Roland Cabana, Vault Systems | OpenStack Summit 2018
>> Announcer: Live from Vancouver, Canada it's theCUBE, covering OpenStack Summit North America 2018. Brought to you by Red Hat, the OpenStack foundation, and its Ecosystem partners. >> Welcome back, I'm Stu Miniman and my cohost John Troyer and you're watching theCUBE's coverage of OpenStack Summit 2018 here in Vancouver. Happy to welcome first-time guest Roland Cabana who is a DevOps Manager at Vault Systems out of Australia, but you come from a little bit more local. Thanks for joining us Roland. >> Thank you, thanks for having me. Yes, I'm actually born and raised in Vancouver, I moved to Australia a couple years ago. I realized the potential in Australian cloud providers, and I've been there ever since. >> Alright, so one of the big things we talk about here at OpenStack of course is, you know, do people really build clouds with this stuff, where does it fit, how is it doing, so a nice lead-in to what does Vault Systems do for the people who aren't aware. >> Definitely, so yes, we do build cloud, a cloud, or many clouds, actually. And Vault Systems provides cloud services infrastructure service to Australian Government. We do that because we are a certified cloud. We are certified to handle unclassified DLM data, and protected data. And what that means is the sensitive information that is gathered for the Australian citizens, and anything to do with big user-space data is actually secured with certain controls set up by the Australian Government. The Australian Government body around this is called ASD, the Australian Signals Directorate, and they release a document called the ISM. And this document actually outlines 1,088 plus controls that dictate how a cloud should operate, how data should be handled inside of Australia. >> Just to step back for a second, I took a quick look at your website, it's not like you're listed as the government OpenStack cloud there. 
(Roland laughs) Could you give us, where does OpenStack fit into the overall discussion of the identity of the company, what your ultimate end-users think about how they're doing, help us kind of understand where this fits. >> Yeah, for sure, and I mean the journey started long ago when we, actually our CEO, Rupert Taylor-Price, set out to handle a lot of government information, and tried to find this cloud provider that could handle it in the prescribed way that the Australian Signals Directorate needed to handle. So, he went to different vendors, different cloud platforms, and found out that you couldn't actually meet all the controls in this document using a proprietary cloud or using a proprietary platform to plot out your bare-metal hardware. So, eventually he found OpenStack and saw that there was a great opportunity to massage the code and change it, so that it would comply 100% to the Australian Signals Directorate. >> Alright, so the keynote this morning were talking about people that build, people that operate, you've got DevOps in your title, tell us a little about your role in working with OpenStack, specifically, in broader scope of your-- >> For sure, for sure, so in Vault Systems I'm the DevOps Manager, and so what I do, we run through a lot of tests in terms of our infrastructure. So, complying to those controls I had mentioned earlier, going through the rigmarole of making sure that all the different services that are provided on our platform comply to those specific standards, the specific use cases. So, as a DevOps Manager, I handle a lot of the pipelining in terms of where the code goes. I handle a lot of the logistics and operations. And so it actually extends beyond just operation and development, it actually extends into our policies. And so marrying all that stuff together is pretty much my role day-to-day. 
I have a leg in the infrastructure team with the engineering and I also have a leg in with sort of the solutions architects and how they get feedback from different customers in terms of what we need and how would we architect that so it's safe and secure for government. >> Roland, so since one of your parts of your remit is compliance, would you say that you're DevSecOps? Do you like that one or not? >> Well I guess there's a few more buzzwords, and there's a few more roles I can throw in there but yeah, I guess yes. DevSecOps there's a strong security posture that Vault holds, and we hold it to a higher standard than a lot of the other incumbents or a lot of platform providers, because we are actually very sensitive about how we handle this information for government. So, security's a big portion of it, and I think the company culture internally is actually centered around how we handle the security. A good example of this is, you know, internally we actually have controls about printing, you know, most modern companies today, they print pages, and you know it's an eco thing. It's an eco thing for us too, but at the same time there are controls around printed documents, and how sensitive those things are. And so, our position in the company is if that control exists because Australian Government decides that that's a sensitive matter, let's adopt that in our entire internal ecosystem. >> There was a lot of talk this morning at the keynote both about upgrades, and I'm blanking on the name of the new feature, but also about Zuul and about upgrading OpenStack. You guys are a full Upstream, OpenStack expert cloud provider. How do you deal with upgrades, and what do you think the state of the OpenStack community is in terms of kind of upgrades, and maintenance, and day two kind of stuff? >> Well I'll tell you the truth, the upgrade path for OpenStack is actually quite difficult. 
I mean, there's a lot of moving parts, a lot of components that you have to be very specific in terms of how you upgrade to the next level. If you're not keeping in step of the next releases, you may fall behind and you can't upgrade, you know, Keystone from a Liberty all the way up to Ocata, right? You're basically stuck there. And so what we do is we try to figure out what the government needs, what are the features that are required. And, you know, it's also a conversation piece with government, because we don't have certain features in this particular release of OpenStack, it doesn't mean we're not going to support it. We're not going to move to the next version just because it's available, right? There's a lot of security involved in fusing our controls inside our distribution of OpenStack. I guess you can call it a distribution, on our build of OpenStack. But it's all based on a conversation that we start with the government. So, you know, if they need VGPUs for some reason, right, with the Queens release that's coming out, that's a conversation we're starting. And we will build into that functionality as we need it. >> So, does that mean that you have different entities with different versions, and if so, how do you manage all of that? >> Well, okay, so yes that's true. We do have different versions where we have a Liberty release, and we have an Ocata release, which is predominant in our infrastructure. And that's only because we started with the inception of the Liberty release before our certification process. A lot of the things that we work with government for is how do they progress through this cloud maturity model. And, you know, the forklift and shift is actually a problem when you're talking about releases. 
But when you're talking about containerization, you're talking about Agile Methodologies and things like that, it's less of a reliance on the version because you now have the ability to respawn that same application, migrate the data, and have everything live as you progress through different cloud platforms. And so, as OpenStack matures, this whole idea of the fast forward idea of getting to the next release, because now they have an integration step, or they have a path to the next version even though you're two or three versions behind, because let's face it, most operators will not go to the latest and greatest, because there's a lot of issues you're going to face there. I mean, not that the software is bad, it's just that early adopters will come with early adopter problems. And, you know, you need that userbase. You need those forum conversations to be able to be safe and secure about, you know, whether or not you can handle those kinds of things. And there's no need for our particular users' user space to have those latest and greatest things unless there is an actual request. >> Roland, you are an IaaS provider. How are you handling containers, or requests for containers from your customers? >> Yes, containers is a big topic. There's a lot of maturity happening right now with government, in terms of what a container is, for example, what is orchestration with containers, how does my legacy application forklift and shift to a container? And so, we're handling it in stages, right, because we're working with government in their maturity. We don't do container services on the platform, but what we do is we open-source a lot of code that allows people to deploy, let's say a Terraform file, that creates a Docker Host, you know, and we give them examples. A good segue into what we've just launched last week was our Vault Academy, which we are now training 3,000 government public servants on new cloud technologies. 
We're not talking about how does an OS work, we're talking about infrastructure as code, we're talking about Kubernetes. We're talking about all these cool, fun things, all the way up to function as a service, right? And those kinds of capabilities is what's going to propel government in Australia moving forward in the future. >> You hit on one of my hot buttons here. So functions as a service, do you have serverless deployed in your environment, or is it an education at this point? >> It's an education at this point. Right now we have customers who would like to have that available as a native service in our cloud, but what we do is we concentrate on the controls and the infrastructure as a service platform first and foremost, just to make sure that it's secure and compliant. Everyone has the ability to deploy functions as a service on their platform, or on their accounts, or on their tenancies, and have that available to them through a different set of APIs. >> Great. There's a whole bunch of open-source versions out there. Is that what they're doing? Do you have any preference toward the OpenWhisk, or FN, or you know, Fission, all the different versions that are out there? >> I guess, you know, you can sort of like, you know, pick your racehorse in that regard. Because it's still early days, and I think open to us is pretty much what I've been looking at recently, and it's just a discovery stage at this point. There are more mature customers who are coming in, some partners who are championing different technologies, so the great thing is that we can make sure our platform is secure and they can build on top of it. >> So you brought up security again, one of the areas I wanted to poke at a little bit is your network. So, it being an IaaS provider, networking's critical, what are you doing from a networking standpoint, is micro-segmentation part of your environment? >> Definitely. 
