communicate it in a conversational tone rather than a technical one, are crucial. With GoPilot, our AI assistant for GoTo Resolve, we facilitate this process for both end-users and IT administrators.

Secondly, our device management capabilities allow for the easy separation of business use and data from personal use and data. This enables efficient device management and ensures the segregation of business-related activities from personal ones, which is beneficial for the organization.

The third aspect circles back to what GoTo does on a day-to-day basis, which is enabling you to work from anywhere at any time. This essentially means that your device doesn't need to be of a specific type or in a specific location to be part of your ecosystem. What we've built allows you to get your work done using either your own devices or company-issued ones.

By implementing policies that permit certain actions and disallow others, while also explaining the reasoning behind these restrictions, and by proactively addressing issues that arise, we ensure transparency for you as an end-user. You'll know that your device is being adjusted and monitored to be compliant, safe, and effective for your work.

DQ: Explain what Shadow AI is. And what makes managing it more challenging than traditional shadowing?

Madhusudan: Shadow AI is relatively new and has gained more popularity in recent times, primarily due to the increasing prominence of AI as a buzzword. Essentially, it involves individuals using their preferred AI or generative AI solutions to enhance productivity or perform tasks they deem necessary. Typically, the industry progresses faster than we can keep up with from a policy and IT perspective, resulting in a gap, similar to what occurs with tools.

In an ideal world, while I may not have the answer now, we're typically one generation behind cutting-edge technology in terms of providing compliance and policy guidelines to manage it. So, the issue of shadow IT replacing it with AI refers to the use of unsanctioned, unmonitored, and unmanaged AI solutions, tools, and technologies to carry out tasks. What makes shadow AI more complex is that it fosters autonomy and is inherently interdisciplinary. The primary risk it poses is unauthorized data access. For instance, if you unknowingly transfer private, confidential data to a solution to obtain an abstract or summary without ensuring the security measures of that data storage.

You're essentially creating a data leak, which leads to legal compliance and security issues, depending on the nature of your data. Secondly, not all AI solutions are the same; there is bias in many AI solutions depending on how they're trained or learned. By using a non-curated AI solution, you may inadvertently create ethical issues with the decisions it generates. For example, if you're trying to shortlist applicants for a job and you have a large number of resumes, you may opt to use an HR AI system to simplify the process.

Now, if that system is vetted, approved, and managed by your company, that's great. However, if the system has biases in terms of how it's been trained, you've introduced bias into your applicant management and monitoring processes, which isn't favorable for the business. This is a risk that we don't often understand but may fall prey to if we're not careful. 

The third issue is the sheer complexity of how AI systems operate. They consider numerous parameters to generate the desired outcomes. Therefore, managing them involves not just overseeing one aspect but also managing all interconnected components that contribute to their functioning.

Incorporating multiple disciplines such as data science for analysis and software engineering for code optimization introduces a diverse range of considerations. This complexity is particularly pronounced in domains like banking, finance, insurance, and healthcare, where the implications of AI tools are significant.

Effectively managing and monitoring the usage of AI tools is crucial. It's essential to delineate what tools are permissible and impermissible, considering the potential risks involved. Communicating these guidelines to users is vital, emphasizing the prevalent dangers of unauthorized tool usage and offering sanctioned alternatives for efficient and successful outcomes.

DQ: What role does GoTo play in addressing challenges related to shadow AI as well as shadow IT?

Madhusudan: I believe the best approach is to consider not just GoTo Resolve, but also what is necessary to manage or mitigate the risks posed by this problem. The issue, as I see it, boils down to constraints of time and resources. While having one person or department dedicated to each issue might be feasible, it's neither cost-effective nor scalable. Therefore, consolidation is necessary.

Another challenge arises when different tools are required to manage various types of shadow IT and shadow AI by discipline. If you can effectively monitor and manage all these tools, it may suffice. However, the problem escalates when you need to manage multiple tools simultaneously, leading to focus issues and difficulty in staying on top of everything.

