With digital transformation, issues around data protection and privacy are important for business leaders and CIOs. In this episode, Aaron Levie, co-founder and CEO of the cloud storage service, Box.com, explains the impact of cloud computing on security, privacy, and compliance. He also describes the benefits of public cloud computing and how on-premise vs. cloud affects security.

Transcript

This transcript was lightly edited for readability.

Introduction

Michael Krigsman: Security, privacy, data protection. We're speaking with Aaron Levie. He's the CEO of Box. We're going to take a business leadership point of view and explore these topics.

Aaron Levie: We help enterprises securely manage and collaborate around their most important data. We have about 97,000 customers. We work with nearly 70% of the Fortune 500, companies like General Electric, Eli Lilly, Coca-Cola, and many others. Our job, first and foremost, is to help companies keep their data secure and keep their most valuable information protected as they move into the cloud.

Importance of Data Protection

Michael Krigsman: You said our most important job is to keep that data safe. Tell us about that.

Aaron Levie: This takes on many characteristics when you're a cloud company and it really starts with, obviously, the foundation of your platform, so the data security, the way that you design your software, the infrastructure that you leverage, how you harden that infrastructure. If you think about it, job number one is to make sure that we are building the most secure systems possible for customers' information.

Job number two is to make sure that, as employees of Box and from a corporate standpoint, we are keeping our customers' most valuable information protected. This is how we think about internal security, how we make sure that we have the highest degree of security hygiene within the organization.

Then, finally, we build functionality for our customers to help keep their data protected and give them the control to be able to help them secure their information. This is where we build advanced products that go way beyond keeping data secure and more around, how do we help companies understand how their information is being accessed; what type of data is being shared and with whom; is certain information not supposed to be leaving the corporate network or leaving different geographies or being accessed by certain devices?

Being able to have all of the analytics and all of the intelligence around how you apply additional levels of security to the data is what we're focused on building. Keep the core foundation security really strong. Make sure that we, as stewards of our customers' most important information, have a high degree of security hygiene. Then build a lot of great software to help our customers really tune the security within their organization to keep their data protected. That's how we think about security at Box.

Then, of course, maybe the only other thing to add is, do that all within the ecosystem of other security partners and vendors, so we work with companies like Splunk, Palo Alto Networks, McAfee, or Symantec to make sure that we can integrate with all of the other security investments that our customers have made.

Current State On-Premise to Cloud Migration

Michael Krigsman: Where are we in cloud migration? We'll talk about security in that context.

Aaron Levie: We started Box 15 years ago, and so we just passed our 15-year anniversary mark. It shows the naivety of young founders because we thought that, once we launched, we felt like, okay, the entire world would have to be only in the cloud with no on-premise systems in probably three to five years. This was in 2005 when we kind of had that theory.

To us, the writing was on the wall. You had Salesforce. You had Workday. You had Amazon Web Services. We felt like, okay, everybody is just going to rapidly move to the cloud. Then, of course, we get hit with the reality of, you have, in some cases, systems that have been built in on-premise environments that had been running for 20 or 30 years. That takes a long time to migrate. You have industries where there are heightened degrees of, obviously, conservatism because of the sensitive nature of the data that they deal with, so think about pharmaceutical companies, obviously banks and financial services firms, government agencies.

Only really in the past couple of years have we actually seen the real tide begin to shift where, in net new projects in the majority of organizations that we go visit, cloud is the default approach. This could be true at banks. This could be true at life sciences companies. It could be true of government agencies. That wasn't the case just even three years ago where cloud was the default paradigm for any new application or service.

I think we've now switched where any net new project, I think most customers in most industries, are biased toward the cloud but you still have decades of legacy systems, legacy processes that also have to migrate. I think we're still in the earliest of innings. I think most analysts and most of what we hear from customers in the market is that we're just, maybe at best, 10% of the way to this overall IT transition to the cloud. That means that there's just an insanely exciting amount of change left to come.

I think what we get most excited about is not when you can lift and shift one particular workflow, workload, or set of data from an on-premise system to the cloud but what the cloud enables you to do that you could not have done in an on-premise environment. That's the really exciting thing.

I think so much attention is put by vendors and the market on, how could I get better agility, better flexibility, lower cost, more efficiency by moving to the cloud? That's fantastic. That's the baseline of what we should expect from a technology paradigm shift. What's most exciting is actually the new use cases that we can open up because of the cloud.

In our case, and what we hear from customers, some of those use cases are that the business process itself can transform. Some of the use cases are, they get a way better way to be able to drive data security and protecting information. Some of the use cases are, fundamentally, they can work with their partners, their customers, and their clients in all-new ways.

That's really where I think the next decade is going to be all about, which is, what can we do differently in the cloud now that's the base foundation of how we're delivering computing? I think that's what we're going to look back in the 2020 timeframe and say, okay, that's really where we started to actually change business, not just run it more efficiently.

How Does Cloud Change Security and Privacy?

Michael Krigsman: When we talk about security and we talk about privacy in the context of cloud, what does the cloud change with respect to these concepts?

Aaron Levie: When you move from an on-premise environment to the cloud, what actually is happening? In your on-premise systems, this is a perspective that is informed by what we do, so I think a lot about unstructured files and data, so your documents, your media assets, your customer contracts. A lot of this is sort of tilted toward that, but you can imagine the implications to any application or any category.

When you're in a data center view of the world and a perimeter view of the world, you put all of your infrastructure, all of your applications, and then all of your data within your environment. It means that now the customer is responsible for investing in all of the security and the bolt-on security technologies to protect all of that information in the perimeter around their corporation and around whether that's their data center, the corporate headquarters, or how their employees work within their network. That becomes the customer's responsibility. Well, all of a sudden, if I move my applications, if I move my infrastructure, and if I move my data to the cloud, now, all of a sudden, that's in somebody else's data center and it becomes, in many cases, somebody else's problem to start to think about.

If you are moving your CRM system to the cloud, you're moving it maybe from Siebel or Oracle and then you're maybe moving it to the Oracle Cloud or Salesforce.com, as an example. If you're moving your HR to the cloud, you're moving it from maybe PeopleSoft or SAP to Workday, Oracle, or SAP in the cloud. It becomes that cloud vendor's responsibility to now think about the integrity, the privacy, the compliance, and the security of your data and then enable the organization to have advanced capabilities around that.

What we're finding is that, as you move all of that information to the cloud, you need a completely different security model because if you think about how content, your files, or your documents are shared or they're collaborated once you move that data to the cloud, fundamentally, it's going to your mobile devices, it's being shared externally to partners, it's going outside of your network to be collaborated on, on different devices and in different geographies. And so, we need an all-new paradigm for how we think about security data as it moves from our data center to a cloud environment.

All of a sudden, when you think about how I secure that information, I need to be thinking a lot more about all of the analytics, about what people are doing with their information, where they're accessing it, how they're accessing it, who they're sharing it with. I have an unbelievable amount of new analytic information that I can take to actually deliver better security.