So natively to build in our cloud, the functions that we build in our cloud are all around security, obviously. Micro-segmentation's a big part of that, training people in terms of how micro-segmentation works from a forklift and shift perspective. And the network connectivity we have with the government is also a part of this whole model, right? And so, we use technologies like Mellanox, 400G fabric. We're BGP internally, so we're routing through the host, or routing to the host, and we have this... Well so in Australia there's this, there's service from the Department of Finance, they create this idea of an ICON network. And what it is, is an actually direct media fiber from the department directly to us. And that means, directly to the edge of our cloud and pipes right through into their tenancy. So essentially what happens is, this is true, true hybrid cloud. I'm not talking about going through gateways and stuff, I'm talking about I spin up an instance in the Vault cloud, and I can ping it from my desktop in my agency. Low latency, submillisecond direct fiber link, up to 100G. >> Do you have certain programmability you're doing in your network? I know lots of service providers, they want to play and get in there, they're using, you know, new operating models. >> Yes, I mean, we're using the... I draw a blank. There's a lot of technologies we're using for network, and the Cumulus Networking OS is what we're using. That allows us to bring it in to our automation team, and actually use more of a DevOps tool to sort of create the deployment from a code perspective instead of having a lot of engineers hardcoding things right on the actual production systems. Which allows us to gate a lot of the changes, which is part of the security posture as well. 
So, we were doing a lot of network offloading on the ConnectX-5 cards in the data center, we're using Cumulus Networks for bridging, we're working with Neutron to make sure that we have Neutron routers and making sure that that's secure and it's code reviewed. And, you know, there's a lot of moving parts there as well, and I think from a security standpoint and from a network functionality standpoint, we've come to a happy place in terms of providing the fastest network possible, and also the most secure and safe network as possible. >> Roland, you're working directly with the Upstream OpenStack projects, and it sounds like some others as well. You're not working with a vendor who's packaging it for you or supporting it. So that's a lot of responsibility on you and your team, I'm kind of curious how you work with the OpenStack community, and how you've seen the OpenStack community develop over the years. >> Yeah, so I mean we have a lot of talented people in our company who actually have OpenStack as a passion, right? This is what they do, this is what they love. They've come from different companies who worked in OpenStack and have contributed a lot actually, to the community. And actually that segues into how we operate inside culturally in our company. Because if we do work with Upstream code, and it doesn't have anything to do with the security compliance of the Australian Signals Directorate in general, we'd like to Upstream that as much as possible and contribute back the code where it seems fit. Obviously, there's vendor mixes and things we have internally, and that's with the Mellanox and Cumulus stuff, but anything else beyond that is usually contributed up. Our team's actually very supportive of each other, we have network specialists, we have storage specialists. And it's a culture of learning, so there's a lot of synchronizations, a lot of synergies inside the company. 
And I think that's part to do with the people who make up Vault Systems, and that whole camaraderie is actually propagated through our technology as well. >> One of the big themes of the show this year has been broadening out of what's happening. We talked a little bit about containers already, Edge Computing is a big topic here. Either Edge, or some other areas, what are you looking for next from this ecosystem, or new areas that Vault is looking at poking at? >> Well, I mean, a lot of the exciting things for me personally, I guess, I can't talk to Vault in general, but, 'cause there's a lot of engineers who have their own opinions of what they like to see, but with the Queens release with the VGPUs, something I'd like, that all's great, a long-term release cycle with the OpenStack foundation would be great, or the OpenStack platform would be great. And that's just to keep in step with the next releases to make sure that we have the continuity, even though we're missing one release, there's a jump point. >> Can you actually put a point on that, what that means for you. We talked to Mark Collier a little bit about it this morning but what you're looking and why that's important. >> Well, it comes down to user acceptance, right? So, I mean, let's say you have a new feature or a new project that's integrated through OpenStack. And, you know, some people find out that there's these new functions that are available. There's a lot of testing behind-the-scenes that has to happen before that can be vetted and exposed as part of our infrastructure as a service platform. And so, by the time that you get to the point where you have all the checks and balances, and marrying that next to the Australian controls that we have it's one year, two years, or you know, however it might be. 
And you know by that time we're at the night of the release and so, you know, you do all that work, you want to make sure that you're not doing that work and refactoring it for the next release when you're ready to go live. And so, having that long-term release is actually what I'm really keen about. Having that point of, that jump point to the latest and greatest. >> Well Roland, I think that's a great point. You know, it used to be we were on the 18 month cycle, OpenStack was more like a six month cycle, so I absolutely understand why this is important that I don't want to be tied to a release when I want to get a new function. >> John: That's right. >> Roland Cabana, thank you for the insight into Vault Systems and congrats on all the progress you have made. So for John Troyer, I'm Stu Miniman. Back here with lots more coverage from the OpenStack Summit 2018 in Vancouver, thanks for watching theCUBE. (upbeat music)
Garrett McDonald, DHS Australia | IBM Think 2018
>> Announcer: Live from Las Vegas, it's theCUBE. Covering IBM Think 2018. Brought to you by IBM. >> Welcome back to theCUBE live at the inaugural IBM Think 2018 event. I'm Lisa Martin with Dave Vellante. Excited to be joined by a guest from down under, Garrett McDonald, the head of Enterprise Architecture at the Department of Human Services in Australia. Welcome to theCUBE. >> Thank you very much. >> Great to have you. So tell us about the Department of Human Services, DHS. You guys touch 99 percent of the Australian population. >> Yeah, we do. We sit within federal government, we're a large service delivery organization. So through a range of programs and services we touch pretty much every Australian citizen on an annual basis. And within our organization we're responsible for delivery of our national social welfare system, and that picks up people pretty much across the entire course of their lives at different points, we're also responsible for delivering the federally administered portion of our national health system, and that picks up pretty much every Australian every time you go to a doctor, a pharmacy, a hospital, a path lab, indirectly both the provider and the citizen are engaging with our services. We're responsible for running the child support system, but then we also provide IT services for other government departments, so we implement and operate for the Department of Veterans Affairs, and also the National Disability Insurance Agency. And then finally we also run Whole-of-government capabilities, so DHS we operate the myGov platform, that's a Whole-of-government capability for citizens who government authentication and within our program we have 12 million active users and that number continues to grow year on year, and that's the way that you access authenticated services for most of the major interactions that a citizen would have online with government. >> And your role is formerly CTO, right? >> Yep. >> You've got a new role. 
Can you explain it? >> Yeah, I'm a bit of a jack-of-all-trades within the senior executive at DHS, I've had roles in ICT infrastructure, the role of CTO, the role of national manager for Enterprise Architecture, and I've also had application delivery roles as well. >> Okay, so let's get into the healthcare talk because the drivers in that industry are so interesting, you've got privacy issues, in this country it's HIPAA, I'm sure you've got similar restrictions on data. Um, what's driving your business? You've got that regulation environment plus you've got the whole digital disruption thing going on. You've got cloud, private cloud, what's driving your organization from a technology perspective? >> I think there's two main factors there. We have changing citizen expectations, like we've got this continued explosion in the rate of changing technology, and through that people are becoming increasingly comfortable with the integration of technology in their lives, we've got people who are living their lives through social media platforms and have come to expect a particular user experience when engaging through those platforms, and they're now expecting the same experience when they interact with government. How do I get that slick user experience, how do I take the friction out of the engagement, and how do I take the burden out of having to interact with government? But at the same time, given we are a government agency and we do have data holdings across the entire Australian population, whether it's social welfare, whether it's health or a range of other services, there's this very very high focus on how do we maintain privacy and security of data. >> Yeah, I can't imagine the volumes of transactional data for 12 million people. What are some of the things that DHS is using or leveraging that relationship with IBM for to manage these massive volumes of data? You mentioned like different types of healthcare security requirements alone. What is that like? 
