Security is an essential element in any company, regardless of the sector in which it operates. The CISO has become an essential figure with an increasingly important role in the strategy and business of organizations. If their work is already fundamental, in the case of a technology company it is multiplied: they not only have to protect the company they work for, but also ensure that the solutions the company develops are secure. This is the case of Andrew Cunje, Appian’s CISO. We talked to him about his work and the growing importance of cybersecurity.

What is your role at Appian?

I’ve been at this company for five years. Before Appian, I was at Salesforce, where much of my work was related to infrastructure. Since arriving at Appian, the team I lead has been responsible for the security of both production and the company. So we have two separate engineering teams that build services for the company, protect the company and build services for production, building infrastructure blocks. We also have the incident response team and the marketing function. So we take care of trust, GRC, sales and security, and also of questionnaires and audits when they come up. We also have two lawyers specialized in cybersecurity. The team has grown a lot. Now we are about 70 people. It is a great investment.

What is the company’s cybersecurity strategy? Do you apply the same strategy to your customers?

Yes. The best way to describe security at Appian is that we have 30 different certifications, so we are heavily regulated for our clients. And we carry those certifications in all the countries in which we operate. It is a common language for us. When we think of any control, parameter or security solution, we try to do it for all customers. And in that scenario we include Appian itself as a client.

Across these 30 certifications, we apply security in all cases, because what is good for one client is good for the next one, unless it is something specific such as, for example, FIPS (Federal Information Processing Standards). Perhaps the Spanish government does not want FIPS or FIPS encryption. So, first, we reduce it to that basic concept. The next thing we do is set the foundations of security, and that’s it. What I mean by this is that, when we incorporate security into the product, we want to ensure that the fundamental basic components that make it secure are present. Thus, if we create a workload in the company or for a client’s infrastructure, it will have all the basic elements or the appropriate supply chain that will allow it to start a service securely. Our idea comes down, in short, to laying the foundations of security and then expanding on them.

Today, AI agents are showing up in several use cases and look like a fashionable technology. What implications do agents have in terms of security, given that they act within the platform and trigger different actions within the Appian platform? Does this also fall within your area of responsibility?

Yes. Any product developed internally for our customers or any solution for our internal employees interacts with the security team. So we have threat assessment, compliance controls and regulatory controls. In short, security is integrated into our software development life cycle, whether in production or in the company. As for AI agents and how we see them differently, the best way to start thinking about that landscape, or our way of seeing it, is that an agent is simply a non-human identity. It is just another identity that interacts with the data. And all our security follows the data. So, regardless of where the data is, depending on the context of that data, depending on the risks associated with that data or that application, a different policy will be applied. And this is what we offer or extend to our clients when they work with Appian.

How can attackers access the data? For example, I could create an agent on the fly and ask it to look for the data that interests me. What are the scenarios that you have evaluated and what corrective measures have you applied?

With AI security, it is about both protecting the data and checking the models. Therefore, one of the things that Appian is very clear about is, in the first place, that it is a private AI. Second, we have an object. It is called a “software bill of materials.” This is the AI bill of materials. Some of the things we do are like input sanitization. We want to make sure they don’t try to trick the model into doing something you would not want it to do. But, again, everything goes back to the base of our infrastructure, which has all these security barriers, starting with access to objects. We do not want them to have excessively permissive access. Of course, this is something that is integrated into the process at each step of the way for customers.

But what about protecting the agent itself?

The agents themselves are created within the Appian platform. That platform has all the regulatory frameworks and all the security elements. It is built on the same infrastructure platform on which Appian is based, and it creates the same agent infrastructure inside Appian.

All platforms, including Appian’s, are based on three elements: technology, security and regulatory compliance. Is it very difficult to combine these three factors on a platform like Appian’s?

The best way to combine the three elements must always start from the point of view of security. At Appian we will implement everything that is necessary to guarantee security. We will never relax controls. Now, the question is: how can you advance rapidly at large scale? I think it goes back to what I said at the beginning, which is to have a solid security strategy based on secure-innovation principles. So, if we are going to create this new service, we know that it will rely on the appropriate services for certificates and secure containers, so we can scale very quickly. Because the last thing we want is to slow down innovation. For me, security and innovation are not incompatible. They are complementary.