When you're actually thinking about how information is being shared between organizations and not necessarily trapped within the firewall of your enterprise, I have to think about, how do I keep that data secure as it leaves my network? It's not enough to just add a file attachment to an email and then send that as an email where you now have content that's available on somebody else's machine that is unsecured. I want to be able to track that data as it's being shared. I want to be able to revoke access to it. I want to know who downloaded or previewed that information.

As our data moves to the cloud, we need an all-new way to be thinking about the security of that information. It's not just protecting that data at rest, within your data center, when it's stored, and when it's not moving. Fundamentally, it's about protecting the flow of that information as it's being shared between devices, between people.

It's a completely different shift in how we think about data security where you're relying much more on the service providers. You're relying much more on the cloud partners to be able to deliver that security. It's not enough just to have a bunch of bolt-on technologies to help you secure your enterprise. That's really where we're making a lot of investments is to build that security more natively into the platform and give our customers the tools, analytics, and capabilities they need to help secure their information.

Cloud Security, Collaboration, and Ecosystem

Michael Krigsman: It sounds like cloud security is actually a collaborative ecosystem project.

Aaron Levie: It's fundamental because we are going to be one application that helps companies manage their content, their files, and their data. Salesforce is going to be an application that helps companies manage their CRM information. Workday is going to be an application that helps companies manage their HR data. Slack is going to help you collaborate and have channels for communication.

Each of us is going to be responsible for securing our systems and the data and the information within our systems. Then there's going to be another layer, which is around technology that helps you secure all of the different SaaS or cloud investments that you're making. Maybe that layer will be a security event system from Splunk or maybe it'll be a cloud access security brokerage system from Palo Alto Networks or McAfee. Maybe it'll be an intelligent layer that's delivered by IBM or Amazon.

There is going to be a role for the different applications and infrastructure players. Then there's going to be a role for horizontal systems that help think about the security across all those applications and data types. Fundamentally, we need to be thinking about security in terms of platforms and how our platforms interact with one another, not just as silos of data where we are closed off to one another.

Michael Krigsman: You talk with a lot of customers. To what degree are you finding awareness of the need to be thinking about these issues? Also, does it vary by industry, by size of company? What kind of patterns are you seeing?

Aaron Levie: First of all, I think the awareness is at the peak level that I've ever seen in doing this for 15 years. That's been contributed to because of all of just the amount of splashy headlines, whether it's a Capital One breach or Jeff Bezos's phone getting hacked.

We have a range of very en vogue kind of moments around security that have helped security professionals be able to really say, "Okay, this is super important. This is why we need to invest here." Now, I think there's not a CEO in the country or the world that is not paranoid and thinking about this constantly. That's the awareness side.

Now, what are they doing about it? There's a wide range of outcomes on what companies are doing from an investment, resourcing, or strategy standpoint. That's where we see the greatest variability, but I don't think there's anybody that's not aware of how big of an issue this is.

To your second question, I think one of the interesting things that I've seen is that security really started out as an issue that I think was either a very fringe concern by only your IT organization or your security organization or a concern of very regulated entities, so banks, pharmaceutical companies, healthcare institutions, government agencies. That was sort of the audience of security.

If you think about going to a security conference 10 or 15 years ago, it would either be banks or it was really just an IT or security issue that was off in the corner for other organizations.

Today, I think security and thoughtfulness around data sensitivity is pervasive across all industries and companies of all sizes. The reason for that is that, first of all, you now just have way more regulation that has occurred from a data privacy perspective that is causing companies and previously unregulated industries.

Think about if you're just a retailer or a CPG company. You weren't really having to think about data hygiene five or ten years ago. Now, all of a sudden, with things like CCPA or GDPR, you really have to pay attention to this.

Think about the Sony hack just a few years ago. If you were a media company, you didn't really have to think about cybersecurity as a possible business risk between reputational harm or financial impact. All of a sudden, now, media and entertainment have to pay a lot more attention to these issues.

There's not an industry today that doesn't either have regulatory challenges, financial harm, or reputational risk if they have security go the wrong direction. I think that's causing boards of directors, CEOs, CIOs in every industry to say, "Holy [explicit used]. We have to pay attention to this. We have to invest in it."

Then it really comes down to, okay, how are companies resourced to do this? How are they driving the strategies to be able to go and actually get into a much better position?

Security, Compliance and Industry Sectors

Michael Krigsman: Do you see differences among industries or types of companies in terms of the level of resources and focus that they're placing on this?

Aaron Levie: I do. Depending on the level of compliance and regulatory challenges you have, the investment tends to be, in some cases, an order of magnitude more. You get more dollars applied to the problem because there might be billions of dollars' worth of fines that are tied to doing it in the wrong way. That is maybe a view of the financial investment.

However, security is not always an area where more dollars solves the problem versus where good architecture and good principles in the design of your systems and the design of your processes matters a lot more than how many dollars you throw at the problem. I can't quite generalize yet where I say some companies that have way more dollars are doing better because I know of many more nimble organizations that maybe have better security hygiene. But it's due to the sort of scarcity of investment that caused them to be really, really hyper-focused on the most impactful areas of security as opposed to maybe some of the flashy things that are done or some of maybe the things that you do only for compliance but they don't end up helping security.

I think sometimes what we see is that there can be too much conflation of security and compliance. Those two things are very different because compliance is a set of maybe 100 things you have to do from a regulatory standpoint. But security is really about risk and judging risk across the business and really putting your bets in the areas that are associated with the highest degree of risk. Compliance may not have that same exact perspective or prioritization.

Companies that can just focus on risk and focus on data security often can do better than those that have to tie in all of the compliance and all of the regulatory challenges that they equally have to deal with. We see differing outcomes all across the board.

Michael Krigsman: It's really interesting and a little counterintuitive when you said that larger budgets do not necessarily mean better security practices. Could you elaborate on that?

Aaron Levie: I think if you just take two extremes, if I gave an organization hundreds of millions of dollars to solve a security problem, inevitably what tends to happen is you tend to then invest more in people and manual operations. You invest way more in more systems, which makes your business more complex, which creates more vulnerability.

If you had fewer dollars but only could invest in the highest leverage areas of security, so a single-sign-on system that had two-factor authentication, analytics and intelligence system that gave you full visibility into what was going on in your environment, and modern cloud-based software and applications to run on, what we've seen is that you would generally do better in that modern environment that was maybe a little bit more lean but invested in the highest leverage applications versus the environment where you just threw more and more dollars at maintaining the legacy, adding more complexity, throwing more people at the problem, and creating, again, more of a complicated architecture that creates more difficulty in actually securing the environment. Usually, simplicity always breeds both better hygiene but more agility, more speed, more efficiency and, ultimately, better security practices in most cases.

Michael Krigsman: If the underlying systems and technologies are simpler and less complex and hairball.

Aaron Levie: As a general rule, more dollars will lead to more complexity over time. Thinking about, "Do I really have a budget problem or do I have an architecture and a design principle problem?" and thinking through from that perspective often will get you to a better outcome, ultimately, than just, "How do I throw more dollars at this issue?"

Now, that being said, this is not a statement that the global spend on security isn't going to grow and that it shouldn't grow. On a much more micro basis, when you think about your architecture, think about it around simplicity. Think about how do I design out the complexity.