>> We've been using IBM as our dominant security partner for quite some years now, and it's been the use of DataPower appliances and ISM power appliances out at the edge to get the traffic into the organization. We're deploying QRadar as our Next Gen SIEM and we're slowly transitioning over to that. And then as we work our way through the mid-range platform through our investment in the power fleet and back to our System Z, we've been using Db2 on Z for quite some years in the health domain to provide that security, the reliability and the performance that we need to service the workloads that hit us on a day-to-day basis. >> So you got a little IoT thing going on. Right? You got the edge, you got the mainframe, you got Db2. Talk a little bit about how, because you've been a customer for a long time, talk about how that platform has evolved. Edge data, modernization of the mainframe, whether it's Linux, blockchain, AI, discuss that a little bit. >> Okay, so over the past three years we've been developing our Next Gen infrastructure strategy. And that really started off around about three years ago, we decided to converge on Enterprise Linux as our preferred operating system. We had probably five or six operating systems in use prior to that, and by converging down on Linux it's given us a, the ability to run same operating system whether it's on x86, on Power, or Z Linux, and that's allowed us to develop a broader range of people with deep skills in Linux, and that's really then given us a common platform upon which we can build an elastic private cloud to service our Next Gen application workloads. >> Now you've talked off-camera. No public cloud. Public cloud bad word (laughs) But you've chosen not to. Maybe discuss why and what you're doing to get cloud-like experiences. 
>> Yeah, so we are building out a private cloud and we do have a view towards public cloud at a point in the future, but given mandatory requirements we need to comply with within the Australian government around the use of the Cloud, given the sensitivity of the data that we hold. At this point we're holding all data on premise. >> Can we talk a little bit more about what you guys are doing with analytics and how you're using that to have a positive social impact for these 12 million Australians? >> Yeah, we've got a few initiatives on the go there. On how do we apply whether it's machine learning, AI, predictive analytics, or just Next Gen advanced analytics on how do we change the way we're delivering services to the citizens of Australia, how do we make it a more dynamic user experience, how do we make it more tailored? And on here that we're exploring at the moment is this considerable flexibility in our systems and how citizens can engage with them, so for example in the social welfare space we have a requirement for you to provide an estimate of the income you expect to earn over the next 12 months, and then based on what you actually earn through the year there can be an end-of-year true-up. Right, so that creates a situation where if you overestimate at the start of the year you can end up with an overpayment at the end of the year and we need to recover that. So what we're looking at doing is well how do we deploy predictive analytics so that we can take a look at an individual's circumstances and say well, what do we think the probability is that you may end up with an inadvertent overpayment, and how can we engage with you proactively throughout the year to help true that up so that you don't reach the end of the year and have an overpayment that we need to recover. >> So I wonder if we could talk about the data model. You talk about analytics, but what about the data model? As you get pressure from, you know, digital, let's call it. 
And healthcare is an industry that really hasn't been dramatically or radically transformed. It hasn't been Uberized. But the data model has largely been siloed, at least in my experience working with the healthcare industry. What's the situation in Australia, and specifically with regard to how do you get your data model in shape to be able to leverage it for this digital world? And I know you're coming at it from a standpoint of infrastructure, but maybe you could provide that context. >> Well, given for privacy reasons we continue to maintain a pretty strong degree of separation between categories of health data for a citizen, and we also have an initiative being deployed nationally around an electronic health record that the citizen is able to control, right, so when you create your citizen record, health record, there is a portion of data that is uploaded from our systems into that health record, and then a citizen can opt in around, well what information when you visit the general practitioner is available in that health record. When you go to a specialist you're able to control through privacy settings what information you're willing to share, so it's still a federated model, but there's a very, very strong focus on well how do we put controls in place so that the citizen is in control of their data. >> I want to follow up in that, this is really important, so okay, if I hear you correctly, the citizen essentially has access to and controls his or her own healthcare information. >> Yeah, that's right. And they're able to control what information are they willing to share with a given health practitioner. >> And it's pretty facile, it's easy for the citizen to do that. >> Yeah. >> And you are the trusted third party, is that right? Or -- >> It's a federated model, so we are a contributor to that service. We provide some of the functionality, we feed some of the data in, but we do have another entity that controls the overarching federation. 
>> Do you, is there a discussion going on around blockchain? I mean could you apply blockchain to sort of eliminate the need for that third party? And have a trustless sort of network? What's the discussion like there? >> We've been maintaining a watching brief on blockchain for a good couple of years now. We've been trying to explore, well how do we find an initial use case where we can potentially apply blockchain where it provides a value and it meets the risk profile. And given it does need to be a distributed ledger, how do we find the right combination of parties where we can undertake a joint proof of technology to identify can we make this work. So not so much in health space, there are other areas where we're exploring at the moment. >> Okay, so you see the potential of just trying to figure out where it applies? >> Yeah, absolutely, and we're also watching the market to see well what's going to become the dominant distribution, how a regulatory framework's going to catch up and ensure that, you know apart from the technical implementation how do we make sure that it's governed, it's administered -- >> Do you own any Bitcoin? No, I'm just kidding. (laughter) How do you like in the Melbourne Cup? So, let's talk a little bit about the things that excite you as a technologist. We talked about a bunch of them, cloud, AI, blockchain, what gets you excited? >> I think the AI and machine learning is a wonderful area of emerging technology. So we've also been pushing quite hard with virtual assistants over the past two to three years, and we have six virtual assistants in the production environment. And those span both the unauthenticated citizen space, how do we assist them in finding information about the social welfare system, once you authenticate we have some additional virtual assistants that help guide you through the process, and then we've also been deploying virtual assistants into the staff-facing side. 
Now we have one there, she's been in production around about 18 months, and we've got very very complex social welfare legislation, policy, business rules, and when you're on the front line and you have a customer sitting in front of you those circumstances can be really quite complex. And you need to very quickly work through what areas of the policy are relevant, how do I apply them, how does this line up with the legislation, so what we've done is we've put a virtual assistant in place, it's a chat-based VA, and you can ask the virtual assistant some quite complex questions and we've had a 95 percent success rate on the virtual assistant answering a query on the first point of contact without the need to escalate to a subject matter expert and we figure that if we saved, we've had it round about a million questions answered in the last year, and if you think that each one of those probably saves around three minutes of time, engaging in SME, giving them the context and then sorting through to an answer, that's three million minutes of effort that our staff have been able to apply to ensuring that we get the best outcome for our citizen rather than working through how do I find the right answer. So that's a bit of a game-changer for us. >> What are some of the things that you're, related to AI, machine learning, cloud, that you're excited about learning this week at the inaugural IBM Think? And how it may really help your government as a service initiative, et cetera. >> Yeah, so I think I see a lot more potential in the space between say machine learning and predictive analytics. On based on what we know about an individual and based on what we know about similar individuals, how do we help guide that individual back to self-sufficiency? 
