Citi Ventures’ 2021 Fall Enterprise Tech Series Explores the Fast-Changing Cybersecurity, Data, and Automation Landscapes

During 2021, the rise of remote work contributed to more cyber attacks on previously unknown vulnerabilities than during the past five years combined. Meanwhile, a mass migration of data to the cloud has prompted a record $58B in venture investments in data companies this year; enterprises are grappling with new compliance and data privacy rules; and so-called “low-code/no-code” development platforms are empowering non-IT employees to be “citizen data scientists.”

Citi Ventures recently held our Fall Enterprise Tech Series, which explored these and other top-of-mind issues in cybersecurity, data management, and automation. Led by Matt Carbonara, Managing Director and Head of Enterprise Investing at Citi Ventures, the event brought together leaders from both within Citi and across the industry landscape for three days of thought-provoking conversations on these critical topics.

Highlights from the virtual event are below.

Day One: Cybersecurity

As technology becomes an ever more important driver of the banking industry, cybersecurity architecture has become a crucial factor in the decisions enterprises make about potential partnerships, investments, and vendors.

Day One of the Enterprise Tech Series focused on three key dimensions of cybersecurity: cyber resilience; the “new normal” of hybrid and remote work; and DevSecOps, or the integration of security testing and protection throughout the software development and deployment lifecycle (SDLC).

Key Takeaways – Cyber Resilience

“There's a rapidly evolving cyber threat landscape that we're all dealing with. We've seen [a] level of sophistication demonstrated by major cyber-criminal groups that now rivals nation-state actors.”
- Ann Barron-DiCamillo, Global Head of Cyber Security Operations, Citi

  • Large enterprises are increasingly focusing on tools that reduce their risk and improve their ability to recover from cyber-attacks.
  • Cyber criminals, many of whom collude with nation-state actors, are able to quickly abandon and reconstitute operational networks. "In the past it took 45-plus days to see exploits [of cybersecurity patches] available in the market…but now it's happening within hours of release and sometimes even sooner," Barron-DiCamillo said.
  • Phishing and other forms of social engineering have made “cybersecurity…no longer the sole responsibility of technical gurus in the back office,” according to James Hadley, CEO and founder of Citi Ventures portfolio company Immersive Labs.
  • Enterprises must also secure their supply chains—an effort that requires working together by leveraging industry groups, said John R. Miller, Citi’s Global Head of Cyber Security Services. “It's not going to be one technology company or one financial institution that begins to shift and creates the standards and gets people on board. It's going to take all of us to participate in that.”

Key Takeaways – Securing the Hybrid Workspace

“When COVID-19 hit, we securely turned on remote access for thousands of additional Citi employees—many now working fully remotely for the first time. Despite our existing remote access and data protection controls, the attack surface changed, giving cyber criminals an opportunity to go after us in a way we hadn’t experienced before.”
- Al Tarasiuk, Chief Information Security Officer, Citi

  • Employees now move fluidly from home to work activities online, potentially exposing work material inadvertently by using less secure network hardware, using their own devices (Bring Your Own Device) for work purposes, etc., noted Clark Smith, Citi’s Head of Engineering and Architecture Practice for Cyber Security. Smith outlined a three-pronged approach for enterprises seeking to secure their hybrid workspaces:
    1. Employ the cloud-based Secure Access Service Edge (SASE) framework, which delivers networking security controls as close to users as possible. Startups are increasingly using SASE to help enterprises ensure that their cybersecurity keeps pace with digital transformations begun before the pandemic. For example, Citi Ventures portfolio company Netskope uses SASE to help enterprises adapt data security from on-premises to the cloud—“so that no matter where I am, and no matter what I'm accessing, I have a consistent security stack," said Netskope founder and CEO Sanjay Beri.
    2. Go beyond multi-factor authentication to create an “identity ecosystem”—a digital passport combining a variety of personal credentials mutually recognized by a wide range of players—that can safely enable remote employees to engage in critical processes and access sensitive, restricted data.
    3. Focus on employee behavior and best practices. Startups are increasingly targeting what Tim Sadler, co-founder and CEO of Citi Ventures portfolio company Tessian, calls "the human layer" of enterprises. Using machine learning models to distinguish between normal and anomalous human behavior—in other words, "when you make a mistake or break the rules"—Tessian detects cybersecurity threats that employees cause accidentally and intentionally via email.

