The Next Big Question

Episode 20
Hosted by: Drew Lazzara and Liz Ramey

Kurt John

Chief Cybersecurity Officer

Siemens USA

Kurt John is chief cybersecurity officer of Siemens USA, a $25 billion technology company. Kurt joined Siemens in 2016 and is currently responsible for the strategy, operations, and implementation of cybersecurity in the US.

How Are Organizations Tuning Out Noise to Create an Effective Technology Ecosystem?


SEPTEMBER 9, 2021

This time on The Next Big Question, Chief Cybersecurity Officer Kurt John of Siemens USA joins the podcast to discuss how to manage the noise in your organization’s crowded technology ecosystem. Kurt explains how digitalization, speed to market, and a plethora of products are contributing to that noise and how to manage risk in this environment.

Drew Lazzara (00:13):

Welcome to The Next Big Question, a weekly podcast with senior business leaders sharing their vision for tomorrow, brought to you by Evanta, a Gartner company.

Liz Ramey (00:23):

Each episode features a conversation with C-suite executives about the future of their roles, organizations, and industries.

Drew Lazzara (00:32):

My name is Drew Lazzara.

Liz Ramey (00:34):

And I'm Liz Ramey. We're your co-hosts. So, Drew, what's The Next Big Question?

Drew Lazzara (00:40):

This week we’re asking, ‘how do organizations tune out the noise to create effective technology ecosystems?’ Our guest for the show is Kurt John, chief cybersecurity officer for Siemens. Kurt sees the business utility of technology in very clear terms. For him, tech is necessary to make operations more impactful and allow businesses to go to market in new, better and faster ways. Of course, if it were really that simple, this podcast wouldn’t exist because turning a traditional company like Siemens into a digital-first tech company means navigating an exploding vendor landscape. It also means identifying what the right partner even looks like in a third-party marketplace where the barriers to entry have fallen and new players proliferate. Finally, it means translating abstractions like ‘digital transformation’ into concrete strategies. In this conversation, Kurt discusses what a noisy tech ecosystem means, where it comes from, and how leaders can leverage it for competitive advantage. He also talks about the forces that shape technology decision making and the migratory nature of risk in this new context. 

Before our conversation with Kurt, we’d like to take a moment to thank you for listening. To make sure you don’t miss out on the next Next Big Question, subscribe to the show on Apple Podcasts, Spotify, or wherever you listen. Please rate and review the show, so we can continue to grow and improve. Thanks, and enjoy.

Drew Lazzara (02:13):

Kurt John, welcome to The Next Big Question. Thank you so much for being on the show. 

Kurt John (02:17):

Thank you for having me. 

Liz Ramey (02:18):

Kurt, we're really excited to have you here today. And before we really dig into a pretty cool topic, I would love to just get to know you and let our audience members also get to know you. So, can you talk a little bit about your background and how that kind of journey led to you becoming a cybersecurity leader? 

Kurt John (02:38):

Sure. So, I was born on November... kidding. Kidding. 

Liz Ramey (02:44):

It's like, it's like Chunk on Goonies, right? 

Drew Lazzara (02:50):

I remember my first formative cybersecurity incident when I was about six years old. Changed my life. 

Kurt John (02:56):

Exactly. So, the story's not too far from that, actually. I had a friend of mine who came over to our house, and this is when you could do dial up, right? And so, they came over with this USB stick, and they had like tons of dial up numbers. And so, we would dial up and get the Internet for free. And so, I distinctly remember that time thinking to myself, why is it so easy to do this? And so that sort of catalyzed my interest in cybersecurity. I did an undergrad in computer science, and then really got into it in around 2012 when I did my certified ethical hacking and certified penetration testing certifications. And that was fun. I got to Pentest a couple of major airports, some, you know, federal buildings, state, county locations. 

So, it was a very interesting journey to get to this point. And I joined Siemens, in particular, in 2016 as part of their leadership development program. And there, the focus again was on cybersecurity. So, I had like a dual hatted role. I was sort of managing projects in the US with also managing these global projects. And around 2018 is when I was tapped for this role. And in this role, I'm the chief cybersecurity officer for Siemens U.S. And so, roughly, for those who don't know, roughly a 25 billion dollar business. And we're in practically everything, right. Transportation, automation, smart infrastructure, right, so smart cities. The list goes on. And in this role, I'm responsible for the strategy, operations, implementation, you name it, for cybersecurity in the US.

