(upbeat music) >> Welcome back to Fal.Con 22. We're here at the ARIA hotel in Las Vegas. We're here in Las Vegas, a lot. Dave Nicholson, Dave Alante. Fal.Con 22, wall to wall coverage, you're watching theCUBE. Anthony Kunya is here. He's the chief information security officer at Mercury Financial. And he's joined by his deputy CISO, Alex Arengo. Welcome, gentlemen. >> Good to see you. >> Thank you very much. Good to be here. Thank you for the opportunity to speak. >> Yeah, so this is a great event. This is our first time being at the, a CrowdStrike customer event. We do a lot of security shows, but this is really intimate. We got a high flying company. Tell us first about, of Mercury Financial. What are you guys all about? >> Oh, that's a fantastic question. Let's leeway into that. So Mercury Financial is a credit card company that serves people who are near prime. So be it some kind of hardship in their life. They had something impacted, be a financial impact, maybe a medical impact, an emergency, something, a death family where somehow their credit was impacted. We give 'em the opportunity through our motto, better credit, better life, to build up that credit score to add livelihood to their ability to be financially stable. >> I mean, I think this is huge because you know, so many people it's like, okay, one strike and you're out. >> Right. >> You know, that's just not right. You got- >> No, not at all. >> You got to give people another chance. And so there's so much talent out there. I think about some of the mistakes I made, Dave, when I was a younger man, but- >> No comment. >> Right. So I heard a stat today that I thought was great. Did you guys see the keynote? >> Yes. >> Of course. >> So in the keynote, the, they did the thing at Black Hat but they said what's XDR and I thought- Anthony] Oh goodness. >> My favorite, and I'm not going to ask you what XDR is. >> Okay, good, thank God. >> But my favorite answer was a holistic approach to endpoint security. And, you know, I think as a CISO you have to take a holistic approach to a security- >> Of course. >> Okay. >> Maybe talk about, a little bit about how you do that. >> Wow, a holistic approach I would say and I could, I'll give you an opportunity to speak as well, but a holistic approach it's people processes in technology. So a holistic approach would be, it isn't one box that you check. It's not a technology that is a silver bullet that fixes anything. Those technologies, those services are implemented by people. So good training, our human firewall, the forefront of implementing those technologies to build those processes and incorporate people and a level of sincerity and integrity that we build. So I feel like a holistic approach is both cyber culture to build the cyber resilience program that we so dearly need. >> And I could spend all day talking about security organizations, SecOps, DevSecOps, data SecOps, et cetera, but, but Alex, how, what is your role as the deputy CISO? How do you compliment what Anthony does? >> I got to bring it all together, right? So technically, what are we putting in place? What are the requirements that these stakeholders have? Their needs, their wants. We all have something that we need and want in our environment as an employee, as a customer, as a stakeholder. How do do we get that to market? How can we get it there quickly? You know, and it's really about finding the partners that can get us there, right? That can leverage us, that can force multiply us. >> Yes. >> You know, give my people more time to get the work done, the good work. >> Right, the hard work, of course. >> So paint a picture. You know, we hear a lot about all the different, the bevy of tools, the, how complicated CISOs tell us all the time, that we just don't have enough talent. We're looking for partners to help us compromise, but paint a picture of your environment and how you guys use CrowdStrike. >> Oh, that's a good one. Do you want to take this one? >> Great one, right? I mean, we leverage CrowdStrike at every way we can. We're a Fal.Con complete customer. So they're an extension of our team. They're an extension of our SOC right? >> Yeah. >> We leverage them for many things. We leverage them to understand the risk in our environment. Where we're at in zero trust. How we can really bring a lot of the new processes that the business wants to market, right? How can we get there as fast as possible? Can we make it secure, right? I'm a Mercury card customer also. So I'm, I have a vested interested in that. And I like to drive that, that's, so it comes down to can you align your holistic approach, or your organizational goals and bring that to a really good security product that is world class? >> And I can add a little bit to that as well. So I look at it as a triangle. So we leverage Fal.Con complete as that first level, tier one triage, people who do and understand the product extremely well, we leverage them quite a bit. We also have a VSOC service that we have this like, consider tier two or the middle of the triangle, by Verse, right? >> Yeah. >> Fantastic boutique security company that just has been working with us year over year, innovation, strategic initiatives, always there to play. And then Alex Arengo, and the threat management team, is our top tier, that's tier three, that's the top of the pyramid. By the time it bubbles up to Alex, that's when the real work happens, everyone's triaging, collecting data, putting together pieces. And then Alex and his teammates, and people that he's trained, fantastic, comes and puts it all together and paints a picture so we can then take that information and describe it in layman's terms, simple terms, to the business, to make them understand the level of risk, what we have to do to get to, and through that attack, or that indication of compromise, et cetera, so that we can remediate it, rectify it. >> Right, it's building that security culture foundation, right? It's getting everyone to buy into that. >> Yeah. >> It's a holistic approach and it's really the best way to do it, right? You get bought in from the stakeholders understand what they need to do, and what the goals of the business are. And it really works really well >> We journey together. >> We build a program together. >> Dave, I think that that cultural aspect is critical. Cause I've