Right, so for many many years we've been highly effective and very efficient at the delivery of our services, but ultimately if we can get someone back to self-sufficiency, they're engaged in society, they're contributing to the economy, and I think that puts everyone in a pretty good place. >> Alright, so I got to ask you, I know again, architecture and infrastructure person, but I always ask everybody in your field. How long before machines are going to be able to make better diagnoses than doctors? >> Uh, not so sure about doctors, but within our space our focus has been on how do we use artificial intelligence and machine learning to augment human capability? Like, the focus is on within our business lines we have room for discretion and human judgment. Right, so, we don't expect that the machines will be making the decisions, but given the complexity and the volume of the policy and legislation, we do think there's a considerable opportunity to use that technology to allow an individual to make the most informed and the most consistent and the most accurate decision. >> So then in your term you don't see that as a plausible scenario? >> No. >> Maybe not in our lifetime. >> As I said the focus is very much on, well, how do we augment human capability with emerging technology. >> So Garrett, last question and we've got about a minute left. What are some of the things that you are excited about in your new role as head of Enterprise Architecture for 2018 that you see by the end by the time we get to December, your summertime, that you will have wanted to achieve? >> Okay, so, over the last roughly two years I've been developing the future state technology design that will reshape our social welfare system for probably the next 30 years. 
This is a generational refresh we're undertaking in that space, so I think it's been a hard slog getting to this point, we're now starting to build on our new digital engagement layer, we've got a new enrichment layer starting to come to life where we do put that machine learning and AI in place and then we're also starting to rebuild the core of our social welfare system, so this is the year for me where we go from planning through to execution, and it brings me an immense sense of pleasure and pride to see the work that you've been pouring yourself into for many years start to come to fruition, start to engage with citizens, start to engage with other government agencies, and start to deliver the value that we know that it's capable of delivering. >> Well, sounds like a very exciting year ahead. We want to thank you so much, Garrett, for stopping by theCUBE and sharing the insights, what you guys are doing to help impact the lives of 12 million Australians. >> Thank you very much. >> Have a great event. >> Thank you. >> And for Dave Vellante I'm Lisa Martin. You're watching theCUBE's live coverage of the inaugural IBM Think 2018. Stick around, we'll be back with our next guest after a short break.
Jonathan Nguyen-Duy, Fortinet | CUBE Conversations Jan 2018
(bright orchestral music) >> John: Hello there and welcome to this special cube conversation, I'm John Furrier, here in theCUBE's Palo Alto studio. We're here with Jonathan Nguyen, who's with, formerly Verizon, now with Fortinet. What's your title? >> Jonathan: Vice President of Strategy. >> John: Vice President of Strategy, but you're really, more of a security guru. You, notably, were the author of the Verizon data breach investigative report. Great report >> Jonathan: Thank you. >> John: It really has been the industry standard. Congratulations, great to have you here. >> Jonathan: Thanks, it was a great 16 years at Verizon in the security business, ran that data breach investigations team. So yeah, that was a great honor in my career. >> John: So you call it "strategy" because they don't want you to use the word cyber security in your title on LinkedIn in case they spear-phish you. Is that right? (laughs) >> Jonathan: Yeah, having started my career as a US Foreign Service Officer, as a victim of the OPM data breach, everything about me is out there. I live in the perfect universe about how do you defend your identity when everything about you has been compromised to begin with. >> John: So many stories I had a Cube guest talk about LinkedIn and the tactics involved in spear-phishing and the efforts that people go in to attack that critical resource that's inside a perimeter. This is a big problem. This is the problem with cyber warfare and security and crime. >> Jonathan: Yes. >> John: Talk about that dynamic, because this is, I mean, we always talk about the cloud changes, the perimeter, but of course, more than ever this is really critical. >> Jonathan: So, fundamentally as we begin going into digital transformation and notions about where data is today and the nature of computing, so everything has changed and the notion of a traditional perimeter has changed as well. 
So I'm going to borrow a great analogy from my friend Ed Amoroso and he said, Look, let's pretend that this is your traditional enterprise network and all of your assets are in there, and we all agreed that that perimeter firewall is being probed every day by nation-state actors, organized criminal syndicates, hacktivists, anybody. Everyone's probing that environment. It's also dissolving because you've got staffers inside there using shadow IT, so they're opening up that firewall as well. Then, you've got applications and portals that need to be accessed by your stakeholders, your vendors, your customers. And so that traditional wall is gradually eroding, but yet that's where all of our data is, right? And against this environment you've got this group, this unstoppable force, as Ed calls it, these nation-state actors, these organized crime, these hacktivist groups, all highly sophisticated, and we all agree, that with time and effort, they can all penetrate that traditional perimeter. We know that because that's why we hire pen testers and red-teamers to demonstrate how to get into that network and how to protect that. So, if that's the case that we have this force, and they're going to break in eventually, why are we still spending all of our time and effort to defend this traditional perimeter that's highly vulnerable? Well the answer is, of course, that we need to distribute these workloads, into multiple clouds and into multi-hybrid cloud solutions. The challenge has been, well how do you do that with enough control and visibility and detection as you would have in a traditional perimeter, because a lot of folks just simply don't trust that type of deployment. >> John: That's the state of the art, that's the state of the art problem. How to deal with the complexity of IT as with digital transformation as it becomes so complicated and so important at the same time, yet cloud is also on the horizon and it's here. We see the results with Amazon Web Services. 
We see what Azure's doing and Google, etc., etc. And some companies are building their own cloud, so you have this new model, with cloud computing, data-driven applications, and it's complex, but does that change the security paradigm? How does the complexity play into it? >> Jonathan: Absolutely, so complexity has always been the enemy of security and at Fortinet, what we essentially do is that we help companies understand and manage complexities to manage risk. So complexity is only going to increase, so digital transformation, the widespread adoption of digital technologies to enable exponential and explosive productivity growth, right? Societal-level changes, right? >> John: Right. >> Jonathan: Also massively expand the interconnective nature of our society. More and more introductions. Accelerated cycles across the board. Greater levels of complexity. The challenge is going to be, not about whether you're moving into the cloud. Everyone is going to move into the cloud, that is the basis of computing moving next. So in the Australian government, the US government, all the agencies have a cloud-first migration initiative. It's not about whether. It's not about, it's really about when, so how do you move forward with moving your computing, your workload into the cloud? In many ways, it goes back to fundamentals about risk management. It's about understanding your users and your systems, the criticality, the applications you're associated with, and understanding what can you move into the cloud and what do you keep on prem in a private cloud as it were. >> John: I want to ask you more about global, more about cyber security, but first let's take a step back and set the table. What is the holistic and the general trend in cyber security today. I mean, what is the, what's going on in the landscape and what are the core problems people are optimizing for? >> Jonathan: Sure. 
So, across my 20-odd years in cyber, what we've seen consistently has been the acceleration of the volume, the complexity, and the variety of cyber threats. 10 years ago, 2007 or so, there were about 500 threat factors. Today we're north of 5,000. Back in that point, there were maybe 200 vendors, today we're north of 5,000 vendors. There was less than $1 billion of cyber security spent. Today we're north of $80 billion of spend and yet the same challenges pervade. And what's happening now, they're only becoming more accelerated, so in the threat environment, the criminal environment, the nation-state threat actors, they're all becoming more sophisticated. They're all sharing information. They're sharing TTP and they're sharing in a very highly effective marketplace. The dark web cyber crime marketplace is an effective mechanism on sharing information, on matching threat actors to targets. So the frequency, the variety, the intelligence of attacks, automated ransomware attacks, is only going to grow. Across the board, all of us on this side of the fence, our challenge is going to be, how do we effectively address security at speed and scale. And that's the key because you can effect security very well in very discrete systems, networks, facilities, but how do you do it from the IoT Edge, from the home area network, the vehicle area network, the personal area network, to the enterprise network, then to a hybrid cloud. A highly distributed ecosystem and how do you have visibility and scale across that when the interval of detection between the detonation of malware to the point of irrecoverable damage, is in seconds. >> John: So tons of attack vectors, but also I would add to complicate the situation further is the surface area. You mentioned IoT. >> Jonathan: Yeah. >> John: We've seen examples of IoT increasing, more avenues in. >> Jonathan: Yeah. >> John: Okay, so you've got more surface area, more attack vectors with technology. Malware is one. 