Liz Ramey (04:40):

That's fantastic. I kind of have a question about your experience, but then also about, you know, someone who is the leader of a large cybersecurity department within such a big organization. And that is, you know, where do you see your role in this kind of idea of business leadership, right? As opposed to cybersecurity leadership. And I'll say the reason, honestly, that I ask this is because every time I talk to a CISO or, you know, someone such as yourself, I get a little bit nervous that I'm not going to know what I'm talking about. So, I would love to hear in that context, you know, how do you fit into that business leadership group?

Kurt John (05:21):

So really good question, which I think touches a little bit also on how this role is likely to evolve. It’s still TBD. But the way I see it is that I happen to be an expert in cybersecurity. But really my job at Siemens is to think strategically, creatively, and try to problem solve and enable the business so that they can be successful. And again, that's in the broadest possible scale. But using my expertise, which is cybersecurity, obviously that's the lens to it. But really, it's about business enablement and protecting the brand. 

Drew Lazzara (06:02):

Kurt, I'm really grateful to have you here, not just because of the perspective that you just outlined, but also you talked about, you're working in Siemens where you guys are doing so many different things. You've got quite a business ecosystem. And today's big question is -- how are organizations tuning out noise to create an effective technology ecosystem. And so, I couldn't think of a better guest to have to talk about this. Now, there's a lot of elements to that question. We can go a lot of different directions. So, I wanted to start by kind of narrowing down some terms. Liz and I get a chance to talk to technology leaders a lot for this show. And I think most of our audience and our guests would work from this kind of premise that technology is just a toolset for either making your business more effective or for driving your go-to-market strategy. So, it's a part of what your business is doing that’s a tool. Considering that there's that kind of consensus around that definition, where do you see that the noise comes from in this ecosystem, and why is that so challenging for businesses to conceptualize?

Kurt John (07:00):

The noise generally comes from the partners that you need to choose to accomplish two things. The first is to try to enable, right, streamline, automate, optimize your operations. And then the partners you need to choose that would enable you to have a stronger, faster, more flexible go to market, right. And typically, the frontline folks, the business folks are challenged with the second right which partners to pick to help me get deliver more value to my customers as quickly as possible. And then the folks in the second line, your CFOs and CIOs are really struggling with the first, which is who do I partner with to help set up my operations in a way that would make us successful. 

And so, the reason why there's so much noise is a combination of two things. First is digitalization is a buzzword that we throw around a lot. But there's a reason why that's the case. And so, everything is being sort of digitalized now, right? Operations, AI, machine learning deployment of technology to accomplish some of the simplest tasks. And so that's one aspect of it. But the other reason why there is noise is because never before have we had a technology environment where the ability to go from an idea to a product could be delivered so quickly, right. So here we're talking about the hyperscalers of the world, right. And cloud computing, in particular, deploying an infrastructure, deploying a software development pipeline, and taking your idea from conception to delivery to the market is the fastest it's been, and it's only going to increase. And so, because of that, there's a lot of products in the market, right? And so, it's a very saturated market. And so, those are the two bits of noise that are coming at leaders a million miles an hour.

Liz Ramey (08:57):

Yeah, I listen to this podcast. Gosh, it must have been even a year ago. And it wasn't my own podcast, but it was another podcast. And it was talking about, just like you're saying, is there's so many products and services out there, and they are all using the same value proposition. They're all talking about digital business and where they fit into that, you know, that large ecosystem, I would say. So, how do you as a leader within a business that probably has several technology ecosystems, you know, around the business, in operations right now. So, how do you start filtering out some of that noise without having to test out so many different technologies since you're talking about this need for velocity to be able to take an idea and get it into the market as fast as you can. 

Kurt John (09:52):

Now, typically, when I start these answers, the ideas pop into my head, right. And so, I'll throw a number out there. So, the number is three. There are three things. Let's see if I can keep up with my own first. 

Drew Lazzara (10:06):

They can be multifaceted numbers. 

Kurt John (10:08):

There you go. 

Drew Lazzara (10:10):

So, we can make three the ultimate truth here. 

