Transcript
Richard Hiralal [00:00:00]:
We're usually the tech support for everybody in our personal lives. And so thinking of how you would attack that issue with the people in your personal lives.
Arek Dreyer [00:00:08]:
This is Patch Me If You Can, a show about the IT and security leaders rewriting the rules. Not just patching what's broken, but building what's next. Every episode we explore replacing outdated ways of working with simpler, smarter and more strategic approaches. I'm your host, Arek Dreyer. Today's guest is someone who knows what it takes to make complex systems actually work for both users and security teams. Richard Hiralal is a systems engineer at Grammarly, where he's focused on keeping endpoints secure without slowing people down. He's got a sharp eye for where friction shows up between teams, between policies and real-world workflows. And he's learned firsthand that the real unlock often comes from how teams work together, not just what tools they use.
Arek Dreyer [00:01:04]:
Richard, welcome to Patch Me If You Can.
Richard Hiralal [00:01:07]:
Much appreciated. It's an honor to be here. I don't know if I'd call myself an expert. I try to tell myself that, but we'll see.
Arek Dreyer [00:01:17]:
Well, really excited for this one. And for anyone listening, make sure you subscribe so you don't miss out on what's coming next. So let's start off with a backstory question. Where do you see the biggest tension between security and user experience today?
Richard Hiralal [00:01:33]:
I'd have to say it's the balance between user experience and security, right. Striking that half a balance just because if you sway one way too far in either direction, you end up with a subpar solution or potential holes in your strategy. Right.
Arek Dreyer [00:01:52]:
So do you have an example of when that tension is real, how that's created? Or when that tension slows things down?
Richard Hiralal [00:02:02]:
I guess this wouldn't necessarily be a tension between security and IT, but this was some tension between the users and the solution that was put out.
Richard Hiralal [00:02:15]:
Right.
Richard Hiralal [00:02:15]:
Which is also not great. It's what you try to avoid. This was a while back. We were trying to wrangle Chrome patching, and anybody listening is probably going to chuckle like, yeah, Chrome patching, that's always a fun adventure. Historically there was a lot of stuff put in place before I got there, but trying to nail down something that just worked for both users and us. And there's a few different routes you can go. You can go through something built in through your MDM like Auto Apps, you can go through a third-party patching solution, you can use Chrome's native features. So figuring out what works best in the user experience, dialing that in, that was probably the hardest part.
Richard Hiralal [00:02:57]:
And through a lot of testing, a lot of trial and error, we landed on doing things through the Chrome Enterprise console, just because that gave us a cross-platform means to patch Chrome. And we built in deferral mechanisms, we built in enforcement mechanisms and very clear guidance to the user. Hey, you've got two more hours or this browser is going to reboot, right? Or restart. Upon rolling that out, we saw patch compliance for Chrome skyrocketing. And this was actually around the time, you might laugh because it's kind of like always the case, but this is the time there were back-to-back zero-days for Chrome, right? And when that hit, shortly after, we had a pocket of users, I think developers, who were saying, hey, what is up with all of these updates? It feels like daily Chrome updates. And it was one of those things that our security team had decided, hey, these are severe enough that we want to get them patched as quickly as possible. Again, we still maintained all the deferral mechanisms, all the messaging, all the guidance to users, but there was a pocket of users that found it excessive. And this was all happening in Slack.
Richard Hiralal [00:04:07]:
So I hop in there, hey, this is the why behind it. And still I was getting pushback. And that's where I took a step back and I realized I'm some faceless IT guy saying, hey, I put these settings on your machine. So I went to the CorpSec team that we worked on this with and I said, hey, it's one thing coming from me, but it's another thing coming from CorpSec. And so they jumped into the conversation and not only reinforced what we're doing, but the whys behind it, what we're trying to fix, what we're trying to solve and protect ourselves against. And just explaining the why and giving the peek behind the curtain for the end user made the most difference, and the complaints pretty much stopped from there.
Arek Dreyer [00:04:54]:
So why do you think that balance is so hard to find in the first place?
Richard Hiralal [00:05:00]:
I think when you look at that problem, you have to really recognize that it's not one singular group that's typically implementing these things. It's a partnership between security, a partnership between IT, and also potentially your GRC team, depending on what the controls are.
Richard Hiralal [00:05:18]:
Right.