We've seen that and ransomware certainly number one. But it's not just financial gain, it's also, there's terrorism involved. >> Jonathan: Absolutely. >> John: So, it's not just financial services, get the cash and embarrass a company. It's, I want to take down that power plant. >> Jonathan: Sure. >> John: So, is there a common thread, because you can, I mean, every vertical is going to have their own rendering issues, have their own kind of situation contextually. But is there a common thread across the industry that cyber security is run, is there a baseline that you guys are attacking and that problems are being solved on? Can you talk about that? >> Jonathan: Sure. So, at the heart of that is a convergence of operational technologies and information technology. Operational technologies were never designed to be IP enabled. They were air-gapped. Never designed to be integrated and interconnected with information technology systems. The challenge has been, as you said, is that as you go through digital transformation, become more interconnected, how do you understand when a thermostat has gone offline, or a conveyor belt has gone offline, or a furnace is going out of control, how do you understand that the HVAC system for the operating theater, the surgery theater, is operating properly? Now we have this notion of functional safety and you have to marry that with cyber security and so, in many ways, the traditional approaches are still relevant today. Understanding what systems you have, the users that use them, and what's happening in that and to detect those anomalies and mitigate that in a timely fashion. Those themes are still relevant, it's just that they're much, much larger now. >> John: Let's get back to the perimeter erosion issue because... >> Jonathan: Yeah. >> John: One of the things we're seeing on The Cube is digital transformation, it's out there, to kick around the buzzword, it's out there, but it's certainly, it's relevant. 
People are transforming to a digital business. Peter Burrows had (unintelligible) they talk about this all the time and it's a lot, a lot involves IT, business process, putting data to work, all that good stuff, transforming the business, drive revenue, but security is more coarse. And sometimes it's, we're seeing it being unbundled from IT and reporting directly up to either the board level or C level. So, that being said, how do you solve this? I'm a digital transformation candidate. I'm doing it. I got, my mind's full of security all the time. How do I solve the security problems, cyber security problem? Just prevention, other things? What's the formula? >> Jonathan: Okay, so at the heart of cyber security is risk management. So digital transformation is the use of digital technology to drive exponential productivity gains across the board and it's about data-driven decision making versus intuitive-led human decision making. So, the heart of digital transformation is making sure that the business leaders have the timely information to make decisions in a much more timely fashion. So that you have better business outcomes and better quality of life, safety, if you will. And so the challenge is about how do you actually enable digital transformation and it comes down to trust. And so, again across the pillars of digital transformation and they are first, IoT, these devices that are connected to collect and share information, to make decisions, the sheer volume of data, zettabytes of data that will be generated in a process of these transactions. Then you have ubiquitous access and you're going to have 5G. You have this notion of centralized and distributed computing. How will you enable those decisions to be made across the board? And then, how do you secure all of that? And so, at the heart of this is the ability to have automated, and that's key, automated deep visibility and control across an ecosystem. 
So you've got to be able to understand, at machine speed, what is happening. >> John: How do I do that? What do I do? Do I buy a box? Do I, is it a mindset? Is it everything? What's the, how do I stop those cyber attacks? >> Jonathan: So, you need a framework of automated devices that are integrated. So a couple of things you're going to need. You're going to need to have the points across this ecosystem where you can detect. So, whether that is a firewall on that IoT Edge or in the Home or there's an internally segmented firewall, across the enterprise network into the hybrid cloud. You're also going to need to have intelligence and by intelligence, I mean you're going to need a partner who has a global infrastructure of telemetry to understand what's happening in real time, in the wild. And once you collect that data, you're going to need to have intelligence analysts, researchers, that can put into context what that data means, because data doesn't become information on its own. You actively have to have someone analyze that. So you have to have a team. At Fortinet, we have hundreds of people who do just that. And once you have the intelligence, you've got to have a way of utilizing it, right? And so, then you've got a way of orchestrating that intelligence into that large framework of integrated devices so you can act. And in order to do that effectively, you have to do that at machine speed and that's what I mean by speed and scale. The big challenge about security is the ability to have deep visibility and control at speed, at machine speed, and at scale from that IoT Edge way across into the cloud. >> John: Scale's interesting, so I want to ask you about the Fortinet. How are you guys at Fortinet solving this problem for customers because you have to, is it, the totality of the offering? Is it some here, technology here and again, you've got 5,000 attack vectors, you mentioned that earlier and you did the defense report at Verizon, your former job. 
So you kind of know the landscape. What does Fortinet do? What do you guys, how do you solve that problem? >> Jonathan: So, from day one, every CISO has been trying to build the fabric. We didn't call it that, but from my first packet-filtering firewall to my first stateful firewall, then I deployed intrusion-detection systems and when all that generated far more lists than I can manage, I deployed an SEM. And then I went to intrusion prevention and I had to look at logs, and so I went to an SIEM. And when that didn't work, I deployed Sandbox, which was called dynamic malware inspection back in the day. And then when that didn't work, I had to go to analytics. And then I had to bring in third-party technology, third-party intelligence feeds and all along, I hoped I was able to make those firewalls, those defense sensors, that platform integrated with intelligence, work somehow to detect the attack and mitigate that in real time. Now, what we essentially do in the Fortinet security fabric is we reduce that complexity. We bring that level of automa-... >> John: And by the way, you're ad hoc, you're reacting in that mode. You're just, ya know, I got to do this. I got to add that to it. So it's almost like sprawling, software sprawl. You're just throwing solutions at the wall. >> Jonathan: Right, and a lot of that time, no one knows if the devices are properly configured. No one has actually done the third party technology integration. No one has actually met the requirements that we'd employ three years ago through requirements today and the requirements three years from now. And so, that's a huge level of complexity and I think at the heart of that complexity, that's reflected in the fact that we're missing the basic elements in security across today. The reason the large data attacks and the data breaches didn't come because of advanced malware. They didn't happen of nation-state threats. These were known vulnerabilities. The patches existed. They weren't patched. 
In my experience, 80% of all the attacks could be mitigated through simple to intermediate controls. >> John: Deploying the patches. Doing the job. >> Jonathan: Complexity. Patch management sounds easy. It's hard. Some applications, there is no patch available. You can't take things offline. You have to have virtual patches or unintended consequences. And there are a lot of things that don't happen. There's the handoff between the IT team and the security team and it adds complexity. And if you think about this, if our current teams are so overwhelmed that they cannot mitigate known attacks, exploits against known vulnerabilities, how are they going to be able to grapple with the complexity of managing zettabytes of data with an ecosystem that spans around the world, that operates in milliseconds, where now it's not just digital issues. It's health, safety, physical security. How can we trust that a connected vehicle is secure or not. >> John: Talk about the dynamic between machines and humans because you mentioned patches, and this is, you can argue that it's a human mistake, but also you mentioned automation earlier. The balance between automation, using machines and humans, because prevention and risk management seem to be the axis of the practice. It used to be all prevention, now it's a lot more risk management. There's still a human component in here. >> Jonathan: Yeah. >> John: How are you guys talking about that and how is that rendering itself as a value proposition for customers? >> Jonathan: So, humans are the essence, both the challenge, in so many cases we have faulty passwords, we have bad hygiene. That's why security's awareness training is so critical, right? Because humans are part of the problem, on one end. On the other end, within the SOC, humans are grappling with huge amounts of data and trying to understand what is malicious, what needs to be mitigated, and then prioritizing that. 
