We did that by building a series of tech guilds. We built a cloud guild, a data guild, an insourcing framework. We built our NAB Engineering Foundation and with a goal of building a culture of innovation of cloud, of agile, and being able to deliver great products and services to our customers in a cost effective, but very safe way. And as part of that, we started on our cloud migrations and that is really moving at pace now.
Laurel: Insourcing seems to be working so far, but it didn’t happen overnight, as you said. And even though 2018 wasn’t that long ago, what was the journey like to first realize that you had to change the way you were working and then convince everyone to work in a very different way?
Steve: We did realize that if we didn’t get the culture embedded that we would not be successful. So building that capability and building the culture was number one on the list. It was five years ago. It feels like a very long time ago to me. But we started that process and through the cloud guild we trained 7,000 people in cloud and 2,700 of those today are industry certified and working in our teams. So we’ve made really good progress. We’ve actually moved a lot of the original teams that were a bit hesitant, a bit concerned about having to move to this whole new way of working. And remember that our original teams didn’t have a lot of tech skills, so to tell them that they were going to have to take on all of this technical accountability, an operational task that had previously been handed to our outsourcers, was daunting. And the only way we were going to overcome that was to build confidence. And we built confidence through education, through a lot of cultural work, a lot of explaining the strategy, a lot of explaining to people what good looked like in 2020, and how we were going to get to that place.
Laurel: NAB’s proportion of apps on public cloud will move from one third to about 80% by 2025, but security and regulatory compliance have been primary concerns for organizations and regulated industries like healthcare and financial services. How has NAB addressed these concerns in the cloud?
Steve: Initially, there was a lot of concern. People were not sure about whether cloud was resilient, whether it was secure, whether it could meet the compliance requirements of our regulators, or whether the board and our senior leadership team would be happy to take such a large change to the way we did business. We actually flew the board over to meet with many of the companies in the Valley to give them an idea of what was going on. We did a huge education program for our own teams. We created a new thing called The Executive Guild, so that middle management would have a great feel on what we were doing and why we were doing it. And as part of that, we created a set of tools that would help us move safely.
One of those was CAST, a framework that we use to migrate applications to cloud. CAST stands for Cloud, Adoption, Standards, and Techniques. And it really covers all the controls we use and how we apply those controls in our environment to make sure that when we migrate applications to cloud, they are the absolute safest they can be. It’s safe to say that when we built CAST, we actually did an uplift in our requirements. That enabled a lot of people to see that we were taking it very seriously, and that it was actually quite a high bar to achieve this compliance. But we were willing to invest, and we invested a lot in getting the applications to that level.
Another thing we did was build compliance as code. Now, infrastructure as code, what cloud is built on, allows you to then create compliance as code. So all of the checks and balances that used to be done manually by people with check boards, I used to say, are now being done in the code itself. And because a server is no longer a piece of tin in the corner, it’s an actual piece of code itself, a piece of software, you can run a lot of compliance checks on that, also from software.
A third thing that we did to give everyone a sense of comfort is we didn’t pin the success of NAB to the success of any one cloud company. We came up with a public, multi-cloud strategy, and that meant that at least for all our significant applications, we would run them on two different cloud providers. Now that would be expensive if you did every cloud in the most robust way, which would be active-active across both clouds. So we created our multi-cloud framework, which was about categorizing each application across multi-dimensions, and then assigning that workload to one of six multi-cloud treatments. Multi-cloud treatment one being, basically no multi-cloud, it’s an app for convenience. It doesn’t really matter if that application goes away. We allow that to sit in one cloud all the way through to our most critical applications, which we insist on running active-active across both clouds. And in our case, that would be MCT6. So given all of those frameworks, the tools, and the focus that we put on that, I think we gave the organization and the leadership at the organization some confidence that what we were doing was the right move and that it would give us our ability to serve customers well, while also remaining safe.