What we know from experience is that any time a system gets too complex, people will start to make mistakes. They will put something in the wrong location. They'll end up working around the system because the default system is so complex that they need to bring in Shadow IT.

Any time that your system gets so complex, gets too complex, you inevitably will have to work around the system or do the wrong thing. When they do the wrong thing, that is what creates your vulnerability. All the dollars in the world won't actually help that if your technology environment is too complex to work in.

How to Develop a Culture of Security

Michael Krigsman: The importance of developing a security culture, what do you see at your customers regarding that issue?

Aaron Levie: The best practices we've seen are really around how do you create as much awareness and visibility internally about security, how do you make it a dialog and create nomenclature around it and create a vocabulary around it as opposed to it's this sort of rare, infrequent, annual compliance thing that you do as a company. If you come to any of our internal all-hands events, either once a month or once a quarter, you will hear us talk about security in some significant way. It might be having an external guest speaker. It might be an internal testing that we did against employees and the rate of people responding to that maybe social engineering test. We have various internal programs that are collaborative and bring the community together more.

What we want is as much sort of ongoing awareness and conversation around security as possible, not this is a rare, one-time, infrequent event where it's about compliance or it's about just checking the box. That's how we think about awareness. That's how we think about creating a culture of security within the organization.

Michael Krigsman: Is that among your customers? As you talk with your customers, is that happening?

Aaron Levie: I think we're still early in that because that's a collaboration between the security organization, the IT organization, the HR organization, internal comms. You need CEO sponsorship. When you get to companies that have 5,000, 10,000, or 50,000 employees, there are a lot of conflicting priorities that people do run into. I think we're still probably early in some of the cultural change that has to go on with companies.

If you go to a big bank, as an example, they are definitely doing this. The question is, how much is it resonating; how much is it sticking? That obviously is always the big question. But we do know that it's starting to ripple through more and more organizations.

Michael Krigsman: What about differences between consumer and B2B? Are there patterns or differences there, would you say?

Aaron Levie: I think it usually comes down to how does the company or organization understand what kind of data that they hold onto and how sensitive is that information. If you're on one end of the spectrum, a complete brick and mortar environment, and the only data that you really work with is kind of credit card swipes at the cash register, then you're probably doing a limited amount, a finite amount of security awareness and culture setting. If you're on the other end of the spectrum where you're a digital media consumer organization and you have credit card data, you have consumer buying preferences, you have listening habits or activity, and you have ad targeted, then on that end of the spectrum, you have to care probably about a hundred times more than that brick and mortar organization on security hygiene and sensitivity around this.

I think it probably less relates to consumer versus enterprise and much more around what digital information do you house for your customers and how valuable is that information to outside threats. That's how much of a steward you have to be for that data.

Michael Krigsman: If you think about breaches like Equifax, for example, which is a vast, should be a vast steward over vast realms of data, isn't it extraordinary that that can happen, that kind of data breach can take place in that environment?

Aaron Levie: On the one hand, it's extraordinary. On the other hand, unfortunately, it's not that surprising when you think about the complexity of these systems and the fact that you might have one or two systems that are not patched or not using the latest configuration and the ease at which a hacker can traverse that.

On the one hand, it's obviously very surprising because of the data that they hold. On the other hand, it's all too unsurprising because of the fact that when you design complex systems and you have an organization that's trying to keep up with all of the latest innovation trends and some systems fall behind or some developers fall behind, you create an environment where you're going to be vulnerable to those types of events.

Enterprise Architecture and Cloud Computing

Michael Krigsman: We have another really good question from Arsalan Khan. He says, "From what you're describing, there is more of a need than ever for enterprise architecture." He says, "Have you ever considered opening up a consulting arm?"

Aaron Levie: [Laughter]

Michael Krigsman: [Laughter]

Aaron Levie: Well, we do have a consulting arm, but it's very bias toward, obviously, customers that are deploying Box and helping them with that change management and digital transformation.

To Arsalan's point, enterprise architecture is one of those sorts of 100x levers in a business where, if you have an environment where you have complex, democratized, distributed system design, you might get the amazing market forces within your organization. Lots of people are going to be pushing the limits on new technologies.

You'll get a plethora of new innovation, but you will absolutely have a challenge in data security. You'll have a challenge in too much redundancy in systems that get implemented. You won't be thinking in terms of platforms and sort of how do I have layers of platforms that work together.

Enterprise architects, I think, have a very long future. It's a good time to be an enterprise architect right now.

Business Process Advantages of Cloud Computing

Michael Krigsman: The changes that cloud drives in organizations is that it's not just efficiency.

Aaron Levie: What we see that it just fundamentally changes the business process. If you imagine a world where all of your data, all of your information, all of your business processes are inside of your four walls of your organization, inside of your data center with perimeter-based security, that's one way of working.

Now you flip to, let's just say, a cloud-based way of working where you have Zoom, you have Slack, you have Box, you have Okta, you have Office 365, maybe you have Google Docs; you have all of these new tools. You're fundamentally going to be collaborating in real-time. You're going to be working inside and outside of your organization seamlessly. Whether you're working with an employee that is literally at the desk right next to you or a contractor or a partner that is 5,000 miles away on a different continent, that work is exactly seamless between the person next to you and the person around the globe. Fundamentally, it means that your business processes will start to extend more and more beyond the boundaries of your organization.

The resources then that you have access to because now you have every single possible resource around the world to help move your business forward. The ability to collaborate instantaneously and move ideas and information forward much more rapidly, not by days or hours, but by seconds and minutes. All of these things go and transform the actual underlying work process itself.

It doesn't make things 10% more efficient or 20% more efficient. It fundamentally changes the work that you're going to do. It changes the idea that you deliver to market. It changes the partners that you actually go to market with. It changes the way that you can interact with your customers.

That's ultimately what the cloud is delivering. It's not making our businesses 5% more efficient or 10% more efficient or lower our cost of infrastructure. Yes, it does all of those things. But, ultimately, it makes our businesses much more competitive.

It changes the products that we build. It changes how we go to market with our customers. That's the really exciting thing about the cloud. Obviously, embedded in all of that is it changes how we have to secure our information.

Michael Krigsman: Is this digital transformation what you're describing? Can we encapsulate it with that label or no?

Aaron Levie: It's absolutely under that entire umbrella. I think what sometimes we miss about digital transformation is that it's very focused on this idea of the thing that was analog now going digital. But there's still so much stuff that actually technically has been digital but it hasn't been automated; it hasn't moved to real-time; it hasn't extended beyond the boundaries of our organization; it hasn't delivered a great employee experience.

If you think about digital transformation not just as, "I can get my Uber car on demand," that's obviously digital transformation within the automotive space. But digital transformation is the team of 100 people that once had to get in a room to be able to deliver their project now can be diffused, distributed, and be amongst partner organizations and employees. That's equally digital transformation but it's driven by the fact that we can collaborate in real-time; that we can automate more of our work; that we can get insights from data that previously were trapped inside of our databases or data lakes that we couldn't actually understand. That's the broader sense of digital transformation the cloud is ultimately the driver of.

Michael Krigsman: Somebody is listening and they say, "Yeah, that's great, but you know what? Our on-premise vendors have built all of these capabilities, and so how is cloud better?"

