Digital Business

A dash of flexibility enhances security at International Flavors and Fragrances

Nov 01, 2022
CXO Summit Live - NYC - CXO Spotlight

At the recent CXO Summit Live in New York City, I sat down with Director of Information Security Architecture Michael Strause from International Flavors and Fragrances (IFF) to learn about how he is overcoming security challenges, pursuing digital transformation, overcoming complexity, all against the backdrop of doubling in size as after the merger with a division of DuPont that completed last year. 

IFF, a Fortune 500 company, is one of the largest organizations you’ve probably never heard of, but you’ve most likely come across its products when you’re taking a shower or eating breakfast. They live at the crossroads of innovation and science, making products around scent and flavor, like chips or ice cream—creating as many flavors as possible for your digital transformation strategy.

"Zscaler CXO Summit Live - NYC"
IFF's Michael Strause and Zscaler's Sanjit Ganguli discuss digital transformation, zero trust architectures, and other innovations driving business agility

Security via obscurity to ensure flexibility

“There’s a term we use internally: ‘One IFF,’ which is all about merging both organizations. The task is two-fold. The first is to bring together the legacy environments from both organizations and get systems to a state where we can move processes to the cloud and be more agile. The second is to build connectivity and keep things secure, allowing the business to have need flexibility without getting in the way or even being seen,” Mike said. “I call it ‘security by obscurity.’”

“That concept takes me back to the days when secrecy and obfuscation were the main methods of securing systems from an attack. Fast forward a century, and the industry has done a 180-degree turn, taking the approach that anyone on the network poses a security risk, so it’s vital to prevent and mitigate the threat through a zero trust architecture,” he said. 

At first, Mike didn’t feel comfortable with the term Zero Trust: “I didn’t like it at first and had to take the time to really understand the core principles. I see now that zero trust aligns perfectly with where technology is going as we consume more services in the cloud and those services need to talk to one another. At IFF, we don’t care as much about the endpoints. I want employees to be able to connect from anything, whether that's on their spouse’s computer or their smart TV,” he added.

Hybrid work accelerated the conversation around trust and segmentation

Mike brought up an important point: It’s not about the device or the network, it’s really about identity. “Identity is key, it’s our first line of defense,” he said. And the move to hybrid work has underscored the need for a true single sign-on rather than a band-aid approach. We discussed how the pandemic changed work and how to protect users on their own devices in different environments.

“IFF initially brought in Zscaler for security, but when the pandemic began, the benefit of connectivity became just as important. We quickly switched from SSL VPN to Zscaler Private Access™ (ZPA), which is how we got through the sudden shift to remote work. And I don’t think hybrid work is going away, which is a good thing for employees. It shifts the work-life balance in a positive direction, and from a security perspective, it’s accelerated the conversation around trust and segmentation.” Mike said

Segmentation rules are complex, especially in large organizations, since you don’t always know who needs access to what. There are different segmentation types, but for ZPA, the focus is on user-to-application segmentation. Mike has first-hand experience with this and offered success tips.

  • Follow the 80/20 rule. Focus on the crown jewel applications. This way, you can cover 80% of the use cases and then go from there. “If you wait until it’s perfect, you’ll never get through your deployment,” Mike advised.
  • Start with big buckets and work your way down. Categorize employees by department or job function, and “Try not to get too granular because it becomes a challenge to maintain,” he recommended.
  • Utilize the tools you have. Gather analytics to turn into segmentation pieces. Zscaler can help with this too. 

Security elevated from a stopgap to a transformational force for the business

Having the right tools in place is one part of the equation to digital transformation. Another of equal importance is getting all the stakeholders on board. Mike’s background in traditional infrastructure means he’s particularly well suited to bring together cross-functional teams. His advice on navigating the political waters and getting buy-in was spot on.

  • Empathize with their position. “I was formerly on the network side, so I was in their shoes, having to interface with security throughout my career. It’s been helpful to think ahead of the questions they might ask. You should always have a plan but include others in the solution; they want to be a part of it,” Mike advised.
  • Align on priorities and challenges. “It’s critical to speak a common language to ensure we’re satisfying as many goals as we can and that everyone is moving in the same direction,” Mike said.
  • Aim for flexibility. “Empathize but also educate,” he suggested. Mike reflected on when Microsoft SharePoint first came online, “I often used this analogy when a stakeholder said, ‘I want a menu approach to everything.’ I had to sit down and explain that there are millions of possibilities with this platform. The goal is to be flexible enough to have solutions that can support the business.”

ZPA enables secure connection regardless of device

With all that said, there was only one question left to ask: Having all the international flavors and fragrances at his fingertips, what is Mike’s favorite flavor or fragrance? “I’ll have to agree with my kids on this one, cookies and cream ice cream,” he said. And thanks to ZPA providing a secure connection from anywhere, he can enjoy a bowl of his favorite ice cream with his kids at home and, when he needs to, can securely log in to his apps at work as if he was there.  

More coverage from CXO Summit Live - NYC:

Digital architecture risk is a fiduciary responsibility of the board

The ascendency of inclusion: A conversation with Dr. Gena Cox