For us, it's about helping, the complexity, reducing the complexity of that challenge and helping automate those areas that should be automated so the humans can act better and faster, as it were. >> John: We're here with Jonathan Nguyen with Fortinet. I want to ask you about the ecosystem you mentioned that early and also the role of CISO, the Chief Information Security Officer and CIO, essentially the executives in charge of security. Say you have executives in charge of the risk management, don't get hacked, don't get breached, and also the ecosystem partners. So, you have a very interesting environment right now where people are sharing information, you mentioned that earlier as well. So you got the ecosystem of sharing and you have executives in charge of running their businesses effectively and not have security breaches happen. What's happening in... What are they working on? What are the key things that chief security officers are working on with CIOs? What specifics are on their plate and what's the ecosystem doing around that too? >> Jonathan: Sure. So digital transformation dominates all discussions today. And every CISO has two masters. They have a productivity master, which is always the business-side of the house and they have a security master, which is ensuring that reasonable level of security is, in the advent, managing risk, right? And that's the challenge, how do you balance that? So, across the board, CISOs are being challenged to make sure that the applications, the digital transformation initiatives are actually occurring and at the same time, in the advent of a data breach, understanding the risk and managing the risk. How do you tell your board of directors, your governments that you're not only compliant, but that you have handled risk to a reasonable level of assurance? 
And that means, in my opinion, across my experience, you've got to be able to demonstrate a couple of things: one, you have identified and adopted, with third-party implementation and attestation, a recommended best practices and controls. Second, you've implemented and used best-in-class products and technologies like Fortinet. Products that have gone through clearances, gone through common criteria, where things are properly certified and that's how you demonstrate a reasonable level. It's really about risk management, understanding what level of risk you will tolerate, what level of risk you will mitigate, and what level of risk you're going to transfer. And I think that's the discussion at the board level today. >> John: So more, make people feel comfortable, but also have a partner that can actually do the heavy lifting on new things. 'Cause there's always going to be a new attack vector out there. >> Jonathan: Absolutely. So I think the key to it is understanding what you're really good at and so then one of the questions I ask every CISO is that when you look at technology, what is it that your organization is really good at? Is it using technology? Is it operationalizing that experience? Or is it really about ensuring that the firewall is integrated with your SIEM and that the SIEM works and trying to create your own threat intelligence. And I think that one of the things we do better than anybody else is that we reduce the level of complexity of that, allowing our clients to really focus on providing security, using the best-in-class technologies to do that. >> John: Jonathan, a final question. In 2018, what's your outlook for the year for CISOs and companies with cyber right now? >> Jonathan: I think it's going to be an exciting time. I think, is there going to be a focus back on basics? Because before we take this next evolutionary leap, in terms of cyber and computing and the digital nature of our society, we've got to get the basics done right. 
And I think the way Fortinet's going, our ability to use the fabric, to help manage risk, and reduce risk, is going to be the path forward. >> John: This is The Cube, bringing you commentary and coverage of cyber security of course, here in our Palo Alto studio. I'm John Furrier, thanks for watching. (orchestral music) The Cube.
DO NOT MAKE PUBLIC Jonathan Nguyen-Duy, Fortinet | CUBE Conversations
(bright music) >> Hello everybody, welcome to this special CUBE Conversation. I'm John Furrier here in theCUBE's Palo Alto studio. We're here with Jonathan Nguyen, who's, formerly with Verizon, now with Fortinet. What's your title? >> Vice President of Strategy. >> Vice President of Strategy, but you're really, I would say, more of a security guru. You were, notably, the author of the Verizon Data Breach Investigative Report. Great report, it really has been interesting. Congratulations, it's great to have you here. >> Thanks, it was great, 16 years at Verizon, in the security business. Ran the data breach investigations team, so that was a great honor in my career, yeah. >> John: So, you call it strategy, 'cause they didn't want you to use the word cyber security on your title on LinkedIn in case they spear-phish you, is that right, no? (laughs) >> Jonathan: You know, having started my career as a US foreign service officer, as a victim of the OPM data breach, everything about me is out there. >> Yeah. (laughs) >> I live in a perfect universe about how do you defend your identity when everything about you's been compromised to begin with? >> Some of these stories, I had a CUBE guest talk about LinkedIn, and attackers involved in spear phishing, and the efforts that people go into to attack that critical resources inside the perimeter. This is a big problem. This is the problem with cyber warfare and security, and crime. >> Yes. >> Talk about that dynamic, 'cause this is, we always talk about the cloud change, the perimeter, of course. >> Sure. >> More than ever, this is really critical. >> Jonathan: Fundamentally, as we begin going into digital transformation and notions about where data is today and the nature of computing, everything has changed, and the notion of a traditional perimeter has changed as well.
I'm going to borrow a great analogy from my friend, Ed Amoroso, and he said, "Look, let's pretend this is your traditional enterprise network, and all your assets are in there. And we all agree that that perimeter firewall is being probed every day by nation state actors, organized criminal syndicates, hacktivists, anybody. Everyone's probing that environment." It's also dissolving because we've got staffers inside there using shadow IT, so they're opening up that firewall as well. Then you've got applications and portals that need to be accessed by your stakeholders, your vendors, your customers. And so that traditional wall is gradually eroding, yet, that's where all of our data is, right? And against this environment, you've got this group, this unstoppable force, as Ed calls it. These nation-state actors, these organized crime, these hacktivist groups, all highly sophisticated. And we all agree, that with time and effort, they can all penetrate that traditional perimeter. We know that because that's why we hire pen testers, and red teamers, to demonstrate how to get into that network and how to protect that. So if that's the case, that we have this force, and they're going to break in eventually, why are we still spending all of our time and effort to defend this traditional perimeter that's highly vulnerable? Well, the answer is, of course, that we need to distribute these workloads, into multiple clouds, into multi hybrid cloud solutions. The challenge has been, well, how do you do that with enough control and visibility and detection as you have with a traditional perimeter, because a lot of folks just simply don't trust that type of deployment. >> That's the state of the, I mean, that's the state of our problem. How to deal with the complexity of IT, with digital transformation, as it becomes so complicated, and so important, at the same time. Yet, cloud is also on the horizon, it's here.
We see the results of Amazon Web Services, see what Azure is doing, Google, et cetera, et cetera. And some companies are doing their own cloud. So, you have this new model, cloud computing. Data driven applications. And it's complex, but does that change the security paradigm? How does the complexity play into it? >> Jonathan: Absolutely, so, complexity has always been the enemy of security. And at Fortinet, what we essentially do is that we help companies understand and manage complexity to manage risk. So complexity is only going to increase. So digital transformation, the widespread adoption of digital technology is to enable exponential explosive productivity growth. Societal level changes, right? Also, massively expand the inter-connective nature of our society. More and more connections, accelerated cycles across the board, greater levels of complexity. The challenge is going to be not about whether we're moving to the cloud, everyone is going to move into the cloud, that is the basis of computing moving next. So in the Australian government, the US government, all of the agencies have a cloud-first migration initiative. It's not about whether, it's not about, it's really about when. So how you move forward with moving your computing, your workloads into the cloud? In many ways it goes back to fundamentals about risk management. It's about understanding your users and your systems, the criticality, the applications you're associated with. And understanding what can you move into the cloud, and what do you keep on-prem, in a private cloud, as it were? >> I want to ask you more about global, more about cybersecurity, but first, take a step back and set the table. What is the holistic and the general trend, in cybersecurity today? What's going on in the landscape, and what are the core problems people are optimizing for? >> Sure. 
>> So, across my 20-odd years in cyber, what we've seen consistently has been the acceleration of the volume, the complexity, and the variety of cyber threats. So, 10 years ago, 2007 or so, there were about 500 threat vectors; today, we're north of 5000. Back at that point, there were maybe 200 vendors; today, we're north of 5000 vendors. There was less than a billion dollars of cybersecurity spent; today, we're north of 80 billion dollars spent. And yet, the same challenges pervade. And what's happening now, they're only becoming more accelerated. So in the threat environment, the criminal environment, the nation-state threat actors, they're all becoming more sophisticated. They're all sharing information! (laughs) They're sharing TTP, and they're sharing it on a highly effective marketplace: the dark web cyber crime marketplace is an effective mechanism of sharing information, of matching threat actors to targets. So the frequency, the variety, the intelligence of attacks, automated ransomware attacks, is only going to grow. Across the board, all of us on this side of the fence, our challenge is going to be, how do we effectively address security at speed and scale? And that's the key. Because you can effect security very well, in very discrete systems, networks, facilities. But how do you do it from the IoT edge? From the home area network, the vehicle area network, the personal area network? To the enterprise network, to then, to a hybrid cloud. A highly distributed ecosystem. And how do you have visibility and scale across that, when the interval of detection, between the detonation of malware, to the point of irrecoverable damage, is in seconds. >> So, tons of attack vectors, but, also, I would add, to complicate the situation further is, the surface area, you mentioned IoT. We've seen examples of IoT increasing more avenues in. Okay, so you've got more surface area, more attack vectors with technology.