Kurt John (10:13):

So, the first is back to fundamentals, right. And that's your business strategy, your objectives and what it is that you want to achieve in the market, because that will determine the path you need to take and therefore the technologies that can enable you to do that. The second thing is you need to look at your operations more holistically. So, typically what's happened is let's say this business or department is implementing these technologies because it fits into what they're trying to do. Another department, the same, let's say the CFO department is trying to do RPA, right, Robotic Process Automation. And individually on sort of like that level, it works well for them. But then when IT tries to fit it together as a whole in order to move the organization forward, we realize that it's not fitting together well or we've sort of given ourselves some technical debt or insert any number of reasons why these individual choices while again, individually tied back to achieving a particular business objective, it wasn't really harmonized across departments, right, to make sure it is the best interoperability or alignment as possible. 

And then the third really comes back to having a very flexible environment, and this is not something you can just go and flip the switch on, right. This is sort of a medium- to long-term strategy where you need to sit with your CIO and speak with them and say, look, over the course as we renew technologies, purchase new technologies, partner with new people. Conceptually, we want an environment that allows us to plug and play, allows us to break things safely, right, and figure out if that's what we want or that's what we need without this massive disruption to operations. So, the third one is more sort of a conceptualization or maybe a cultural approach, right, that will then drive your technology setup so that you could enable that type of agile and flexible environment. 

Drew Lazzara (12:31):

Kurt, one thing you said earlier just kind of made me think of a follow up question. I remember for a brief and shining moment there was a debate between the idea of buying capability versus building capability. But it seems like we're having this conversation entirely in the context of buying it. And I'm just wondering, do you think that is just the reality that large organizations like yours are confined to or is there still a space to build something and that still allows you to be fast and competitive? 

Kurt John (13:01):

Oh, absolutely. But what this is -- my view on it is the following. You should buy things for which you find it difficult to compete or it's faster for you to acquire through these partnerships. The things you need to focus on building should fit mostly, and it's fine if there's a little bit of overlap, right, but it should fit mostly into your area of expertise, your domain expertise, because that's worth the tradeoff of the time it takes to build, because no one else is likely to beat you to market. Or if they do beat you to market, they won't have the quality or feature set that you have, right. So building, in my view, should really come down to leveraging your domain expertise, your intellectual property, insert appropriate term here that demonstrates your expertise in a particular area. 

Liz Ramey (13:59):

So then, do the technologies that you build yourself or the capabilities that you build yourself within that ecosystem, do those become the competitive differentiator? 

Kurt John (14:11):

They do in a lot of ways. And it's not to say that you won't even need to do a partnership to do that type of building. This is not going to be an easy problem to solve. This build versus buy. And quite frankly, in some cases it's almost like a hybrid. But yes, what you again, because of the saturation of the market, most organizations, what they want to focus on are the things that they have expertise in that could really allow them to safely capture a portion of the market and then hopefully grow over time, right. If you have your feedback loop for your customers, how they feel about your product and so on. 

Drew Lazzara (14:49):

Kurt, something you were talking about earlier. You mentioned this idea of hyper scaling and applying that really to the vendor landscape, you know, whereas before maybe a company like Siemens had had fewer options for partners that could help them at the scale and the speed that you needed. But now that the people can buy computing power from Amazon or Google, some of these smaller players can have a big impact at the enterprise level. So, for me, that would complicate, that would make an even noisier ecosystem. So, when it comes to some of these smaller players who now have an opportunity to get at the table, how are you weeding those out? What do you look for in some of those maybe niche players? And how do you make those decisions as a business to bring someone like that in? 

Kurt John (15:30):

That's what's really funny or maybe interesting is the better term. You don't weed them out, right? Because it's a fundamental change now in a thought process of how you view the access to technologies that you need, whereas before the general consensus is we need big, we need established, we need proven. And the proven part doesn't go away, but we need something that everyone knows, trusts, respects, has a good track record in order to partner with us. That's got to change, right? Yes, you still want to do your vetting. You want to make sure that this is something that can scale. The financials for that particular partner make sense -- that they're not going to fizzle out, right, because eighty-five, ninety percent of startups are gone within five years. So, there's that complexity to choosing some of the smaller people. 