Aaron Levie: Well, for that person, if you're still asking that question, I can't help you. [Laughter] I think you're going to have bigger problems in your enterprise, I'm sorry to say.

Michael Krigsman: [Laughter]

Aaron Levie: But I think, empirically, if you want modern CRM, modern analytics, modern HR, modern ERP, modern collaboration, modern video conferencing, you literally can't get that in an on-premise system. It's only delivered over the cloud. That's because it's being delivered by SaaS or cloud providers that all of the new versions of their products are being built for the cloud.

Sure, there are some systems that make sure that they write code for SaaS and write code for your data center. That's becoming a much more rare way of delivering software and eventually will be a very, very small minority or niche way to be running technology. I think cloud is inevitable.

Then the question is not, "Are you going to the cloud?" The question is, "How are you going to utilize the cloud?" How is it going to change your business?

Are you going to think about cloud as, "I can now run my exchange server from my data center in the cloud. I can run my legacy CRM system from my data center in the cloud," or are you thinking about it as, "I can use the cloud to change how my employees work. I can use the cloud to change my employee experience. I can use the cloud to collaborate with my customers differently, and I can actually use this as a lever to transform my business, not just as an efficiency gain or a lever to adjust the bottom line," Which again, it will do as well, but how do you actually go and transform the underlying business process that the company is operating with?

Michael Krigsman: That's hard for many companies that have been working with on-premise software for many years in their processes. It's really hard to know. How do you begin? How do you think about this if you're a business leader?

Aaron Levie: You have to partner with the business. If you're a CIO, ahead of IT, or anyone within IT out there, you have to go seek understanding from the business, from marketing, from sales, from HR. What are the challenges that they're running into? What are our customers looking for us to do better for them? Where are employees being held up because our internal systems are slowing them down?

I can't tell you how many times we'll go into an enterprise; we'll talk to IT. They might think that they've solved a particular problem. Let's just say it's collaboration or document management.

Then you'll go talk to the business and you say, "How are you solving this problem?" The businesses, their hair is on fire. They're upset about everything. They can't get work done. It's too hard to collaborate.

That disparity is because the IT and the business have not gotten together to be able to communicate around what the challenges are in the enterprise. What we want is we want IT to raise the bar on what they're delivering for the business. We want the business to raise the bar on what they expect from their technology and more of that collaboration to come together. This can only happen when you remove as much of the divide as possible between IT and between the business, so you actually have that as sort of one fused way to see the enterprise.

Digital Transformation, Cloud, and Breaking Siloes

Michael Krigsman: The common theme here then is removing the barrier because when you were talking about security as being essentially ecosystem security, again it's removing the barrier.

Aaron Levie: Correct. Yep.

Michael Krigsman: It carries through so, if you're a CEO or you're a CSO—you hear lessons from your customers—what advice can you offer these folks?

Aaron Levie: Where we have seen enterprises in many cases make the most progressive and quickest change is really starting with thinking about, again, this concept of leverage is really important. If you were to prioritize the sequence of decisions and the sequence of investments by leverage, as defined by what is the smallest amount of effort I can do to have the highest degree of impact in my digital transformation journey, not how we traditionally think about it, which is, you generally are sequencing your execution by where your dollar is going.

If you sequence your execution by where your dollars are going, oftentimes that is going to take you to your ERP system. That's going to take you to your legacy data centers. If you sequence your investments or your execution to where is your greatest leverage, then all of a sudden you're like, "Okay, how do I impact every single employee every single day to make their jobs better?"

Oftentimes, again, that might start with, okay, let's make it easier to interact with IT. Maybe you invest in Okta so that way people can launch into the modern applications that they're using faster. Maybe you invest in something like Slack so people can communicate enterprise-wide much more collaboratively. Maybe you invest in something like Zoom so people can have real-time video conferencing or WebEx so you can do real-time video instantaneously across the enterprise.

Obviously, we are really happy when companies invest in Box early in their journey because every single employee now can collaborate or manage their data in a new and modern way.

If you start to think about what sequence of technology can I implement that has the greatest amount of impact to my employee culture, to the way that we work, to the way that we serve our customers, to the way that we come up with new ideas, that is often the fastest way to get your organization moving on a digital transformation journey. You're almost doing sort of shock and awe a little bit where you're like, "Okay, we're going to now have a whole bunch of new ways that people can get their work done. Then, in the background, we're going to go and migrate the legacy stuff."

If you invert that and you start working on the legacy stuff first, you're going to be three to five years out, employees won't have had any change in their employee experience so they don't know anything is any better, and most likely something is going to stall in that migration journey that will just cause you to slow it down inevitably anyway. Really thinking about how you get some early wins on the board, how you change the employee culture early, and then how you follow it up with maybe some of the bigger ticket, higher dollar, legacy transformation that you also have to drive. It tends to be the sequence that I've seen be most successful.

Michael Krigsman: If you're going to drive change, then you need to show, relatively quickly, some type of change.

Aaron Levie: Yes and, counterintuitively, start small and find the things that are the smallest footprints that have the greatest impact in the business because that's how you can easily get going on this. I've seen some customers accidentally – it's certainly not intentional – accidentally take as much time to decide to deploy Slack, Zoom, or Box as they would be making an ERP decision because their organization has slowed down to the pace of the most complex system that they implement when actually what they should be doing is knock those types of applications out rapidly, obviously with the right security vetting and compliance vetting, but knock those out rapidly, get the employee transformation going, and then follow up with the bigger ticket back-end transformations that you have to drive. If you get that confused and you move that sequence in the wrong direction, it'll end up slowing down the entire enterprise and you won't get any points on the board.

Michael Krigsman: That's really interesting that some organizations deploy at the speed of the slowest application.

Aaron Levie: Think about your procurement processes, your compliance processes, your architectural processes. They were built for your most significant systems because it has to work for that. That's not the same process you should be using to implement or launch some of these lighter weight, end-user tools that are actually, in many cases, the fastest catalyst to digital transformation in an enterprise.

Advice to Chief Information Officers

Michael Krigsman: Any final thoughts before we finish up?

Aaron Levie: I've already been spitting into the microphone, so I feel like I've gotten all my major comments in and I'm frothing at this point in excitement on digital transformation.

Michael Krigsman: [Laughter]

Aaron Levie: But I think this has been a great conversation. I think maybe the final thing I'd leave you with, and this is a phrase that we use internally with our customers, is, "Eventually, your culture will look like your IT stack."

Think about what kind of culture you want. How fast-pace do you want it to be? What type of collaboration do you want?

Then do you have the IT stack to be able to go and enable that? Do you have the modern tools with the modern interfaces and modern user experiences with the right degrees of collaboration between those systems? That's going to ultimately drive your culture as an enterprise.

Certainly, I'm excited to continue the conversation going forward.

Michael Krigsman: You just gave the greatest plug for CIO opportunity that I have ever heard. To all my CIO friends out there, I'm speaking on behalf of them. We say thank you.

Aaron Levie: All right, well, thank you.

Michael Krigsman: We've been speaking with Aaron Levie. He's the CEO and the co-founder of Box.

