Ankur Shah, Palo Alto Networks | Palo Alto Networks Ignite22
>> Narrator: theCUBE presents Ignite 22. Brought to you by Palo Alto Networks. >> Hey, welcome back to Las Vegas. Lisa Martin here with Dave Vellante. This is day two of theCUBE's coverage of Palo Alto Ignite 2022. Dave we're just talking about how many times we're in Vegas. And we were here two weeks ago with our guest who's back in Alumni. And it's a blur, right? >> It's true, I lost count. Luckily I'm not flying red eye tonight. So that's good. >> I'm impressed. >> Excited about that. >> Yeah >> I'm actually going to enjoy the, nightlife here for a period of time. And, you know, we were at re-Invent. >> Yeah. >> And what a difference. This is nice and relaxed. You have time. You're not getting bumped in the hallway. >> Right. >> A lot of time for learning. So it's been great show. >> It's been great. And one of the things that we've been talking about is the supply chain. Securing the modern software supply chain is really complicated. We've got an Alumni back with us, to talk about what Palo Alto is doing in that respect. Ankur Shah joins us. The SVP and GM of Cloud Security at Palo Alto Networks. Welcome back. >> Yeah, happy to be back. Good to see you again. Dave and Lisa. >> It's been two long weeks. >> Ankur: I know. It's been two weeks, yeah >> Dave: It's kind of crazy. I mean, ReInvent really was a blur. And it's like you had everything coming at you. And there was obviously a big chunk of security, but you. It was just so much to absorb. >> Yeah. >> Right? >> Yeah, and I couldn't get into any of the sessions versus at Ignite. I mean, you could, you could learn a lot. To your point Dave. And 70,000 people versus 3000 in change. Big difference. >> Dave: Yeah. >> Lisa: Huge difference. >> Yeah. >> Lisa: Huge difference. So we touched on the Cider acquisition. >> Ankur: Yeah. >> Which was announced the intent to acquire last month. Let's dig into a little bit more of that, and then some of the great things that had been announced. >> Ankur: Yeah. 
>> In the last couple of days. >> Oh, absolutely. So, this is something that we have been marinating for last nine months. Thinking about how best to secure supply chain. And this is software supply chain. The modern application software is fairly complex. You know, back in the days when I was a developer, it was a simple three tier application. Ship the code once a year, et cetera. But now with microservices, new architectures, Kubernetes Public Cloud, we talked about this. It's getting super complicated, and the customers are really worried about securing their entire supply chain. Which is nothing but the software pipeline. And so we started looking at a whole bunch of companies and Cider really stood out. I mean, they had, they were the innovators in this space. Very early days, we've seen supply chain attack. But there hasn't been a really good and strong solution in that space. And Cider just delivered that incredible team. Great technology, super excited about what that integration will look like in the coming quarters. >> What do we need to know about them? I mean, I'll be honest with you, I wasn't familiar with Cider until I saw you guys made the announcement of the intent to acquire them. What, what should we know about them? Why Cider? What was it that attracted you to them? >> Ankur: Yeah, so, you know, we have a history of technology acquisitions as you know, over the last four years, just in the public cloud. We acquire over half a dozen companies, small and large. And typically we are always looking for companies who have the next gen technology available. Technology that is more in tune with how application software is going to look like in future. So we're not always going after companies that are making you know, tens of hundreds of millions of dollars in a year and all. We're looking for the right tech. The future. And that's what we found in Cider. Like they have a really strong application security background. 
And AppSec just broadly speaking, supply chain is part of it. But application security, just broadly speaking, is right for disruption. You've got a lot of vendors, who have been around for like last two decades. Old school stuff, lots and lots of false positives. So we've been bolstering, beefing up our portfolio in the application security space. And Cider really fits right nicely into it. Because it can like I said, secure a lot of technology and tooling, that software developers use as part of their software supply chain. So, great founding team, great technology. It was a perfect fit. >> Talk about integration. We spoke with Nikesh yesterday, with Nir, with a whole bunch of folks. Lee this morning. BJ yesterday as well. And one of the things that seems to stick out at me. With all the shows that we do, is the focus that Palo Alto has on ensuring that it's making the right acquisitions. But that it's the integration, is really seems to be like leading part of the strategy. That seems to be a little bit of a differentiator to me. >> Yeah, it absolutely is. There are two ways to integrate a technology into an existing platform. And Prisma Cloud is a platform as you know. Code-to-cloud, CNAPP platform as we call it. One is just kind of slotted in, put the whole thing in a box. And that's basically making one plus one equal to two. We're looking for high leverage in integrations, whereby once that integration comes along. It makes the rest of the platform even better and superior. It makes that technology look even better. So that's why there's a lot of focus on ensuring that we're delivering the right type of integration, that delivers instant customer value. And that makes the overall platform even superior. So customers don't feel like hey, like there's just one more add-on, on top of the other thing. >> Lisa: Right, not a bolt on. >> So that's why there's a lot of focus on that. Getting the strategy nailed. 
Because the founding teams generally have a preconceived notion about how the world looks like. Then they understand how Prisma cloud and Palo Alto Networks think about it. And then, we sort of merge the two ideas, and build something that's incredible. So I am, we're spending a lot of time in integration. That honeymoon phase of like, let's high five acquisitions done, that's over. Now it's the grinding work of actually getting this right. And you know, getting hundreds and thousands of customers. >> Well I like how you don't have the private equity mentality. It's not about EBITDA and cashflow. We'll take care of that. >> Ankur: Yeah. >> You know, it's about getting that integration. Getting that flywheel effect, inside the platform. You know, we said one plus one equals, maybe even more than two. Can you explain Prisma Cloud Secrets Security? What is that all about? What do we need to know about that? >> Ankur: Absolutely. So, the developers, you know generally store some stuff in the code repo for their automation work to build application. And that thing, the API keys or as Secrets are stored in code repo. It shouldn't be. Or even if they are, they should be encrypted, or locked down and things of that nature. But, you know, the need for speed trumps everything else. Developers want to go fast. And sometimes they're like, okay well. I guess my application needs this particular, you know API access token or secret. I'm just going to stick it in the code. Now the challenge with that is that, if somebody gets hold of your code repo. Now not only is your code repo, which has all your sensitive data. Your code is the life and blood of a technology company. That's in trouble. But also those secrets and API access keys can be used to log into your cloud accounts. And there you may have sensitive customer data. Everything that you have as a technology company stored in that public cloud accounts. So that's the worry. It's usually the initial access for the kill chain. 
Because that's where the attacks start. Let me get the secret, let me get the API access key. And let me see what I can do in public cloud. So we are now giving customers the visibility into where the secrets are stored. More importantly, it just right there on developer's face. In the code repo as they're checking in the code. They say why, hey, there's a secret here. Are you sure you want to, you want to keep it like this, no? Okay, well then you can either encrypt it, or just get rid of it. So we're making, we're bringing security where the developers are in their code repo, et cetera. >> So I can see a lot of developers saying, yeah, go ahead, encrypt it. So I don't have to do anything else, you know, extra. It's almost, the analogy is a very small you know, version of this. It's like, use a password manager. You store all your passwords in your contacts on your phone, right? I mean, somebody gets a hold of your contacts, you're screwed. >> Ankur: That's exactly right. >> And so, but I could still see a lot of developers say, check in the box. Say, yeah just encrypt it, leave it there. But you're saying best practice is to not to do that, right? >> Yeah, usually you're not supposed to, you know, store all your secrets, et cetera in code repo to begin with. But if you do, you know, you use a key vault like technology to really encrypt it and store it in a secret manner, yeah. >> Dave: There's an old saying, bad user behavior trumps great security every time. >> Ankur: Every time. >> But this is an example where, we know you're going to have bad behavior. So we're going to protect the bad behavior. >> Yeah, and actually, sorry Lisa, just to that point. The bad user behavior trumps good security. The classic example, this happened three weeks ago. Three, four weeks ago, where Dropbox, one of the file sharing companies there. 120 plus code repos were exposed. And the way their attack started, was a simple social engineering attack. Bad user behavior. 
There was an email, hey, like your passwords are updated for your, you know, this code plugin. Can you enter the password? And boom, now you have access to the code repo. And now if you have secrets inside of it, now, you know all bets are off. >> Are there hard-coded secrets versus like, I mean, like I think like, like you were saying, Dave. Like usernames and passwords and tokens, versus like soft coded secrets. >> Ankur: It's, I think it, this is more so two forms of it, you know. The most primary one is what we call the API access keys. And this keys are used to access cloud accounts, workloads and things of that nature. But there are actually secret secrets. Could be database login passwords, et cetera. The application is using it to spin up databases. Now, you know, you have access to the data stores. Any other application, there's a login password, all of that stuff. So it's less about the user password, but more the application and databases and things of that nature. >> Dave: So again, and, again, everybody should be using password managers. But when you use a password manager, it's going to give you a long list of passwords, that are either been compromised or are weak. And you just go uh, okay. So can you help? How do you help customers identify what the high risk? You know, API, you know, access are versus those ones that they may not have to worry about. >> Ankur: Yeah, look. You know, secrets aside. Risk prioritization is one of the biggest topics that our customers have across the board, in cloud security. All the security vendors are really, really good at one thing, generating alerts. Everybody does it. They generate an alert. You know, your ring camera, if you've got one. I mean this pop up every day, like every minute rather. Well like can you prioritize it for me? What should I really look at it? So that's a number one thing. What Prisma Cloud does is, you know, contextualize it. What the real risk is? 
They can tell you like, hey, here's the kill chain. If this thing, you know, goes to public internet. These are the potential exposures that you have. So we provide a prioritized risk of critical alerts that customers have to take care of before they can start taking care of more hygiene type of stuff, right? So that's how we do it. Like we leverage a lot of technology. We apply a lot of context. We tell you like, hey, this code repo is not protected by multifactor authentication. And then there's a secret inside. Are you sure, you know, you don't want to fix it? So that's what we do. But it's a great question. Top of mind for all our customers. And that's how we think about it across the board. Versus generating just alerts all the time. >> Dave: Is the strategy, Because we all know phishing is the sort of most, you know obvious way to. It's the top way in which people get hacked. >> Ankur: Yeah. >> Is your strategy essentially to say. Okay we know that's going to happen, so we're going to try to protect it at the back end. How much of the, maybe it's an industry question. more so than just a Palo Alto specifically, How much emphasis is do you think the industry is taking or should be taking on stopping that, you know that those phishing attacks? Because if that's the number one problem you know, maybe that's where we should be starting. >> Yeah, it's a great question. It's typically the initial vector, for a lot of attacks to your point. But there is one thing that technology and AI cannot solve. Which is the user behavior, to your point. Like we can't get into the heads of the user. I mean, you can train them, you can do everything. You can't prevent somebody from clicking a button. Of course there's technology out there for email security that does that. But your point is, right, it's going to happen. Now what do you do? How do you protect your applications, your crown jewel? You know, whether it's in the cloud or it's in the code repo. 
So a lot of what we are trying to do in code security, or cloud security, or in general at Palo Alto Networks. is to protect those crown jewel. Because we can't prevent somebody from doing something. User behavior is hard to change. >> Dave: So it's almost like, okay, you left your front door open. Somebody's going to walk in, but oh, they walk into a vault. And they don't know where to go. And there's nowhere they can- >> Ankur: Yeah. >> You know, nothing they can take. They can't get to the silverware or the jewelry. >> I think that's it, yeah. >> What are some of the things, like as we look at, we're wrapping up calendar year '22 heading into '23. That customers can look to Palo Alto Networks to help them achieve? One of the things that we talked about with Nikesh and Niri yesterday, is consolidation. Like, and you guys just did a recent, survey. >> Ankur: Yeah. >> About the state of Cyber, and organizations on average have 366 apps in their environment. 31 security tools, 30 to 50 security tools. >> Ankur: Yeah. >> Consolidation is really key there. What are some of the things that you are excited about to deliver to customers where consolidation is concerned? >> Ankur: Yeah. >> Where software supply chain security is concerned in the next year? >> Yeah, absolutely. Look, there are over 3000 security vendors. And this can be, I mean you talked about average customer having 300. I was talking to a CSO, this was last year for one of the largest financial institution I go, "How many security tools do you have?" He got 120. I said, why? He goes, we have a no vendor left behind policy. >> Wow. >> It's crazy. >> Dave: What? >> Obviously he was joking, but it's crazy, right? Like that's how the CSO's are. >> Dave: I mean, he was kidding. >> Yeah. >> Dave: But recognized that. Wow. >> Yeah, and, this is the state the security industry is in. And our mission has been, and Lee and Nikesh and Niri talked about it. 
Is just platforms, will platforms take moonshots, things long term. And especially the macro headwinds that we're seeing. We're hearing more and more from the customers that, look we're not going to buy point product. Then we got to buy another product that stitches it all together. We need platforms, whether it's for zero trust, Prisma SaaS, whether it's cloud. Prisma Cloud or for your SOC transformation. You know XIM and Cortex line of products. So I think you're going to see more and more of that in 2023. I'm confident in that. >> We heard from Lee today, the world record's 400. >> Yes. >> Yeah. >> That's crazy. >> He's going for it. He's got a ways to go. 120 He's got to... >> Maybe he wasn't, that guy wasn't kidding about his no vendor left behind policy. (laughing) Do you have Ankur, a favorite customer story that really articulates the value of what Palo Alto delivers and continues to. You know, 'cause one of the things that Nikesh said in his keynote was that you know, security's a data problem. Well every company these days, in every industry has to be a data company. But really what they need to be able to be is a secured data company. >> Ankur: Yeah. >> How are you guys enabling that? >> Oh, absolutely. Look, many customer examples come to mind, but speaking of data. You know, one of, some of our largest customers who are protecting their PCI workers where they have sensitive data. They're using for example, Prisma Cloud, to ensure that malicious attacks don't happen. And those workloads are used for credit card processing. They're processing tens of thousands of credit card transactions a second. And make sure that nobody gets hold of that. And that's why they have to make sure that nobody is. No attacker is trying to get hold of the sensitive data, to your point, So we have customers across financial services, media and entertainment technology company. Where we are helping them go as fast as possible in public cloud. 
Go through digital transformation, by securing their applications. >> Dave: What's the T-shirt say? I see code. >> Oh yeah. >> Dave: Secure from Code to Cloud. >> Lisa: Shift Happens. >> Shift Happens, Secrets from Code to Cloud. >> I love that. I was looking at that, going back to that, what's next in cyber survey? >> Ankur: Yeah. >> It said 74% of respondents, and I believe there was 1300 CIO's, CXO's that were surveyed globally. Where they said security is slowing down DevOps. Can customers look to Palo Alto Networks to help them? >> Ankur: Be enablers? >> Yes. >> Yeah, hundred percent. Look, the conversation over the last few years have changed now. Security used to say like, oh, I don't know about these people who are building applications. The DevOps is like security slowing down. I think there's an opportunity for companies like Palo Alto Networks, to build the bridge between the two. And the way we do it is make the securities easy, simple and not super intrusive. Where developers have to do a natural thing. And one part of it, and I talked about it earlier, is bring security where the developers are. In their code repo, in their IDE. Make it super simple. Don't make them do unnatural things. And it just, this is no different from changing the behavior of our kids. Right? Like you make them do unnatural things, they're not going to do it. But if it is part of their regular, you know, day-to-day operating procedures. I think they're going to be more open to change. Yeah. So I think it's possible. And Palo Alto has a huge responsibility to bridge the divide between the apps team, or the DevOps and the security organization. >> Lisa: Lots of great stuff to come. We thank you so much for coming back, two weeks. Only being on two weeks ago. We appreciate your insights, learning more information. It's great to see you at Palo Alto Ignite. And we'll have to have you back on. 'Cause we know that there's so much more to follow with respect to what you're doing. 
And shifting left, shift happens. >> Awesome. Lisa, Dave, thank you so much. It's been a pleasure. >> Lisa: Thank you so much. For Ankur Shah and Dave Vellante. I'm Lisa Martin. You're watching theCUBE. The leader in live and emerging tech coverage.
Manoj Nair & Adi Sharabani, Snyk | AWS re:Invent 2022
(soft electronic music) >> Good afternoon guys and gals. Welcome back to theCube's Live coverage of AWS re:Invent 2022. We've been in Sin City since Monday night, giving you a load of content. I'm sure you've been watching the whole time, so you already know. Lisa Martin here with John Furrier. John, we love having these conversations at AWS re:Invent. So many different topics of conversation. We also love talking to AWS's partner ecosystem. There's so much emphasis on it, so much growth and innovation. >> Yeah, and the thing is we got two great leaders from a very popular company that's doing very well. Security, security's a big part of the story. Data and security. Taking up all the keynote time, you're hearing a lot of it. This company's a company we've been following from the beginning. Doing really good stuff in open source, cloud native, security, shifting-left. Snyk's just a great company. With the CTO and the head of the product organization, these guys have the keys to the kingdom in security. We're going to have a great conversation. >> Yeah, we are. Both from Snyk, Manoj Nair joins us, rejoins us, for your, I believe, 11th visit. Chief Product Officer of Snyk. Adi Sharabani, Chief Technology Officer. Welcome guys. Great to have you. >> Yeah, thank you. >> Great to be back. >> So what's going on at Snyk? I know we get to talk to you often, but Manoj, give us the lowdown on what are some of the things that are new since we last connected with Snyk. >> A lot of innovation going on. We just had a major launch last month and you know when we talked to our customers three big themes are happening in parallel. One is the shift to going from traditional development to, really, DevOps, but we need to make that DevSecOps and Snyk was ahead of, that was the genesis of Snyk, but we're still, you know, maybe 15, 20% of organizations have realized that. So that one big theme. Supply chain security, top of mind for everyone. 
And then really, cloud and, you know, how do you really take advantage of cloud. Cloud is code. So our innovation map to those three big themes, we have done a lot in terms of that shift-left. And Adi will talk about, kind of, some of our original, like, you know, thinking behind that. But we flipped the security paradigm on its head. Was to make sure developers loved what they were, you know, experiencing with Snyk. And oh, by the way, they're fixing security issues. The second one, supply chain. So you know, SBOMs and everyone hears about this and executive orders, what do you do? Who does what with that? So we launched a few things in terms of simplifying that. You can go to our website and, you know, just upload your SBOM. It'll tell you using the best security intelligence data. In fact, the same data is used by AWS inside their products, inside Inspector. So we use that data from Snyk's intelligence to light up and tell you what vulnerabilities do your third party code have. Even things that you might not be scanning. And then the last one is really code to cloud. Cloud is code. So we have brought the ability to monitor your cloud environments all the way into your platform and the security engineering teams, rather than later on and after the fact. Those are some of the big ones that we're working on. >> Lisa: Lots going on. >> Yeah. >> Lisa: Wow. >> Lots going on there. I mean, SBOMs, Software Bill of Materials. I mean, who would've thought in the developer community, going back a decade, that we'd be talking about bill of materials, open source becomes so popular. You guys are cloud native. Developer productivity's a hot trend. Not much going on here, talking about developer productivity. Maybe Werner, keynote tomorrow will talk about it. Software supply chain, huge security risk. You guys are in the front lines. I want to understand, if you can share, why is Snyk successful? Everyone is hearing about you guys. Your business is doing great. 