Richard Hiralal [00:05:18]:
And to go a step further, partnership with your help desk team is absolutely crucial. I think involving help desk in general is something that kind of goes to the B side sometimes, because you can kind of look at it on opposite ends of the spectrum, right? On one end you've got security, right? And they're typically going to be looking at things through a security lens. On the opposite end, you've got help desk. That's more than likely looking at things from a user experience perspective, because they get the brunt of everything from the end users, right? They get all the complaints, all the flak. So when something goes wrong, their day is rough. And then from an IT engineering perspective, you're somewhere in the middle, all right? And so making sure that you have all of the stakeholders, if you will, involved at some point in that process, even if it's just getting feedback on, hey, here's what the experience is going to look like. Getting your help desk's perspective on, yeah, that looks good. Or hey, maybe we need to tweak the messaging.
Richard Hiralal [00:06:20]:
Maybe we need to create some more documentation or better communication around what we're doing, around what we're rolling out. From what I've seen, that's really what makes the difference. It's really odd to say, but usually the technical side of it is sometimes the least amount of effort. It's making it palatable to your security team and to your end user. That's usually a little bit tougher sometimes, not all the time.
Arek Dreyer [00:06:49]:
It's interesting that you mentioned there's all these different elements. There's the different teams, there's the users. And so your answer wasn't, oh, you know, it's the right tool or the right mindset. It's more like how teams work together.
Richard Hiralal [00:07:04]:
Exactly. That collaboration, right. I'm sure many people listening can agree with this, where lots of times you end up in silos, right? Whether you want to or not. It's very easy to end up in silos. And again, you get stuck kind of looking at things from your perspective. As hard as it is, trying to pull yourself out of that and also kind of build bridges of communication with those other teams is so valuable. I think one of the things that works well for us at Grammarly is we just have, in general, regular conversations with other teams, right? We try to break down the silos as much as possible. And it's not necessarily even, you know, calls to discuss a specific project or whatnot. It might be regular syncs, it might be, I hate to put it this way, but nonsense calls, like calls with no set agenda, just kind of talking about, hey, what's on your mind, what's coming down the road, especially between IT engineering and help desk.
Richard Hiralal [00:08:11]:
That's an extremely valuable thing to kind of let them know, hey, here's what's on the horizon. Here's what we're working on. Here's what I'm going to be testing on you guys today.
Arek Dreyer [00:08:22]:
Right?
Richard Hiralal [00:08:23]:
Yeah. That's a huge, huge deal.
Arek Dreyer [00:08:26]:
It's funny you said that you almost labeled it a nonsense conversation, but those conversations are so important because you don't want the first time you communicate with someone to be a difficult conversation. You've got to get that trust battery built up.
Richard Hiralal [00:08:43]:
Yeah, exactly. And trust is honestly everything. The trust within your team, the trust across teams, and also trust with the end users.
Richard Hiralal [00:08:52]:
Right.
Richard Hiralal [00:08:53]:
And that's especially important. And making sure you have that clear communication when you're building something, strategizing, is going to lead to a better solution in the end, which is going to help maintain that trust. The big thing is you always want to try to do your best to avoid users scratching the pitchforks.
Richard Hiralal [00:09:11]:
Right.
Richard Hiralal [00:09:11]:
And I think we've all been there at some point where, you know, we maybe didn't plan as well as we should have. The tough thing is that if you do have bad rollouts or consistently bad user experiences and you start losing that trust with users, making changes in the future gets a lot harder.
Richard Hiralal [00:09:31]:
Right.
Richard Hiralal [00:09:32]:
When users lose trust in what you're doing as IT or security, they're going to start second guessing what you do and you may even inadvertently push them to try to circumnavigate your security controls, which is even more dangerous.
Richard Hiralal [00:09:45]:
Right.
Richard Hiralal [00:09:46]:
So that's where things like forming internal pilot groups come in. Right. At one point I actually had a pilot group of users across different orgs within the company. So some people from marketing, some people from finance, engineering, and it was an agreement: hey, we're kind of going to be giving you the first round of things. You might see problems and issues, and if you do, report them to us so we can fix them. I've seen that be immensely helpful in avoiding problems with a larger-scale rollout. And overall it just leads to a smoother experience. And also I think usually when users know that there is a pilot process, that we do care about this, we're taking the initiative to avoid impacts and just keep people productive.
Richard Hiralal [00:10:38]:
It goes a long way and again solidifies that trust with the users.
Arek Dreyer [00:10:42]:
So that's the communication about expectations.
Richard Hiralal [00:10:47]:
Exactly, exactly.
Arek Dreyer [00:10:49]:
Earlier you were talking about the dangers of being in a silo, and it sounds like you've been in a silo. Do you have an example you could walk us through, a specific instance when tensions boiled over and, because you were in a silo, things didn't go quite right? And how you got out of that silo.