But I would actually encourage businesses to sort of do their… not sort of, you know, cast them aside, but actually think about them as potential partners. And maybe one other aspect to that is if you're going to try to choose and it goes back to that environment that I mentioned, right. The one where it's flexible and it allows you to plug and play and figure stuff out. If you're going to choose a smaller partner to move forward with, one thing that's very interesting that I find about the smaller the advantage to them is they are incredibly flexible. I am talking, you know, maybe a portion of it with a company like Siemens is purchasing power, right. And so on. But still, even with all that, they're so flexible and responsive to needs, right, which means then you get a more customizable approach to your go to market. 

And then, the final thing I'll mention as well is depending on the size and complexity of your business, most businesses are small to medium size, right, small to mid-cap businesses. Siemens and others, they're in the minority as larger enterprises. But if you were let's say you're a midcap business and you have a few different verticals, don't toss out the idea that you can have an individualized approach for your verticals, right. Still capturing at the highest level that you want something that's harmonized and aligned to move you forward to your goals. But still, there's don't rule out the idea that you can have, for example, Azure for one vertical and AWS for another, right. If that's what fits best for what that vertical needs to go to market and or its operations. 

Liz Ramey (18:13):

It's so interesting. I want to dig in a little bit to maybe go off track from the noise and just actually talk about these ecosystems that are kind of the underlying piece of all of this. I'm personally curious, I hope others are as well, in this idea of within these digital ecosystems that you're building, especially you as a cybersecurity leader, all of the participants within the ecosystem are there's distributed value, right? Everyone at some point, they're not going to be a part of that. The capability is not going to be a part of that if they're not getting value in some way. But you have to assess the risk, right? So, if there's distributed value, it may not be distributed equally, but there is distributed value. Is the risk distributed or are you the one that assumes the risk and measures the risk across the entire ecosystem? How does that work?

Kurt John (19:14):

Yeah, I'm definitely not the one that assumes the risk. The risk typically is going to lie with the business, right. And even for second line organizations like myself, we might have some individual risks, right, in terms of our operations. But in the context of how you just describe it, the business definitely owns the risk. My job is to make that risk as transparent as possible. And I'm really glad you brought that up because there's sort of a mindset change that people should have when it comes to risk. 

And it's the following -- typically in the past tended to be very siloed, right. So, there's this business has this these three risks. That business has another three, they're legal risks, IT risks, there's all these different risks. However, in keeping with this ecosystem theme, in keeping with digitalization, risks are much more transient now than they used to be in the past. And they not only are they transient, but they grow and shrink. So, something that started out as a legal risk might end up as an IT risk, might end up as an export control risk, might end up as a business risk. And you can argue all of those are risks. But for the purposes of the explanation, I'll separate them. And then not only that, but then, OK, so let's say its latest iteration, it's a business risk, but then all of a sudden something happens either in the regulatory landscape or the technology ecosystem that causes it to balloon and expand. And now, it's all those risks at once, right? So, risks are much more complex and transient now. And so, what you want to do when it comes to risk is collaboration is like my main theme, right. One of my things I like to say is break boxes and build the teams. It's fine to be much of a team you're in, but really you want to work across teams because it's only doing that that you make these types of risks and opportunities, by the way, transparent. 

Drew Lazzara (21:14):

Kurt, I wanted to drill down a little bit more on something you said, because when Liz asked you about ownership of risk, you were almost cavalier about – ‘Yeah, the business owns it.’ 

Kurt John (21:23):

Yeah. 

Drew Lazzara (21:24):

I'm not entirely sure that every large organization has business units that are so eager to assume that risk. 

Kurt John (21:29):

Oh, for sure. 

Drew Lazzara (21:30):

We've talked to CIOs who say, you know, every business unit I work with wants me to provide them with their own technology. But when it comes to the risk associated, they want that to come back to IT. How did you get to a place at Siemens as an organization where business was on board with assuming that risk and being a partner in that way to you? 