What's the secret sauce of your success? Why are you guys so successful? >> I think that, you know, I've been doing application security for more than two decades now and in the past we always saw the potential associated with transferring, shifting-left in a sense, before the term, right? Taking those security solutions out of the hands of the security people and putting it in the hands of developers. It speeds up the process. It's very, very clear to anyone. The problem was that we always looked at it the wrong way. We did shift-left, and shift-left is not enough because in my terminology shift-left, meaning let's take those security solution put it earlier in the cycle, but that's not enough because the developer is not speaking those terms. The developer is not a security persona. The security persona is thinking in terms of risk. What are the risks that a specific issue creates? The developer is thinking in terms of the application. What would be the impact on application of a change I would might make into it. And so the root cause of Snyk success, in my opinion, is the fact that from the get-go we scratch that, we build a solution for the developer that is based on how the workflows of the developer, whether it's the ID, whether it's the change management, the pull request. Whether it's integration with the Gits and so on. And whether it's with integration with the cloud and the interaction with the cloud providers. And doing that properly, addressing the developers how they want to context, to get, with the context they want to get as part of the issues, with the workflows they want to get. That's kind of the secret sauce, in a sense. And very easy maybe to say, but very, very hard to implement properly. >> This is huge. I want to unpack that. I want to just, great call out, great description. This is huge. This is a, we're seeing the past three years in particular, maybe three with the pandemic. Okay, maybe go a couple years earlier, then. 
The developers' behavior is driving the change. And you know, if you look at the past three DockerCons we've covered, we've been powering that site, been following that community very closely since the beginning, as well. It just seems in the past three to four years that the developers choices at scale, not what they're buying or who's pushing tools to them, has been one big trend. >> Yeah. >> They're setting the pace. >> Developer is the king. >> If it's self-service, we've seen self-service. Whether it's freemium to paid, that works. This is the new equation. Developer, developer choice is critical. So self-service they want. And two, the language barrier or jargon between or mindsets between security and developers. Okay, so DevOps brings IT into the workflow. Check. DevSecOps brings in there. You guys crack the code on that, is that what you're saying? >> Yes, and it's both the product, like how do you use the solution, as well as the go to market. How do you consume the solution? And you alluded to that with the PLG motion, that I think Snyk has done the superb job at and that really helped our businesses. >> Okay, so Manoj, product, you got the keys to the kingdom, you got the product roadmap. I could imagine, and what I'd love to get your reaction to, Adi, if you don't mind. If you do that, what you've done, the consequence of that is now security teams and the data teams can build guardrails. We're reporting a lot of that in the queue. We're hearing that we can provide guardrails. So the velocity of the developer seems to be increasing. Do you see that? Is that a consequence? >> That's something that we actually measure in the product. Right, so Snyk's focus is not finding issues, it's fixing issues. So one of the things we have been able to heuristically look at our thousands of customers and say, they're fixing issues 27 days faster than they were prior to Snyk. So, you know, I'm a Formula One fan. Guardrails, you say. I say there's a speed circuit. 
Developers love speed. We give them the speed. We give the security teams the ability to sit on those towers and, you know, put the right policies and guardrails in place to make sure that it's not speed without safety. >> And then I'm sure you guys are in the luxury box now, partying while the developers are (Lisa laughing) no more friction, no more fighting, right? >> The culture is changing. I had a discussion with a Fortune 50 CISO a month ago, and they told me, "Adi, it's the first time in my life where the development teams are coming to me, asking me, hey I want you to buy us this security solution." And for, that was mind blowing for him, right? Because it really changes the discussion with the security teams and the development teams >> Before Lisa jumps in, well how long, okay, let me ask you that question on that point. When did that tipping point change, culturally? Was it just the past few years? Has there, has DevOps kind of brought that in, can you? >> Yeah, I think it's a journey that happened together with Snyk's, kind of, growth. So if three years ago it was the very early adopters that were starting to consume that. So companies that are very, you know, modern in the way they developed and so on. And we saw it in our business. In the early days, most of our business came from the high tech industry. And now it's like everywhere. You have manufacturing, you have banks, you have like every segment whatsoever. >> Talk about that cultural shift. That's really challenging for organizations to achieve. Are you seeing, so that, that CISO was quite surprised that the developer came and said, this is what I want. Are you seeing more of that cultural changes? Is that becoming pervasive? >> Yeah, so I think that the root cause of that is that, you mentioned the growth, like the increased speed of velocity in applications. We have 30 million developers in the world today. 30 millions. 
By the end of the decade it's going to be 45 millions and all of them are using open source, third party code. Look at what's going on here in the event, right? This accelerates the speed for which they develop. So with that, what happened in the digital transformation world, the organizations are facing that huge growth, exponential growth in the amount of technology and products that are being built by their teams. But the way they manage that before, from a security perspective, just doesn't scale. And it breaks and it breaks and it breaks. This is why you need a different approach. A solution that is based on the developers, who are the ones that created the problems and the ones that will be responsible of fixing the issues. This is why we are kind of centering ourselves around them. >> And the world has changed, right? What is cloud? It's code, it's not infrastructure. Old infrastructure, hosted infrastructure. So if cloud is code and cloud native applications are all code and they're being deployed with Terraform packages and cloud formations, that's code. Why take an old school approach of scanning it outside-in. I talked to CISO today who said, I feel bad that, you know, our policy makes it such that a terraform change takes six months. What did I do? I made cloud look like infrastructure. >> Yeah, it's too slow. >> So that, you know, so both sides, you know, CISOs want something that the business, you know, accepts and adopts and it's, culture changes happen because the power is with the developers because all of this is code, and we enabled that whole seamless journey, all the way from code to cloud. So it's kind, you know, I think that this is a part of it. It's by direction, it's a bridge and both sides are meeting in the middle here. >> It's a bridge. I'm curious, how are you facilitating that bridge? You, we talk about the developers being the kings and queens and really so influential in business decisions these days. 
And you're talking about the developers now embracing Snyk. But you're also talking to CISOs. Is your customer conversation level changing as a result of security folks understanding why it needs to shift-left. >> We had a breakfast meeting with customers, prospects and everyone, I think this morning. It was interesting, we were remarking. There are CTOs, VPs of engineering, CISOs, VPs of AppSec. And it was such a rich conversation on both sides, right? So just the joy of facilitating that conversation and dialogue. CISOs, and so the levels are changing. It started for us in CTOs and VPs of engineering and now it's both because, you know, one of the things Adi talks about is, like, that security has to become development aware. And that's starting to be like the reality. Me getting another solution, with maybe a better acronym than the old acronym, but it's still outside-in, it's scan based. I light up up the Christmas tree, who is going to fix it? And with the speed of cloud, now I got throw in more lights. Those lights are no longer valid. >> The automation. >> The automation without prioritization and actual empowerment is useless. >> All right, I know we got a couple minutes left, but I want to get into that point about automation because inside-out, you've made me think about this. I want to get your thought Adi, if you don't mind. The integration challenges now are much more part of the ecosystem, more joint engineering. You mentioned these meetings are not just salesperson and customer buyer, it's teams are talking to each other. There's a lot of that going on. How do you guys look at that? Because now the worst things that I hear and when I talk to customers is, I hate the word PenTest and AppSec review. It slows things down. People want to go faster. So how do you guys look at that? What's Snyk doing around making the AppSec review process, integration across companies, work better? 
>> So I'll give you an example from the cloud and then I will relate to the AppSec. And this relates to what you mentioned before. We had a discussion yesterday with a CISO that said, we are scanning the cloud, we are opening the lights, we see this issue. Now what do I do? Who needs to fix this? So they have this long process of finding the actual team that is required to fix it. Now they get to the team and they say, why didn't you tell me about it when I developed it? The same goes for AppSec, right? The audit is a very late stage of the game. You want to make sure that the testing, that the policies, everything is under the same structure, the same policies. So when you do the same thing, it's part of the first time of code that you create, it's part of the change management, it's part of the build, it's part of the deployment and it's part of the audit. And you have everything together being done under the same platform. And this is, kind of, one of the strengths that we bring to the table. The discussion changes because now you have an aligned strategy, rather than kind of blocks that we have, kind of, mashed up together. >> So the new workflow, it's a new workflow, basically, in the mindset of the customer. They got to get their arms around that thing. If we don't design it in, the wheels could come off the bus at the 11th hour. >> Adi: Yeah. >> And everything slows down. >> I had a discussion with Amazon today, actually, that they had an internal discussion and they said, like, some of the teams were like, why have you blocked my app from being released? And they said, have you ever scanned your app? Have you ever looked at your, like, and, and they're like, if you haven't, then you're not really onboard with the platform and it just breaks. This is what happens. >> Great conversation. I know we don't, I wish we had more time. We'll do a follow up on theCube for sure. Should we get into the new twist? >> I've got one final question for you guys. 
We're making some Instagram reels, so think about your elevator pitch in 30 seconds. And I want to ask you about Snyk's evolution. Manoj, I want to start with you. What is that elevator pitch about Snyk's evolution to the end user customer? >> Empower developers, help them go faster, more productive and do it in a way that security is really built in, not bolted on. And that's really, you know, from a, the evolution and the power that we are giving is make the organization more productive because security is just happening as a part of making the developer more productive. >> Awesome. And Adi, question for you, how, your elevator pitch on how Snyk is really an enabler for CISOs these days? >> Yeah, so I always ask the CISO first of all, are you excited about the way your environment looks like today? Do you need to have a cultural change? Because if you need to have a cultural change, if you want to get those two teams working closely together, we are here to enable that. And it goes from the product, it goes from our education pieces that we can talk about in another section, and it works around the language that we build to allow and enable that discussion. >> Awesome. Guys, that was a double mic drop for both of you. >> Manoj: Thank you. >> Adi: Thank you, Lisa. >> Thank you so much for joining John and me, talking about what's happening with Snyk, what you're enabling customers to do and how, really, you're enabling cultural change. That's hard to do. That's awesome stuff guys. And congratulations on your 11th and your first Cube. >> Second, second, >> Second. >> Adi: I will be here more, but (laughs) >> You got it, you got it. You have to come back because we have too much to talk about. >> Adi: Exactly. (laughs) >> Thanks guys, we appreciate it. >> If we can without Manoj, so I can catch up. (Manoj laughs) >> Okay. We'll work on that. >> Bring you in the studio. (everyone laughing) >> Exactly. >> Eight straight interviews. 
(John and Lisa laughing) >> We hope you've enjoyed this conversation. We want to thank our guests. For John Furrier, I'm Lisa Martin. You're watching theCUBE, the leader in emerging and enterprise tech coverage. (soft electronic music)
Snehal Antani CEO Perspective
(upbeat music) >> Hello everyone, welcome back to our special presentation with TheCUBE and Horizon3.ai. I'm John Ferrier host of TheCUBE here in Palo Alto with the CEO and co-founder of Horizon3 Snehal Antani who's here with me to talk about the big news, we've been talking about your global expansion, congratulations on the growth, and international, and just overall success of, what looks like to be a very high margin, relevant business in the security space. >> Yeah, thank you John. Very excited to be here and especially this focus on partners, because partners in cyber security have such an important role and we've built a company that enables partners to grow with us. >> We had a chance to talk to some of your staff and some of the people in the industry around the channel. I mean the old school technology vendors would go in build channels and distributed resellers, VARs value added resellers, value added businesses all kinds of different ways to serve customers, indirectly. And then you got the direct sales force. You guys seem to have a perfect product for a hard, profitable, market where channels are starved for solutions in the security space. What did you guys find as you guys launched this? What was some of the feedback? What was some of the reasoning behind- obviously indirect sales helps your margins, you enable MSPs to sell for you, but what's the, what was the epiphany? >> So when you think about the telecommunications industry back in the two thousands, we always talked about the last mile in Telco, right? It was easy to get fiber run to the neighborhood but the last mile from the neighborhood to the house was very difficult. So what we found during Covid was, this was especially true in cybersecurity because in Covid you've got individuals that need security capabilities whether they are IT directors, barely treading water or CSOs and so on. 
And they needed these trusted relationships to decide what security technologies to use, how to improve their posture. And they're not going to go to just some website to learn. They've got years of relationships built with those regional partners, those regional resellers MSSPs, MSPs, IT consulting shops. So what we did over the past two years was embrace this idea that regional partners are the last mile of cybersecurity. So how do we build a product and a business model that enables those last miles channel partners to make even more revenue using us to underpin their offerings and services and get them to take advantage of the trust that they've built over many hard years and use that trust to not only improve the posture of their customers but have Horizon3 become a force enabler along the way. >> Yeah it's interesting you have that pre-built channel makeup, but also new opportunities for people to bring security 'cause you guys have the node zero capability. 'Cause pen testing is only one of the things you guys are starting to do now. And everyone knows, we've talked about this on our previous interviews, it's hard. People have, y'know, all kinds of AppSec review, application reviews, all the time. And if you're doing cloud native you're constantly pushing new code. So the need for a pen test is kind of a continuous thing. Okay, So I get that. The other thing that I found out on the interviews was, and I want to get your reaction to this, is that there's an existing channel of pen testers that are high IQ, high paid services. So it almost feels like you guys have created kind of like a way to automate some of the basic stuff but still enable the existing folks out there doing this work. I won't say it was below their pay grade but a lot of it was kind of, y'know remedial things, explain and react to that. Because I think that's a key nuance point to this expansion. >> Yeah, so the key thing is how do you run a security test at scale? 
So if you are a human pen tester maybe in a couple of weeks you could pen test 5,000 hosts. If you're really good, maybe 10,000 hosts. But when you've got a large manufacturer or a bank that's got hundreds of thousands or millions of hosts, there's no way a human's going to be able to do that. So for the really large shops, what we've found is this idea of human machine teaming. Where you run us to run infrastructure testing at scale we'll conduct reconnaissance, we'll do exploitation at scale, we'll find all the juicy interesting stuff. And then that frees up the time for the human to focus on the stuff humans are gifted at. And there's this joke that "Let us focus on all the things that will test at scale, so the human can focus on the problems that get them to speak at DEFCON and let them focus on the really hard interesting juicy stuff while we are executing tests. And at a large scale that's important but also think about Europe. In Germany there are less than 600 certified pen testers for the entire country, in Norway I think there's less than 85, in Estonia there's less than 20. There's just not enough supply of certified testers to be able to effectively meet the demand. >> It's interesting, when you ever have to see these inflection points in industries there's always a 10x multiple or some multiple inflection point that kicks up the growth. Google pioneered site reliability engineers you're seeing it now in cloud native with containers and Kubernetes writing scripts is now going to be more about architecture operating large scale systems. So instead of being a pen tester they're now a pen architect. >> Yeah, well in many ways it's a security by design philosophy which is, I would rather verify my architecture up front, verify my security posture up front, and not wait for the bad guys to show up to poke holes in my environment. 
And then even economically, the way we design the product most of our users are not pen testers they're actually IT admins, network engineers, people with the CISSP type certification and we give them superpowers. And there are, in back to 10x, for every one certified ethical hacker there are 10 to 20 certified CISSPs. So even the entire experience was designed around those types of security practitioners and network engineers versus the very exquisite pen test types. >> Yeah, it's a great market opportunity. I think this is going to be a big kind of a, an example of how scale works So congratulations. Couple questions I had for you for this announcement was, what are some of the obstacles that you see organizations facing that the channel partners can participate in? 'Cause again, more feet on the street, I get the expansion, but what problems are they solving? >> Yeah, when you think about, back when I was a CIO, there was a very well defined journey I went through. Assess my security posture, I have to assess it at least once or twice a year, I want to assess it as often as possible. From there, as I find problems, the hardest part of my job was deciding what not to fix. And I didn't have enough people to remediate all the issues. So the natural next step is how do I get surge expertise to remediate all of the findings from those assessments. From there, the next thing is, okay while I'm fixing those problems, did my security team or outsourced MSSP detect and respond to those attacks? Not, and if so, great, if not what are the blind spots in my detection response? And then the final step is being that trusted advisor to the executive team, the board, and the regulators around that virtual CISO or strategic security advice. So that is the spectrum of requirements that any customer has. Assess, remediate, verify your detections, and then strategic advice and guidance. 
Every channel partner has some aspect of those businesses within their portfolio and we enable revenue to be generated for our partners across every one of those. Use us to do assessments at scale, automatically generate the statement of work for everything that we've found, and then our partners make money fixing the issues that we've identified. Use us to audit the blind spots of your security stack and then finally use our results over time to provide strategic advice to the CISO, the board, and their regulators. >> Yeah, it's great, great gap you fill for sure. And with the op, the scale you give other pen testers a lot of growth there. The question that comes up though, I have to ask you and this is what's on people's minds, probably, 'cause it would be, first thing that I would ask Well you guys are kind of new and I get this thing. So what will make you an ideal partner? Why Horizon3.ai as the partner? What do you bring to the table? >> Yeah, I think there's a few things. One is we're approaching our three year anniversary, we've scaled very quickly, we've built a great team. But what differentiates us is our authenticity at scale, our transparency of how we work as a partner, and the fact that we've built a company, that very specifically enables partners to make money, high quality money. In my previous companies I've worked at, partners are kind of relegated to doing low level professional services type work. And if I'm a services shop, that's not going to be very valuable for me. That's a one and done come in, install a product, tune, and so on. What I want, if I'm a partner, is working with technology companies that care deeply about my growth as a partner and then is creating an offering that allows me to white label it, to build my own high margin business above it, give me predictable cost of goods sold so I can build and staff a high functioning organization. 
That's what we did at Horizon3 is we built the entire company around enabling MSSPs, MSPs, consulting shops, and so on. >> From day one. This is- >> From day one, that was the goal. And so the entire company's been designed you can white label the product, the entire experience can look like yours if you want it to be. The entire company was built from day one to be channel friendly >> This is again, a key point again, I want to double click on that because y'know, at the end of the day, money making's pretty big important thing. Partners don't, channel partners, and resellers, and partners don't want to lose their customer. Want to add value and make high margins. So is it easy to use? How do I consume it? How do I deploy it? You feel comfortable that you guys can deliver on that. >> Yeah, and in fact, a big cultural aspect of Horizon3 is we let our results do the talking. So I don't need to convince people through PowerPoint. What partners will do is they'll show up, they will run us for themselves, they'll run us against some trusted customers of theirs. They get blown away by the results. They get a Horizon3 tattoo at the end. >> Yeah. >> And then they become our biggest champions and advocates. >> And ultimately when you have that land and you can show results and it's a white label, it's an instant money maker. Right? For the partner. That's great Snehal, thanks so much for coming on. Really appreciate it. That's a wrap here, big news and the big news announcement around Horizon3.ai global expansion, new opportunities new channel partners, great product, good for the channel, makes money, helps customers. Can't beat that. I'm John Ferrier with TheCUBE. Thanks for watching. (upbeat music)
Liran Tal, Snyk | CUBE Conversation
(upbeat music) >> Hello, everyone. Welcome to theCUBE's coverage of the "AWS Startup Showcase", season two, episode one. I'm Lisa Martin, and I'm excited to be joined by Snyk, next in this episode. Liran Tal joins me, the director of developer advocacy. Liran, welcome to the program. >> Lisa, thank you for having me. This is so cool. >> Isn't it cool? (Liran chuckles) All the things that we can do remotely. So I had the opportunity to speak with your CEO, Peter McKay, just about a month or so ago at AWS re:Invent. So much growth and momentum going on with Snyk, it's incredible. But I wanted to talk to you about specifically, let's start with your role from a developer advocate perspective, 'cause Snyk is saying modern development is changing, so traditional AppSec gatekeeping doesn't apply anymore. Talk to me about your role as a developer advocate. >> It is definitely. The landscape is changing, both developer and security, it's just not what it was before, and what we're seeing is developers need to be empowered. They need some help, just working through all of those security issues, security incidents happening, using open source, building cloud native applications. So my role is basically about making them successful, helping them any way we can. And so getting that security awareness out, or making sure people are having those best practices, making sure we understand what are the frustrations developers have, what are the things that we can help them with, to be successful day to day. And how they can be a really good part of the organization in terms of fixing security issues, not just knowing about it, but actually being proactively on it. >> And one of the things also that I was reading is, Shift Left is not a new concept. We've been talking about it for a long time. But Snyk's saying it was missing some things and proactivity is one of those things that it was missing. What else was it missing and how does Snyk help to fix that gap? 