Richard Hiralal [00:11:15]:
I would say probably at a past company we had done a complete security overhaul, implementing CIS controls and whatnot. One of the big things that we did was removing admin rights. That's always fun.
Richard Hiralal [00:11:34]:
Right?
Arek Dreyer [00:11:35]:
Right. If people had admin rights and then they didn't have admin rights, just historically.
Richard Hiralal [00:11:40]:
In the company, you've always had admin rights. That's tough. And the solution that was proposed was implementing a privileged access management tool, which in theory is great.
Richard Hiralal [00:11:52]:
Right.
Richard Hiralal [00:11:52]:
It makes sense. But because of the silos, there were kind of those gaps in perspectives that I was mentioning.
Richard Hiralal [00:12:02]:
Right.
Richard Hiralal [00:12:02]:
Where security ends up looking at things solely from a security perspective of, hey, here's all the things we're going to restrict, and functionally speaking, here's how we enable people to do what they need to do.
Richard Hiralal [00:12:15]:
Right.
Richard Hiralal [00:12:18]:
On the opposite end, on the IT side, you can immediately see, hey, there's some problems, some gaps, some risks. And in a situation like that where there are silos, we were kind of pushed to roll it out faster than we would have liked. And because of that, those user experience problems weren't really fully addressed. And it led to problems, because we ended up taking a block-everything approach. So an allow-list model for software installs, and anybody who's done that knows how tough it is.
Richard Hiralal [00:12:57]:
Right.
Richard Hiralal [00:12:58]:
So that, paired with the admin rights revocation, is a recipe for disaster if not done
Richard Hiralal [00:13:05]:
right. Right.
Richard Hiralal [00:13:06]:
So what it led to was, I led the implementation for the PAM tool, but there weren't really processes set up around it.
Richard Hiralal [00:13:13]:
Right.
Richard Hiralal [00:13:14]:
And as things started kind of going haywire, immediately seeing that, hey, we don't have everything pre-approved, there's thousands of apps.
Richard Hiralal [00:13:23]:
Right.
Richard Hiralal [00:13:23]:
And also a bunch more that we probably don't know about.
Richard Hiralal [00:13:27]:
Right.
Richard Hiralal [00:13:27]:
Because when you're kind of going from zero to one, it's really tough to try to cover those bases. And that's why kind of slow-rolling changes is so important as well. So ultimately what we ended up doing is kind of taking a step back and saying, okay, while we're working on trying to pre-approve everything that we know about, which itself is a monumental task, how do we enable a user to get from point A to point B? I have the need for this app, and, you know, to where I get it installed.
Richard Hiralal [00:13:57]:
Right.
Richard Hiralal [00:13:57]:
What's the sequence of events that has to happen, with the security approvals, the implementation on the IT side, or approving it from the PAM tool to install? There's just so many pieces there. Eventually we got there, but it was painful, right? On the flip side, another control that we had put in place was, I keep saying USB storage control, but it's a lot more than that. It's external media control, right? Because you've got USB, Bluetooth, AirDrop, network storage, cloud storage. So we implemented those controls as well. I think it was after the admin rights one. I think we had learned, it's been so long, I think we did learn from past experience, but we had better communication. I think everybody came together, there were regular conversations around it, and from the jump with designing things we figured out how the user gets from point A to point B. And one of the first things I called out, because I used to do video editing or whatnot back in the day, I was like, our multimedia team will be living off of external media.
Richard Hiralal [00:15:05]:
I don't know any of them, but I know enough that they're going to be living off of external media. And so one step that we took was running the tools in audit mode, discovering, figuring out who is using external storage, and let's find out if it's legitimate uses, right, that we're okay with. And then if they are, let's get them pre-approved before we even roll this out. The next layer is the point A to point B. And so on one end we made sure we had dedicated ticket items set up in our help portal to make sure it goes through a flow. But we had it where, hey, I'm a user that has this need, I open a ticket for USB read/write, and that kicks off a ticket that goes to CorpSec and they give a yay or nay. And if it's a no, they put the reasoning why, and if it's yes, it would kick over to my end. Now, I don't want to sit there and manually manage all of these permissions. So what we did is tied everything to groups, right, directory groups. Now, depending on the situation, because this will probably be a hot debate of, oh, do you do device-based exclusions vs. user-based exclusions? I honestly think it depends on the situation, the control, and also what your security team is okay with.
Richard Hiralal [00:16:22]:
Right?