Kurt John (21:48):

So, there are two things here. First is, your approach in discussing risk shouldn't be this is your risk, your problem. No, this just means that you are a key decision maker in what we do with this risk, right. You're not facing this by yourself, right. We're all going to do this together as a team -- cyber, IT, legal and compliance, everyone. We're going to work together to resolve this. That's the first. The second is, if you think about this holistically, any, practically any type of risk that pops up, whether it's a first line risk, second line risk, what's the risk? The risk is that either our brand or our products in the market will be disparaged, right. Or devalued. Even if it's before you go to market, what's the risk? The risk is that we will be slow to market or deliver a poor product to market, or we may make decisions that hurt our brand in the market. So practically everything we do, you know, first and second line is in support of the success of the business. And it's just my view that the majority of the risks, while they might sit in a particular area, really the end impact is something is the business, right, it's blocking the business or preventing the business or causing the business to have a false start, spend money, whatever the impact of the risk is. And so, that's why it's always good to view the risk through the business lens, because that's ultimately what we're trying to prevent. 

Drew Lazzara (23:28):

One thing you mentioned earlier was the idea that businesses need a safe place in the technology ecosystem to experiment and to try new things and to iterate on new ideas. What -- this is kind of a complicated question. I think it relates to risk because there's the risk of the opportunity risk of not moving fast enough. But how do you create an ecosystem that allows you to experiment, while still capturing things in a quick way, especially while you have to filter it through a number of different technologies and vendors? What's that like clear path to speed look like when you want to be an iterative, experimental organization? 

Kurt John (24:02):

That is a really good question. It's a couple of different things. It's less about technology, right, because you can sort of fit technologies together once the decision is made to do that, right. The challenge typically are approvals and discussions and alignments and disagreements. And so, one thing I've found in past companies that I've worked in, what usually hampers is the fact that there are these silos or verticals in the decision making process, right. So, the business is sort of chosen which product it wants to go to market with or what its strategy is going to be. IT is getting these demands from the business, such as we want something that helps us better collaborate internally and that where we can store files, and then maybe cyber is getting a piece of that and legal is getting a piece of that. 

And it goes back to my earlier point. They're each making individualized decisions based on a localized view of what the overall vision is. And so, in a company like Siemens, one thing I'm particularly proud about that enables us to move really quickly. Mind you, this is a company that's over a hundred and seventy years old, right. In one hundred and ninety countries. It's fairly complex. But I'm really proud to see just in the space of within 10 years how this company has evolved from a commodity-based, manufacturing company to the largest industrial software company, right. So, it's now a tech company and will continue along that path. And a big, huge part of it is culture, right. So really being intentional about your culture. And then the second is sort of harmonizing collaboration. You don't just sort of let it happen. You don't just say here's what we want to do, here are the top three guiding principles. Those are important and then that's it. You want to be very intentional about how you orchestrate collaboration and trust throughout your environment. 

Drew Lazzara (26:11):

With a company that is one hundred and seventy years old, like Siemens, you make that distinction about being now a technology company or software company, as you put it. Is that just a mindset or is there something tangible that goes along with it? Is that just a concept, you know, or is it really undoing, you know, almost two centuries of experience and legacy? 

Kurt John (26:32):

Actually, it's not. I'm happy you asked that question because it's not undoing in so much as it is an evolution, right. And so that's almost two centuries of skills and knowledge and intellectual property and just experiences that are valuable and continue to be valuable to this day. The question is, as a company that, for example, makes hardware, how do we, and knowing that software drives the world, right. Practically everything. The reason we can talk, the reason why we can set up a doctor's appointment, a doctor is so efficient. Entertainment. I was watching Netflix last night, right. All that is software driven. 

So, the question we have to ask ourselves was - how do we bring everything that we have learned in the last two centuries to bear in a way that delivers real quality and value to our customers, that allows our customers to do more with less. And so, once you sort of figure out -- and that goes back again, whether to break, whether to build or buy. Right. When you figure out what your domain expertise is, then, you know, for example, over the last 10 years, Siemens did more than 10 billion dollars in software acquisitions. 

But that's not the complete story, right? We had significant internal development as well. Another thing that we do, again, going back to intentionality about how you orchestrate your ecosystem is that we have now a venture capitalist arm called Next Forty-Seven, right. That we've carved out where their focus is on startups and new companies and what type of value we're delivering, right. And how can we leverage the Siemens ecosystem to help build on that value. And so those… when I take a step back and I look, I can see between the acquisitions, the innovative software that we've built ourselves, in making changes to our ecosystem, such as Next Forty-Seven, I've seen the intentionality behind not just saying we're a tech company, but really the investment of time and of course, all the resources that are necessary to get us to that point. And fun fact, largest industrial software company and number eight overall. So, if you look at the top 10 software companies in the world, right up there with Microsoft and Amazon and Google, Siemens is hovering somewhere around number eight. 