>> So I think Shift Left is a good idea. In general, the idea is we want to fix security issues as soon as we can. We want to find them. Which I think that is a small nuance that what's kind of missing in the industry. And usually what we've seen with traditional security before was, 'cause notice that, the security department has like a silo that organizations once they find some findings they push it over to the development team, the R&D leader or things like that, but until it actually trickles down, it takes a lot of time. And what we needed to do is basically put those developer security tools, which is what Snyk is building, this whole security platform. Is putting that at the hands and at the scale of, and speed of modern development into developers. So, for example, instead of just finding security issues in your open source dependencies, what we actually do at Snyk is not just tell you about them, but you actually open a pull request to your source codes version and management system. And through that we are able to tell you, now you can actually merge it, you can actually review it, you can actually have it as part of your day-to-day workflows. And we're doing that through so many other ways that are really helpful and actually remediating the problem. So another example would be the IDE. So we are actually embedding an extension within your IDEs. So, once you actually type in your own codes, that is when we actually find the vulnerabilities that could exist within your own code, if that's like insecure code, and we can tell you about it as you hit Command + S and you will save the file. Which is totally different than what SAST tools, static application security testing, was before because, when things started, you usually had SAST tools running in the background and like CI jobs at the weekend and in deltas of code bases, because they were so slow to run, but developers really need to be at speed. They're developing really fast. They need to deploy. 
One development is deployed to production several times a day. So we need to really enable developers to find and fix those security issues as fast as we can. >> Yeah, that speed that you mentioned is absolutely critical to their workflow and what they're expecting. And one of the unique things about Snyk, you mentioned, the integration into how this works within development workflow with IDE, CI/CD, the Git environment enabling them to work at speed and not have to be security experts. I imagine are two important elements to the culture of the developer environment, right? >> Correct, yes. It says, a large part is we don't expect developers to be security experts. We want to help them, we want to, again, give them the tools, give them the knowledge. So we do it in several ways. For example, that IDE extension has a really cool thing that's like kind of unique to it that I really like, and that is, when we find, for example, you're writing code and maybe there's a path traversal vulnerability in the function that you just wrote, what we'll actually do when we tell you about it, it will actually tell you, hey, look, these are some other commits made by other open source projects where we found the same vulnerability and those commits actually fixed it. So actually giving you example cases of what potentially good code looks like. So if you think about it, like who knows what path traversal is, but prototype pollution like many types of vulnerabilities, but at the same time, we don't expect developers to actually know, the deep aspects of security. So they're left off with, having some findings, but not really, they want to fix them, but they don't really have the expertise to do it. So what we're doing is we're bridging that gap and we're being helpful. So I think this is what really proactive security is for developers, that says helping them remediate it. 
And I can give like more examples, like the security database, it's like a wonderful place where we also like provide examples and references of like, where does their vulnerability come from if there's like, what's fogging in open-source package? And we highlight that with a lot of references that provide you with things, the pull requests that fixed it, or the issue with where this was discussed. You have like an entire context of what is the... What made this vulnerability happen. So you have like a little bit more context than just specifically, emerging some stuff and updating, and there's a ton more. I'm happy to like dive more into this. >> Well, I can hear your enthusiasm for it, a developer advocate it seems like you are. But talking about the burdens of the gaps that you guys are filling it also seems like the developers and the security folks that this is also a bridge for those teams to work better together. >> Correct. I think that is not siloed anymore. I think the idea of having security champions or having threat modeling activities are really, really good, or like insightful both like developers and security, but more than just being insightful, useful practices that organizations should actually do actually bringing a discussion together to actually creating a more cohesive environment for both of those kind of like expertise, development and security to work together towards some of these aspects of like just mitigating security issues. And one of the things that actually Snyk is doing in that, in bringing their security into the developer mindset is also providing them with the ability to prioritize and understand what policies to put in place. 
So a lot of the times security organizations actually, the security org wants to do is put just, guardrails to make sure that developers have a good leeway to work around, but they're not like doing things that like, they definitely shouldn't do that, like prior to bringing a big risk into today organizations. And that's what I think we're doing also like great, which is the fact that we're providing the security folks to like put the policies in place and then developers who actually like, work really well within those understand how to prioritize vulnerabilities is an important part. And we kind of like quantify that, we put like an urgency score that says, hey, you should fix this vulnerability first. Why? Because it has, first of all, well, you can upgrade really quickly. It has a fix right there. Secondly, there's like an exploit in the wild. It means potentially an attacker can weaponize this vulnerability and like attack your organizations, in an automated fashion. So you definitely want to put that put like a lead on that, on that broken window, if so to say. So we ended up other kind of metrics that we can quantify and put this as like an urgency score, which we called a priority score that helps again, developers really know what to fix first, because like they could get a scan of like hundreds of vulnerabilities, but like, what do I start first with? So I find that like very useful for both the security and the developers working together. >> Right, and especially now, as we've seen such changes in the last couple of years to the threat landscape, the vulnerabilities, the security issues that are impacting every industry. The ability to empower developers to not only work at the speed with which they are accustomed and need to work, but also to be able to find those vulnerabilities faster prioritize which ones need to be fixed. 
I mean, I think of Log4Shell, for example, and when the challenge is going on with the supply chain, that this is really a critical capability from a developer empowerment perspective, but also from an overall business health and growth perspective. >> Definitely. I think, first of all, like if you want to step just a step back in terms of like, what has changed. Like what is the landscape? So I think we're seeing several things happening. First of all, there's this big, tremendous... I would call it a trend, but now it's like the default. Like of the growth of open source software. So first of all as developers are using more and more open source and that's like a growing trend of have like drafts of this. And it's like always increasing across, by the way, every ecosystem Go, Rust, .NET, Java, JavaScript, whatever you're building, that's probably like on a growing trend, more open source. And that is, we will talk about it in a second what are the risks there. But that is one trend that we're seeing. The other one is cloud native applications, which is also worth to like, I think dive deep into it in terms of the way that we're building applications today has completely shifted. And I think what AWS is doing in that sense is also creating a tremendous shift in the mindset of things. For example, out of the cloud infrastructure has basically democratized infrastructure. I do not need to, own my servers and own my monitoring and configure everything out. I can actually write codes that when I deploy it, when something parses this and runs this, it actually creates servers and monitoring, logging, different kinds of things for me. So it democratizes the whole sense of building applications from what it was decades ago. And this whole thing is important and really, really fast. It makes things scalable. It also introduces some risks. For example, some of these configuration. So there's a lot that has been changed. 
And in that landscape of like what modern developer is and I think in that sense, we kind of can need a lead to a little bit more, be helpful to developers and help them like avoid all those cases. And I'm like happy to dive into like the open source and the cloud native. That was like follow-ups on this one. >> I want to get into a little bit more about your relationship with AWS. When I spoke with Peter McKay for re:Invent, he talked about the partnership being a couple of years old, but there's some kind of really interesting things that AWS is doing in terms of leveraging Snyk. Talk to me about that. >> Indeed. So Snyk integrates with almost, I think probably a lot of services, but probably almost all of those that are unique and related to developers building on top of the AWS platform. And for example, that would be, if you actually are building your code, it connects like the source code editor. If you are pushing that code over, it integrates with CodeCommit. As you build and CI is running, maybe CodeBuild is something you're using that's in CodePipeline. That is something that you have like native integrations. At the end of the day, like you have your container registry or Lambda. If you're using like functions as a service for your applications, what we're doing is integrating with all of that. So at the end of the day, you really have all of that... It depends where you're integrating, but on all of those points of integration, you have like Snyk there to help you out and like make sure that if we find on any of those, any potential issues, anything from like licenses to vulnerabilities in your containers or just your code or your open source code in those, they actually find it at that point and mitigate the issue. 
So this kind of like if you're using Snyk, when you're a development machine, it kind of like accompanies you through this journey all over what a CI/CD kind of like landscape looks like as an architectural landscape for development, kind of like all the way there. And I think what you kind of might be I think more interested, I think to like put your on and an emphasis would be this recent integration with the Amazon Inspector. Which is as it's like very pivotal parts on the AWS platform to provide a lot of, integrate a lot of services and provide you with those insights on security. And I think the idea that now that is able to leverage vulnerability data from the Snyk's security intelligence database that says that's tremendous. And we can talk about that. With Log4Shell and recent issues. >> Yeah. Let's dig into that. We have a few minutes left, but that was obviously a huge issue in November of 2021, when obviously we're in a very dynamic global situation period, but it's now not a matter of if an organization is going to be hit by vulnerabilities and security threats. It's a matter of when. Talk to me about really how impactful Snyk was in the Log4Shell vulnerability and how you help customers evade probably some serious threats, and that could have really impacted revenue growth, customer satisfaction, brand reputation. >> Definitely. The Log4Shell is, well, I mean was a vulnerability that was disclosed, but it's probably still a major part and going to be probably for the foreseeable future. An issue for organizations as they would need to deal with us. And we'll dive in a second and figure out like why, but in like a summary here, Log4Shell was the vulnerability that actually was found in Java library called Log4J. A logging library that is so popular today and used. 
And the thing is having the ability to react fast to those new vulnerabilities being disclosed is really a vital part of the organizations, because when it is as impactful, as we've seen Log4Shell being, that is when, it determines where the security tool you're using is actually helping you, or is like just an added thing on like a checkbox to do. And that is what I think made Snyk so unique in the sense. We have a team of those folks that are really both manually curating the ecosystem of CVEs and like finding by ourselves, but also there's like an entire, kind of like an intelligence platform beyond us. So we get a lot of notifications on chatter that happens. And so when someone opens an issue on an open source repository says, Hey, I found an issue here. Maybe that's an XSS or code injection or something like that. We find it really fast. And we at that point, before it goes to CVE requirement and stuff like that through like a MITRE and NVD, we find it really fast and can add it to the database. So this has been something that we've done with Log4Shell, where we found that as it was disclosed, not on the open source, but just on the open source system, but it was generally disclosed to everyone at that point. But not only that, because Log4J as the library had several iterations of fixes they needed. So they fixed one version. Then that was the recommendation to upgrade to then that was actually found as vulnerable. So they needed to fix it another time and then another time and so on. So being able to react fast, which is, what I think helped a ton of customers and users of Snyk is that aspect. And what I really liked in the way that this has been received very well is we were very fast on creating those command line tools that allow developers to actually find cases of the Log4J library, embedded into (indistinct) but not through a package manifest. 
So sometimes you have those like legacy applications, deployed somewhere, probably not even legacy, just like the Log4J libraries, like bundled into a net or Java source code base. So you may not even know that you're using it in a sense. And so what we've done is we've like exposed with Snyk CLI tool and a command line argument that allows you to search for all of those cases. Like we can find them and help you, try and mitigate those issues. So that has been amazing. >> So you've talked in great length, Liran about, and detail about how Snyk is really enabling and empowering developers. One last question for you is when I spoke with Peter last month at re:Invent, he talked about the goal of reaching 28 million developers. Your passion as a director of developer advocacy is palpable. I can feel it through the screen here. Talk to me about where you guys are on that journey of reaching those 28 million developers and what personally excites you about what you're doing here. >> Oh, yeah. So many things. (laughs) Don't know where to start. We are constantly talking to developers on community days and things like that. So it's a couple of examples. We have like this dev site community, which is a growing and kicking community of developers and security people coming together and trying to work and understand, and like, just learn from each other. We have those events coming up. We actually have this, "The Big Fix". It's a big security event that we're launching on February 25th. And the idea is, want to help the ecosystem secure security obligations, open source or even if it's closed source. We like help you fix that though that yeah, it's like helping them. We've launched this Snyk ambassadors program, which is developers and security people, CSOs are even in there. And the idea is how can we help them also be helpful to the community? 
Because they are like known, they are passionate as we are, on application security and like helping developers code securely, build securely. So we launching all of those programs. We have like social impact related programs and the way that we like work with organizations, like maybe non-profit maybe they just need help, like getting, the security part of things kind of like figured out, students and things like that. Like, there's like a ton of those initiatives all over the boards, helping basically the world be a little bit more secure. >> Well, we could absolutely use Snyk's help in making the world more secure. Liran it's been great talking to you. Like I said, your passion for what you do and what Snyk is able to facilitate and enable is palpable. And it was a great conversation. I appreciate that. And we look forward to hearing what transpires during 2022 for Snyk so you got to come back. >> I will. Thank you. Thank you, Lisa. This has been fun. >> All right. Excellent. Liran Tal, I'm Lisa Martin. You're watching theCUBE's second season, season two of the "AWS Startup Showcase". This has been episode one. Stay tuned for more great episodes, full of fantastic content. We'll see you soon. (upbeat music)
Peter McKay, Snyk | AWS Re:Invent 2021
(bright upbeat music) >> Welcome, everyone, to theCUBE's continuing coverage of AWS re:Invent 2021. I'm your host, Lisa Martin. And we are running one of the industry's most important and largest hybrid tech events of the year with AWS and its ecosystem partners. We have two live sets, two remote studios, and over 100 guests on the program talking about the next decade in cloud innovation. We're very excited to be welcoming back one of our CUBE alumni, Peter McKay, the CEO of Snyk. He's set to talk about reinventing application security with Snyk. Peter, welcome back to the program. >> It's great to be back, Lisa. Thanks for having me. >> Great to talk to you. So, my goodness, Snyk has had an incredible year, last year, this year, I was just looking at your Series F funding raised over 600 million in the month of September alone. Your valuation is, I think I saw over 9.6 billion, which is nearly doubled. This year-- >> Don't rush at 8.6, but yes, it was double the last time. Yeah, it's been a crazy 2021, that's for sure. >> So, talk to me about some of that before we get into what you guys are doing with AWS. Let's talk about that, we talked about that funding. What are some of the strategic areas of investment? I know you've done a recent acquisition CloudSkiff, but where are you really going to be focusing the Series F funding? >> Yeah, we've been very aggressive in building out our platform. We have a great vision for where we see developer security evolving and we want to get there fast. A lot of our customers and developers are kind of pushing us in that direction of really consolidating a platform. And so, to get there quickly, we do it organically building it ourselves, and we do it inorganically where we can see other companies accelerate that roadmap. 
And so, it's this combination of very aggressive, organic expansion of both the breadth of our products, but also the depth, like adding more to our platform, but also the inorganic, because a lot of companies who have team and technologies that are very complimentary to what we're doing and allows us to continue to consolidate what is a very fragmented market in and around developers security. And so, we're going to continue to use the resources to accelerate that roadmap. The second part of it is, we are a little bit different than some companies where they kind of follow where the decision headquarters are of companies for us, we follow developers. And so, around the globe, Multinational Corporations have developers in the Philippines, in Argentina and all around the world and we needed to be there. And so, expanding our community, expanding our customer success organization around the world is critical for us. And so, that's something part of our kind of use of proceeds is the expansion of our go-to-market as well. >> Peter, modern development has changed. Next thing modern development has changed. So, traditional AppSec doesn't apply anymore. A new approach is needed. Talk to me about why Snyk believes that and what that new approach is. >> Yeah, you just go back to for 30 years, security was owned by application security teams and that's when it was kind of this waterfall application development model where they develop an app and every three, six, nine months, and then the security teams would audit that application and kind of send all the feedback, hear all the issues, go fix it, developers, and it was incredibly inefficient. And then you throw on top of this digital transformation and companies moving incredibly fast in building new applications. This agile development motion and all the incredible tools that allow developers to develop really fast. 
But then you get this very slow antiquated way of kind of testing it at the very end, right before you move the applications in production. So, it just didn't scale. And so, the concept is just way too late in the process. You really need to move security testing into that developer environment from the IDE, the CI/CD all the way through. So, when you're developing along the way, you're fixing the issues well ahead of time. And that's where modern development organizations are all this concept of shift left and building it in, into that's really the driver is moving security earlier and earlier in the software development life cycle. >> And that's key, especially you talked about the acceleration of digital transformation, but we've also seen the acceleration of the threat landscape in the last 20 months. There's been significant changes. The perimeter is so fragmented, it's expanding, the threat landscape goes all the way into outer space to low earth orbit these days. Talk to me about that as kind of a facilitator or an accelerator of what Snyk is doing to really focus on shifting security left with those developers. >> Yeah, I think people are kind of waking up to the fact that up to this point, they've spent billions and billions of dollars on endpoint securities and runtime security and all the things that are kind of in production. And they're realizing that, okay, well, why are we still vulnerable? Why do we still have these issues? And I think it's the realization that they're waiting too long to fix it. And a lot of the issues are happening. They're either new issues with moving to the cloud or they're issues that happen well before it got into production. And so, this realization that we've got to go earlier and earlier and fix these issues well before we go into production and don't wait till the very end. So, I think that's really driving the market to this shift left. 
>> And you guys have actually kind of really pivoted your go-to-market model around that developers don't try and buy software the way that IT and security teams do. Talk to me about Snyk's GTM. >> Yeah, it's very unique in that it's really marrying this model developer security approach with the way developers want to buy. So, we start with our community and we do free content and tools all around building awareness for the developer community. We have, all of our products are free, so developers can try before they buy. And if you're truly a developer solution, you offer it free and let them use it. And then when they want to collaborate and they want to integrate and automate that moves from free to paid. So, it's very much of this bottoms up motion that really allowed developers to try MI. That's a big, big driver for our business, inbound motion drives 70% of our pipeline from them coming to us from this community. And then we come in kind of top down once they kind of get into different places. And we go in through those security organizations, which are trying to shift left, trying to move security earlier, earlier and we work together with the security organizations to help move that to the developer world. So, you've got this bottoms up, developer adoption, viral adoption of Snyk within those organizations. Now, with the top-down kind of, and we become this bridge between the developer teams in engineering, and the security teams that are all trying to move in the same direction. And so, that's kind of how this market is evolved. And we're kind of that bridge for both those organizations. >> I was going to ask you about that, that bridge is critical, but also that bridge is a cultural change. I'm curious, how do you see organizations? It sounds like obviously you're, what over, I think, six, 700 customers now, a couple of million developers using the technology, so-- >> 1300 customers today >> 1300, okay. Wow! You have had a big year. 