Richard Hiralal [00:16:22]:
And your GRC team. But we landed on user-based exclusions. But with those groups, I just set them up in the MDM, on read and read/write, for each one of these media types. That way, as soon as they got the approval, they're immediately in the group. But that also enables security to take action if they need to. Let's say that they need to revoke that access. They don't have to come to IT, they don't have to come to me. They can pull somebody out of that group.
Richard Hiralal [00:16:49]:
As soon as the machine syncs, the access is blocked. Right. So it really enabled help desk, IT engineering and security to build a solid solution and a clear flow. But also from a user experience perspective, it was pretty seamless, all things considered.
Richard Hiralal [00:17:06]:
Right.
Richard Hiralal [00:17:07]:
You'd get it sorted out as soon as somebody clicks that approve button.
Arek Dreyer [00:17:10]:
I want to dig into the communication with users. Can you talk some strategy, like how that first started out and how it ended up being?
Richard Hiralal [00:17:24]:
It was tough. In my past company, we did have official IT comms people, but we basically gave them the rough and dirty and then they would pretty it up.
Arek Dreyer [00:17:37]:
I mean, was it like, hey, here's what CIS is and here's why it's important to the business?
Richard Hiralal [00:17:42]:
Yeah, so that's the whole thing. And when I kind of look at communicating, or even building something out from a user experience perspective, I kind of look at it as, can I put this in front of my mom?
Richard Hiralal [00:17:56]:
Right.
Richard Hiralal [00:17:56]:
Would my mom be able to understand these comms or understand these steps that have to be taken and, you know, be okay with that?
Richard Hiralal [00:18:05]:
Right.
Richard Hiralal [00:18:06]:
Be able to successfully complete that task, kind of putting yourself in that mindset. It's never going to be perfect.
Richard Hiralal [00:18:12]:
Right.
Richard Hiralal [00:18:12]:
But being cognizant of that goes a long way. And so over time you kind of learn, okay, let me think of, hey, somebody in finance is probably not going to know what CIS controls are, and they probably shouldn't even have to know what CIS controls are, but explain to them, hey, we are going to be managing USB drives, right? And unless you have a valid business use case, we're going to be blocking it. Here's why we're blocking it, right? Here's the risk that we're trying to mitigate. Here's what we're trying to protect ourselves from. And explaining the whys goes such a long way. Demystifying security as much as you can for users really helps gain and build that trust with the users.
Arek Dreyer [00:18:54]:
Just as a side note, for any of the moms who are listening, you may be more technical than someone else on your team. So Richard's use of mom was a stand-in for a non-technical user.
Richard Hiralal [00:19:10]:
Yes. Yeah, let's clarify that. I thought of my mom when I did that, when I started doing that. So yeah, because I think everybody can kind of relate. We're usually the tech support for everybody in our personal lives.
Richard Hiralal [00:19:25]:
Right.
Richard Hiralal [00:19:26]:
And so thinking of how you would attack that issue with the people in your personal lives.
Richard Hiralal [00:19:32]:
Right.
Richard Hiralal [00:19:33]:
You're not just going to, you know, tell them, hey, just hit XYZ and, you know, upload, download, whatever. You're going to explain to them, here's what downloading means, here's what rebooting means. Because at the end of the day, they're not going to know. We're the nerds for a reason.
Arek Dreyer [00:19:48]:
You know, and that empathy that you show to family members, and that patience, and sometimes it might be easier to have patience with your colleagues than with your family members, but that empathy that you show to your family, to non-technical users, that's super important.
Richard Hiralal [00:20:09]:
Absolutely. It can make or break the situation.
Arek Dreyer [00:20:14]:
So once you knew what needed to happen and communicated, here's the steps that we gotta take, how did you approach designing the security policies and controls, maybe that were already laid out by, you know, the CIS that you're trying to achieve, and also preserve a great user experience?
Richard Hiralal [00:20:39]:
Well, that's the whole thing. I think the biggest thing is figuring out what direction you want to head in from a security cluster.
Richard Hiralal [00:20:49]:
Right.
Richard Hiralal [00:20:50]:
And that's only going to happen with that cross-team collaboration between not just you and CorpSec, but also GRC as well.
Richard Hiralal [00:20:57]:
Right.
Richard Hiralal [00:20:57]:
Making sure everything's palatable. Are we going to adhere to what we're going to get audited on, and what are we getting audited on? That's a big deal, because you can't necessarily walk down the road unless you know where you're going.
Richard Hiralal [00:21:12]:
Right.