said many times, bad user behavior trumps good security every time. >> Yeah, absolutely. >> Oh goodness. >> Every time. >> Nicely put, I like that. >> So, I know we're early in the week still, but we did have the keynote. Is there anything that you are hearing, in terms of vision, that peaks your interest specifically, and then also sort of the follow up question is, are you guys kind of like lifeguards who can't ever relax at the beach? >> That's why I have a deputy CISO. Well, nobody can take time off, we have to share this. Of course we do. Most definitely. What would you say would be the next, most innovative thing that were looking for? >> Yeah, what's the next big thing, as far as you're concerned? >> The next biggest thing is definitely building the relationships we have. As we bring in new technologies, we go even more Cloud native. How do we leverage that expertise, that of the partners that we're bringing on board like Zscaler, CrowdStrike, Verse, right? How do we make them a part of the team, and make them perform, bring that world class quality talent across the spectrum, you know, from DevOps to that security analyst, picking up the phone and saying, I'm not really sure what's going on, but there's a culture that's built there where everybody comes to the table to feed, right? We all eat together. >> The ecosystem. >> Yes. >> That is the tooling that we leverage day in and day out. That's how we sleep at night. We have to pick our partners. >> You know, we talked about the ecosystem up front, and you look around, you can see the ecosystem and it's growing. >> Yes. >> And I predict it's going to grow a lot more. >> Yes. >> That's, and it has to, right? I mean, exactly what you're saying is that no one company can do it alone. And we heard, you know, we heard, it is confusing. You hear CrowdStrike's doing Identity, but then they partner with Okta. Right, and they're here out on the floor. So that's what you guys need. Talk a little bit more about the importance of ecosystem and partnerships from your perspective. >> Oh I got a good one for this. So I use the metaphor of having a restaurant. So we run a restaurant really well. We know what we want in the menu. We have a chef, we know how we want to put together, but we need excellent ingredients. You make muffins well. Bring your muffin into the restaurant. That brings and builds that rapport. That I want the menu to be rich and empower people to come in and say, you know, I've never had scallops or octopus before, I hear you guys make it better than anyone else, well, our ingredients are fantastic. Therefore, no matter what we do when we present it, it's perfect, it's palatable. >> Yeah. That's great. You're not making ice cream, but you're serving it. >> I can't, if you ever want to show us. >> We're just converging our bakery, you know? >> Yeah, yeah, yeah, salt, salt is the key. >> We're just working the bakery part out, yeah. >> Okay, I want to ask you about Cloud because you know, in 2010, 2011, when you talk to a financial services firm, Cloud, no, that's an evil word, now everybody's Cloud first. George Kurts talks about how, I mean essentially CrowdStrike is dogmatic. We are Cloud native. We have a Cloud native architecture. I know Gartner has this term CNAP or Cloud native application platform. So what does the Cloud mean to you guys? How does it fit in? What does Cloud native architecture do for you? >> It lets us converge everything we've been talking about. How do we, you know, that's a really big struggle that all security teams are having at, having today. How do I converge threat intelligence? How do I converge the environment that I'm in? How do I converge the threat intel that's coming in, right? All this, you're getting, security teams are constantly on a swivel, right? They're looking left, they're looking right. They're trying to identify what to do first. And you bring in the right partners. >> Yes. >> And you get in, you build the right program. You cement that culture internally. And it really provides dividends. >> You know what I think as well, Dave, is in the past, everyone was more data center based. >> Right. >> The Cloud was like a thing we'd forklift, we'd move over, we were born in the Cloud. So Cloud native Application protection is something that we need and will drive innovation. Will align with our strategic initiatives. We need people to think like the Cloud is what's happening. Super Cloud, some of the things that we spoke about. >> Yeah, so I was at, when we were at reinforced, I had this new mental model emerge, and it sort of hit me in the face. And you tell me, I'd love to talk to practitioners to say, yeah, that makes sense or, no, that's crap. So it seems like the Cloud has become the first line of defense for CISOs. Now you're Cloud first or Cloud native, so, okay. But then now you've got the shared responsibility model. And I don't know if you use multiple Clouds. Do you use multiple Clouds? >> We cannot say. >> Cannot say, okay, let's assume for a second, your, some of your colleagues, CISO colleagues, use multiple Clouds. >> They should, okay, sure. >> Now they've got multiple shared responsibility models. Now you've got also the application development team. They're being asked to be the pivot point to actually execute, they got to secure the platform. They got to secure the containers, their run time. >> Workloads, yes. >> And then you got audit behind you is kind of the last line of defense. So things are shifting. Describe sort of the organizational dynamic that you see, not necessarily specific to Mercury Financial, or that would be cool, but generally in the industry. >> Oh, I would say, I could say this, that having Cloud, multitenancy Cloud or the super Cloud model where we could abstract our services our protection, the different levels of security tooling, being able to abstract and speak a common language where you could run in Azure, GCP or AWS, and still have a common language that you can interpret and leverage between all the tooling would be something I would love to see. >> That's Super Cloud >> A magical, that is that. >> That is a Cloud interpreter essentially. >> I think we use different words, but yes. >> A PAs layer, super PAs layer, sorry to take it too far. >> Yeah, like, I want to be able to abstract it and speak a language that would