1300 customers, millions of developers using the technology. Talk to me a little bit about how you guys have figured out how to facilitate that cultural shift and shift security left, but also bridge between the IT and the security folks which have tended to be on sort of opposite sides of the spectrum. >> Yeah, I think the realization, I think a lot of people are very early on and I was... We'd been in the software industry for 25 years. Even nobody ever thought developers would care about security. Like there's no way developers really care about security. And really, if you think about, if you asked the developer, would you rather develop a secure app or an insecure app? If all things were equal, of course, they'd want it to be secure, but it needs to be easy. It needs to be like, don't slow me down, whatever you do, don't slow me down. And so, we have this, "Hey, it's all about speed of development, speeds, speed, speed." So, for us, we need to make it embedded, like integrated completely into that software development life cycle. So, developers don't have to be security experts, developers don't have to get out of their flow to do it, learn a different piece of software to figure out it's all embedded into that process. So, you can be fast and you can be agile, but you can also be secure at the same time. And so, part of that is embedding education and other things in there to learn that expansion of getting in the door and kind of building that momentum within these development communities all around the world. And so, I think we help all our customers with that kind of developer adoption and working together with the security teams and engineering teams on how we roll that out around best practices. And in some of the things we've learned over the six and a half years of doing this. >> It sounds very strategic and methodical and a great approach that is obviously quite successful. We talked about the growth trajectory now, 1300 customers. 
Let's talk about what you guys are doing with AWS. Here we are at re:Invent this year. Talk to me about this Snyk, AWS partnership. >> Yeah, it's been really gaining momentum over the past year and a half, almost two years now. AWS, a lot of the workloads, one of the reasons, a lot of the applications don't go to the cloud is because of security issues and moving workloads to the cloud. Also developing applications in the cloud, security is a critical part of it. So, AWS is obviously infrastructure, but they also need solutions that allow them to make sure that those companies that are developing on AWS are secure. And so, we've integrated our intel database into AWS Inspector. We have a lot of offerings, very specific AWS offerings that our mutual customers can leverage. And we work very collaboratively with AWS in not only our technical roadmap with them, but also our go-to-market side, which is very much aligned. And it's continuing, we kind of, I say, we're in the second inning of that game. We got a lot more coming. >> Okay, but well aligned. Give me a customer example, if you will, of a joint AWS Snyk customer that you've really helped with this transition, shifting security left they're building apps in the AWS cloud very successfully and securely. >> Yeah, I'd well, almost every company has some relationship with size with AWS. And so, for us, it's one of the first questions we ask anybody coming in is what's your relationship with one of the cloud vendors? And that inevitably it'll be, yeah, we have a relationship with AWS. And so, we talk about our roadmap that we have with AWS. They can buy our software through the AWS marketplace. You could leverage kind of your EDPs that you have with AWS to kind of build that scale. So, we're very technically aligned with the AWS platform. And so, you look at financial services, we've done a fair amount of financial services, insurance companies that are all kind of moving more workloads to AWS. 
Some of them have been our customers before, some of them separate from AWS, and now they're kind of, "Hey, can I move all my apps over and leverage Snyk in that process?" So, it's now, a good part of our go-to-market motion is coming through AWS marketplace as well. So, it's been a very successful partnership on both parties. >> A lot of momentum there, speaking of momentum, we talked about the funding raise this year alone, tremendous momentum going on for the company. What are some of the things that we can expect to see from Snyk in calendar year 22? >> Yeah, well, aggressive roadmap. I mean, that's still, we see, we have four modules today. We started with one and we added to, that was open source security. We added a container security, infrastructure as code security. Then we added code security or a SAST solution. We see modules five, six, seven coming out. We made an acquisition of drift technology, adding into kind of adding some more depth. So, you're going to see just a lot more continued aggressiveness on our side, as we scale both our engineering, organically and inorganically, but also, the go-to-market, now we're almost in all the major countries around the world and we're going to continue to invest in building that out and going where the developers are, the 28 million developers around the world. Our goal is to reach every one of them as fast as we possibly can with our free or paid, or whatever way is to get to 28 million developers as fast as we can. >> So, for those developers watching, where do you want to point them to go to, to start their free trial. >> Just go right to our website, snyk.io and you can get all of our products free, you can chat, schedule demos, you can do everything very easily if not. And it's very self-service so, if you don't want to talk to anybody, you don't have to talk to anybody, but if you do, we have plenty of people you can talk to. That's our world, frictionless motion. 
>> Frictionless and contactless at the same time, Peter, congratulations on the growth and momentum of the company. What you're doing, the evolution of the partnership with AWS and that lofty goal to reach 28 million developers. I'm looking forward to our next conversation to see where you are on that progress. >> Same thing, same here, Lisa, thank you for your time. >> Oh, likewise. For Peter McKay, I'm Lisa Martin and you're watching theCUBE's continuous coverage of AWS re:Invent 2021. Stick around, more great content coming up next. (soft upbeat music)
BOS4 AWS Peter McKay
(bright upbeat music) >> Welcome, everyone, to theCUBE's, continuing coverage of AWS re:Invent 2021. I'm your host, Lisa Martin. And we are running one of the industry's most important and largest hybrid tech events of the year with AWS and its ecosystem partners. We have two live sets, two remote studios, and over 100 guests on the program talking about the next decade in cloud innovation. We're very excited to be welcoming back one of our CUBE alumni, Peter McKay, the CEO of Snyk. He's set to talk about reinventing application security with Snyk. Peter, welcome back to the program. >> It's great to be back, Lisa. Thanks for having me. >> Great to talk to you. So, my goodness, Snyk has had an incredible year, last year, this year, I was just looking at your Series F funding raised over 600 million in the month of September alone. Your valuation is, I think I saw over 9.6 billion, which is nearly doubled. This year-- >> Don't rush at 8.6, but yes, it was double the last time. Yeah, it's been been a crazy 2021, that's for sure. >> So, talk to me about some of that before we get into what you guys are doing with AWS. Let's talk about that, we talked about that funding. What are some of the strategic areas of investment? I know you've done a recent acquisition cloud skiff, but where are you really going to be focusing the Series F funding? >> Yeah, we've been very aggressive in building out our platform. We have a great vision for where we see developer security evolving and we want to get there fast. A lot of our customers and developers are kind of pushing us in that direction of really consolidating a platform. And so, to get there quickly, we do it organically building it ourselves, and we do it in inorganically where we can see other companies accelerate that roadmap. 
And so, it's this combination of very aggressive, organic expansion of both the breadth of our products, but also the depth, like adding more to our platform, but also the inorganic, because a lot of companies who have team and technologies that are very complimentary to what we're doing and allows us to continue to consolidate what is a very fragmented market in and around developers security. And so, we're going to continue to use the resources to accelerate that roadmap. The second part of it is, we are a little bit different than some companies where they kind of follow where the decision headquarters are of companies for us, we follow developers. And so, around the globe, Multinational Corporations have developers in the Philippines, in Argentina and all around the world and we needed to be there. And so, expanding our community, expanding our customer success organization around the world is critical for us. And so, that's something part of our kind of use of proceeds is the expansion of our go-to-market as well. >> Peter, modern development has changed. Next thing modern development has changed. So, traditional AppSec doesn't apply anymore. A new approach is needed. Talk to me about why Snyk believes that and what that new approach is. >> Yeah, you just go back to for 30 years, security was owned by application security teams and that's when it was kind of this waterfall application development model where they develop an app and every three, six, nine months, and then the security teams would audit that application and kind of send all the feedback, hear all the issues, go fix it, developers, and it was incredibly inefficient. And then you throw on top of this digital transformation and companies moving incredibly fast in building new applications. This agile development motion and all the incredible tools that allow developers to develop really fast. 
But then you get this very slow antiquated way of kind of testing it at the very end, right before you move the applications in production. So, it just didn't scale. And so, the concept is just way too late in the process. You really need to move security testing into that developer environment from the IDE, the CI/CD all the way through. So, when you're developing along the way, you're fixing the issues well ahead of time. And that's where modern development organizations are all this concept of shift left and building it in, into that's really the driver is moving security earlier and earlier in the software development life cycle. >> And that's key, especially you talked about the acceleration of digital transformation, but we've also seen the acceleration of the threat landscape in the last 20 months. There's been significant changes. The perimeter is so fragmented, it's expanding, the threat landscape goes all the way into outer space to low earth orbit these days. Talk to me about that as kind of a facilitator or an accelerator of what Snyk is doing to really focus on shifting security left with those developers. >> Yeah, I think people are kind of waking up to the fact that up to this point, they've spent billions and billions of dollars on endpoint securities and runtime security and all the things that are kind of in production. And they're realizing that, okay, well, why are we still vulnerable? Why do we still have these issues? And I think it's the realization that they're waiting too long to fix it. And a lot of the issues are happening. They're either new issues with moving to the cloud or they're issues that happen well before it got into production. And so, this realization that we've got to go earlier and earlier and fix these issues well before we go into production and don't wait till the very end. So, I think that's really driving the market to this shift left. 
>> And you guys have actually kind of really pivoted your go-to-market model around that developers don't try and buy software the way that IT and security teams do. Talk to me about Snyk's GTM. >> Yeah, it's very unique in that it's really marrying this model developer security approach with the way developers want to buy. So, we start with our community and we do free content and tools all around building awareness for the developer community. We have, all of our products are free, so developers can try before they buy. And if you're truly a developer solution, you offer it free and let them use it. And then when they want to collaborate and they want to integrate and automate that moves from free to paid. So, it's very much of this bottoms up motion that really allowed developers to try MI. That's a big, big driver for our business, inbound motion drives 70% of our pipeline from them coming to us from this community. And then we come in kind of top down once they kind of get into different places. And we go in through those security organizations, which are trying to shift left, trying to move security earlier, earlier and we work together with the security organizations to help move that to the developer world. So, you've got this bottoms up, developer adoption, viral adoption of Snyk within those organizations. Now, with the top-down kind of, and we become this bridge between the developer teams in engineering, and the security teams that are all trying to move in the same direction. And so, that's kind of how this market is evolved. And we're kind of that bridge for both those organizations. >> I was going to ask you about that, that bridge is critical, but also that bridge is a cultural change. I'm curious, how do you see organizations? It sounds like obviously you're, what over, I think, six, 700 customers now, a couple of million developers using the technology, so-- >> 1300 customers today. >> 1300, okay. Wow! You have had a big year. 
1300 customers, millions of developers using the technology. Talk to me a little bit about how you guys have figured out how to facilitate that cultural shift and shift security left, but also bridge between the IT and the security folks which have tended to be on sort of opposite sides of the spectrum. >> Yeah, I think the realization, I think a lot of people are very early on and I was... We'd been in the software industry for 25 years. Even nobody ever thought developers would care about security. Like there's no way developers really care about security. And really, if you think about, if you asked the developer, would you rather develop a secure app or an insecure app? If all things were equal, of course, they'd want it to be secure, but it needs to be easy. It needs to be like, don't slow me down, whatever you do, don't slow me down. And so, we have this, "Hey, it's all about speed of development, speeds, speed, speed." So, for us, we need to make it embedded, like integrated completely into that software development life cycle. So, developers don't have to be security experts, developers don't have to get out of their flow to do it, learn a different piece of software to figure out it's all embedded into that process. So, you can be fast and you can be agile, but you can also be secure at the same time. And so, part of that is embedding education and other things in there to learn that expansion of getting in the door and kind of building that momentum within these development communities all around the world. And so, I think we help all our customers with that kind of developer adoption and working together with the security teams and engineering teams on how we roll that out around best practices. And in some of the things we've learned over the six and a half years of doing this. >> It sounds very strategic and methodical and a great approach that is obviously quite successful. We talked about the growth trajectory now, 1300 customers. 
Let's talk about what you guys are doing with AWS. Here we are at re:Invent this year. Talk to me about this Snyk, AWS partnership. >> Yeah, it's been really gaining momentum over the past year and a half, almost two years now. AWS, a lot of the workloads, one of the reasons, a lot of the applications don't go to the cloud is because of security issues and moving workloads to the cloud. Also developing applications in the cloud, security is a critical part of it. So, AWS is obviously infrastructure, but they also need solutions that allow them to make sure that those companies that are developing on AWS are secure. And so, we've integrated our Intel database into AWS Inspector. We have a lot of offerings, very specific AWS offerings that our mutual customers can leverage. And we work very collaboratively with AWS in not only our technical roadmap with them, but also our go-to-market side, which is very much aligned. And it's continuing, we kind of, I say, we're in the second inning of that game. We got a lot more coming. >> Okay, but well aligned. Give me a customer example, if you will, have joined AWS Snyk customer that you've really helped with this transition, shifting security left they're building apps in the AWS cloud very successfully and securely. >> Yeah, I'd well, almost every company has some relationship with size with AWS. And so, for us, it's one of the first questions we ask anybody coming in is what's your relationship with one of the cloud vendors? And that inevitably it'll be, yeah, we have a relationship with AWS. And so, we talk about our roadmap that we have with AWS. They can buy our software through the AWS marketplace. You could leverage kind of your EDPs that you have with AWS to kind of build that scale. So, we're very technically aligned with the AWS platform. And so, you look at financial services, we've done a fair amount of financial services, insurance companies that are all kind of moving more workloads to AWS. 
Some of them have been our customers before, some of them separate from AWS, and now they're kind of, "Hey, can I move all my apps over and leverage Snyk in that process?" So, it's now, a good part of our go-to-market motion is coming through AWS marketplace as well. So, it's been a very successful partnership on both parties. >> A lot of momentum there, speaking of momentum, we talked about the funding raise this year alone, tremendous momentum going on for the company. What are some of the things that we can expect to see from Snyk in calendar year 22? >> Yeah, well, aggressive roadmap. I mean, that's still, we see, we have four modules today. We started with one and we added to, that was open source security. We added a container security, infrastructure as code security. Then we added code security or a SAST solution. We see modules five, six, seven coming out. We made an acquisition of drift technology, adding into kind of adding some more depth. So, you're going to see just a lot more continued aggressiveness on our side, as we scale both our engineering, organically and inorganically, but also, the go-to-market, now we're almost in all the major countries around the world and we're going to continue to invest in building that out and going where the developers are, the 28 million developers around the world. Our goal is to reach every one of them as fast as we possibly can with our free or paid, or whatever way is to get to 28 million developers as fast as we can. >> So, for those developers watching, where do you want to point them to go to, to start their free trial. >> Just go right to our website, snyk.io and you can get all of our products free, you can chat, schedule demos, you can do everything very easily if not. And it's very self-service so, if you don't want to talk to anybody, you don't have to talk to anybody, but if you do, we have plenty of people you can talk to. That's our world, frictionless motion. 
>> Frictionless and contactless at the same time, Peter, congratulations on the growth and momentum of the company. What you're doing, the evolution of the partnership with AWS and that lofty goal to reach 28 million developers. I'm looking forward to our next conversation to see where you are on that progress. >> Same thing, same here, Lisa, thank you for your time. >> Oh, likewise. For Peter McKay, I'm Lisa Martin and you're watching theCUBE's continuous coverage of AWS re:Invent 2021. Stick around, more great content coming up next. (soft upbeat music)
Sanjeev Mohan, SanjMo & Nong Li, Okera | AWS Startup Showcase
(cheerful music) >> Hello everyone, welcome to today's session of theCUBE's presentation of AWS Startup Showcase, New Breakthroughs in DevOps, Data Analytics, Cloud Management Tools, featuring Okera from the cloud management migration track. I'm John Furrier, your host. We've got two great special guests today, Nong Li, founder and CTO of Okera, and Sanjeev Mohan, principal @SanjMo, and former research vice president of big data and advanced analytics at Gartner. He's a legend, been around the industry for a long time, seen the big data trends from the past, present, and knows the future. Got a great lineup here. Gentlemen, thank you for this, so, life in the trenches, lessons learned across compliance, cloud migration, analytics, and use cases for Fortune 1000s. Thanks for joining us. >> Thanks for having us. >> So Sanjeev, great to see you, I know you've seen this movie, I was saying that in the open, you've at Gartner seen all the visionaries, the leaders, you know everything about this space. It's changing extremely fast, and one of the big topics right out of the gate is not just innovation, we'll get to that, that's the fun part, but it's the regulatory compliance and audit piece of it. It's keeping people up at night, and frankly if not done right, slows things down. This is a big part of the showcase here, is to solve these problems. Share us your thoughts, what's your take on this wide-ranging issue? >> So, thank you, John, for bringing this up, and I'm so happy you mentioned the fact that, there's this notion that it can slow things down. Well I have to say that the old way of doing governance slowed things down, because it was very much about control and command. But the new approach to data governance is actually in my opinion, it's liberating data. 
If you want to democratize or monetize, whatever you want to call it, you cannot do it 'til you know you can trust said data and it's governed in some ways, so data governance has actually become very interesting, and today if you want to talk about three different areas within compliance regulatory, for example, we all know about the EU GDPR, we know California has CCPA, and in fact California is now getting even a more stringent version called CPRA in a couple of years, which is more aligned to GDPR. That is a first area we know we need to comply to that, we don't have any way out. But then, there are other areas, there is insider trading, there is how you secure the data that comes from third parties, you know, vendors, partners, suppliers, so Nong, I'd love to hand it over to you, and see if you can maybe throw some light into how our customers are handling these use cases. >> Yeah, absolutely, and I love what you said about balancing agility and liberating, in the face of what may be seen as things that slow you down. So we work with customers across verticals with old and new regulations, so you know, you brought up GDPR. One of our clients is using this to great effect to power their ecosystem. They are a very large retail company that has operations and customers across the world, obviously the importance of GDPR, and the regulations that imposes on them are very top of mind, and at the same time, being able to do effective targeting analytics on customer information is equally critical, right? So they're exactly at that spot where they need this customer insight for powering their business, and then the regulatory concerns are extremely prevalent for them. So in the context of GDPR, you'll hear about things like consent management and right to be forgotten, right? I, as a customer of that retailer should say "I don't want my information used for this purpose," right? "Use it for this, but not this." 
And you can imagine at a very, very large scale, when you have a billion customers, managing that, all the data you've collected over time through all of your devices, all of your telemetry, really, really challenging. And they're leveraging Okera embedded into their analytics platform so they can do both, right? Their data scientists and analysts who need to do everything they're doing to power the business, not have to think about these kind of very granular customer filtering requirements that need to happen, and then they leverage us to do that. So that's kind of new, right, GDPR, relatively new stuff at this point, but we obviously also work with customers that have regulations from a long long time ago, right? So I think you also mentioned insider trading and that supply chain, so we'll talk to customers, and they want really data-driven decisions on their supply chain, everything about their production pipeline, right? They want to understand all of that, and of course that makes sense, whether you're the CFO, if you're going to make business decisions, you need that information readily available, and supply chains as we know get more and more and more complex, we have more and more integrated into manufacturing and other verticals. So that's your, you're a little bit stuck, right? You want to be data-driven on those supply chain analytics, but at the same time, knowing the details of all the supply chain across all of your dependencies exposes your internal team to very high blackout periods or insider trading concerns, right? For example, if you knew Apple was buying a bunch of something, that's maybe information that only a select few people can have, and the way that manifests into data policies, 'cause you need the ability to have very, very scalable, per employee kind of scalable data restriction policies, so they can do their job easier, right? 