Richard Hiralal [00:21:14]:
So kind of making a roadmap of sorts helps a huge deal because you can also foresee, hey, we're also going to be doing these two things that are complementary to this other control.
Richard Hiralal [00:21:24]:
Right.
Richard Hiralal [00:21:24]:
So making sure that you kind of package things together, roll things out around the same time where it makes sense.
Richard Hiralal [00:21:30]:
Right.
Richard Hiralal [00:21:31]:
Trying to avoid as many jarring changes to users as possible is such a huge deal.
Arek Dreyer [00:21:38]:
Yeah. Preparing them for what's down the road is key. I love that. So it sounds like you had some success. And once you had better alignment between the security controls and the user experience, what did that unlock for you and your team?
Richard Hiralal [00:21:57]:
A couple things.
Richard Hiralal [00:21:58]:
Right.
Richard Hiralal [00:21:58]:
I think acceleration and ease of implementation. It's just the nature of it: we figured out what works and we've kind of come up with a formula of what we do. Was everything perfect? Absolutely not. You know, it's never going to be perfect, but we definitely kind of figured out the flow, figuring out comms, figuring out implementation, documentation, both for the help desk to support the users as well as the end users.
Richard Hiralal [00:22:22]:
Right.
Richard Hiralal [00:22:22]:
Creating as many self-help options for end users as possible is also a huge deal, I think. Also regularly checking in with the help desk on, hey, how are things going? Are you seeing any problems? And adjusting from there is such a huge deal. But the other thing is that, kind of, I don't want to say you let off the gas, but you're able to be like, okay, this is solid, I can start thinking and building towards the future.
Richard Hiralal [00:22:53]:
Right.
Richard Hiralal [00:22:53]:
The V2 of this, or what are some additional things, or the next iteration of what we want to implement.
Richard Hiralal [00:22:59]:
Right?
Richard Hiralal [00:22:59]:
Yeah.
Arek Dreyer [00:23:01]:
And having that muscle memory of the constant communication that sets you up for success moving forward, right?
Richard Hiralal [00:23:09]:
Yeah, yeah, absolutely, absolutely. It's an ongoing thing.
Arek Dreyer [00:23:12]:
You know, if you had to summarize your approach in one sentence, how did you build systems that both secure your organizational data and achieve user-friendliness?
Richard Hiralal [00:23:29]:
The biggest thing to that is just balance and cross team collaboration.
Richard Hiralal [00:23:35]:
All right.
Richard Hiralal [00:23:35]:
That's ultimately really where it all starts. Because if you don't have that, everything goes haywire.
Richard Hiralal [00:23:41]:
Right.
Richard Hiralal [00:23:42]:
It's kind of the foundational piece to enable all of that good work and solid solutions to get built because you have all these different perspectives coming together to form that solution. It's not one sided.
Arek Dreyer [00:23:56]:
Love it. So to end each episode, we like to ask our guests the same question. So Richard, if you could instantly patch something in your life, what would it be? Actually, let me ask that again. If you could instantly patch something in your world, what would it be?
Richard Hiralal [00:24:23]:
This might be a spicy one. Honestly, I think I would patch the perception that IT is just a cost center, that it's not revenue-impacting. And I'm sure anybody listening has probably heard this at some point before. You know, the thing to realize is the work that we do, not only device management, but IT and security in general, directly affects user productivity, morale and potentially even revenue. When it's done right, it enables the company's success.
Richard Hiralal [00:25:02]:
Right.
Richard Hiralal [00:25:03]:
You know, a ship can't sail without a crew to keep it in good shape. And I understand the idea of revenue-impacting to the extent that it does not bring in sales. I get that to a certain point. But what happens if a customer expects a certain level or baseline of policies and configurations from us? What happens if you have a major security incident that gets publicized? That's revenue-impacting stuff. Sometimes a customer's trust in you reflects the standards that you hold yourself to. If I had a house cleaning service and then you saw my house was a complete wreck, you'd have a hard time hiring me, even if I would do a great job.
Richard Hiralal [00:25:45]:
Right?
Richard Hiralal [00:25:46]:
You'd have a hard time. It's just kind of a trust-me-bro situation. Right. But yeah, great answer.
Arek Dreyer [00:25:54]:
Love it. Well, huge thanks to Richard for joining us on this episode of Patch Me If You Can and for sharing what it looks like to stop reacting and start architecting. If you liked this episode, hit follow and share it with someone who's ready to lead IT from the front. We'll see you next time. Thanks, Richard.
Richard Hiralal [00:26:15]:
Thank you.