Before you go, please subscribe on YouTube and subscribe to our newsletter and check out CXOTalk.com. We have lots of great shows coming up and we'll see you again next time. Have a great day, everybody. Bye-bye.​

This transcript was lightly edited for readability.

Introduction

Michael Krigsman: Security, privacy, data protection. We're speaking with Aaron Levie. He's the CEO of Box. We're going to take a business leadership point of view and explore these topics.

Aaron Levie: We help enterprises securely manage and collaborate around their most important data. We have about 97,000 customers. We work with nearly 70% of the Fortune 500, companies like General Electric, Eli Lilly, Coca-Cola, and many others. Our job, first and foremost, is to help companies keep their data secure and keep their most valuable information protected as they move into the cloud.

Importance of Data Protection

Michael Krigsman: You said our most important job is to keep that data safe. Tell us about that.

Aaron Levie: This takes on many characteristics when you're a cloud company and it really starts with, obviously, the foundation of your platform, so the data security, the way that you design your software, the infrastructure that you leverage, how you harden that infrastructure. If you think about it, job number one is to make sure that we are building the most secure systems possible for customers' information.

Job number two is to make sure that, as employees of Box and from a corporate standpoint, we are keeping our customers' most valuable information protected. This is how we think about internal security, how we make sure that we have the highest degree of security hygiene within the organization.

Then, finally, we build functionality for our customers to help keep their data protected and give them the control to be able to help them secure their information. This is where we build advanced products that go way beyond keeping data secure and more around, how do we help companies understand how their information is being accessed; what type of data is being shared and with whom; is certain information not supposed to be leaving the corporate network or leaving different geographies or being accessed by certain devices?

Being able to have all of the analytics and all of the intelligence around how you apply additional levels of security to the data is what we're focused on building. Keep the core foundation security really strong. Make sure that we, as stewards of our customers' most important information, have a high degree of security hygiene. Then build a lot of great software to help our customers really tune the security within their organization to keep their data protected. That's how we think about security at Box.

Then, of course, maybe the only other thing to add is, do that all within the ecosystem of other security partners and vendors, so we work with companies like Splunk, Palo Alto Networks, McAfee, or Symantec to make sure that we can integrate with all of the other security investments that our customers have made.

Current State On-Premise to Cloud Migration

Michael Krigsman: Where are we in cloud migration? We'll talk about security in that context.

Aaron Levie: We started Box 15 years ago, and so we just passed our 15-year anniversary mark. It shows the naivety of young founders because we thought that, once we launched, we felt like, okay, the entire world would have to be only in the cloud with no on-premise systems in probably three to five years. This was in 2005 when we kind of had that theory.

To us, the writing was on the wall. You had Salesforce. You had Workday. You had Amazon Web Services. We felt like, okay, everybody is just going to rapidly move to the cloud. Then, of course, we get hit with the reality of, you have, in some cases, systems that have been built in on-premise environments that had been running for 20 or 30 years. That takes a long time to migrate. You have industries where there are heightened degrees of, obviously, conservatism because of the sensitive nature of the data that they deal with, so think about pharmaceutical companies, obviously banks and financial services firms, government agencies.

Only really in the past couple of years have we actually seen the real tide begin to shift where, in net new projects in the majority of organizations that we go visit, cloud is the default approach. This could be true at banks. This could be true at life sciences companies. It could be true of government agencies. That wasn't the case just even three years ago where cloud was the default paradigm for any new application or service.

I think we've now switched where any net new project, I think most customers in most industries, are biased toward the cloud but you still have decades of legacy systems, legacy processes that also have to migrate. I think we're still in the earliest of innings. I think most analysts and most of what we hear from customers in the market is that we're just, maybe at best, 10% of the way to this overall IT transition to the cloud. That means that there's just an insanely exciting amount of change left to come.

I think what we get most excited about is not when you can lift and shift one particular workflow, workload, or set of data from an on-premise system to the cloud but what the cloud enables you to do that you could not have done in an on-premise environment. That's the really exciting thing.

I think so much attention is put by vendors and the market on, how could I get better agility, better flexibility, lower cost, more efficiency by moving to the cloud? That's fantastic. That's the baseline of what we should expect from a technology paradigm shift. What's most exciting is actually the new use cases that we can open up because of the cloud.

In our case, and what we hear from customers, some of those use cases are that the business process itself can transform. Some of the use cases are, they get a way better way to be able to drive data security and protecting information. Some of the use cases are, fundamentally, they can work with their partners, their customers, and their clients in all-new ways.

That's really where I think the next decade is going to be all about, which is, what can we do differently in the cloud now that's the base foundation of how we're delivering computing? I think that's what we're going to look back in the 2020 timeframe and say, okay, that's really where we started to actually change business, not just run it more efficiently.

How Does Cloud Change Security and Privacy?

Michael Krigsman: When we talk about security and we talk about privacy in the context of cloud, what does the cloud change with respect to these concepts?

Aaron Levie: When you move from an on-premise environment to the cloud, what actually is happening? In your on-premise systems, this is a perspective that is informed by what we do, so I think a lot about unstructured files and data, so your documents, your media assets, your customer contracts. A lot of this is sort of tilted toward that, but you can imagine the implications to any application or any category.

When you're in a data center view of the world and a perimeter view of the world, you put all of your infrastructure, all of your applications, and then all of your data within your environment. It means that now the customer is responsible for investing in all of the security and the bolt-on security technologies to protect all of that information in the perimeter around their corporation and around whether that's their data center, the corporate headquarters, or how their employees work within their network. That becomes the customer's responsibility. Well, all of a sudden, if I move my applications, if I move my infrastructure, and if I move my data to the cloud, now, all of a sudden, that's in somebody else's data center and it becomes, in many cases, somebody else's problem to start to think about.

If you are moving your CRM system to the cloud, you're moving it maybe from Siebel or Oracle and then you're maybe moving it to the Oracle Cloud or Salesforce.com, as an example. If you're moving your HR to the cloud, you're moving it from maybe PeopleSoft or SAP to Workday, Oracle, or SAP in the cloud. It becomes that cloud vendor's responsibility to now think about the integrity, the privacy, the compliance, and the security of your data and then enable the organization to have advanced capabilities around that.

What we're finding is that, as you move all of that information to the cloud, you need a completely different security model because if you think about how content, your files, or your documents are shared or they're collaborated once you move that data to the cloud, fundamentally, it's going to your mobile devices, it's being shared externally to partners, it's going outside of your network to be collaborated on, on different devices and in different geographies. And so, we need an all-new paradigm for how we think about security data as it moves from our data center to a cloud environment.

All of a sudden, when you think about how I secure that information, I need to be thinking a lot more about all of the analytics, about what people are doing with their information, where they're accessing it, how they're accessing it, who they're sharing it with. I have an unbelievable amount of new analytic information that I can take to actually deliver better security.

When you're actually thinking about how information is being shared between organizations and not necessarily trapped within the firewall of your enterprise, I have to think about, how do I keep that data secure as it leaves my network? It's not enough to just add a file attachment to an email and then send that as an email where you now have content that's available on somebody else's machine that is unsecured. I want to be able to track that data as it's being shared. I want to be able to revoke access to it. I want to know who downloaded or previewed that information.