If we talk about speeding things up, instead of a very complex process for them to get approved, and approved on SEC regulations, all that kind of stuff, you can now go give them access to the part of the supply chain that they need, and no more, and limit their exposure and the company's exposure and all of that kind of stuff. So one of our customers able to do this, getting two orders of magnitude, a 100x reduction in the policies to manage the system like that. >> When I hear you talking like that, I think the old days of "Oh yeah, regulatory, it kind of slows down innovation, got to go faster," pretty basic variables, not a lot of combination of things to check. Now with cloud, there seems to be combinations, Sanjeev, because how complicated has the regulatory compliance and audit environment gotten in the past few years, because I hear security in a supply chain, I hear insider threats, I mean these are security channels, not just compliance department G&A kind of functions. You're talking about large-scale, potentially combinations of access, distribution, I mean it seems complicated. How much more complicated is it now, just than it was a few years ago? >> So, you know the way I look at it is, I'm just mentioning these companies just as an example, when PayPal or Ebay, all these companies started, they started in California. Anybody who ever did business on Ebay or PayPal, guess where that data was? In the US in some data center. Today you cannot do it. Today, data residency laws are really tough, and so now these organizations have to really understand what data needs to remain where. On top of that, we now have so many regulations. You know, earlier on if you were healthcare, you needed to be HIPAA compliant, or banking PCI DSS, but today, in the cloud, you really need to know, what data I have, what sensitive data I have, how do I discover it? So that data discovery becomes really important. 
What roles I have, so for example, let's say I work for a bank in the US, and I decide to move to Germany. Now, the old school is that a new rule will be created for me, because of German... >> John: New email address, all these new things happen, right? >> Right, exactly. So you end up with this really, a mass of rules and... And these are all static. >> Rules and tools, oh my god. >> Yeah. So Okera actually makes a lot of this dynamic, which reduces your cloud migration overhead, and Nong used some great examples, in fact, sorry if I take just a second, without mentioning any names, there's one of the largest banks in the world is going global in the digital space for the first time, and they're taking Okera with them. So... >> But what's the point? This is my next topic in cloud migration, I want to bring this up because, complexity, when you're in that old school kind of data center, waterfall, these old rules and tools, you have to roll this out, and it's a pain in the butt for everybody, it's a hassle, huge hassle. Cloud gives the agility, we know that, and cloud's becoming more secure, and I think now people see the on-premise, certainly things that'd be on-premises for secure things, I get that, but when you start getting into agility, and you now have cloud regions, you can start being more programmatic, so I want to get you guys' thoughts on the cloud migration, how companies who are now lifting and shifting, replatforming, what's the refactoring beyond that, because you can replatform in the cloud, and still some are kind of holding back on that. Then when you're in the cloud, the ones that are winning, the companies that are winning are the ones that are refactoring in the cloud. Doing things different with new services. Sanjeev, you start. >> Yeah, so you know, in fact lot of people tell me, "You know, we are just going to lift and shift into the cloud." But you're literally using cloud as a data center. 
You still have all the, if I may say, junk you had on-prem, you just moved it into the cloud, and now you're paying for it. In cloud, nothing is free. Every storage, every processing, you're going to pay for it. The most successful companies are the ones that are replatforming, they are taking advantage of the platform as a service or software as a service, so that includes things like, you pay as you go, you pay for exactly the amount you use, so you scale up and scale down or scale out and scale in, pretty quickly, you know? So you're handling that demand, so without replatforming, you are not really utilizing your- >> John: It's just hosting. >> Yeah, you're just hosting. >> It's basically hosting if you're not doing anything right there. >> Right. The reason why people sometimes resist to replatform, is because there's a hidden cost that we don't really talk about, PaaS adds 3x to IaaS cost. So, some organizations that are very mature, and they have a few thousand people in the IT department, for them, they're like "No, we just want to run it in the cloud, we have the expertise, and it's cheaper for us." But in the long run, to get the most benefit, people should think of using cloud as a service. >> Nong what's your take, because you see examples of companies, I'll just call one out, Snowflake for instance, they're essentially a data warehouse in the cloud, they refactored and they replatformed, they have a competitive advantage with the scale, so they have things that others don't have, that just hosting. Or even on-premise. The new model developing where there's real advantages, and how should companies think about this when they have to manage these data lakes, and they have to manage all these new access methods, but they want to maintain that operational stability and control and growth? >> Yeah, so. No? Yeah. >> There's a few topics that are all (indistinct) this topic. 
(indistinct) enterprises moving to the cloud, they do this maybe for some cost savings, but a ton of it is agility, right? The motor that the business can run at is just so much faster. So we'll work with companies in the context of cloud migration for data, where they might have a data warehouse they've been using for 20 years, and building policies over that time, right? And it's taking a long time to go proof of access and those kind of things, made more sense, right? If it took you months to procure a physical infrastructure, get machines shipped to your data center, then this data access taking so long feels okay, right? That's kind of the same rate that everything is moving. In the cloud, you can spin up new infrastructure instantly, so you don't want approvals for getting policies, creating rules, all that stuff that Sanjeev was talking about, that being slow is a huge, huge problem. So this is a very common environment that we see where they're trying to do that kind of thing. And then, for replatforming, again, they've been building these roles and processes and policies for 20 years. What they don't want to do is take 20 years to go migrate all that stuff into the cloud, right? That's probably an experience nobody wants to repeat, and frankly for many of them, people who did it originally may or may not be involved in this kind of effort. So we work with a lot of companies like that, they have their, they want stability, they got to have the business running as normal, they got to get moving into the new infrastructure, doing it in a new way that, you know, with all the kind of lessons learned, so, as Sanjeev said, one of these big banks that we work with, that classical story of on-premise data warehousing, maybe a little bit of Hadoop, moved onto AWS, S3, Snowflake, that kind of setup, extremely intricate policies, but let's go reimagine how we can do this faster, right? 
What we like to talk about is, you're an organization, you need a design that, if you onboarded 1000 more data users, that's got to be way, way easier than the first 10 you onboarded, right? You got to get it to be easier over time, in a really, really significant way. >> Talk about the data authorization safety factor, because I can almost imagine all the intricacies of these different tools creates specialism amongst people who operate them. And each one might have their own little authorization nuance. Trend is not to have that siloed mentality. What's your take on clients that want to just "Hey, you know what? I want to have the maximum agility, but I don't want to get caught in the weeds on some of these tripwires around access and authorization." >> Yeah, absolutely, I think it's real important to get the balance of it, right? Because if you are an enterprise, or if you have diverse teams, you want them to have the ability to use tools as best of breed for their purpose, right? But you don't want to have it be so that every tool has its own access and provisioning and whatever, that's definitely going to be a security, or at least, a lot of friction for you to get things going. So we think about that really hard, I think we've seen great success with things like SSO and Okta, right? Unifying authentication. We think there's a very, very similar thing about to happen with authorization. You want that single control plane that can integrate with all the tools, and still get the best of what you need, but it's much, much easier (indistinct). >> Okta's a great example, if people don't want to build their own thing and just go with that, same with what you guys are doing. That seems to be the dots that are connecting you, Sanjeev. The ease of use, but yet the stability factor. >> Right. Yeah, because John, today I may want to bring up a SQL editor to go into Snowflake, just as an example. Tomorrow, I may want to use the Azure Bot, you know? 
I may not even want to go to Snowflake, I may want to go to an underlying piece of data, or I may use Power BI, you know, for some reason, and come from Azure side, so the point is that, unless we are able to control, in some sort of a centralized manner, we will not get that consistency. And security you know is all or nothing. You cannot say "Well, I secured my Snowflake, but if you come through HDFS, Hadoop, or some, you know, that is outside of my realm, or my scope," what's the point? So that is why it is really important to have a watertight way, in fact I'm using just a few examples, maybe tomorrow I decide to use a data catalog, or I use Denodo as my data virtualization and I run a query. I'm the same identity, but I'm using different tools. I may use it from home, over VPN, or I may use it from the office, so you want this kind of flexibility, all encompassed in a policy, rather than a separate rule if you do this and this, if you do that, because then you end up with literally thousands of rules. >> And it's never going to stop, either, it's like fashion, the next tool's going to come out, it's going to be cool, and people are going to want to use it, again, you don't want to have to then move the train from the compliance side this way or that way, it's a lot of hassle, right? So we have that one capability, you can bring on new things pretty quickly. Nong, am I getting it right, this is kind of like the trend, that you're going to see more and more tools and/or things that are relevant or, certain use cases that might justify it, but yet, AppSec review, compliance review, I mean, good luck with that, right? >> Yeah, absolutely, I mean we certainly expect tools to continue to get more and more diverse, and better, right? Most innovation in the data space, and I think we... This is a great time for that, a lot of things that need to happen, and so on and so forth. 
So I think one of the early goals of the company, when we were just brainstorming, is we don't want data teams to not be able to use the tools because it doesn't have the right security (indistinct), right? Often those tools may not be focused on that particular area. They're great at what they do, but we want to make sure they're enabled, they do some enterprise investments, they see broader adoption much easier. A lot of those things. >> And I can hear the sirens in the background, that's someone who's not using your platform, they need some help there. But that's the case, I mean if you don't get this right, there are some consequences, and I think one of the things I would like to bring up on next track is, to talk through with you guys is, the persona pigeonhole role, "Oh yeah, a data person, the developer, the DevOps, the SRE," you start to see now, developers and with cloud developers, and data folks, people, however they get pigeonholed, kind of blending in, okay? You got data services, you got analytics, you got data scientists, you got more democratization, all these things are being kicked around, but the notion of a developer now is a data developer, because cloud is about DevOps, data is now a big part of it, it's not just some department, it's actually blending in. Just a cultural shift, can you guys share your thoughts on this trend of data people versus developers now becoming kind of one, do you guys see this happening, and if so, how? >> So when, John, I started my career, I was a DBA, and then a data architect. Today, I think you cannot have a DBA who's not a developer. That's just my opinion. Because there is so much of CICD, DevOps, that happens today, and you know, you write your code in Python, you put it in version control, you deploy using Jenkins, you roll back if there's a problem. And then, you are interacting, you're building your data to be consumed as a service. 
People in the past, you would have a thick client that would connect to the database over TCP/IP. Today, people don't want to connect over TCP/IP necessarily, they want to go by HTTP. And they want an API gateway in the middle. So, if you're a data architect or DBA, now you have to worry about, "I have a REST API call that's coming in, how am I going to secure that, and make sure that people are allowed to see that?" And that was just yesterday. >> Exactly. Got to build an abstraction layer. You got to build an abstraction layer. The old days, you have to worry about schema, and do all that, it was hard work back then, but now, it's much different. You got serverless, functions are going to show way... It's happening. >> Correct, GraphQL, and semantic layer, that just blows me away because, it used to be, it was all in database, then we took it out of database and we put it in a BI tool. So we said, like BusinessObjects started this whole trend. So we're like "Let's put the semantic layer there," well okay, great, but that was when everything was surrounding BusinessObjects and Oracle Database, or some other database, but today what if somebody brings Power BI or Tableau or Qlik, you know? Now you don't have a semantic layer access. So you cannot have it in the BI layer, so you move it down to its own layer. So now you've got a semantic layer, then where do you store your metrics? Same story repeats, you have a metrics layer, then the data centers want to do feature engineering, where do you store your features? You have a feature store. 
And before you know, this stack has disaggregated over and over and over, and then you've got layers and layers of specialization that are happening, there's query accelerators like Dremio or Trino, so you've got your data here, which Nong is trying really hard to protect, and then you've got layers and layers and layers of abstraction, and networks are fast, so the end user gets great service, but it's a nightmare for architects to bring all these things together. >> How do you tame the complexity? What's the bottom line? >> Nong? >> Yeah, so, I think... So there's a few things you need to do, right? So, we need to re-think how we express security permanence, right? I think you guys have just maybe in passing (indistinct) talked about creating all these rules and all that kind of stuff, that's been the way we've done things forever. We get to think about policies and mechanisms that are much more dynamic, right? You need to really think about not having to do any additional work, for the new things you add to the system. That's really, really core to solving the complexity problem, right? 'Cause that gets you those orders of magnitude reduction, system's got to be more expressive and map to those policies. That's one. And then second, it's got to be implemented at the right layer, right, to Sanjeev's point, close to the data, and it can service all of those applications and use cases at the same time, and have that uniformity and breadth of support. So those two things have to happen. >> Love this universal data authorization vision that you guys have. Super impressive, we had a CUBE Conversation earlier with Nick Halsey, who's a veteran in the industry, and he likes it. That's a good sign, 'cause he's seen a lot of stuff, too, Sanjeev, like yourself. 
This is a new thing, you're seeing compliance being addressed, and with programmatic, I'm imagining there's going to be bots someday, very quickly with AI that's going to scale that up, so they kind of don't get in the innovation way, they can still get what they need, and enable innovation. You've got cloud migration, which is only going faster and faster. Nong, you mentioned speed, that's what CloudOps is all about, developers want speed, not things in days or hours, they want it in minutes and seconds. And then finally, ultimately, how's it scale up, how does it scale up for the people operating and/or programming? These are three major pieces. What happens next? Where do we go from here, what's, the customer's sitting there saying "I need help, I need trust, I need scale, I need security." >> So, I just wrote a blog, if I may diverge a bit, on data observability. And you know, so there are a lot of these little topics that are critical, DataOps is one of them, so to me data observability is really having a transparent view of, what is the state of your data in the pipeline, anywhere in the pipeline? So you know, when we talk to these large banks, these banks have like 1000, over 1000 data pipelines working every night, because they've got that hundred, 200 data sources from which they're bringing data in. Then they're doing all kinds of data integration, they have, you know, we talked about Python or Informatica, or whatever data integration, data transformation product you're using, so you're combining this data, writing it into an analytical data store, something's going to break. So, to me, data observability becomes a very critical thing, because it shows me something broke, walk me down the pipeline, so I know where it broke. Maybe the data drifted. And I know Okera does a lot of work in data drift, you know? So this is... Nong, jump in any time, because I know we have use cases for that. 
>> Nong, before you get in there, I just want to highlight a quick point. I think you're onto something there, Sanjeev, because we've been reporting, and we believe, that data workflows is intellectual property. And has to be protected. Nong, go ahead, your thoughts, go ahead. >> Yeah, I mean, the observability thing is critically important. I would say when you want to think about what's next, I think it's really effectively bridging tools and processes and systems and teams that are focused on data production, with the data analysts, data scientists, that are focused on data consumption, right? I think bridging those two, which cover a lot of the topics we talked about, that's kind of where security almost meets, that's kind of where you got to draw it. I think for observability and pipelines and data movement, understanding that is essential. And I think broadly, on all of these topics, where all of us can be better, is if we're able to close the loop, get the feedback loop of success. So data drift is an example of the loop rarely being closed. It drifts upstream, and downstream users can take forever to figure out what's going on. And we'll have similar examples related to buy-ins, or data quality, all those kind of things, so I think that's really a problem that a lot of us should think about. How do we make sure that loop is closed as quickly as possible? >> Great insight. Quick aside, as the founder CTO, how's life going for you, you feel good? I mean, you started a company, doing great, it's not drifting, it's right in the stream, mainstream, right in the wheelhouse of where the trends are, you guys have a really crosshairs on the real issues, how you feeling, tell us a little bit about how you see the vision. 
>> Yeah, I obviously feel really good, I mean we started the company a little over five years ago, there are kind of a few things that we bet would happen, and I think those things were out of our control, I don't think we would've predicted GDPR security and those kind of things being as prominent as they are. Those things have really matured, probably as best as we could've hoped, so that feels awesome. Yeah, (indistinct) really expanded in these years, and it feels good. Feels like we're in the right spot. >> Yeah, it's great, data's competitive advantage, and certainly has a lot of issues. It could be a blocker if not done properly, and you're doing great work. Congratulations on your company. Sanjeev, thanks for kind of being my cohost in this segment, great to have you on, been following your work, and you continue to unpack it at your new place that you started. SanjMo, good to see your Twitter handle taking on the name of your new firm, congratulations. Thanks for coming on. >> Thank you so much, such a pleasure. >> Appreciate it. Okay, I'm John Furrier with theCUBE, you're watching today's session presentation of AWS Startup Showcase, featuring Okera, a hot startup, check 'em out, great solution, with a really great concept. Thanks for watching. (calm music)
Nimrod Vax, BigID | AWS re:Invent 2020 Partner Network Day
>> Announcer: From around the globe, it's theCUBE. With digital coverage of AWS re:Invent 2020. Special coverage sponsored by AWS global partner network. >> Okay, welcome back everyone to theCUBE virtual coverage of re:Invent 2020 virtual. Normally we're in person, this year because of the pandemic we're doing remote interviews and we've got a great coverage here of the APN, Amazon Partner Network experience. I'm your host John Furrier, we are theCUBE virtual. Got a great guest from Tel Aviv remotely calling in and videoing, Nimrod Vax, who is the chief product officer and co-founder of BigID. This is the beautiful thing about remote, you're in Tel Aviv, I'm in Palo Alto, great to see you. We're not in person but thanks for coming on. >> Thank you. Great to see you as well. >> So you guys have had a lot of success at BigID, I've noticed a lot of awards, startup to watch, company to watch, kind of a good market opportunity data, data at scale, identification, as the web evolves beyond web presence identification, authentication is super important. You guys are called BigID. What's the purpose of the company? Why do you exist? What's the value proposition? >> So first of all, best startup to work at based on Glassdoor worldwide, so that's a big achievement too. So look, four years ago we started BigID when we realized that there is a gap in the market between the new demands from organizations in terms of how to protect their personal and sensitive information that they collect about their customers, their employees. The regulations were becoming more strict but the tools that were out there, to the large extent still are there, were not providing to those requirements and organizations have to deal with some of those challenges in manual processes, right? For example, the right to be forgotten. Organizations need to be able to find and delete a person's data if they want to be deleted. That's based on GDPR and later on even CCPA. 
And organizations have no way of doing it because the tools that were available could not tell them whose data it is that they found. The tools were very siloed. They were looking at either unstructured data and file shares or windows and so forth, or they were looking at databases, there was nothing for Big Data, there was nothing for cloud business applications. And so we identified that there is a gap here and we addressed it by building BigID basically to address those challenges. >> That's great, great stuff. And I remember four years ago when I was banging on the table and saying, you know regulation can stunt innovation because you had the confluence of massive platform shifts combined with the business pressure from society. That's not stopping and it's continuing today. You seeing it globally, whether it's fake news in journalism, to privacy concerns where modern applications, this is not going away. You guys have a great market opportunity. What is the product? What is smallID? What do you guys got right now? How do customers maintain the success as the ground continues to shift under them as platforms become more prevalent, more tools, more platforms, more everything? >> So, I'll start with BigID. What is BigID? So BigID really helps organizations better manage and protect the data that they own. And it does that by connecting to everything you have around structured databases and unstructured file shares, big data, cloud storage, business applications and then providing very deep insight into that data. Cataloging all the data, so you know what data you have where and classifying it so you know what type of data you have. Plus you're analyzing the data to find similar and duplicate data and then correlating them to an identity. Very strong, very broad solution fit for IT organization. We have some of the largest organizations out there, the biggest retailers, the biggest financial services organizations, manufacturing and et cetera. 