Drew Lazzara (29:01):

Do your customers expect that? Is that something that. I mean, it's something to be proud of as an organization, but is that something your customers see and that gives them confidence, you know. How does that impact the end user of your products and your services? 

Kurt John (29:13):

Oh, absolutely. And so, sort of this customer-first approach has delivered incredible value to our teams. So, for example, in the past, what we might have done is we delivered a train, and then there's an operator in the front of the train, and they go from point A to point B. Let's use Covid as an example. Now Covid happened. And all of a sudden, because of those investments, because of the focus on being a tech company and delivering value through both incremental and where possible, disruptive innovation, we can deploy additional software, hardware, as well. But software, which, for example, on our trains can tell you, oh, hey, you know what? This car has too many people, so we will not open the door. You need to move to another car, right. And we can monitor the platform to see how many people are on the platform, how many people got off the train, got on the train. Now in the past, if you wanted to do this, most likely you had to have like multiple people on the platform and they have to try to count and so on. But this is something through software, right, that we could deploy this additional value to customers. And so, you repeat that across multiple businesses, and customers have been very outspoken about the value that we deliver as a tech company.

Liz Ramey (30:33):

As large as Siemens is, and you're moving into this space where you are considered a tech company. I also think of something that you said earlier around just really building this collaborative environment, right. And really kind of setting the different functions and groups within the organization up for success, even when you're getting this flood of IT demands, right. So, I can kind of come to the conclusion, I would think, that then there's probably naturally a kind of shadow IT that pops up. 

Kurt John (31:13):

Oh, yeah. Oh, yeah. 

Liz Ramey (31:14):

So back to this idea of kind of shuffling through the noise, right. You know, getting through that. How do you as a leader enable these different groups which are now considered what? Business technologists. They just use a different term. How do you enable them? How do you empower them to make decisions within their own tech ecosystems that they're building to shuffle through that noise and to make business decisions? So, the risk so, you know, limits the risk and helps, you know, like I said, empower them. 

Kurt John (31:48):

There are a couple of different ways. I would say the first is you have to really understand what it is that they're trying to do. So, in the past, cybersecurity tended – we’ll use cybersecurity as an example, tended to be sort of like a tollbooth, right. You shall not pass, right. And you hit that stick down pretty hard. The mindset change that's needed there is that it's less of a tollbooth and more of a partner, right. So, you need to understand as early as possible what are the business objectives? What are some of the challenges that the business faces when it goes to market? Who are his biggest competitors? 

Because what you find out is that a large part of what drives that demand and drives, for example, shadow IT, is the business is just trying to deliver on what it needs to do, right. And so, if you can understand earlier up in the process, what are the market challenges, right. What are the internal challenges? Okay, are there significant cost pressures on this business? Because they have had a rough couple of years, and so they need to meet a particular margin or revenue goal before they're able to spend more. Then that would explain why they might not go for the safest technology partner, but the cheapest technology partner, right. So how do you get line of sight on that, and how do you understand that so that you can help guide them from the very beginning. And you do a cost benefit analysis, right? Yes, this might be the cheapest, but here's likely what's going to happen, right, with a 50, 60 percent chance, you sort of guesstimate if you go this route. 

So, that's the first -- line of sight by partnering earlier with the business. The second is – IT in particular, and that goes back to that flexible ecosystem, right, if we have found as a general approach that the business is able to innovate quicker and able to -- and by the way, in today's world, shadow IT means whether it's AWS or Azure or it’s cloud mostly, right. Because that's the quickest and cheapest option. You swipe a card, and you get instant infrastructure. So, the question is, if the business is constantly doing that, the question is why? So, is the environment inflexible? Is the environment flexible, but too slow, right? So, they need something they need to iterate on within a two-week sprint, but it takes six weeks to spin up in a particular environment for them, it's flexible but too slow. Or is the environment too conservative from a risk perspective and the business can't safely innovate. So those are the types of questions that leaders need to ask themselves, and they need to calibrate the environment and the collaboration to match what it is that the business needs and what it's looking for. 