As our data moves to the cloud, we need an all-new way to be thinking about the security of that information. It's not just protecting that data at rest, within your data center, when it's stored, and when it's not moving. Fundamentally, it's about protecting the flow of that information as it's being shared between devices, between people.

It's a completely different shift in how we think about data security where you're relying much more on the service providers. You're relying much more on the cloud partners to be able to deliver that security. It's not enough just to have a bunch of bolt-on technologies to help you secure your enterprise. That's really where we're making a lot of investments is to build that security more natively into the platform and give our customers the tools, analytics, and capabilities they need to help secure their information.

Cloud Security, Collaboration, and Ecosystem

Michael Krigsman: It sounds like cloud security is actually a collaborative ecosystem project.

Aaron Levie: It's fundamental because we are going to be one application that helps companies manage their content, their files, and their data. Salesforce is going to be an application that helps companies manage their CRM information. Workday is going to be an application that helps companies manage their HR data. Slack is going to help you collaborate and have channels for communication.

Each of us is going to be responsible for securing our systems and the data and the information within our systems. Then there's going to be another layer, which is around technology that helps you secure all of the different SaaS or cloud investments that you're making. Maybe that layer will be a security event system from Splunk or maybe it'll be a cloud access security brokerage system from Palo Alto Networks or McAfee. Maybe it'll be an intelligent layer that's delivered by IBM or Amazon.

There is going to be a role for the different applications and infrastructure players. Then there's going to be a role for horizontal systems that help think about the security across all those applications and data types. Fundamentally, we need to be thinking about security in terms of platforms and how our platforms interact with one another, not just as silos of data where we are closed off to one another.

Michael Krigsman: You talk with a lot of customers. To what degree are you finding awareness of the need to be thinking about these issues? Also, does it vary by industry, by size of company? What kind of patterns are you seeing?

Aaron Levie: First of all, I think the awareness is at the peak level that I've ever seen in doing this for 15 years. That's been contributed to because of all of just the amount of splashy headlines, whether it's a Capital One breach or Jeff Bezos's phone getting hacked.

We have a range of very en vogue kind of moments around security that have helped security professionals be able to really say, "Okay, this is super important. This is why we need to invest here." Now, I think there's not a CEO in the country or the world that is not paranoid and thinking about this constantly. That's the awareness side.

Now, what are they doing about it? There's a wide range of outcomes on what companies are doing from an investment, resourcing, or strategy standpoint. That's where we see the greatest variability, but I don't think there's anybody that's not aware of how big of an issue this is.

To your second question, I think one of the interesting things that I've seen is that security really started out as an issue that I think was either a very fringe concern by only your IT organization or your security organization or a concern of very regulated entities, so banks, pharmaceutical companies, healthcare institutions, government agencies. That was sort of the audience of security.

If you think about going to a security conference 10 or 15 years ago, it would either be banks or it was really just an IT or security issue that was off in the corner for other organizations.

Today, I think security and thoughtfulness around data sensitivity is pervasive across all industries and companies of all sizes. The reason for that is that, first of all, you now just have way more regulation that has occurred from a data privacy perspective that is causing companies and previously unregulated industries.

Think about if you're just a retailer or a CPG company. You weren't really having to think about data hygiene five or ten years ago. Now, all of a sudden, with things like CCPA or GDPR, you really have to pay attention to this.

Think about the Sony hack just a few years ago. If you were a media company, you didn't really have to think about cybersecurity as a possible business risk between reputational harm or financial impact. All of a sudden, now, media and entertainment have to pay a lot more attention to these issues.

There's not an industry today that doesn't either have regulatory challenges, financial harm, or reputational risk if they have security go the wrong direction. I think that's causing boards of directors, CEOs, CIOs in every industry to say, "Holy [explicit used]. We have to pay attention to this. We have to invest in it."

Then it really comes down to, okay, how are companies resourced to do this? How are they driving the strategies to be able to go and actually get into a much better position?

Security, Compliance and Industry Sectors

Michael Krigsman: Do you see differences among industries or types of companies in terms of the level of resources and focus that they're placing on this?

Aaron Levie: I do. Depending on the level of compliance and regulatory challenges you have, the investment tends to be, in some cases, an order of magnitude more. You get more dollars applied to the problem because there might be billions of dollars' worth of fines that are tied to doing it in the wrong way. That is maybe a view of the financial investment.

However, security is not always an area where more dollars solves the problem versus where good architecture and good principles in the design of your systems and the design of your processes matters a lot more than how many dollars you throw at the problem. I can't quite generalize yet where I say some companies that have way more dollars are doing better because I know of many more nimble organizations that maybe have better security hygiene. But it's due to the sort of scarcity of investment that caused them to be really, really hyper-focused on the most impactful areas of security as opposed to maybe some of the flashy things that are done or some of maybe the things that you do only for compliance but they don't end up helping security.

I think sometimes what we see is that there can be too much conflation of security and compliance. Those two things are very different because compliance is a set of maybe 100 things you have to do from a regulatory standpoint. But security is really about risk and judging risk across the business and really putting your bets in the areas that are associated with the highest degree of risk. Compliance may not have that same exact perspective or prioritization.

Companies that can just focus on risk and focus on data security often can do better than those that have to tie in all of the compliance and all of the regulatory challenges that they equally have to deal with. We see differing outcomes all across the board.

Michael Krigsman: It's really interesting and a little counterintuitive when you said that larger budgets do not necessarily mean better security practices. Could you elaborate on that?

Aaron Levie: I think if you just take two extremes, if I gave an organization hundreds of millions of dollars to solve a security problem, inevitably what tends to happen is you tend to then invest more in people and manual operations. You invest way more in more systems, which makes your business more complex, which creates more vulnerability.

If you had fewer dollars but only could invest in the highest leverage areas of security, so a single-sign-on system that had two-factor authentication, analytics and intelligence system that gave you full visibility into what was going on in your environment, and modern cloud-based software and applications to run on, what we've seen is that you would generally do better in that modern environment that was maybe a little bit more lean but invested in the highest leverage applications versus the environment where you just threw more and more dollars at maintaining the legacy, adding more complexity, throwing more people at the problem, and creating, again, more of a complicated architecture that creates more difficulty in actually securing the environment. Usually, simplicity always breeds both better hygiene but more agility, more speed, more efficiency and, ultimately, better security practices in most cases.

Michael Krigsman: If the underlying systems and technologies are simpler and less complex and hairball.

Aaron Levie: As a general rule, more dollars will lead to more complexity over time. Thinking about, "Do I really have a budget problem or do I have an architecture and a design principle problem?" and thinking through from that perspective often will get you to a better outcome, ultimately, than just, "How do I throw more dollars at this issue?"

Now, that being said, this is not a statement that the global spend on security isn't going to grow and that it shouldn't grow. On a much more micro basis, when you think about your architecture, think about it around simplicity. Think about how do I design out the complexity.

What we know from experience is that any time a system gets too complex, people will start to make mistakes. They will put something in the wrong location. They'll end up working around the system because the default system is so complex that they need to bring in Shadow IT.