What we are seeing is that there are, with the adoption of cloud and business success obviously of AWS, that there are a lot of organizations that are not as big, that don't have an IT organization, that have a very well functioning DevOps organization but still have a very big footprint in Amazon and in other kind of cloud services. And they want to get visibility and they want to do it quickly. And the SmallID is really built for that. SmallID is a lightweight version of BigID that is cloud-native built for your AWS environment. And what it means is that you can quickly install it using CloudFormation templates straight from the AWS marketplace. Quickly stand up an environment that can scan, discover your assets in your account automatically and give you immediate visibility into that, your S3 bucket, into your DynamoDB environments, into your EMR clusters, into your Athena databases and immediately building a full catalog of all the data, so you know what files you have where, you know where what tables, what technical metadata, operational metadata, business metadata and also classified data information. So you know where you have sensitive information and you can immediately address that and apply controls to that information. >> So this is data discovery. So the use case is, I'm an Amazon partner, I mean we use theCUBE virtuals on Amazon, but let's just say hypothetically, we're growing like crazy. Got S3 buckets over here secure, encrypted and the rest, all that stuff. Things are happening, we're growing like a weed. Do we just deploy smallIDs and how it works? Is that use cases, SmallID is for AWS and BigID for everything else or? >> You can start small with SmallID, you get the visibility you need, you can leverage the automation of AWS so that you automatically discover those data sources, connect to them and get visibility. And you could grow into BigID using the same deployment inside AWS. 
You don't have to switch migrate and you use the same container cluster that is running inside your account and automatically scale it up and then connect to other systems or benefit from the more advanced capabilities the BigID can offer such as correlation, by connecting to maybe your Salesforce, CRM system and getting the ability to correlate to your customer data and understand also whose data it is that you're storing. Connecting to your on-premise mainframe, with the same deployment connecting to your Google Drive or Office 365. But the point is that with the smallID you can really start quickly, small with a very small team and get that visibility very quickly. >> Nimrod, I want to ask you a question. What is the definition of cloud native data discovery? What does that mean to you? >> So cloud native means that it leverages all the benefits of the cloud. Like it gets all of the automation and visibility that you get in a cloud environment versus any traditional on-prem environment. So one thing is that BigID is installed directly from your marketplace. So you could browse, find its solution on the AWS marketplace and purchase it. It gets deployed using CloudFormation templates very easily and very quickly. It runs on an elastic container service so that once it runs you can automatically scale it up and down to increase the scan and the scale capabilities of the solution. It connects automatically behind the scenes into the security hub of AWS. So you get those alerts, the policy alerts fed into your security hub. It has integration also directly into the native logging capabilities of AWS. So your existing Datadog or whatever you're using for monitoring can plug into it automatically. That's what we mean by cloud native. >> And if you're cloud native you got to be positioned to take advantage of the data and machine learning in particular. Can you expand on the role of machine learning in your solution? 
Customers are leaning in heavily this year, you're seeing more uptake on machine learning which is basically AI, AI is machine learning, but it's all tied together. ML is big on all the deployments. Can you share your thoughts? >> Yeah, absolutely. So data discovery is a very tough problem and it has been around for 20 years. And the traditional methods of classifying the data or understanding what type of data you have has been, you're looking at the pattern of the data. Typically regular expressions or types of kind of pattern-matching techniques that look at the data. But sometimes in order to know what is personal or what is sensitive it's not enough to look at the pattern of the data. How do you distinguish between a date of birth and any other date. Date of birth is much more sensitive. How do you find country of residency or how do you identify even a first name from the last name? So for that, you need more advanced, more sophisticated capabilities that go beyond just pattern matching. And BigID has a variety of those techniques, we call that discovery-in-depth. What it means is that very similar to security-in-depth where you can not rely on a single security control to protect your environment, you can not rely on a single discovery method to truly classify the data. So yes, we have regular expression, that's the table stakes basic capability of data classification but if you want to find data that is more contextual like a first name, last name, even a phone number and distinguish between a phone number and just a sequence of numbers, you need more contextual NLP based discovery, named entity recognition. We're using (indistinct) to extract and find data contextually. We also apply deep learning, CNN capable, it's called CNN, which is basically deep learning in order to identify and classify document types. Which is basically being able to distinguish between a resume and a application form. Finding financial records, finding medical records. 
So our advanced NLP classifiers can find that type of data. The more advanced capabilities that go beyond the smallID into BigID also include cluster analysis which is an unsupervised machine learning method of finding duplicate and similar data correlation and other techniques that are more contextual and need to use machine learning for that. >> Yeah, and unsupervised that's a lot harder than supervised. You need to have that ability to get that what you can't see. You got to get the blind spots identified and that's really the key observational data you need. This brings up the kind of operational you heard cluster, I hear governance security you mentioned earlier GDPR, this is an operational impact. Can you talk about how it impacts on specifically on the privacy protection and governance side because certainly I get the clustering side of it, operationally just great. Everyone needs to get that. But now on the business model side, this is where people are spending a lot of time scared and worried actually. What the hell to do? >> One of the things that we realized very early on when we started with BigID is that everybody needs a discovery. You need discovery and we actually started with privacy. You need discovery in route to map your data and apply the privacy controls. You need discovery for security, like we said, right? Find and identify sensitive data and apply controls. And you also need discovery for data enablement. You want to discover the data, you want to enable it, to govern it, to make it accessible to the other parts of your business. So discovery is really a foundation and starting point and that you get there with smallID. How do you operationalize that? So BigID has the concept of an application framework. Think about it like an Apple store for data discovery where you can run applications inside your kind of discovery iPhone in order to run specific (indistinct) use cases. So, how do you operationalize privacy use cases? 
We have applications for privacy use cases like subject access requests and data rights fulfillment, right? Under the CCPA, you have the right to request your data, what data is being stored about you. BigID can help you find all that data in the catalog that after we scan and find that information we can find any individual data. We have an application also in the privacy space for consent governance right under CCPA. And you have the right to opt out. If you opt out, your data cannot be sold, cannot be used. How do you enforce that? How do you make sure that if someone opted out, that person's data is not being pumped into Glue, into some other system for analytics, into Redshift or Snowflake? BigID can identify a specific person's data and make sure that it's not being used for analytics and alert if there is a violation. So that's just an example of how you operationalize this knowledge for privacy. And we have more examples also for data enablement and data management. >> There's so much headroom opportunity to build out new functionality, make it programmable. I really appreciate what you guys are doing, totally needed in the industry. I could just see endless opportunities to make this operationally scalable, more programmable, once you kind of get the foundation out there. So congratulations, Nimrod and the whole team. The question I want to ask you, we're here at re:Invent's virtual, three weeks we're here covering Cube action, check out theCUBE experience zone, the partner experience. What is the difference between BigID and say Amazon's Macie? Let's think about that. So how do you compare and contrast, in Amazon they say we love partnering, but we promote our ecosystem. You guys sure have a similar thing. What's the difference? >> There's a big difference. Yes, there is some overlap because both a smallID and Macie can classify data in S3 buckets. And Macie does a pretty good job at it, right? I'm not arguing about it. 
But smallID is not only about scanning for sensitive data in S3. It also scans anything else you have in your AWS environment, like DynamoDB, like EMR, like Athena. We're also adding Redshift soon, Glue and other rare data sources as well. And it's not only about identifying and alerting on sensitive data, it's about building full catalog (indistinct) It's about giving you almost like a full registry of your data in AWS, where you can look up any type of data and see where it's found across structured, unstructured big data repositories that you're handling inside your AWS environment. So it's broader than just for security. Apart from the fact that they're used for privacy, I would say the biggest value of it is by building that catalog and making it accessible for data enablement, enabling your data across the board for other use cases, for analytics in Redshift, for Glue, for data integrations, for various other purposes. We have also integration into Kinesis to be able to scan and let you know which topics, use what type of data. So it's really a very, very robust full-blown catalog of the data that across the board that is dynamic. And also like you mentioned, accessible to APIs. Very much like the AWS tradition. >> Yeah, great stuff. I got to ask you a question while you're here. You're the co-founder and again congratulations on your success. Also the chief product officer of BigID, what's your advice to your colleagues and potentially new friends out there that are watching here? And let's take it from the entrepreneurial perspective. I have an application and I start growing and maybe I have funding, maybe I take a more pragmatic approach versus raising billions of dollars. But as you grow the pressure for AppSec reviews, having all the table stakes features, how do you advise developers or entrepreneurs or even business people, small medium-sized enterprises to prepare? 
Is there a way, is there a playbook to say, rather than looking back saying, oh, I didn't do with all the things I got to go back and retrofit, get BigID. Is there a playbook that you see that will help companies so they don't get killed with AppSec reviews and privacy compliance reviews? Could be a waste of time. What's your thoughts on all this? >> Well, I think that very early on when we started BigID, and that was our perspective is that we knew that we are a security and privacy company. So we had to take that very seriously upfront and be prepared. Security cannot be an afterthought. It's something that needs to be built in. And from day one we have taken all of the steps that were needed in order to make sure that what we're building is robust and secure. And that includes, obviously applying all of the code and CI/CD tools that are available for testing your code, whether it's (indistinct), these type of tools. Applying and providing, penetration testing and working with best in line kind of pen testing companies and white hat hackers that would look at your code. These are kind of the things that, that's what you get funding for, right? >> Yeah. >> And you need to take advantage of that and use them. And then as soon as we got bigger, we also invested in a very, kind of a very strong CSO that comes from the industry that has a lot of expertise and a lot of credibility. We also have kind of CSO group. So, each step of funding we've used extensively also to make our kind of security posture a lot more robust and invisible. >> Final question for you. When should someone buy BigID? When should they engage? Is it something that people can just download immediately and integrate? Do you have to have, is the go-to-market kind of a new target the VP level or is it the... How does someone know when to buy you and download it and use the software? Take us through the use case of how customers engage with. 
>> Yeah, so customers directly have those requirements when they start hitting and having to comply with regulations around privacy and security. So very early on, especially organizations that deal with consumer information, get to a point where they need to be accountable for the data that they store about their customers and they want to be able to know their data and provide the privacy controls they need to their consumers. For our BigID product this typically is a kind of a medium size and up company, and with an IT organization. For smallID, this is a good fit for companies that are much smaller, that operate mostly out of their, their IT is basically their DevOps teams. And once they have more than 10, 20 data sources in AWS, that's where they start losing count of the data that they have and they need to get more visibility and be able to control what data is being stored there. Because very quickly you start losing count of data information, even for an organization like BigID, which isn't a bigger organization, right? We have 200 employees. We are at the point where it's hard to keep track and keep control of all the data that is being stored in all of the different data sources, right? In AWS, in Google Drive, in some of our other sources, right? And that's the point where you need to start thinking about having that visibility. >> Yeah, like all growth plan, dream big, start small and get big. And I think that's a nice pathway. So small gets you going and you lead right into the BigID. Great stuff. Final, final question for you while I got you here. Why the awards? Someone's like, hey, BigID is this cool company, love the founder, love the team, love the value proposition, makes a lot of sense. Why all the awards? >> Look, I think one of the things that was compelling about BigID from the beginning is that we did things differently. Our whole approach for personal data discovery is unique. 
And instead of looking at the data, we started by looking at the identities, the people and finally looking at their data, learning how their data looks like and then searching for that information. So that was a very different approach to the traditional approach of data discovery. And we continue to innovate and to look at those problems from a different perspective so we can offer our customers an alternative to what was done in the past. It's not saying that we don't do the basic stuffs. The regex is the connectivity that is needed. But we always took a slightly different approach to diversify, to offer something slightly different and more comprehensive. And I think that was the thing that really attracted us from the beginning with the RSA Innovation Sandbox award that we won in 2018, the Gartner Cool Vendor award that we received. And later on also the other awards. And I think that's the unique aspect of BigID. >> You know you solve big problems than certainly as needed. We saw this early on and again I don't think that the problem is going to go away anytime soon, platforms are emerging, more tools than ever before that converge into platforms and as the logic changes at the top all of that's moving onto the underground. So, congratulations, great insight. >> Thank you very much. >> Thank you. Thank you for coming on theCUBE. Appreciate it Nimrod. Okay, I'm John Furrier. We are theCUBE virtual here for the partner experience APN virtual. Thanks for watching. (gentle music)
Janine Teo, Hugo Richard & Vincent Quah V1
>> Announcer: From around the globe, it's theCUBE with digital coverage of AWS Public Sector Online brought to you by Amazon Web Services. >> Welcome back to theCUBE's Virtual coverage of Amazon Web Services, AWS Public Sector Summit Online. We couldn't be there in person, but we're doing remote interviews. I'm John Furrier, your host of the cube. We've got a great segment from Asia Pacific on the other side of the world from California, about social impact, transforming teaching and learning with Cloud technology we've got three great guests. Hugo Richard is the CEO and co-founder of Dystech and Janine Teo CEO and founder of Solve Education founders and CEOs of startups is great Vincent Quah is the APAC Regional Head of Education, Healthcare Not-For-Profit and Research for AWS. (indistinct) big program. Vincent, thanks for coming on Janine and Hugo thank you for joining. >> Thanks for having us, John. >> Thanks John So, we're not there in person. We're doing remote interviews. I'm really glad to have this topic because now more than ever social change is happening. This next generation is building software and applications to solve big problems. And it's not like yesterday's problems, they're today's problems and learning and mentoring and starting companies are all happening virtually, digitally, and also in person. So the world's changing. So I got to ask you, Vincent we'll start with you Amazon, obviously big (indistinct) culture. You got two great founders here and CEOs doing some great stuff. Tell us a little bit what's going on at APAC, a lot of activity. I mean re-invent and the summits out there are really popular. Give us an update on what's happening. >> Thank you, thank you for the question, John. I think it's extremely exciting, especially in today's context, that we are seeing so much activities, especially in the education technology sector. 
One of the challenges that we saw from our education technology customers is that they're always looking for help and support in many of the innovations that they're trying to develop. The second area of observation that we had was that they are always alone with very limited resources and they usually do not know where to look for in terms of support and in terms of not who they can reach out to from a community standpoint, that is actually how we started and developed this program called AWS EdStart. It is a program specifically for education technology companies that are targeting, delivering innovative education solutions for the education sector. And we bring specific benefits to these education technology companies when they join the program, AWS EdStart. Yeah, three specific areas, one is that we support them with technical support, which is really, really key trying to help them navigate in the various ranges of AWS services that allows them to develop innovative services. The second area is linking them and building a community of like-minded education technology founders, and linking them also to investors and VCs. And lastly, of course, in supporting innovation, we support them with a bit of AWS Cloud credits, promotional credits for them so that they can go and experiment and develop innovations for their customers. >> That's great stuff I want to get into that program a little bit further because I think, you know, that's a great example of kind of benefits AWS provides (indistinct) free credits or, no one is going to turn away free credits. We'll take the free credits all the time, all day long, but really it's about the innovation. Janine I want to get your thoughts. How was Solve Education born? What problems were you solving? What made you start this company and tell us your story. >> Thank you so much for the question. 
So actually my co-founder was invited to speak at an African Innovation Forum couple of years back, and the topic that he was sharing with, how can Africa skip over the industrialization phase and go direct to the knowledge economy and that discussion went towards, in order to have access to the knowledge economy you need knowledge and how do you get knowledge well through education. So that's when everybody in the Congress was a bit stuck, right? And the advice was in order to scale fast, we need to figure out a way to not while, you know, engaging the government and schools and teachers, but not depend on them for the success of the education initiative. So, and that was what (indistinct) walk away from the conference. And when we met in Jakarta, we started talking about that also. So while I'm Singaporean, I worked in many developing countries. And the problem that we're trying to solve is it might be shocking to you, but UNESCO recently published over 600 million children and youth are not learning. And that is a big number globally, right? And out of all the SDGs per se, from UN, education, and perhaps I'm biased, because I'm a computer engineer, but I see that education is the only one that can be solved by transforming (indistinct) versus the other SDGs like, you know, poverty or hunger, right? Actually require big amount of logistic coordination and so on. So we saw a very interesting trend with mobile phones, particularly smart phones becoming more and more ubiquitous. And with that, we saw a very interesting opportunity for us to disseminate education through mobile technology. So we in Solve Education elevate people on a public through providing education and employment opportunities, (indistinct) on tech. And we.. our vision is to enable people to empower themselves. And what we do is that we build an open platform that provides everyone active education. >> Hugo How about your company? What problem are you solving? How did it all get started? 
Tell us your vision. >> Thanks, John. Well, look, it all started with a joke, one of the co-founder, Matthew, had a, he has a child who has severe learning disorder and dyslexia, and he made a joke one day about having (indistinct) that could support those kids. And I took the joke seriously. So we started sitting down and, you know, trying to figure out how we can make this happen. So it turns out that dyslexia is the most common learning disorder in the world. We have an estimated 10 to 20% of the worldwide population with the disorder, due to in context, that's between 750 million up to 1.5 billion individuals with that learning disorder. And so where we sort of try and tackle the problem is that we've identified that there's two key things for children with dyslexia. The first one is that knowing that it is dyslexia, meaning being assessed. And the second one is, so what, what do we do about it? And so given all expertise in data science and AI, we clearly saw an opportunity of sort of building something that could assess individual children and adults with dyslexia. The big problem with the assessment is that it's very expensive. We've met parents in the U.S. specifically who paid up to 6,000 U.S. Dollars for a diagnosis with an educational psychologist. On the other side, we have parents who wait 12 months before having a spot. So what we saw clearly is that the observable symptom of dyslexia are reading, and everyone has a smartphone and (indistinct) from smartphone is actually really good to record your voice. So we started collecting audio recordings from children and adults who have been diagnosed with dyslexia. And we then try to model and to recognize the likelihood of dyslexia by analyzing audio recording. So in theory, it's like diagnosed dyslexic, helping other undiagnosed dyslexic being diagnosed. So we have now (indistinct) them. That can take about 10 minutes, which requires no prior training costs, 20 U.S. 
Dollar, and anyone can use it to assess someone's likelihood of dyslexia. >> You know, this is the kind of thing that really changes the game because you also have learning for questions that are nonlinear and different. You've got YouTube, you've got videos, you have knowledge bases, you've got community. Vincent mentioned that Janine, you mentioned, you know, making the bits of driver and changing technology. This is the kind of thing that seems obvious now as look at it, but now you've got to put it into action. So, you know, one of the benefits of Cloud on AWS, we'll give a plug for Vincent's company here is that you can move faster. And that's something that Andy Jassy always talks about and Teresa Carlson, being builders and moving fast, but you got to build it. So Janine and Hugo, please take a minute to explain, okay, you got the idea, you're kicking the tires, you're putting it together. Now you've got to actually start writing code. What happens next? Janine, we'll start with you. >> Well, what happens next? Okay. So for us, we know education technology is not new, right. And education games are not new, but before we even started, we look at what's available and we quickly realized that the digital divide is very real, most technology out there first are not designed for (indistinct) devices, and also not designed for people who do not have internet at home. so with just that assessment, we quickly realized we need to do something about, and that's something that problem is. One is just one part of the whole puzzle. There's two other very important things. One is advocacy. Can we prove that we can teach through mobile devices? And then the second thing is motivation. And again, it's also really obvious, but, and people might think that, you know, marginalized communities are super motivated to learn. Well, I wouldn't say that they are not motivated, but just like all of us behavioral change is really hard, right? 
