Appian’s Andrew Cunje Secures IT Solutions to Accelerate Modernization Efforts
Andrew Cunje joined the Appian team in May 2021. As Chief Information Security Officer, he brings over 20 years of experience in security and compliance initiatives, having led engineering and operations security for Salesforce Public Sector software-as-a-service offerings.
In his off hours, he is an avid gamer, crypto enthusiast, and motorcyclist. By day, Cunje focuses on supporting customers’ cyber needs.
“Security definitely goes beyond compliance,” he said. “With the convergence of IT and OT, operational technology, there is a high degree of complexity. We help make it simple.
Appian offers a low-code platform that enables enterprises and government agencies to build applications at scale. Click-and-drag application building allows developers to standardize across platforms, in a highly secure environment.
This, in turn, helps to accelerate modernization efforts.
“Instead of a government entity having to worry about hiring a contractor with secure developers, they can use our platform with their existing workforce to create new processes or workflows from of its existing datasets,” Cunje said.
As a CISO, Cunje ensures that this happens safely.
“Customers rely on us to provide a secure solution, whether it’s their on-premises enterprise offering or our cloud offering,” he said. “Security is built into the process wherever customers and their data exist.”
To deliver on that promise, Cunje seeks to leverage economies of scale: finding solutions that work across a disparate, global user base.
“The key is to discover the common denominators across all the different compliance frameworks and then use them to raise the bar for all customers,” he said. “It provides an acceleration curve, bringing our product to as many customers as possible with the highest degree of safety.”
Another key to secure IT solutions: simplicity.
“Simplicity allows you to create consistency, and the more things are consistent and measurable, the easier the job of security becomes,” Cunje said. “We want to meet all of these complex requirements with one high bar, then you can secure things consistently. What’s good for one customer or region from a security perspective is good for the next.
In terms of business strategy, delivering on the promise of simplicity opens doors for Appian among government customers looking to accelerate their modernization efforts. They help customers build less, better, Cunje said.
“By making things more consistent in their development and deployment, we can give them easy access to the latest no-code integrations, prebuilt standard connectors, methodologies, and tools,” he said. “We make it very easy for them to create secure applications. We give them secure methods, secure options out of the box.
As with many in the IT security field, Cunje’s biggest challenge is the rapidly changing threat landscape.
“Threat actors are evolving at a breakneck pace,” he said. “But that’s also what makes it exciting. You can kind of always find new ways to break a system. The challenge is to be able to respond and protect this at scale.
For federal agencies, the recent Zero Trust Executive Order gives a nod to this complexity. Bad actors “exploit apps in more sophisticated ways,” Cunje said. “These are interesting problems for us in the security community to solve.”
So how can GovCons and agencies stay ahead of the game in this highly charged threat environment?
“You have to assume the possibility of a violation,” Cunje said. “It means you’re building systems to be more resilient in the event of failure.”
“As an industry, we need to think about leveraging ‘hyper least privilege’ as a security-critical concept,” he continued. “It applies least privilege not just in the traditional sense, but to everything: how you build systems and networks, how you establish trust and identities. Think micro-policy over macro-security principles to create highly resilient security through dynamic configuration. »
Along the same lines, it makes sense to promote a pervasive culture of cyber awareness.
“Security is everyone’s business,” Cunje said. “It should be considered part of all workloads.”
It also helps when GovCons and other key players pool their ideas to stay ahead of bad actors.
“We need more industry collaboration,” Cunje added. “We all face the same malicious actors and threat actors, and we in security could work together to find solutions, not just here but also with other nations.”
A longtime veteran of government space, Cunje said he takes particular pleasure in tackling technical challenges around cybersecurity.
“New technologies come out all the time, and the most interesting part of the puzzle is how you can put things together in a way that makes them very, very hard to break,” he said.
“The fact that it is continually evolving and changing keeps me on my toes,” he added. “In this business, you always have to read the next book, learn about the next technology. In a field like this, complacency is very dangerous, and I really appreciate that feeling of continuous evolution.