Any time that your system gets so complex, gets too complex, you inevitably will have to work around the system or do the wrong thing. When they do the wrong thing, that is what creates your vulnerability. All the dollars in the world won't actually help that if your technology environment is too complex to work in.

How to Develop a Culture of Security

Michael Krigsman: The importance of developing a security culture, what do you see at your customers regarding that issue?

Aaron Levie: The best practices we've seen are really around how do you create as much awareness and visibility internally about security, how do you make it a dialog and create nomenclature around it and create a vocabulary around it as opposed to it's this sort of rare, infrequent, annual compliance thing that you do as a company. If you come to any of our internal all-hands events, either once a month or once a quarter, you will hear us talk about security in some significant way. It might be having an external guest speaker. It might be an internal testing that we did against employees and the rate of people responding to that maybe social engineering test. We have various internal programs that are collaborative and bring the community together more.

What we want is as much sort of ongoing awareness and conversation around security as possible, not this is a rare, one-time, infrequent event where it's about compliance or it's about just checking the box. That's how we think about awareness. That's how we think about creating a culture of security within the organization.

Michael Krigsman: Is that among your customers? As you talk with your customers, is that happening?

Aaron Levie: I think we're still early in that because that's a collaboration between the security organization, the IT organization, the HR organization, internal comms. You need CEO sponsorship. When you get to companies that have 5,000, 10,000, or 50,000 employees, there are a lot of conflicting priorities that people do run into. I think we're still probably early in some of the cultural change that has to go on with companies.

If you go to a big bank, as an example, they are definitely doing this. The question is, how much is it resonating; how much is it sticking? That obviously is always the big question. But we do know that it's starting to ripple through more and more organizations.

Michael Krigsman: What about differences between consumer and B2B? Are there patterns or differences there, would you say?

Aaron Levie: I think it usually comes down to how does the company or organization understand what kind of data that they hold onto and how sensitive is that information. If you're on one end of the spectrum, a complete brick and mortar environment, and the only data that you really work with is kind of credit card swipes at the cash register, then you're probably doing a limited amount, a finite amount of security awareness and culture setting. If you're on the other end of the spectrum where you're a digital media consumer organization and you have credit card data, you have consumer buying preferences, you have listening habits or activity, and you have ad targeted, then on that end of the spectrum, you have to care probably about a hundred times more than that brick and mortar organization on security hygiene and sensitivity around this.

I think it probably less relates to consumer versus enterprise and much more around what digital information do you house for your customers and how valuable is that information to outside threats. That's how much of a steward you have to be for that data.

Michael Krigsman: If you think about breaches like Equifax, for example, which is a vast, should be a vast steward over vast realms of data, isn't it extraordinary that that can happen, that kind of data breach can take place in that environment?

Aaron Levie: On the one hand, it's extraordinary. On the other hand, unfortunately, it's not that surprising when you think about the complexity of these systems and the fact that you might have one or two systems that are not patched or not using the latest configuration and the ease at which a hacker can traverse that.

On the one hand, it's obviously very surprising because of the data that they hold. On the other hand, it's all too unsurprising because of the fact that when you design complex systems and you have an organization that's trying to keep up with all of the latest innovation trends and some systems fall behind or some developers fall behind, you create an environment where you're going to be vulnerable to those types of events.

Enterprise Architecture and Cloud Computing

Michael Krigsman: We have another really good question from Arsalan Khan. He says, "From what you're describing, there is more of a need than ever for enterprise architecture." He says, "Have you ever considered opening up a consulting arm?"

Aaron Levie: [Laughter]

Michael Krigsman: [Laughter]

Aaron Levie: Well, we do have a consulting arm, but it's very bias toward, obviously, customers that are deploying Box and helping them with that change management and digital transformation.

To Arsalan's point, enterprise architecture is one of those sorts of 100x levers in a business where, if you have an environment where you have complex, democratized, distributed system design, you might get the amazing market forces within your organization. Lots of people are going to be pushing the limits on new technologies.

You'll get a plethora of new innovation, but you will absolutely have a challenge in data security. You'll have a challenge in too much redundancy in systems that get implemented. You won't be thinking in terms of platforms and sort of how do I have layers of platforms that work together.

Enterprise architects, I think, have a very long future. It's a good time to be an enterprise architect right now.

Business Process Advantages of Cloud Computing

Michael Krigsman: The changes that cloud drives in organizations is that it's not just efficiency.

Aaron Levie: What we see that it just fundamentally changes the business process. If you imagine a world where all of your data, all of your information, all of your business processes are inside of your four walls of your organization, inside of your data center with perimeter-based security, that's one way of working.

Now you flip to, let's just say, a cloud-based way of working where you have Zoom, you have Slack, you have Box, you have Okta, you have Office 365, maybe you have Google Docs; you have all of these new tools. You're fundamentally going to be collaborating in real-time. You're going to be working inside and outside of your organization seamlessly. Whether you're working with an employee that is literally at the desk right next to you or a contractor or a partner that is 5,000 miles away on a different continent, that work is exactly seamless between the person next to you and the person around the globe. Fundamentally, it means that your business processes will start to extend more and more beyond the boundaries of your organization.

The resources then that you have access to because now you have every single possible resource around the world to help move your business forward. The ability to collaborate instantaneously and move ideas and information forward much more rapidly, not by days or hours, but by seconds and minutes. All of these things go and transform the actual underlying work process itself.

It doesn't make things 10% more efficient or 20% more efficient. It fundamentally changes the work that you're going to do. It changes the idea that you deliver to market. It changes the partners that you actually go to market with. It changes the way that you can interact with your customers.

That's ultimately what the cloud is delivering. It's not making our businesses 5% more efficient or 10% more efficient or lower our cost of infrastructure. Yes, it does all of those things. But, ultimately, it makes our businesses much more competitive.

It changes the products that we build. It changes how we go to market with our customers. That's the really exciting thing about the cloud. Obviously, embedded in all of that is it changes how we have to secure our information.

Michael Krigsman: Is this digital transformation what you're describing? Can we encapsulate it with that label or no?

Aaron Levie: It's absolutely under that entire umbrella. I think what sometimes we miss about digital transformation is that it's very focused on this idea of the thing that was analog now going digital. But there's still so much stuff that actually technically has been digital but it hasn't been automated; it hasn't moved to real-time; it hasn't extended beyond the boundaries of our organization; it hasn't delivered a great employee experience.

If you think about digital transformation not just as, "I can get my Uber car on demand," that's obviously digital transformation within the automotive space. But digital transformation is the team of 100 people that once had to get in a room to be able to deliver their project now can be diffused, distributed, and be amongst partner organizations and employees. That's equally digital transformation but it's driven by the fact that we can collaborate in real-time; that we can automate more of our work; that we can get insights from data that previously were trapped inside of our databases or data lakes that we couldn't actually understand. That's the broader sense of digital transformation the cloud is ultimately the driver of.

Michael Krigsman: Somebody is listening and they say, "Yeah, that's great, but you know what? Our on-premise vendors have built all of these capabilities, and so how is cloud better?"

Aaron Levie: Well, for that person, if you're still asking that question, I can't help you. [Laughter] I think you're going to have bigger problems in your enterprise, I'm sorry to say.

