Andrew Cunje joined the Appian team in May 2021. As chief information security officer, he brings over 20 years’ experience in security and compliance initiatives, having ran security engineering and operations for the Salesforce Public Sector software-as-a-service offerings.
In his off hours, he’s an avid gamer, crypto enthusiast and motorcyclist. By day, Cunje is focused on supporting customers’ cyber needs.
“Security definitely goes above and beyond compliance,” he said. “With the convergence of IT and OT, operational technology, there’s a high degree of complexity. We’re helping to simplify that.”
Appian offers a low code platform that enables businesses and government agencies to create applications at scale. Click-and-drag app creation empowers developers to standardize across platforms, in a highly secure environment.
This, in turn, helps accelerate modernization efforts.
“Instead of a government entity having to worry about hiring a contractor that has secure-cleared developers, they can use our platform with their existing workforce to create new processes or workflows off of their existing data sets,” Cunje said.
As CISO, Cunje works to ensure that happens securely.
“Customers rely on us to deliver a secure solution, whether that’s their corporate on-prem or our cloud offering,” he said. “Security is baked into the process wherever the customers and their data exist.”
To deliver on that promise, Cunje looks to leverage economies of scale: finding solutions that work across a disparate and global user base.
“The key is to discover the common denominators across all of the different compliance frameworks, then using that to raise the bar for all customers,” he said. “That yields an acceleration curve, bringing our product to as many customers as possible with the highest degree of security.”
Another key to secure IT solutions: simplicity.
“Simplicity allows you to create consistency, and the more things are consistent and measurable, the easier the job of security becomes,” Cunje said. “We want to address all of those complex requirements with a single high bar, then you can secure things consistently. What’s good for one customer or region from a security perspective is good for the next.”
In terms of business strategy, delivering on the promise of simplicity opens doors for Appian among government customers looking to accelerate their modernization efforts. They help customers to build fewer things, better, Cunje said.
“By making things more consistent in their development and deployment, we can give them easy access to the latest zero-code integrations, pre-built industry standard connectors, methodologies and tools,” he said. “We make it very easy for them to build secure applications. We give them secure methods, secure options out the box.”
As for many in the IT security space, Cunje’s biggest challenge is the fast-changing threat landscape.
“Threat actors move at a grueling pace,” he said. “But that’s also what makes it exciting. You can kind of always find new ways to break a system. The challenge is to be able to respond and protect that at scale.”
For federal agencies, the recent executive order on zero trust gives a nod to this complexity. The bad actors “are exploiting applications in more sophisticated ways,” Cunje said. “Those are interesting problems for us in the security community to solve.”
So, how can GovCons and agencies keep ahead in this highly charged threat environment?
“You have to assume the possibility of a breach,” Cunje said. “That means you build systems to be more resilient in failure.”
“As an industry, we have to think about leveraging ‘hyper least privilege’ as a concept that is core to security,” he continued. “That’s applying least-privilege not just in the traditional sense, but to everything: how you build systems and networks, how you establish trust and identities. Think micro policy on macro security principles to build highly resilient security via dynamic configuration.”
Along these same lines, it makes sense to promote a pervasive culture of cyber awareness.
“Security is everyone’s job,” Cunje said. “It needs to be considered a part of all workloads.”
It helps, too, when GovCons and other key players pool their insights to stay ahead of the bad actors.
“We do need more collaboration across the industry,” Cunje added. “We’re all up against the same bad actors and threat actors, and we in security could be working together to find solutions, not just here but with other nations as well.”
A longtime veteran of the government space, Cunje said he takes special pleasure in tackling the technical challenges around cybersecurity.
“New technologies come out all the time, and the most interesting part of the puzzle is in looking at how you can put things together in a way that make it very, very difficult to break,” he said.
“The fact that it’s continuously evolving and changing keeps me on my toes,” he added. “In this business, you always have to read the next book, learn about the next technology. In a field like this, complacency is very dangerous, and I really enjoy that sense of continuous evolution.”