Malware, we see that in ransomware, certainly, number one. But it's not just financial gain, there's also this terrorism involved. >> Absolutely. >> It's not just financial services get the cash, and embarrass the company, it's, I want to take down that power plant. So, is there a common thread? I mean, every vertical is going to have their own, kind of situation, contextually. But is there a common thread across the industries, that cybersecurity, is there a baseline, that you guys are attacking, that problems are being solved? Can you talk about that? >> Sure. >> So, at the heart of that is a convergence of operational technologies and information technology. Operational technologies were never designed to be IP enabled, they were air gapped. Never designed to be integrated and interconnected, with information technology systems. The challenge has been, as you said, is that as you go through digital transformation, become more interconnected, how do you understand when a thermostat has gone offline, or a conveyor belt has gone offline, or a furnace is going out of control? How do you understand that the HVAC system for the operating theater, the surgery theater, is operating properly? Now we have this notion of functional safety, and you have to marry that with cybersecurity. So, in many ways, the traditional approaches are still relevant today. Understanding what systems you have, the users that use them, and what's happening, in that. And detect those anomalies and to mitigate that, in a timely fashion? Those same themes are still relevant. It's just that they're much, much larger now. >> John: Let's get back to the perimeter erosion issue because one of the things that we're seeing on theCUBE is digital transformations out there. And that's, I kicked a lot of buzzwords out there, but certainly, it's relevant. >> Yeah. >> People are transforming to digital business. Peter Burris had research, we keep on top of those all of the time. And it's, a lot involves IT.
Business process, putting data to work, all that good stuff, transforming the business, drive revenue. But security is more core. And sometimes we're seeing it unbundled from IT, and we're reporting directly to the board level, or CEO level. That being said, how do you solve this? I'm a digital transformation candidate, I'm doing it, and I'm mindful of security all the time. How do I solve the security problem, cyber security problem? Just prevention, other things? What's the formula? >> Okay, so at the heart of cybersecurity is risk management. So digital transformation is the use of digital technologies to drive exponential productivity gains across the board. And it's about data driven decision making, versus intuitive led human decision making. So at the heart of digital transformation is making sure that the business leaders have their timely information to make decisions, in a much more timely fashion, so they have better business outcomes and better quality of life. Safety, if you will. And so the challenge is about, how do you actually enable digital transformation, it comes down to trust. And so, again, across the pillars of digital transformation. And they are, first, IoT. These devices that are connected collect, share information, to make decisions. The sheer volume of data, zettabytes of data, that will be generated in the process of these transactions. Then you have ubiquitous access. And you're going to have 5G, you have this notion of centralized and distributed computing. How will you enable those decisions to be made, across the board? And then how do you secure all of that? And so, at the heart of this is the ability to have, automated, that's key, automated deep visibility and control across an ecosystem. So you've got to be able to understand, at machine speed, what is happening. >> John: How do I do that, what do I do? Do I buy a box, is it mindset, is it everything? How do I solve, how do I stop cyber attacks?
>> You need a framework of automated devices that are integrated. So, a couple of things you're going to need: you're going to need to have the points, across this ecosystem, where you can detect. And so, whether that is a firewall on that IoT edge, or in the home, or that's an internally segmented firewall, across the enterprise network into the hybrid cloud. You're also going to need to have intelligence, and by intelligence, that means, you're going to need a partner who has a global infrastructure of telemetry, to understand what's happening in real time, in the wild. And once you collect that data, you're going to need to have intelligence analysts, researchers, that can put into context what that data means, because data doesn't come into information on its own, you actively have to have someone to analyze that. So you have to have a team, at Fortinet, we have hundreds of people who do just that. And once you have the intelligence, you've got to have a way of utilizing it, right? And so, then you've got to have a way of orchestrating that intelligence into that large framework of integrated devices, so you can act. And in order to do that, effectively, you have to do that at machine speed. And that's what I mean by speed and scale. The big challenge about security is the ability to have deep visibility, and control, at speed, at machine speed. And at scale, from that IoT edge, way across, into the cloud. >> Scale is interesting, so what I want to ask you about Fortinet, how are you guys, at Fortinet, solving this problem for customers? Because you have to, is it, the totality of the offering, is it, some technology here, and again, you have 5000 attack vectors, you mentioned that earlier, and you did the defense report at Verizon, in your former jobs. You kind of know the landscape. What does Fortinet do, what are you guys, how do you solve that problem? >> So, from day one, every CSO has been trying to build a fabric, we didn't call it that.
But from my first packet-filtering firewall, to my first stateful firewall, then I employed intrusion detection systems, and all of that generated far more lists I can manage, and I deployed an SEM. And then I went to intrusion prevention. And I had to look at logs, so I went to an SIEM. And when that didn't work, I deployed sandboxing, which was called dynamic malware inspection, back in the day, and then when that didn't work, I had to go to analytics. And then, I had to bring in third party technology, third party intelligence feeds, and all along, I hoped I was able to make those firewalls, and defense sensors, that platform, integrated with intelligence, work somehow to detect the attack, and mitigate that in real time. Now, what we essentially do, in the Fortinet security fabric is, we reduce that complexity. We bring that level of-- >> John: And by the way, you're ad hoc, you're reacting in that mode, you're just, I got to do this, I got to add that to it. So it's almost like sprawling, software sprawl. You're just throwing solutions at the wall. >> Right, and a lot of that time, no one knows if their devices are properly configured, no one has actually done the third party technology integration. No one has actually met the requirements that were deployed three years ago, there are requirements today, there are requirements three years from now. And so, that's a huge level of complexity, and I think, at the heart of that complexity. That's reflected in the fact that, we're missing the basic elements in security today. The reason, the large data attacks, and the data breaches, didn't come because of advanced malware, they didn't happen off nation-state threats. These were known vulnerabilities, the patches existed, they weren't patched! In my experience, 80% of all the attacks could be mitigated through simple to intermediate controls. >> Deploying the patches, doing the job. >> Complexity. Patch management sounds easy, it's hard.
Some applications, there is no patch available. You can't take things offline, you have to have virtual patches, there are unintended consequences. And there are a lot of things that don't happen. There's the handoff between the IT team and the security team, and it adds complexity. And if you think about this, if our current teams are so overwhelmed that they cannot mitigate known attacks, exploits against known vulnerabilities. How are they going to be able to grapple with the complexity of managing zettabytes of data, with an ecosystem that spans around the world, and operates in milliseconds, where, now, it's not just digital issues, it's health, safety, physical security. How can we trust a connected vehicle, is it secure or not? >> Jon, talk about the digital transformation for industries. As we talked earlier about the commonalities of the industries, they all have their own unique use cases, contextually, I mean, oil and gas, financial services, healthcare, EDU, they all have different things. What is the digital transformation objective and agenda and challenges and opportunities for financial services, healthcare, education, and the public sector? >> So, digital transformation has some similar themes, across industry verticals. For financial services, it's about omnichannel customer engagement, it's about owning that customer experience, how will a financial service company be able to reach each connected consumer? Highly personalized way, highly customized services, suited for that customer so that they can interact, at any time, that they desire, on any device, any media they desire, across the entire experience? For when that person first becomes employed, and has a first checking account, to the point that they retire, the notion around digital transformation for financial services. How do we go about, as an FS company, to reach that customer, in an omnidirectional, omnichannel way, and maximize that experience? 