      Furthermore, since “relevant cyber skills begin to decay” the moment security trainings end, Hadley noted that annual cybersecurity trainings are outmoded. Instead, Immersive Labs identifies the best cybersecurity talent across client organizations, battle-tests teams in real-world simulations, and continuously measures and upgrades their skills.
  • According to Rakesh Loonkar, co-founder and President of Citi Ventures portfolio company Transmit Security, traditional usernames and passwords may soon be replaced by biometrics, which use unique physical characteristics such as fingerprints and behavioral identifiers such as typing patterns to identify individuals more seamlessly and securely.
  • In the near term, enterprises such as Citi are hoping vendors can improve their ability to anticipate complex threats. “We need model-based approaches to [be] able to say, ‘What is normal behavior in our network? What is normal behavior of this type of a person in this type of role?’” said Clark Smith. Companies also seek to improve response times and “limit the blast radius” from cyber attacks. Longer term, enterprises are worried about meeting data privacy expectations as unmanaged devices proliferate, and about the security threats posed by AI and quantum computers.

Key Takeaways – DevSecOps

“Securing applications and infrastructure early in software development benefits both security [and] speed of delivery [to] your customers and partners.”
- Matt Carbonara

  • As DevSecOps becomes increasingly important, companies are “shifting left” in incorporating security into the SDLC, said Jonathan Meadows, Citi’s Head of Cloud Security Engineering—moving beyond simply scrutinizing software code to creating controls and policies around it and instituting automated testing at multiple points along the way. That shift extends all the way to “the software we're bringing in [to the enterprise], and how we can secure it at the source,” he continued.
  • Software developers are seeking a more streamlined set of tools as they contend with a rapidly expanding set of security concerns, said Guy Podjarny, founder and President of Citi Ventures portfolio company Snyk. Those concerns include safeguarding not only open-source code, but also cloud-native applications such as containers that deal with operating systems.
  • Security policy is “pretty much everywhere, disguised as guardrails, constraints or entitlements,” said Nils Swart, Vice President of Product Management at Citi Ventures portfolio company Styra. “We’re building this [open-source policy engine] horizontally so you’ll be able to…share a common piece of policy, put a hierarchy in place, deploy it with confidence, and monitor the behavior you’ve mandated.”

Day Two: Artificial Intelligence/Machine Learning/Data Innovation in the Cloud

“This is truly a once-in-a-generation shift in how data will be managed.”
- Vibhor Rastogi, Global Director of AI/ML/Data Investing, Citi Ventures

The big news of Day Two of the Fall Enterprise Tech Series was not that, per Citi research, annual enterprise data volumes are expected to grow at 24% CAGR over the next five years. The real headline: Nearly two-thirds of those workloads may be running in the cloud by 2023.

Key takeaways from Day Two include:

  • Enterprises must more effectively sift through the wealth of data they are generating in order to achieve “a quantum leap in customer intelligence,” said Murli Buluswar, Head of Analytics for Citi’s U.S. Consumer Bank. Cloud storage is essential to that process because it enables teams to run “optimization algorithms” that provide real-time guidance on how to market most effectively to individual customers and segments.

    Powered by the cloud, Buluswar’s team is creating a “customer analytic record” that “stitches together as many as 2,000 attributes at an individual customer level.”
  • Kyle Rourke, Vice President of Global Platform Strategy at cloud-based data warehousing company Snowflake, noted that the company’s innovative “Data Cloud” allows its customers—and their ecosystems of partners, suppliers, and customers—to securely share data for business collaboration, insights, and bringing new products and capabilities to market. The collaboration between Citi Securities Services and Snowflake demonstrates the potential of this innovation.
  • Unlike the data stack, there is no “legacy AI stack,” said Arsalan Tavakoli-Shiraji, co-founder and Senior Vice President of Field Engineering at Databricks. This blank slate enables companies to more rapidly adopt innovations such as “cloud lakehouses,” which unify the previously disparate domains of business analytics and advanced AI/ML.
  • Like Iron Age artisans before the era of mass production, enterprise data analytics teams tend to be small islands of expertise, said Matthew Scullion, co-founder and CEO of Citi Ventures portfolio company Matillion. Matillion’s cloud-native, code-optional data operating system “makes it much easier and more productive to make data useful—to turn iron ore into steel,” Scullion continued.
  • Unstructured data such as videos, images, and documents can provide some of the richest data about consumers’ experiences, preferences, and feedback, noted Bob Muglia, former CEO of Snowflake. Modern systems are increasingly able to analyze unstructured data.
  • Enterprise technology, data science, and engineering teams in risk-averse industries such as banking and insurance must help executives understand how the cloud’s advantages connect to their balance sheets and income statements. The information gap between companies that have embraced the cloud and those that haven’t “is already pretty wide today, and it’s going to get wider,” Buluswar said. “So, these capabilities are an imperative.”
  • According to Matthew Carroll, co-founder and CEO of Citi Ventures portfolio company Immuta, the cloud has created new opportunities to transform data into business insights. In order to do so, however, companies must navigate complex new data privacy rules and regulations, often applying hundreds of thousands of policies to individual queries about customer behavior. Immuta’s data governance platform, which it has tested on some of the world’s largest and most complex companies, combines the attributes of 100,000 users with all the controls on their data, reducing the number of rules to just a few.
  • The standard enterprise data warehouse (EDW) model is expensive because it puts an enterprise’s most valuable data in the hands of a single vendor and “limits your view to what is in that EDW right now, which is almost never the complete truth of what's going on in your business,” said Justin Borgman, CEO of Starburst. Starburst’s enterprise query engine “turns the EDW model inside out…unlocking the value of distributed data and making it fast and easy to access no matter where it lives,” he continued.