Drew Lazzara (34:50):

Kurt, I think that's a really good segue to our last segment of the show. We talk to leaders on this show, and we ask them to provide us with a big question. And so, our last guest was Piyush Chowhan, who's the global CIO for Lulu Group International. And he was talking with me about this idea that data underpins all of these things. So, his perspective is that data is the one thing that holds this entire ecosystem together, no matter where you are in the business. And he said that, you know, we're seeing companies make huge investments in data tools and all the opportunity there through the technology to get better data acumen across the business. But he still thinks it is moving too slowly. So, from your perspective, why do you think that data usage across the business still lags a little bit behind what's possible?

Kurt John (35:40):

I can't remember where, right, and I'm always hesitant about throwing out statistics because -- did you hear the joke? Eighty-seven point five percent of statistics are made up, right. But that's made up, you know, but I do recall reading somewhere that something like 80 to 90 percent of data in business is still untapped and unused. The reason why is because of how we approached digitalization. We approached digitalization -- and when this journey started for many companies -- strictly as a cost savings optimization approach. And we did that on a localized level for multiple functions and multiple processes. 

And because space has become so cheap, I can argue, we've been capturing all that data without paying attention to it. So now when we're in the great data age, and now digitalization has a little bit more purpose and direction to it, so now it's more about, you know, data. But we're still playing catch up with that first step that we did where it wasn't from a data focus. It was strictly from a cost and optimization focus. And so, companies have now inherited a lot of technical debt and a lot of data lakes and a lot of databases. And so, sifting through that now to try to get insights or to give that data purpose has been incredibly difficult. So, I would -- you know, in some ways it's easier for a new company to get more insights than older companies that have been doing this for a while but have oodles and oodles of data but don't even know where to start with it. So, I think that's the primary reason why.

Liz Ramey (37:31):

I love that answer. I think that's a question that you've actually thought through before, and we didn't even prompt you. So, that's amazing. So, Kurt, of course, we have to now turn the table on you and ask you what your next big question is. I feel like you should frame it in a way that forces our next guest to answer this in like a numerical equation, right. Give us 3 answers or so. But we'd love to know from you as a business leader, not necessarily with that scope of cybersecurity, what you're doing day to day, but as a business leader, you know, what is the next big question that we should all be thinking about and asking? 

Kurt John (38:12):

It's a question that's likely to be low on a lot of people's priority list, but will become more important over time, I think. The private sector owns most of the Internet. And so, the websites, the products we deploy, all that -- they own most of the activity on the Internet. And so, my question in this constantly shifting regulatory landscape, right, and with these threats that are facing us today -- how would you, as a leader, view your responsibility in both protecting, right, our way of life when it comes to the Internet, as well as your obligations to partnering with those external to you. It's a very -- it's a complex question, but really, it's just what's your own responsibility in terms of the Internet? And then, how would you view your collaboration with the federal government, other private businesses, and so on? And the reason it's low on people's priority list is because, I think, people still view the federal government as being the key driver in trying to protect the nation, and they should be, right. There are some things that the government needs to take care of regardless of the nation -- health care, infrastructure, education and then the economy, of course, right. And then the rest is gravy. So, we still view it as a government task, but as the regulatory environment catches up, as these threats continue to happen, right, across the globe, I think the private sector is going to be forced, if not choosing to but forced to try to do something about that. So, the question is, what? What do we do? Good luck trying to translate that into like a sentence that the other person can ask.

Drew Lazzara (40:17):

No, you're right in my wheelhouse, Kurt. This is the kind of thing that I like to chew on, and I will relish asking that to our guest. I think it's a really important question, and it's also totally pervasive. So, we'll see how I distill it down. But this has been a great conversation. Thank you so much for your time. So interesting and really appreciate you joining us today.

Kurt John (40:38):

Thanks for having me. I had a great time. 

Liz Ramey (40:44):

Thank you, again, for listening to The Next Big Question. If you enjoyed this episode, please subscribe to the show on Apple podcasts, Spotify, Stitcher, or wherever you listen. Rate and review the show, so that we can continue to grow and improve. You can also visit Evanta.com to explore more content and learn about how your peers are tackling questions and challenges every day. Connect, learn, and grow with Evanta, a Gartner Company.