Michael Krigsman: [Laughter]

Aaron Levie: But I think, empirically, if you want modern CRM, modern analytics, modern HR, modern ERP, modern collaboration, modern video conferencing, you literally can't get that in an on-premise system. It's only delivered over the cloud. That's because it's being delivered by SaaS or cloud providers that all of the new versions of their products are being built for the cloud.

Sure, there are some systems that make sure that they write code for SaaS and write code for your data center. That's becoming a much more rare way of delivering software and eventually will be a very, very small minority or niche way to be running technology. I think cloud is inevitable.

Then the question is not, "Are you going to the cloud?" The question is, "How are you going to utilize the cloud?" How is it going to change your business?

Are you going to think about cloud as, "I can now run my exchange server from my data center in the cloud. I can run my legacy CRM system from my data center in the cloud," or are you thinking about it as, "I can use the cloud to change how my employees work. I can use the cloud to change my employee experience. I can use the cloud to collaborate with my customers differently, and I can actually use this as a lever to transform my business, not just as an efficiency gain or a lever to adjust the bottom line," Which again, it will do as well, but how do you actually go and transform the underlying business process that the company is operating with?

Michael Krigsman: That's hard for many companies that have been working with on-premise software for many years in their processes. It's really hard to know. How do you begin? How do you think about this if you're a business leader?

Aaron Levie: You have to partner with the business. If you're a CIO, ahead of IT, or anyone within IT out there, you have to go seek understanding from the business, from marketing, from sales, from HR. What are the challenges that they're running into? What are our customers looking for us to do better for them? Where are employees being held up because our internal systems are slowing them down?

I can't tell you how many times we'll go into an enterprise; we'll talk to IT. They might think that they've solved a particular problem. Let's just say it's collaboration or document management.

Then you'll go talk to the business and you say, "How are you solving this problem?" The businesses, their hair is on fire. They're upset about everything. They can't get work done. It's too hard to collaborate.

That disparity is because the IT and the business have not gotten together to be able to communicate around what the challenges are in the enterprise. What we want is we want IT to raise the bar on what they're delivering for the business. We want the business to raise the bar on what they expect from their technology and more of that collaboration to come together. This can only happen when you remove as much of the divide as possible between IT and between the business, so you actually have that as sort of one fused way to see the enterprise.

Digital Transformation, Cloud, and Breaking Siloes

Michael Krigsman: The common theme here then is removing the barrier because when you were talking about security as being essentially ecosystem security, again it's removing the barrier.

Aaron Levie: Correct. Yep.

Michael Krigsman: It carries through so, if you're a CEO or you're a CSO—you hear lessons from your customers—what advice can you offer these folks?

Aaron Levie: Where we have seen enterprises in many cases make the most progressive and quickest change is really starting with thinking about, again, this concept of leverage is really important. If you were to prioritize the sequence of decisions and the sequence of investments by leverage, as defined by what is the smallest amount of effort I can do to have the highest degree of impact in my digital transformation journey, not how we traditionally think about it, which is, you generally are sequencing your execution by where your dollar is going.

If you sequence your execution by where your dollars are going, oftentimes that is going to take you to your ERP system. That's going to take you to your legacy data centers. If you sequence your investments or your execution to where is your greatest leverage, then all of a sudden you're like, "Okay, how do I impact every single employee every single day to make their jobs better?"

Oftentimes, again, that might start with, okay, let's make it easier to interact with IT. Maybe you invest in Okta so that way people can launch into the modern applications that they're using faster. Maybe you invest in something like Slack so people can communicate enterprise-wide much more collaboratively. Maybe you invest in something like Zoom so people can have real-time video conferencing or WebEx so you can do real-time video instantaneously across the enterprise.

Obviously, we are really happy when companies invest in Box early in their journey because every single employee now can collaborate or manage their data in a new and modern way.

If you start to think about what sequence of technology can I implement that has the greatest amount of impact to my employee culture, to the way that we work, to the way that we serve our customers, to the way that we come up with new ideas, that is often the fastest way to get your organization moving on a digital transformation journey. You're almost doing sort of shock and awe a little bit where you're like, "Okay, we're going to now have a whole bunch of new ways that people can get their work done. Then, in the background, we're going to go and migrate the legacy stuff."

If you invert that and you start working on the legacy stuff first, you're going to be three to five years out, employees won't have had any change in their employee experience so they don't know anything is any better, and most likely something is going to stall in that migration journey that will just cause you to slow it down inevitably anyway. Really thinking about how you get some early wins on the board, how you change the employee culture early, and then how you follow it up with maybe some of the bigger ticket, higher dollar, legacy transformation that you also have to drive. It tends to be the sequence that I've seen be most successful.

Michael Krigsman: If you're going to drive change, then you need to show, relatively quickly, some type of change.

Aaron Levie: Yes and, counterintuitively, start small and find the things that are the smallest footprints that have the greatest impact in the business because that's how you can easily get going on this. I've seen some customers accidentally – it's certainly not intentional – accidentally take as much time to decide to deploy Slack, Zoom, or Box as they would be making an ERP decision because their organization has slowed down to the pace of the most complex system that they implement when actually what they should be doing is knock those types of applications out rapidly, obviously with the right security vetting and compliance vetting, but knock those out rapidly, get the employee transformation going, and then follow up with the bigger ticket back-end transformations that you have to drive. If you get that confused and you move that sequence in the wrong direction, it'll end up slowing down the entire enterprise and you won't get any points on the board.

Michael Krigsman: That's really interesting that some organizations deploy at the speed of the slowest application.

Aaron Levie: Think about your procurement processes, your compliance processes, your architectural processes. They were built for your most significant systems because it has to work for that. That's not the same process you should be using to implement or launch some of these lighter weight, end-user tools that are actually, in many cases, the fastest catalyst to digital transformation in an enterprise.

Advice to Chief Information Officers

Michael Krigsman: Any final thoughts before we finish up?

Aaron Levie: I've already been spitting into the microphone, so I feel like I've gotten all my major comments in and I'm frothing at this point in excitement on digital transformation.

Michael Krigsman: [Laughter]

Aaron Levie: But I think this has been a great conversation. I think maybe the final thing I'd leave you with, and this is a phrase that we use internally with our customers, is, "Eventually, your culture will look like your IT stack."

Think about what kind of culture you want. How fast-pace do you want it to be? What type of collaboration do you want?

Then do you have the IT stack to be able to go and enable that? Do you have the modern tools with the modern interfaces and modern user experiences with the right degrees of collaboration between those systems? That's going to ultimately drive your culture as an enterprise.

Certainly, I'm excited to continue the conversation going forward.

Michael Krigsman: You just gave the greatest plug for CIO opportunity that I have ever heard. To all my CIO friends out there, I'm speaking on behalf of them. We say thank you.

Aaron Levie: All right, well, thank you.

Michael Krigsman: We've been speaking with Aaron Levie. He's the CEO and the co-founder of Box.

Before you go, please subscribe on YouTube and subscribe to our newsletter and check out CXOTalk.com. We have lots of great shows coming up and we'll see you again next time. Have a great day, everybody. Bye-bye.​