I would love to workout everyday, but you know, I don't really do that. So how do we use technology to, you know, to induce that behavioral change so that we can help support their motivation to learn. So those are the different things that we work on, certainly with it. >> Yeah, and then a motivated community, is even more impactful because then once the flywheel gets going, then it's powerful. Hugo your reaction to, you know, you got the idea, you got the vision, you're starting to put, take one step in front of the other. You got AWS, take us through the progression on the startup. >> Yeah, sure. I mean, what Janine said is, very likely to, to what we're trying to do, but for us, there's three key things that in order for us to be successful and help as much people as we can, it is three things. The first one is reliability. The second one is accessibility and the other one is affordability. So the reliability means that we have been doing a lot of work in the scientific approach as to how are we going to make this work And so we've.. We have a couple of scientific publications and we had to collect data and, you know, sort of publish this into AI conferences and things like that. So it makes sure that we have the scientific evidence behind us that support us. And so what that means is that we have to have a large amount of data and then put this to work, right on the other side of the accessibility and affordability means that Janine said, you know, it needs to be on the Cloud because if it's on the Cloud, it's accessible for anyone with any device, with an internet connection, which is, you know, covering most of the globe. So it's a good start. And so, the Cloud obviously allow us to deliver the same experience and the same value to clients and parent and teacher and (indistinct) professional around the world. 
And that's why, you know, it's been amazing, to be able to use the technology on the AI side as well obviously there is a lot of benefit of being able to leverage the computational power of the Cloud, to make better algorithm and better training. >> (indistinct) to come back to both of you on the AI question. I think that's super important. Vincent I want to come back to you though, because in Asia Pacific and that side of the world, you still have the old guard, the incumbents around education and learning, but there's great penetration with mobile and broadband. You have great trends as a tailwind for Amazon and these kinds of opportunities EdStart, what trends are you seeing that are now favoring you? Because with COVID, you know, the world is almost kind of like been a line in the sand is before COVID and after COVID, there's more demand for learning and education and community now than ever before, not just for education, the geopolitical landscape, everything around the younger generation is more channels, more data, the more engagement, how are you looking at this? What's your vision of these trends? Can you share your thoughts on how that's impacting learning and teaching? >> So there're three things that I want to quickly touch on. Number one, I think governments are beginning to recognize that they really need to change the way they approach solving social and economic problems. The pandemic has certainly calls into question that if you do not have a digital strategy, you can't find a better time to now develop and not just develop a digital strategy, but actually to put it in place. And so government are shifting very, very quickly into the Cloud and adopting digital strategy and use digital strategy to address some of the key problems that they are facing. And they have to solve them in a very short period of time. Right, We will talk about speed, the agility of the Cloud, and that's why the Cloud is so powerful for government to adopt. 
The second thing is that we saw a lot of schools close down across the world, UNESCO reported, what 1.5 billion students out of schools. So how then do you continue teaching and learning when you don't have physical classroom open and that's where education technology companies and, you know, heroes like Janine's company and others, there are so many of them around are able to come forward and offer their services and help schools go online, run classrooms online, continue to allow teaching and learning, you know, online. And this has really benefited the overall education system. The third thing that is happening is that I think tertiary education and maybe even (indistinct) education model will have to change. And they recognize that, you know, again, it goes back to the digital strategy that they've got to have a clear digital strategy and the education technology companies like what, who we have here today. Just the great partners that the education system need to look at to help them solve some of these problems and get to addressing giving a solution very, very quickly. >> Well, I know you're being kind of polite to the old guard, but I'm not that polite. I'll just be, say it. There's some old technology out there and Janine and Hugo, you're young enough not to know what IT means because you're born in the Cloud. So that's good for you. I remember what I teach. Like in fact, there's a, there's a joke here in the United States so with everyone at home the teachers have turned into the IT department, meaning they're helping the parents and the kids figure out how to go unmute and how to configure a network address translation if their routers don't work, real problems. I mean, this was technology, schools were operating with low tech Zoom's out there. You've got video conferencing, you've got all kinds of things, but now there's all that support that's involved. And so what's happening is it's highlighting the real problems of the institutional technology. 
So Vincent, I'll start with you. This is a big problem. So Cloud solves that one, you guys have pretty much helped IT do things that they don't want to do anymore by automation. This is an opportunity, not necessarily.. There's a problem today, but it's an opportunity tomorrow. Could you just quickly talk about how you see the Cloud, helping all this manual training and learning new tools. >> Absolutely. So I want to say and put forth a hypothesis and that hypothesis is simply this. We are all now living in a Cloud empowered economy, whether we like it or not, we are touching and using services that are powered by the Cloud. And a lot of them are powered by the AWS Cloud, but we don't know about it. A lot of people just don't know, right? Whether you are watching Netflix, well in the old days, you're buying tickets and booking hotels on Expedia, or now you're actually playing games on Epic Entertainment, you know, playing Fortnite and all those kinds of games you're already using and a consumer of the Cloud. And so one of the big ideas that we have is we really want to educate and create awareness of top computing for every single person. If it can be used for innovation and to bring about benefits to society that is a common knowledge that everyone needs to have. And so the first big idea is, want to make sure that everyone actually is educated on Cloud literacy. The second thing is for those who have not embarked on a clear Cloud strategy, this is the time don't wait for another pandemic to happen because you want to be ready. You want to be prepared for the unknown, which is what a lot of people are faced with. And you want to get ahead of the curve. And so education, training yourself, getting some learning done. 
And that's really very, very important as a next step to prepare yourself to face the uncertainty and having programs like AWS EdStart actually helps to empower and catalyze innovation in the education industry that our two founders have actually demonstrated. So back to you, John. >> Congratulation on the EdStart, we'll get into that and real quickly, EdStart but let's first get the born in the Cloud generation Janine and Hugo you guys are competing, you got to get your apps out there. You've got to get your solutions. You're born in the Cloud. You have to go compete with the existing solutions. How do you view that? What's your strategy? What's your mindset, Janine, we'll start with you. >> So for us, we are very aware that we are solving a problem that has never been solved, right? If not, we wouldn't have so many people who are not learning. So this is a very big problem. And being able to leverage on Cloud technology means that we are able to just focus on what we do best, right? How do we make sure that learning is sufficient and learning is effective. And how do we get people motivated and all those sort of great things leveraging on game mechanics, social network, and incentives. And then while we do that on the Cloud side, we can just put that almost ourselves, everything to AWS Cloud technology to help us not worry about that. And you were absolutely right. The pandemic actually woke up a lot of people and has organizations like myself. We start to get queries from governments and other, even big NGOs on, you know, because before COVID we had to really do our best to convince them until (indistinct) are dry >> (indistinct) knock on doors and convince people. >> Yes. And now we don't have to do that. It's the other way around. So we are really, you know, we appreciate this opportunity and also we want to help people realize that in order to.. 
By adopting either a blended approach or adopting technology means that you can do mass customization of learning as well. And that's, what we could do to really push learning to the next level. So, and, there are a few other creative things that we've done with governments, for example, with the government of East Java on top of just using the education platform, as it is an educational platform, which is education (indistinct) on our civilization, they have added in a module that teaches COVID because, you know, their health care system is really under a lot of strain there, right? And adding this component in and the most popular mini game in that component is this game called Hoax Or Not. And it teaches people to identify what's fake news and what's real news. And that really went very popular and very well in that region of 25 million people. So that became not only just boring school subjects, but it can be used to teach many different things. And following that project, we are working with the Federal Government of Indonesia to talk about (indistinct) and even a very difficult topic like sex education as well. >> Yeah. And the learning is nonlinear, it's horizontally scalable, it's network graph. So you can learn, share about news. And this is contextual data. It's not just learning, it's everything. It's not like, you know, linear learning. It's a whole nother ballgame, Hugo, your competitive strategy. You're out there now, you got the COVID world. How are you competing? How's Amazon helping you? >> Absolutely John, look, this is an interesting one because the common competitor that we have are educational psychologist, they're not at tech. So I wouldn't say that we're competing against a competitor per se. I would say that we are competing against some old way of doing things. The challenge for us is to empower people, to be comfortable with having a machine, you know, analyzing your kid's audio recording and telling you if it's likely to be dyslexia. 
And this concept obviously is very new. You know, we can see this in other industry with AI, you know, you have the app that Stanford created to diagnose skin cancer by taking a photo of your skin. So it's being done in different industry. So the biggest challenge for us is really about the old way of doing things. What's been really interesting for us is that you know, education is lifelong, you know, you have a big pot in school, but when you're an adult you learn and, you know, we've been doing some very interesting work with the Justice Department where, you know, we look at inmate and, and, you know, often when people go to jail, they have, you know, some literacy difficulty. And so we've been doing some very interesting work in this field. We're also doing some very interesting work with HR and company who want to understand their staff and put management in place so that every single person in the company are empowered to do the job and, you know, achieve success. So, you know, we're not competing against Ed Tech. And often when we talk to other Ed Tech company, we come before, you know, we don't provide a learning solution. We provide an assessment solution, an E assessment solution. So really John, what we competing against is an old way of doing things. >> And that's exactly why the Cloud's so successful. You change the economics. You're actually a net new benefit. And I think the Cloud gives you speed. And your only challenge is getting the word out because the economics are just game changing, right? So that's how Amazon does so well, by the way, you can take all our recordings from theCUBE interviews, all my interviews and let me know how I do, okay. So got all the, got all the voice recordings for my interview. I'm sure the test will come back challenging. So take a look at that. >> Absolutely. >> Vincent I want to come back to you, but I want to ask the two founders real quick for the folks watching okay and hear about Amazon. 
They know the history, they know the startups that started on Amazon that became unicorns that went public. I mean, just a long list of successes born in the Cloud. You get big pay when you're successful, love that business model. But for the folks watching that are in the virtual garages or in their houses innovating and building out new ideas, what does EdStart mean for them? How does it work? Would you recommend it? And what are some of the learnings that you have from working with EdStart? Janine We'll start with you. >> For me. So I would, for me, I would definitely highly recommend EdStart. And the reason is because EdStart, our relationship with EdStart, is almost not like a client-supplier relationship it's almost like business partners. So they not only help us with providing the technology. But on top of that, they have their system architects to work with my tech team and they have, you know, open technical hours for us to interact. And on top of that, they do many other things like building a community where, you know, people like me and Hugo can meet. And also other opportunities like getting out there, right? As you know, all of the startups run on a very thin budget. So how do we not pour millions of dollars into getting all that out there is another big benefit as well. So I'll definitely very much recommend EdStart. And I think another big thing is this, right? Now that we have COVID and we have demands coming from all other places including like, even (indistinct) from the Government of Gambia, you know, so how do we quickly deploy our technology right there? Or how do we deploy our technology from the people who are demanding our solution in Nigeria, right? With technology it is almost brainless. >> Yeah. The great enabling technology ecosystem to support you. I think, at the regions too. So the regions do help. 
I love we call them cube regions because we're on Amazon, we have our Cloud Hugo, EdStart your observations, experience and learnings from working with AWS. >> Absolutely. Look, there's a lot to say, so I'll try and make it short for anyone, but, so for us and me personally, and also as an individual and as a founder, it's really been a 365 sort of support. So like Janine mentioned, there's the community where you can connect with existing entrepreneur. You can connect with experts in different industry. You can ask technical experts and have a, you know, office hour every week. Like you said, Janine with, your tech team talking to a Cloud architect just to unlock any problem that you may have. And, you know, on the business side, I would add something which for us has been really useful is the fact that when we've approached government, being able to say that we have the support of AWS and that we work with them to establish data integrity, making sure everything is properly secured and all that sort of thing has been really helpful in terms of moving forward with discussion with potential client and government as well. So there's also the business aspect side of things, where when people see you, there's a perceived value that, you know, your entourage is smart people and people who are capable of doing great things. So that's been also really helpful. >> You know, that's a great point. The AppSec review process as you do deals is a lot easier when you're on AWS. Vincent we're a little bit over time. What a great panel here. Close us out, share with us what's next for you guys. You've got a great startup ecosystem and doing some great work out there and education as well, healthcare, how's your world going on? Take a minute to explain what's going on in your world. >> John I'm part of the public sector team worldwide in AWS, we have very clear mission statements. And the first is, you know, we want to bring about disruptive innovation. 
And the AWS Cloud is really the platform where so many of our Ed Techs, whether it's (indistinct) Health Tech, Gulf Tech, all those who are developing solutions to help our governments and our education institutions, our healthcare institutions to really be better at what they do. We want to bring about those disruptive innovations to the market, as fast as possible. It's just an honor and a privilege for us to be working. And why is that important? It's because it's linked to our second mission, which is to really make the world a better place to really deliver.. The kind of work that Hugo and Janine are doing. We cannot do it by ourselves. We need specialists and really people with brilliant ideas and think big vision to be able to carry out what they are doing. And so we're just honored and privileged to be part of their work. And in delivering this impact to society. >> The expansion of AWS out in your area has been phenomenal growth. I've been saying to Teresa Carlson and Andy Jassy and the folks at AWS for many, many years, that when you move fast with innovation, the public sector and the private partnerships come together, you starting to see that blending. And you've got some great founders here making a social impact, transforming teaching and learning. So congratulations, Janine and Hugo. Thank you for sharing your story on theCUBE. Thanks for joining. >> Thank you for having us >> thanks John >> Thank you, John. I'm John Furrier with theCUBE Virtual we're remote. We're not in person this year because of the pandemic you're watching AWS Public Sector Online Summit. Thank you for watching. (soft music)
Pam Murphy, Imperva | RSAC USA 2020
>>Live from San Francisco. It's theCUBE covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media. >>Hey, welcome back everybody. Jeff Frick here with theCUBE. We are wrapping up a Wednesday here at RSA 2020. Again, it's like 50,000 people. This is a huge conference. Everyone who has got anything to do with cybersecurity is here. Uh, it's the biggest show, uh, that we cover outside I think of re:Invent. So we're excited to have our next guest. She's been on theCUBE many times, but never in her current role. She's Pam Murphy, the new CEO of Imperva. Pam, great to see you and congratulations on your new role, on your new gig. Thank you very much. Second month, your second month. So tell us about, you know, kind of what attracted you to the opportunity, you know, kinda, you haven't been there a whole long time, but what's, uh, what's kind of your first impression now that you've been at it for a couple of days? >>I, I'm extremely impressed. It really is. Uh, how would you describe it? Like a dark horse or sort of like the biggest kept secret. So in terms of my previous roles, as you know, we've, you've interviewed me many times, but I've always been in software vendors who basically build applications and sort of build to build databases. Um, and I guess for the last five to eight years it's been all about rebuilt again rearchitecting applications for the cloud. Right. Um, and through that I've managed DevOps functions and CCL functions. And so I've been on the consuming side of security. Um, so it's always been a very, you know, area that interested me, Greg Lee, um, as a consumer, you know, obviously the landscape was very much changing. Um, and so I decided to jump over to the other side, right. And lead a company that created and delivered cybersecurity solutions. >>So, uh, so it's been awesome. As I said, month two, uh, Imperva has just amazing products. 
Um, I didn't quite know when I took the job exactly everything that had had, but when I came over and saw it, it was really working very hard over the last couple of years to acquire new products. And also build and innovate new solutions, uh, to have such a complete AppSec and dataset set of solutions today. I mean, I think, I can't see anybody else in the market right now that has as complete a solution covering ups and data stack that we have. So it's, it's been a really fun time. Um, I must say, you know, it's, uh, it's got a great culture as well. Um, their people have sort of a purpose and sort of, you know, have a feel that they'd be great responsibility sort of making great solutions, which really protect our customers' data and their applications. So it's been really cool. >>No, I saw it on the website. You know, the values are very clearly stated right up front and uh, it's a really important ones. But before we go deeper there, I want to kind of take you back to your old role from a, from a buyer of these services. Because as I, as I walk around the floor here, there are so many vendors, right? Big and small, established and new. So for when you were in your other role and now you, it'll be a great thing for you now that you're on this side of the house, how did you think about sorting it all out? How do you, you know, kind of keep up with, you know, the trusted and true, but yet, you know, kind of the new and innovative in this massive sea of vendors and technologies? >>Totally, one of the things that customers have been saying to me since I came to Imperva is they want a partnership from us because as you rightly said, we're in a sea of loads of vendors, a lot of whom claim to do the same, the same thing effectively. And it's becoming, and I found the same thing when I was on the other side. There is such a sea of clutter right now. 
It's really hard to sort of find your way through, um, customers and like myself and my former role, you want fewer vendors, um, and you want to have more complete and integrated solutions. Uh, that's what I wanted in my former role. And that's really what I'm focused on now at Imperva is on the customer side of things. Um, making solutions easier to consume. Um, showing them the breadth of what we have, frankly speaking so that they don't have to go to other solutions. >>I mean your worst nightmare is going to a customer and finding out that you had a, B and C and they didn't realize that you actually had it. So from that perspective, I am bringing the voice of the customer with me from my previous role. It's been echoed and what I'm hearing from our customers now in terms of where they want to see us go and do. Um, so that's really what we're focused on is just doing a better job of giving customers more integrated solutions. Because, you know, as you said, the threat landscape right now, it's becoming really complex. Um, very much automated. Um, you know, in terms of automated attacks, I think by talking to my team this morning, we think based on the data we're seeing right now that bad bots are probably making up like 30% of web traffic right now. Yeah. Yeah. I mean it's getting really hard. Right? And that's in terms of, you know, what they do around account scraping, ATO, um, spam in terms of all the damage that that could do right to you as a customer. So that's what we're focused on. We're focused on, and again, it's bringing from my former role, what do customers need rather than what software companies or tech companies or security companies think that they need. Right. >>Such a good spot. Cause you were in that buyer's seat, you know, just a short, long, short time ago. 
Cause the other thing you've seen and where you guys applied across a lot of apps in your old space was AI and machine learning and really the power of that apply to lots of different challenges, opportunities and really changing the game now. Now you're fighting against those, those same forces that are being much more sophisticated in their, in their attacks. So when you, when you sit with the team and you look at kind of the evolution of AI, you look at the evolution of 5G and all the IoT connectivity that's going to happen in the increased vulnerabilities. Um, where do you see kind of the solution evolving? Is it just a constant, you know, kind of grind and trying to keep up? Or are there some big strategic things that you see now that you've been here for whatever, all the 60 days? Um, to kind of take advantage of these opportunities. >>So we have this, uh, we call it a threat research group within the company. And their job is to take all the data from the sensors we have. I mean, we have, we look at about 25 petabytes of data every day. All our solutions are cloud solutions as well as on-prem. So we get the benefit of basically seeing all the datas that are hitting our customers every day. I mean, we block about 1 million attacks every minute, like every minute, basically every minute, right? We protect over 3 million databases and you know, we've mitigated some of the largest DDoS, um, attacks that's ever been reported. So we have a lot of data, right, that we're seen. And the interesting thing is that you're right, we are having to always, we're using that threat research data to see what's happening, how the threat landscape is changing, therefore guiding us on how we need to augment and add to our products to prevent that. 
