“Built-in, not bolted on”: Box CISO on frictionless security

Lakshmi Hanspal joined Box as Global Chief Security Officer in 2019. Nearly a year on, she joins Pulse Q&A for a conversation on frictionless security and autonomous trust.

Pulse Q&A: We’ve been looking forward to this for a little while. Thank you for joining us, Lakshmi. You’re a very recent addition to Box and I was wondering if you could tell me a little bit about what your first hundred days looked like?

Lakshmi Hanspal: I joined Box earlier this year in January. When we think about any leader coming in, there’s a normal pattern of observing and building relationships. Think about those quick wins and those course corrections that are needed. That’s a rinse and repeat process. It’s worked well for any new CEO or any C-suite leader. My approach is pretty much similar, with adding in nuances as to what aligns with the company and the team. 

Operational excellence was a key focus for us. What the team needed was stability and ensuring that we had ways to recognize where we were brilliant and where we needed to get better with improved maturity and advanced automation.

We also wanted to make sure that the team was feeling inspired, and we were placing the right questions in front of them. This means that they were asking the right questions and they were being asked the right ones as well. 

Lastly, we wanted to ensure that leadership across the board, all the way from senior leaders across to executing managers, had a shared vision of trust. At Box, we build trusted products, maintain trusted environments, and we advocate trust with our customers and partners. This was a resonating, uniform and consistent message with all stakeholders. Those were the three things that were important to do within the first hundred days.

Pulse Q&A: I wonder if we could dive into this concept of trust and what your general principles are in establishing that between you and the clients?

Hanspal: For me, it was very important to have a more cohesive view of trust within the environment in which I work. When we think about trust, it’s across many security principles. We build trust within our products, platform services operations. 

And it’s about maintaining those environments. This is accomplished through compliance and audits, certifications and adaptations. Then the question becomes how do we partner with our customers to be that tether to reality. In other words, is what we’re doing working? The efficacy of that can be measured.

If you think about these across three pillars: build up trust, maintain trust and advocate trust, then it means you are not just fulfilling them when you operate in one of those silos. You need a more cohesive view, and I call it the ‘single-pane-of-glass view’ on risks to the company and risks to the environment.

We formulated the Trust Office within Box, where we brought multiple functions that not only have an accountability to trust but also build that capability with our customers. Those teams have now had a chance to operate more cohesively. Again, they are seeing through the single pane of glass on one side. On the other side, which is significantly more of a positive impact, was our stakeholders getting a single pane to view their risks. They weren’t getting varied reports that were giving them different messages.

For our stakeholders, it was even more beneficial because they said they not only have a clear view of risks in the environment but a more clear narrative on the consequence of inaction as well. If they do nothing about it, then that gives them more clarity to go into their operating cadence to rank these risks and execute accordingly. 

Pulse Q&A: You’ve said before that the Holy Grail is frictionless security. What do you mean by that? 

Hanspal: Frictionless security in my mind is built in, not bolted on. If you think about, in the mid-90s, when I started, the trust era was about policy and compliance. In short, it was about checking boxes. In that era, we were not getting any traction from businesses or business stakeholders that wanted to do things differently. 

We moved from the policy compliance era to one of talking about risk. Risk seems to be the common language that you as a business understand. It was a little bit better in terms of traction with businesses. Then, we moved into an era of business enabling – not about saying no, but yes, here’s how you can do it. Those were the conversations that were happening at the table with business stakeholders and with technology leaders as well. That became the business enabling era.

That led to where we are now, with digital trust. Digital trust is about native built-in controls, not bolted on. An example of that would be the telemetry and richness of anomalous activity. Or the telemetry and richness of policy conformance that you can apply to content within your environment. Digital trust, if you think about many cloud providers, whether in the SaaS space or other areas, they’re all looking to enrich their cloud native, built-in controls, as well as seeking to develop partnerships for integration with others.

I’m going to move a little bit further than this. We’re in the era of digital trust. I want us to move into an era of autonomous trust. And the way I coin and define autonomous trust is that it’s differentiated trust. 

Autonomous trust is different from zero trust. What it’s saying is that there are levels of trust that I can build with entities and these entities could be carbon or non-carbon forms that have trust levels that are immutable in some way. They are immutable using technologies like blockchain that can help me preserve the integrity of that trusted relationship. It could be a connection. It could be an identity. Whatever is used to build that trust. 

My focus in terms of preservation of trust is not going to be with those entities with immutable trust. It’s with other entities where I cannot create that immutable trust. So, my trust yardstick goes to them and says you’re in a zero-trust model with me, or you’re on a semi-trusted model with me. The focus of efforts is strategically shifted by saying ‘I trust no one’ to say, ‘I have immutable relationships of trust that I won’t go and interfere with, until such and such happens.’

Pulse Q&A: What would you expect to see from an autonomous trust perspective for the next four or five years?  

Hanspal: The advantage will go to the ones that are thinking cloud native built-in. When we say built-in, it could be built-in with best-of-breed integration as well. For example, Box doesn’t profess to be the greatest identity provider, but we’ll partner with the leading identity providers in this environment to create that autonomous level of trust. When you think about an environment, we need to create more allies and partners in this journey over the next five years at Box.

If we journey on this alone, then we’re not really creating that shared vision with business partners, vendors and others that need to be able to integrate with us in this space. It’s about getting this vision out there. How do we get more people to contribute to this vision? Secondly, how does that fit into the ecosystem of the platform and services that we provide? 


Coming back to your question about frictionless security, we’re in this journey in frictionless and it has started with digital trust already, with built-in controls. Think about the era when you were actually using stick shift to drive your car to a time now where we have autonomous cars. I think we haven’t tasted autonomous trust yet, to compare it with other trust models. We’ve had a taste for digital trust, and we feel it’s great. It’s pretty frictionless. It’s definitely more frictionless than what came before it. But autonomous trust is going to truly propel us, catapult us, into the era of what true frictionless should be.

Pulse Q&A: Lakshmi, thank you so much for your time today. We really appreciate it. It’s been fantastic talking to you.

Hanspal: Thank you. Appreciate the opportunity.