work in any of the- >> What does that do for you as a technology practitioner? >> Well, imagine if you had to speak three different languages with three different people, get lost in translation. If we could speak a common language across all the different platforms and all the different footprints, it would be easier to define our security posture. Where are we? Are we secure? You might say security groups in AWS, it might be, mean something else, but it's still a level of protection that surrounds the end point, right? Something that would abstract that level would be very fun. Very good for me. >> It's, you know, it's pretty easy to understand your use case for this. When you're talking about here we are, Mercury Financial, you have the most sensitive financial information about people, right? >> Right, absolutely. >> A data breach where all of the information about your customers getting out there on the dark web. Right? Heart attack time. >> Instantly. >> What are some things that people might not think about though, that are going on in your world? What would surprise someone who maybe isn't a security specialist in terms of the things that you're dealing with as far as threats are concerned? >> I'm going to leave that on you. >> Can you think of some examples of things that you could, you know, obviously generic examples. >> Right. >> Yes. >> I'm going to point to the number one and two most common ways that applications and businesses are getting owned right now. And that's misconfigurations on your web app or a vulnerable application or phishing. And those are both very important things, right? A lot of development teams, they want to get things to market as soon as possible. And maybe security's on the back foot. It's about building that culture and to, you know, being Cloud native helps you have a, you can provide different tool sets to your organization that helps you understand that posture and makes you help those business decisions. Are we in a good posture to go forward right now? That's a big question that I think most security organizations need to ask themselves and the need to hold other stakeholders accountable. >> So phishing and the concept of social engineering, still alive and well? >> Oh, goodness. >> Always. >> Everything starts with people. The human firewall has to be front of mind. Security can't be an afterthought or a bolt on, that's something that you think about, well, I guess if I have to meet our compliance, it doesn't work with us. >> Comes back to the culture that you're actually talking about before. >> 100%, yeah, cyber resiliency starts with cyber culture. >> Kevin Mandy has said it today. I, never underestimate the adversary. The adversary- >> Of course. >> Is highly capable, motivated, big ROI and it just keeps getting bigger. The more technology gets embedded into our lives. The more lucrative hacking becomes. >> And more attack vectors. We have more areas that we could be potentially penetrated. >> They have a lot of time. Those threat actors have a lot of time. >> They do have a lot of time, yeah. >> Right. >> Right and to your point, you're constantly on the swivel. Right, you don't have time. >> Right. >> No, we don't. >> So do your responsibilities touch on things like fraud detection as well? >> Yeah, oh, that- >> Is that a silly question? I'm thinking- >> Yeah, no, it really is, so- >> No, not at all. >> Or there isn't segregation between what we would think of as IT and the credit card transaction that fires up a red flag. >> Those are integrated. >> It's definitely important. And in any business, right? Is to, like I mentioned, I use this word a lot converge, right? It's converging that intel, that fraud intelligence and making it into a process where we're reducing the risk and the losses that the business is incurring. >> Yes. >> It's so important, right? That we build that culture within the fraud teams, the operational teams, the, you know really anybody who has a really large stake in whatever the business product is. And, you know, being Cloud native, bringing in the right partners, building that security culture. I mean, that's the biggest one. >> Yeah, we've flown. >> It's last and definitely not least, it is, the culture's where you need to be. >> Absolutely. >> You know, you guys, I'm sure, you know, work with a lot of different vendors, a lot of tools, or sometimes the tools are point tools, they're best to breed. CrowdStrike says it wants to be a generational company. >> Oh, yeah. >> It says this notion of an unstoppable breach is a myth. You guys can't live that way. You have to assume you're going to breach but can CrowdStrike be a generational company? >> I think they've proven themselves. They've been around over a decade now. it's 11 years. They just had their birthday yesterday, right? >> Yeah. >> Or anniversary, the company started? >> Yeah. 11 years, yeah. >> I absolutely, and I also agree to add it a little bit part, from the fraud part. I think CrowdStrike would be an integral piece of the overall solution that we have. It hits so many different aspects and looks at so many different potential attack vectors. I keep using that word, but I think integrating fraud in other parts and other functions of the business will start to see that they can leverage CrowdStrike. That there's tooling within CrowdStrike innovatively, like ahead of the game. And I always like that about CrowdStrike, being way ahead of the game and thinking in front of our adversaries. I think other departments will be like, what tools do you have, how can we use them? This is fantastic, this makes us feel better. We don't have to worry about that. We can focus in on what we're good at and build that best of breed solution. So fraud can focus on fraud and you can leverage the tooling and the infrastructure that we provide them together holistically to build a security program that's beyond reproach. >> Guys, we got to go, great perspectives. Always love having the practitioners on. >> Yeah, thank you. >> I really appreciate your time, thank you. >> Yeah, absolutely, always a pleasure. Thank you so much for your time. >> Anthony, Alex, Dave and Dave will be right back, right after this short break. You're watching theCUBE from Fal.Con 2022 from the ARIA in Las Vegas. >> Cheers my friend. >> Yeah, of course. (cheerful music)