Matt Ramberg is the VP of Information Security at Sanmina, which is one of the world’s leading integrated manufacturing solutions providers. Ramberg has been with the organization for the majority of his career, and in that time, he’s seen security evolve from an afterthought to one of the most important departments across the organization.
In her latest installment of this interview series, our chief customer officer Rachel Orston sat down with Ramberg to discuss his career, the organization’s transition to a Zero Trust model, and the team’s strategies for enabling remote work during the pandemic.
Editor’s note: This interview has been edited lightly for clarity.
I’d like to open it up by hearing a little bit about yourself and the role you’re in today. What were some of the key leadership opportunities you’ve had along the way that helped you get to where you are?
I’ve been with Sanmina for about 22 years. I joined in an IT capacity. Traditional IT didn’t really exist in the company so I was hired as what they called a software coordinator, which was just the guy that ran around with CDs and installed things. At the time we didn’t even use Office. We used WordPerfect, if you remember that. It was a good time because that’s when everything started changing from a technical perspective. As time went on, I just progressed up the chain. And about 10 years ago, I became the director of IT.
Around that time, security started to become really important. Before then, it was one of those things where you’d say, “We have to spend money on it, but somebody is taking care of that, so don’t worry about it.” So around that time, we created an actual security department. Security used to be an additional duty for someone like me. But customers started asking us about how we secured various things, so the CEO and CIO came to me and said that we needed someone to run that department—and I got to build it from scratch.
As I mentioned, I came up in a traditional IT world, not a security world. I didn’t possess a CISSP or any other credentials like that. So we went out and hired a few people, which is when we started finding out just how much we didn’t have from a security perspective. And over the past five years, we’ve poured lots of money into security.
At each step, we’d realize something else that we didn’t have. And that’s what eventually led to BetterCloud. We looked at all the tools we had in place, and then realized that we didn’t have what we needed to secure that part of the business.
I love that. Can you describe how your adoption of cloud services has gone? Where do you see it going? And how has the company adapted to the cloud?
Several years ago, you could see that everything was going that direction because we were all doing it in our private lives. And it was obvious that people at the company were eventually going to want more things in the cloud.
It was one of the things that I liked about BetterCloud Discover. It helps us look at our plans and see what our employees believed they needed to do their jobs. We didn’t have anything like that in the past, but we were already going down that road.
And we just started moving things. The very first thing we moved was our email platform. We had Outlook and Exchange, and that was the very first thing we moved. And to be brutally honest, the employees did not take it well. Once they learned it, they got on board and understood it.
But the adoption has just been a complete 180. It used to be, “Explain why we should look at using the cloud.” And now it’s, “Explain why we should ever buy hardware and do anything on-prem.” That’s generally the approach we take from an IT governance standpoint. We just assume a need is cloud-based, and when it’s not, folks need to explain why it’s on-prem. I would dare say, except for a couple of applications, we probably would not have a true data center anymore. It would still be a data center, of course, but it wouldn’t be on prem.
How did that prepare you then for some of the challenges that came with the pandemic? Would you have had some of those challenges regardless? Or were some new things introduced as a result of people having to work from home?
I was talking to our CIO about this recently. I’m not going to brush it off as though it was an easy transition, but we had every solution in place. So this didn’t necessarily change our approach to anything; it simply sped it up.
We had already planned to have a number of people working from home. We were going to put more solutions in the cloud so people could get to them from anywhere. It was already in the works. The pandemic simply sped it up. The biggest challenge, like any company, was: “Yesterday, Rachel didn’t need to work from home. Today, Rachel does.” And that’s more of a configuration challenge. You have to go into the system, grant her VPN access, and things like that. I think as a company, we dealt with it really well. And we have a Zero Trust implementation.
Was that a big shift for you to move in that direction?
It was. Employees are used to getting on a network and going wherever they need to go. And Zero Trust is a whole different mindset where I’ll put you on the network, but you have to tell me where you need to go. So it was a much more secure route, but employees weren’t thrilled about it. So getting them to understand all of that was probably our hardest challenge. Also just as hard was coming up with enough laptops for people, because we didn’t want them using their personal computers.
In other interviews I’ve done, procuring hardware is a universal challenge, especially in the first few months of the pandemic. Were there other opportunities to innovate this year that you feel better positioned to take on than you were before the pandemic?
There are. We wanted Zero Trust in place because we knew that that’s the future. One of the challenges I was having was that people wanted to leave our old VPN boxes in place, and we were slow-rolling the move to Zero Trust. The VPN boxes give you everything. You might still use traditional VPN today, but once you get on it, you’re on it.
And that was probably my favorite. Because I’m a security person, it allowed me to say, “No more excuses, turn that thing off.” There were people that were not thrilled about that, but it really was something we had always planned to do. Without the pandemic, the plan was to get rid of our traditional VPN boxes by December 31st. Because of the pandemic, we got rid of them in June. So it just really pushed things forward on that scale.
To people that are reading this and are also trying to tackle Zero Trust, can you share any lessons learned or advice?
Probably two things. And the very first one is what I told my team: Stick to your guns.
I explained to them that we were going to get negative feedback from employees. I knew they were going to be upset, but we needed to understand where they’re coming from and try not to get frustrated with them. It was our job to explain to them why we’re doing what we do. Too often, IT in general and security in particular, we just do things. “Ah, it’s for the benefit of Rachel.” But we never explained to Rachel why we’re doing it.
Number two, now I’m sure you’ve heard this a million times, you need to have buy-in from management. If management is not on board, it goes nowhere. If my boss didn’t agree with it, it’d be very tough for me to enforce anything if people are going around me to him. So the fact that we had that level of buy-in was extremely helpful. But again, it’s because we explained to them why.
We broke it down into simple, basic terms. “Here’s the issue if we don’t do this.” And they understood it, and understood why we’re pushing it. And so I didn’t have to worry about getting an email from some executive VP that said, “What the heck are you doing?” He understood it. Many of the emails I got were simply, “Can we do it faster? Can we get this person up and running?”
That brings up an interesting thought too. Obviously the “why” is important. In this new era of remote work and productivity, where IT is underpinning every interaction, what does success look like to you one year from today?
That’s a heck of a question there. I’ll start with a very basic thing. We have nothing in place today where our employees can find our policies and read them. Again, it’s a very basic thing, but we just don’t have that in place. Most employees have never even read our policies. They didn’t know that Twitter is blocked on the network, for example.
Like most security people, I just want there to be one day where there isn’t a ticket that says something was hacked, or stolen, or breached. But most of the tickets we get are things that we look at and go, “Well, you should have already known that.” It’s either in the policy or it was in part of our training. And our biggest goals have always been to reduce that.
I really like that. I usually wrap these up by asking about the one thing you miss most and hope to do again in the near future when the pandemic is over.
The travel and the presentations. For years, we’ve been trying to cut back on travel. But I can get so much more accomplished if I’m in front of a group with a presentation, explaining what we do. And every year, we would work it out somehow. I’m a United 1K flyer, and this year, I don’t have that. That’s not to knock this sort of interaction, which I think is great. But when it’s any group larger than just you and me, I don’t think it’s tremendously helpful, especially compared to speaking to a group of 200 people at a remote plant.