Having a consolidated view of IT management, where all relevant aspects are presented in a single pane of glass, becomes crucial. This facilitates efficient monitoring and management, allowing IT professionals to address issues promptly and effectively without having to navigate through multiple interfaces.

The other essential aspect of IT management is monitoring. Rather than manually overseeing everything, automation is key. Alerts can be set up to notify IT teams of any anomalies or potential threats, enabling swift action to mitigate risks. Once again, having a unified dashboard for monitoring and managing all these aspects is invaluable.

When considering the security or compliance risks associated with the tools used, there's also a social risk to be mindful of. Effective employee training is essential to prevent inadvertent disclosure of sensitive information and minimize the risk of unauthorized access. While automation can assist to some extent, employee education remains a critical component in addressing these risks.

The other equally, if not more important aspect, is to ensure that you provide tutorials, training, and reinforced training to your employees to ensure they don't inadvertently violate the company's policies. GoTo helps address this by providing an all-in-one consolidated IT tool stack and dashboard. This platform assists in creating and implementing a robust and cohesive security framework. Rather than providing all the solutions needed, it achieves this by effectively integrating with the tools and systems you already have in place.

Let's say you're using Zendesk, Microsoft Teams, ServiceNow, Salesforce, or any other tools in your current setup. It would be impractical to expect us to come in and demand you to move everything around. The 'rip and replace' approach never worked and will never work. Instead, any new tool introduced into your ecosystem should seamlessly integrate with your existing key tools while still providing you with a consolidated view of what needs attention as an IT administrator. Essentially, this is what these tools help you achieve.

The third aspect to consider is compliance. It's not sufficient to merely claim that you've had no incidents and have met expected standards. Your customers may want proof, and they'll demand evidence. This proof can be provided through auditing, either by adhering to SOCK compliance or other external standards bodies or by having auditing and reporting functionality that demonstrates compliance. This is another area where we provide assistance and support, helping you meet your customers' requirements.

It's important for your peace of mind to periodically undergo an audit check, similar to a health check, to ensure everything is in order. This allows you to address any issues discovered during the audit process, whether they're gaps identified in audit reports or arising from the evolution of the tools and systems you're using. As we're discussing security measures, this becomes especially crucial.

DQ: Explain how consolidated IT management and monitoring aid in standardized security measures across different departments of an organization.

Madhusudan: I would probably start by saying that it simplifies life and reduces system complexity. Usually, complexity leads to oversight issues, either due to an inability to address all the gaps or simply overlooking certain things. Complexity doesn't necessarily refer to usability or the specific tool used. Across the industry, everyone is transitioning to more user-friendly interfaces and easier-to-use dashboards, aiming to make life easier for users. However, the challenge arises from having to manage a multitude of these elements.

If an IT administrator needs to handle multiple tools that serve the same purpose, they must possess expertise in using, managing, and effectively deploying each of these tools. For instance, if there are three or four different tools to master, it's insufficient for the administrator to excel in just one and consider the task complete. Each tool has its upgrade cycles that evolve to meet changing needs. Therefore, the administrator must continually update their skills and stay current with all these tools. This additional responsibility adds to their daily workload, leaving them with only two possible solutions.

There are two potential approaches to address this issue. First, you could designate an IT administrator for each discipline, tool, or department, ensuring that each has its dedicated support. However, this approach also requires resolving compatibility issues between tools, systems, and departments, which can be challenging.

Alternatively, you could opt to consolidate everything under one umbrella or roof. This allows for the management of all tools and systems in a manner that facilitates the definition, addressing, and implementation of consistent policies across the entire department. With consolidation, you eliminate the risk of losing important details when transitioning from one tool to another, ensuring uniformity in policy implementation.

Consolidation offers benefits in terms of both economy, which is crucial in the current economic climate, and consistency, which enhances robustness and reliability.