Day Three: Automation

Day Three of Citi’s Fall Enterprise Technology Series focused on two key frontiers of digital transformation: low-code/no-code platforms, which enable non-IT employees to build software applications and functionality on demand; and automation in financial services, which is eliminating bottlenecks in large enterprises and creating faster and better business intelligence.

Key Takeaways – Low-Code/No-Code Platforms

“Traditionally companies hired developers or used off-the-shelf software, but with low-code/no-code [solutions], they have a third option: to build custom systems without hiring developers or compromising on software.”
- Blaze O’Byrne, Vice President, Venture Investing, Citi Ventures

  • Low-code/no-code can facilitate a broad range of use cases, such as transaction monitoring and fraud detection. For example, Unit21, a no-code platform for risk and compliance operations teams, has helped customers reduce loss from fraud by as much as 50%.
  • Many low-code/no-code solutions sit close to the business itself, to encourage innovation. “The magic happens if you empower the people who know the business and simplify the technology behind the scenes, so they try things out day after day,” said Stefan Groschupf, founder and CEO of Automation Hero.
    But the freedom that low-code/no-code brings to enterprises can also give them cause for concern. “Scale is the biggest problem for a firm…adopting low-code/no-code platforms,” said Sourahb Deb, Senior Vice President at Citi’s Artificial Intelligence Centre of Excellence. “How [does one] govern [thousands of mini-]automations, some of which could be running mission-critical business processes?”
  • Given these opportunities and risks, enterprises and vendors must work closely together. “We want people who will help us solve problems and deliver success for clients,” said Deb. Similarly, vendors look within large organizations such as Citi for “intrapreneurs” who understand the potential of new technologies and are willing to embrace their risks.

Key Takeaways – Enabling Automation in Financial Services

“Automation in technology has become even more important for enterprises to improve productivity, reduce errors, and enable employees to work on higher-order tasks.”
- Matt Carbonara

  • As with cybersecurity, often no single technology is sufficient to meet the myriad goals of enterprise automation. Ben Rayner, Head of Innovation and Productivity for Citi’s Global Capital Markets Operations and Technology team, said his team has come to rely on “a jigsaw puzzle of different technologies” that meet different demands, integrate with each other, and are creating “the next generation of data.”
  • Before-and-after comparisons of workflow and productivity are essential to understanding if improvements are being made through automation. This may require creating a “meta-model of work” to compare functions and teams before and after reengineering, said Avinash Misra, CEO and co-founder of Citi Ventures portfolio company
  • Unstructured data can be a major stumbling block to process improvement, particularly for financial services teams that are “constantly conducting client due diligence, onboarding, and servicing,” said Ozge Tuncel Ozcan, Chief Customer Officer at Instabase. “They’re under regulatory pressures, so a lot of manual operation goes into it.” To overcome this, Instabase’s platform helps banks automatically and instantly verify customer income by searching through paystubs, tax documents, bank statements, and other documents.
  • “Build versus buy” remains the fundamental question for enterprises as they consider the range of new automated solutions. “Off-the-shelf piece functionality rarely fits directly into a gap we have,” Rayner said. “We have to grow and evolve, and that involves give and take. The relationship with the vendor is super important, and secondarily, so is flexibility in the products.”

Citi Ventures is grateful to our participants and attendees for making the 2021 Fall Enterprise Technology Series a success. Visit our Tech Council page for more information, and stay tuned for more enterprise tech content and events in 2022.