>>But interestingly, we're also consuming AI and machine learning as well on our products because we're able to use those solutions to actually do a lot of attack analytics and do a lot of predictive and research for our customers that can kind of guide them about, you know, where things are happening. Because what's happening is that before a lot of the attacks were just, um, sort of fast and furious, now we're seeing a pattern towards slow, slow, and continuous, if that makes sense. And so we're seeing all these patterns and threats coming in. Uh, so we're fighting against those technologies like AI, but we're also using those technologies to help us soon, you know, decide where we need to continue to, to add capabilities to stop it. You know, the whole bad bots thing wasn't a problem right. A number of years ago. And so it's, it's ever changing in our world, which frankly speaking makes it an interesting place to be because who wants to be in a static, >>in a boring place, no boring here. So another kind of interesting thing about this, this particular industry is the coopetition, you know, kind of aspects to it where there is a lot of sharing across competitors on information when there is some new new type of threat or new kind of threat pattern. So it's a little bit different than, than just a pure competition because there is a, a shared benefit in sharing some of this late breaking news. I don't know if you've started to get into to some of that or had an instant, yeah, it's probably a little bit early, but that's, that's a unique trait I think. >>No, it is for sure. And we make all of our data publicly available. If you go to our website, you look at the CTI index whereby we literally index what we, you know, see the level as being and we're providing all of this data. I mean we get that from our own sensors, but obviously we pull it as well from other third party data sources as well and bring it all together. 
Um, you know, to hide that and not make it available to everyone would be would be would be just a very bad thing. Um, for us we are, and I, I'm still trying to find someone, but in terms of most of the vendors out there focus on pieces of apps or pieces of data where we've got both combined, right? Which gives us a huge closed loop advantage of being able to mesh that data together and see the full track record of what's happening from the data from the, from the application down to the data on back again. So that's a benefit that we have that literally we're taking great advantage of right now because in other cases, our competition is sort of point solution based, right? For every one of the best of breed solutions that we have. Right, >>right. It always goes back to the data, right? I mean it's always about the data. >>That's the thing. I mean at the end of the day, uh, why, why is all these things happening? HEOS and attacks and spamming. It's your, as you said, it's to get to the data. And that's why we say we protect data and all paths leading to it because fundamentally that's what customers care about, right? >>Right. So it's crazy. The data is the business and the data is what you're protecting and the business. All right, so put you on the spot. So what are some of your kind of top priorities, you know, kind of out of the gate, they brought you in, you're all excited, you see this great team and opportunity. You know, what are some of the things if we sit down a year from now or maybe six months at Black Hat that you, uh, that you've got on your plate that you're working on? >>So I think innovation will always be, you know, first and foremost, um, we have Gartner Magic Quadrant and Forrester leading edge products. But in this industry, you need to be paranoid. You always need to be staying ahead. So from an innovation perspective, that's where we're focused. We're working on a lot of cool stuff which we'll be rolling out through the rest of the year. 
Um, platform as well is really important. I mentioned that we have the unique advantage of having a huge amount of data at the application level and also at the database level and that's allowing us to give use cases and value back to our customers that they don't have right now from any other vendor. So we're working with customers on, on getting that done. Um, I think as well, just purely in terms of, um, publicizing what we have. Right. I think we could do a, I found a lot of things right coming to Imperva and I feel we didn't communicate exactly, exactly. So I think there's a lot of capabilities that we're going to do, um, a lot in terms of publicizing them this year. So there's a lot of really, really cool stuff happening and uh, you know, great momentum going on in the company. Right. >>Well, uh, well, good for them for getting you there. Very fortunate to have you, uh, have you on board. Alright. Right. Well, thanks for taking a few minutes and again, congratulations on your new role. We really look forward to watching this story unfold. All. Alright. She's Pam, I'm Jeff. You're watching theCUBE. We're at RSA 2020, the year we're supposed to know everything with the benefit of hindsight, but we're still learning. Thanks for watching. We'll see you next time.
Mike Kail, Cybric | CUBE Conversation with John Furrier
(uplifting music) >> Welcome everyone to CUBEConversation here in Palo Alto, California, theCUBE Studios, I'm John Furrier, the co-host of theCUBE and co-founder of SiliconANGLE Media. Our next guest is Mike Kail, the CTO of Cybric, a security company industry veteran, welcome, good to see you. Glad we got you, get some time, your time today. >> No, absolutely John, thanks for having me. >> Yeah, so you've been through -- seen a lot of growth in the waves. The big web scale, and now as we go full cloud and hybrid cloud, private cloud and public cloud, whole new paradigm shift on security. Many have Dave Vellante ask Pat Gelsinger many times, do we need a security do over? The general consensus from everyone is, yes. (laughing) We need a do over. What's the state of the market with security right now as people scratch their head, they've been throwing the kitchen sink at everything, but yet, the attacks are still up. That's not good, so what's the solution? What's going on? >> I mean I think a level set like we've talked about the definition of insanity is doing the same thing over and over, and in security for sure, we've been doing the same thing. We have firewalls, nextgen firewalls, endpoint, you know, product X, product Y, this has got a better algorithm. Has anything really helped? I think in this post Equifax world, and now post SEC world, things are not getting better. We need to step back, and I think we need to really think about how do we bring security assurance into the assembly and delivery of applications, and move it back into the code as well, which is our thesis on shifting left and embedding security into the SDLC. I think there needs to be some design thinking around security as well. Today it's like this fear, uncertainty, and doubt -- it's sold on fear, and that bad things are happening. Let's bring the conversation into visibility. 
>> I mean, there's so many different lifecycles you've mentioned is really key, and I think I want to just drill down on that because the observation, I'll get your reaction on this, is security shouldn't be a cost center, security should be tied to core objectives of a company, should be reporting to the board, C-level type access should be invested in. At the same time, the architecture of security, not just organizationally funded, cloud and datacenter need to be looked at holistically. There's no one product. So that means okay, one, that's the customer viewpoint, but then you got to actually put the software out there. So, what's your reaction to that trend of security being not actually part of the IT department whether it is or not is irrelevant, it's more of, how it's viewed. Are you staffing properly? How are you staffing? Is it a cost center, or is it tied to an objective? Does it have free rein to set up policies, standards, et cetera? What's your thoughts on this? >> I think, and I've talked about this recently, the technology is there. The culture is lagging behind. Security's always been -- >> Culture is lagging or not? >> Is lagging. Security is traditionally been kind of this -- Like IT was in the past, pre-DevOps culture, security is the Department of No. Coming in and not thinking about driving business revenue and outcome, but pointing fingers and accusing people and yelling at people. It creates this contentious environment, and there needs to be collaboration around, like, how do we drive the business forward with security assurance not insurance? The latter is not helping. >> So, that's a good point, I want to drill down on DevOps, you mentioned DevOps, that's -- you and I have talked about this before at events. DevOps movement has happened. It's happening, and continuing to happen at scale. DevOps is pretty much on the agenda, make it happen. 
But, it's hard to get DevOps going when there's so much push on application development, so, you have old school transitional application development now with DevOps, and then you got pressure for security. It seems to be a lot on the plate of executives and staffs to balance all of that. So how do you roll up the best security into a DevOps culture, in your opinion? >> I think you have to start embedding security into the DevOps culture and the software development lifecycle, and create this collaborative culture of DevSecOps. >> What is DevSecOps? >> It's making -- you think about the core tenets of DevOps being collaboration, automation, measurement, and sharing. Security needs to take that same approach. So instead of adding or bolting on security at the end of your development and delivery cycle, let's bring it in and find defects early on from what we talk about, from code commit, to build, to delivery, and correlate across all of those instead of these disparate tasks and manual tasks that are done today. >> Where are we on this? First, by the way, I agree with you, I love that idea, because you're bringing agility concepts to security. How far -- what's the progress on this relative to the industry adoption? Is it kind of pioneering right now stage, is it a small group of people, remember, go back to 2008, you remember, the cloud was a clouderati, was a handful of people. I would go to San Francisco, there'd be six of us. Then NGR would come on, then there's Heroku, then there's like Rackspace, and then Amazon was still kind of rising up. It feels like DevOps, DevSecOps, is beyond that, I mean, where is the progress? >> I think out in the real world, especially outside of Silicon Valley, it's still really early days. People are trying to understand, but as we were chatting about before the show, I feel like in the past few months there's definitely momentum gaining rapidly. 
I think with conferences like DevSecCon, Security Boulevard coming out from Alan Shimel and his team, like there's building more and more awareness, and we've been trying to drive it as well. So I think it's like the early days of cloud. You'll see that, "Okay, there's a bunch of -- okay I don't think this is a real thing", and now people are like, "Okay, now I need to do it, I don't want to be the next Equifax, or large breach. So how do I bring security in without being heavy handed." >> Interesting you mentioned Equifax, I mean our reporting soon to be showing, will demonstrate that a lot of what's been reported is actually not what really happened at this. They've been sucked dry 10 times over, and that the state actors involved as a franchise in all of this, it's beyond -- Amazing how complicated this -- these hacks are, so how does a company, prepare against the coordination at that level - I mean, it's massive, I mean, someone dropped the ball on the VPN side, but I mean, clearly, they were out-maneuvered, outfoxed if you will. >> Well, I mean I think it has to come from the top, like security has to stop being quote unquote important, and become a priority. Not the number one priority, but you have to think about it with respect to business risk. And Equifax aside, a lot of companies just have poor hygiene. They don't practice good security hygiene across all of the attack vectors. If you look at now, the rise of the developer, Docker containers, moving to cloud, mobile, there's all of these ways in, and the hackers only have to be right once. We on the defensive side, have to be right all the time. >> Hygiene is a great term, but if it's also maybe even more than that. It's like they just need an IQ as well, so you got to have, you've got this growth in Kubernetes, you got containers, you got a lot going on at layer four and above in the stack, that are opportunities as you said, the tech's out there. 
So, again, back to the organizational mindset, because this is where DevOps really kind of kicked ass, you had an organizational mindset, then you had showcases, people built their own stuff. You go back to the early pioneers, you were involved with a few of them, Facebook built their own stuff, because they had to. >> Mike: Yeah, there was nothing else. >> There was nothing else, so they had to build it. Now a lot of the successes in the web scale days were examples of that. So is that a similar paradigm, are people building their own, are you guys working with one, is that right? How should people think about how to look for use cases, how should they look for successes, who's doing anything? Can you point to any examples of that's kickass DevSecOps? >> I mean, obviously I'm biased, but I think -- >> (laughing) >> the Cybric platform is really trying to take all of the different disparate tools and hyperconverge them onto an automation orchestration platform. Now you can be at all parts of the SDLC, and give the CIO and CSO visibility. I think the visibility aspect with the move to cloud and containers, and Kubernetes, and you name your favorite technology, there's a lack of visibility. You can't secure what you don't know about. >> Take a minute to talk about Cybric for a minute, 'cause you brought up the product, I want to just double down on that. What do you guys do, what's the product, just give a quick one minute, two minutes, update on for the folks on what you guys do. >> Sure, so we're a cloud security as a service platform, so it's delivered SaaS, that has a policy driven framework to automate code and application security testing and scanning from code commit, to build assembly, to application delivery, and correlate that testing and the results and provide you, your business resiliency. So we talk about internal rate of detection, internal rate of remediation, and if you can narrow that window, you become much more resilient. 
>> Alright, so, let me give you an example. Just throw this out since we're here. A little test here -- Test your security mojo here. I go to China. I happen to bring my phone and my Mac, I connect to the -- oh, free Wifi! Boom, I get a certificate, my phone updates from Apple, I think I'm on a free WiFi network, it's a certificate from China, I get the certificate here, they read all my mail while I'm over there, but I'm not done, I come home. And I go back to the enterprise. How do you guys help me, the company identify that I'm now infected at maybe the firmware level or you know, I mean, that's -- what people are talking about all the time right now. You're smiling, he's like, yeah that happens. >> First of all, I would never let you leave to go to a country like that without a burner phone and a burner laptop, but not take -- and don't log into anything, don't connect to anything. >> Is that -- >> It's about building awareness, so I -- >> Hold on in all seriousness that's essentially best practice in your opinion? Not to have your laptop in China, is that the thing? >> Yeah, I don't think, you're not going to be safe. Like, there's so many ways to subvert you, whether you accidentally connect to public WiFi, you join the wrong network, somebody steals your laptop, I mean, there's just all the -- there's a lot of things that bad things that can happen, and not much upside for you. >> Okay, so now back to the enterprise, so I get back in, what kind of security -- how do you guys look at that, so if you're doing agile or DevSecOps, Is there software that does that, is it the methodology, is there mechanisms, how do companies think through some basic things like that, that entry point? Because then that becomes an insider threat from a backdoor. >> Right, so I think you have to have this continuous scanning approach. 
The days of doing a pen test on your application once a quarter, meanwhile hackers are doing it continuously behind the scenes, you have to close that chasm. But I think we need to start early on and build awareness to developers. One reporter used the analogy, it's like spell check from Microsoft Word. Now as I'm committing code, I can run a scan and say okay you have this vulnerability, here's how to go remediate it, and you do that, and we don't impact velocity. >> So you have to be on top of a lot of things. But that also is into the team's approach. What is the product that you guys have? Is it software, is it -- a box, how do you guys -- what's the business model for Cybric? >> We're software that overlays into the SDLC, and we plug in at these key points of the SDLC. So committing into your code repo, such as GitHub or Bitbucket, at the artifact build stage, so Jenkins, Travis, Circle -- >> So you're at the binary level? >> Yeah. >> Okay. >> So there we look for open source and third party library and do source code composition of the artifact. Now you make sure that you're not vulnerable to Apache Struts, you have updated and patched to the latest version. Then pre-delivery, we replicate your application environment, and aggressively scan for the OWASP Top 10. So SQL injection, cross site scripting -- >> Yeah. >> And alert you, and allow you to play offense. So we now remediate the vulnerability before it's ever exposed to production. >> Where are you guys winning, give some examples of when someone needs to get you guys in, is it a full on transformational thing, can I come in and engage with Cybric immediately in little kind of POCs, what's the normal use case that you guys are engaging with companies on? 
>> It really depends where you are in your company with this whole DevOps, DevSecOps migration, but we're agnostic to the methodology in your environments, so we can start at the far right, and just do AppSec scanning, we can start at the middle of the build, at the left, code, or all of that. There's this notion of I have to be ready for security, you don't have to be ready. We help you -- The hardest part is getting started, and we help you get started. You'll see a blog post or an article from us say, "Stop the fudge, just get started." That's how you have to approach this. This paralysis that exists has to end. >> That's not what the paralysis thing -- Pretend I'm a customer for a second, Mike, I'm burnt out, I got a gun to my head every day, I come in, I got every single security vendor lining up begging for my attention, why should I pay attention to you? What's in it for me? How do you answer that? >> So first of all, you know, what do you want to achieve? What is your current state? Where are your code repos, where are your application deployments, what are you doing today? How do we make that a continuous process? It's understanding the environment, having some situational awareness and a bit of EQ. Instead of going in and pounding on them with a product. >> Do you guys then go in and train my staff, I'm trying to think what's the commitment from me, what do I need to do? >> It's -- our policies are very simple, you define a target which is your source repo, your build system, or your application, you define the tool or integration you want to run, so I want to run Metasploit against my application, I want to do it every hour, and I want to be notified via a Slack Channel notification. >> That sounds really easy to implement. It sounds -- >> It's four steps. Literally a POC takes 15 minutes to onboard. >> So what's the outcome, what's some of the successes you've had after a POC? 
It sounds complicated but it really the methodology really is more of a mindset for the organization, so I love the DevOps angle on that, but okay, I can get in, I kick the tires, I do the four steps, I go, "Oh this is awesome." What happens next, what normally goes on? >> What often happens in the past is you run a test and you're inundated with results, it's -- you know, there's critical warnings, some informational, and some like blood red ones. But you don't know where to start on prioritizing them. We've normalized the output of all these tools so now you know where exactly to start. What are the important vulnerabilities to start with, and go down, versus throwing this over the fence to dev, and upsetting them, and having a contentious conversation. So we implicitly foster the collaborative nature of DevSecOps. >> Cool. So competition. Who do you guys compete with, how do you guys -- Who do you run into the field against, what are customers looking at that would compare to you guys that people could think about? >> I think our biggest competition to be honest is the companies that want to -- that tried to do that themselves. The DIYs are not invented here. I mean, we've talked to a couple companies, they've tried to do this for two years, and they failed, and, you know, outside of us trying to sell something, like, is that really in your company's best interest to have a team dedicated to building this platform. I think there's a couple other big companies out there that do part of it, but like we architected this from the ground up to be unique and somewhat differentiated in very crowded security market. >> What's your general advice, you know, a friend comes to you, CIO friend, hey Mike, you know dude, bottom line, what's going on with security? 
How do you -- what's your view of the landscape right now because it certainly is noisy, again like I said, the number of software tools, and billions of hundreds of billions of dollars being spent according to Gartner, yet the exploits are still up, so it's not like having any effect. (laughing) Someone's winning. So if there's more tools, either something's -- tools are ineffective or there's just more volume on attacks, probably both, but -- You go, Oh my God, there's nothing really going on here. There's no innovation. What's the landscape look like, how do you describe that in kind of simple terms and less security landscape? Crazy out of control chaotic, I mean, what's -- >> I mean, if you go to RSA and walk the floor, it's like all of the same buzzwords got exploded, and there's no real solutions that address the near -- like we talked about, I said earlier, the definition of insanity is doing the same thing over and over, we keep deploying the same products and having the same results, and not being more secure. I think there needs to be a rationalization process. You can't just go buy tools and expect them to solve all of your problems. You have to have a strategic framework instead of a tactical approach. >> Alright, so I'll say to you, as another example, I got IoT on my agenda, I got a lot of industrial equipment, that's now going to connect to the IP network, used to go to some of its own proprietary backhaul, but now I'm on the IP network. Mike, how does this play into that? Obviously it's going to open up some more surface area for attacks, how do you guys work with that? >> I think it goes back to that having this continuous security scanning, if you have all of these IoT devices, you have to know how they're operating. You can't just send a bunch of log data to your SIEM and try to extract that signal from the noise and overwhelm your security operation center.
How do you run that through the kind of a, let's call it map reduce for lack of a better term, to extract that signal from the noise and find out is this device talking to this one, is that correct, or is this anomalous? But it has to be continuous, that cannot be periodic. >> Obviously data is important, my final question to end the segment is, the role of data and the role of DevOps is impactive to the security practice. What's the reality, where are we? First inning, second inning? Data obviously important, comment on that, and then DevOps impact to security. Obviously you see momentum. What's your thoughts? >> I don't think we've got out of the dugout yet, to start the first inning -- >> (laughing) >> Which is exciting in some ways if you're a start-up. Or depressing if you're an enterprise. But we have to take a different approach going back to how we started this conversation. The current approaches aren't working. We have to think differently about this. >> Okay, so we're in the early innings, I'm a pioneer, an early adopter, because I'm desperate or I really want to be progressive, why am I calling Cybric? >> I think because you want -- you understand that security needs to be more of a priority, you want to shift that left, and find defects and vulnerabilities early on in your product -- Lifecycle. If you're a head of product, wouldn't you want to have some security assurance before I delay your delivery date because the security team comes in and finds a bunch of vulnerabilities the day before your launch. >> So security as a service as you said. Mike Kail with Cybric, CTO, bringing his expert opinion here into theCUBEConversation here at Palo Alto, I'm John Furrier, thanks for watching. (upbeat music)