How do we do that with highly personalized, highly customized service, self-service, if you will, all with security, across massive amounts of data? How do you ensure that that's the challenge? And then you have to do that in a very distributed ecosystem, from the ATM, home, from the vehicle, and as we move into digitally enabled societies, from the connected car, all of those places will have transactions, all of that will have to be the purveyance of financial services companies. So the level of complexity that they're going to have to grapple with is going to be immense. >> John: And the app, too, is basically the teller, 'cause the app is driving everything, too. It brings up, essentially, the argument, not argument, our thesis, your thesis, on the obvious, which is, the perimeter is eroding. It's the app on the phone. (laughs) Okay, healthcare. Healthcare is one of those things that is near and dear to my heart because, I remember back in the days, when I was younger, HIPAA compliance, it created all of these databases. Creating complexity, but also, structured things. So, healthcare is being disrupted, and security is obviously concerned. More ransomware in hospitals, you see, everywhere these days, big, big issue. >> Yeah, so, challenges in healthcare are twofold. On the one hand, their targets are ransomware because that's where money is. They have compliance challenges, but in a very interesting way, based off of the research we've seen, is that healthcare is a lot more akin to the intelligence community than any other. Because it has insider threats. Large amounts, 7 out of 10 healthcare data breaches are the result of insider threat. So, like financial services, and the other verticals in digital transformation, again, it comes to the notion of the connected consumer and the connected citizen.
How do you make sure that that person can be touched and served, irrespective of whether they're in the home, or in another healthcare facility, and all of their devices that are IP-enabled are safe and secure, and to monitor that. And to keep that secure, across a large distributed ecosystem, and for a long period of time, as well. >> Education, talk about insider threats probably there, too. Education is a huge vertical with a lot of, sure, students, but also the general EDU market is hot too. >> Jon: And it's incredibly challenging, because the environment ranges from kindergarten, preschool, to high school, to higher levels of education, that are government funded, with classified intelligence, and materials, and research labs. And the educational environment, how do you provide security, confidentiality, and availability, in an ecosystem that was designed for the free flow and access of information, and how do you do that across a highly distributed ecosystem? Again, constant themes of complexity, volumes of data, and personalized and customized services. >> John: And you got to be able to turn those services on fast, and turn them off and on. Okay, finally, my favorite area is the federal, or public sector market, of course, that also includes higher ed, whatnot. But really government and federal. Public sector, seeing govcloud booming. What are some of the challenges with digital transformation in federal? >> So the hard part of federal government is the notion of service to the connected citizen. And that connected citizen now wants to be able to access city hall, their members of Congress, the White House, in a digital way, at any time, on any device, so that they can log their opinion. It is a cacophony of demand from across the board. 
From state, local, to federal, that every citizen now demands access to services, on any digital media, and, at the same time, for everything from potholes, and snow removal, and trash removal, those are the types of services that are needed. So, government, now, needs to provide services in the digital way, and provide security across that. >> John: In respect to those verticals, especially public sector and education, transparency is critical. You can't hide, the government can't hide. They provide citizens connectivity, and services. There's no more excuses, they have to go faster. This is a big dynamic. >> I think that we all have expectations of what it is to grow up in a digital world. My children have only grown up in a digital world. They expect things to happen at digital speed, at machine speed, they expect a high level of customized services, so that when they go, and interact with a government agency or a vendor, that vendor, that service provider, needs to know his or her preference. And will automate that and deliver those services in an incredible fashion. As I said earlier, when my kids talk about, when they learned about Moses, and heard about Moses coming down from the mountain with tablets, they thought that he was an Apple user. You know, there was no notion of other types of tablets. The connected citizen is a digital citizen, with digital demands and expectations. And our job in cyber is to enable the digital transformation so that all of those things can be delivered, and expectations met. >> Talk about the dynamic between machines and humans, because you mentioned patches, this is, you could argue it's a human mistake. But also, you mentioned automation earlier. Balance between automation, and using machines and humans. Because prevention and risk management seem to be the axis of the practice. It used to be all prevention, now it's a lot more risk management. There's still a human component in here. 
How are you guys talking about that, and how is that rendering itself, as a value proposition for customers? >> Sure, so it's just, humans are the essence. Both the challenge, in so many cases, we have faulty passwords, we have bad hygiene. That's why security awareness training is so critical, right, because humans are part of the problem, on one end. On the other end, within the SOC, humans are grappling with huge amounts of data, and trying to understand what is malicious, what needs to be mitigated, and then prioritizing that. For us, it's about helping reduce the complexity of that challenge, and helping automate those areas that should be automated, so that humans can act better and faster, as it were. >> We have Jonathan Nguyen with Fortinet. I wanted to ask you about the ecosystem, you mentioned that earlier, and also the role of CSOs, chief information security officers, and CIOs, essentially, they're the executives in charge of security. So, you have the executives in charge of the risk management, don't get hacked, don't get breached. And also, the ecosystem partners. So you have a very interesting environment right now where people are sharing information, you mentioned that earlier, as well. So you got the ecosystem of sharing, and you have executives in charge of running their businesses effectively, and not have security breaches happen. What's happening, what are they working on, what are the key things that chief security officers are working on with CIOs, what specifics are on their plate? And what's the ecosystem doing around that, too? >> So digital transformation dominates all discussions today. And every CSO has two masters. They have a productivity master, which is always the business side of the house, and they have a security master. Which is ensuring that reasonable level of security, in the advent, and managing risk, right? And that's the challenge, how do you balance that?
So, across the board, CSOs are being challenged to make sure that the applications, those digital transformation initiatives are actually occurring. At the same time, in the advent of a data breach, understanding the risk and managing the risk. How do you tell your board of directors, your governments, that you're not only compliant, but that you have handled risk to a reasonable level of assurance? And that means, in my opinion, across my experience, you've got to be able to demonstrate a couple of things. One, you have identified and adopted, with third party implementation, and attestation, of recommended best practices and controls. Second, you have implemented and used best-in-class products and technology, like Fortinet. Products that have gone through clearances, gone through common criteria, where things are properly certified. And that's how you demonstrate a reasonable level, it's really about risk management. Understanding what level of risk you will tolerate, what level of risk you will mitigate, and what level of risk you're going to transfer. And I think that's the discussion at the board level today. >> So, make people feel comfortable. But also have a partner that can actually do the heavy lifting on new things. 'Cause there's always going to be a new attack vector out there. >> Absolutely, so, I think the key to it is understanding what you're really good at. And so one of the questions that I ask every CSO is that, when you look at technology, what is it that your organization is really good at? Is it using technology, operationalizing that experience? Or is it really about ensuring that that firewall is integrated with your SIEM, that the SIEM works in trying to create your own threat intelligence. And I think one of the things that we do better than anybody else is that we reduce the level of complexity, of that allowing our clients to really focus on providing security, using best-in-class technologies to do that. >> John: That's awesome.
I want to just kind of go off the board, on a question that's a little bit more societal oriented, but it's mostly here in the US. You're seeing cryptocurrencies booming, blockchain, whatnot, and it is really kind of two vectors there, that conversation, it's attacks and regulation. So the regulatory environment in DC, on the hill, looks at tech companies these days, oh my god, the big bad, Google, Apple, Facebook. And that's kind of today's narrative. But in general, technology can be an innovation opportunity. So around cyber, it's a little bit more relevant. As govcloud becomes much more ingrained in public sector, what is the regulatory environment out there? Is it helping, is it hurting? What's your thoughts? >> Jonathan: I think, on the most part, it's helping, because regulatory and compliance environments typically lag behind technology. And that's been consistent across not just cyber, but just every field of human endeavor. And I think in cryptocurrency we're beginning to see the effects as governments around the world begin to grapple with, what does this mean, if they have no visibility, insight, or control, over a currency, and we're seeing that in East Asia today. We're seeing that in China, we're seeing that in South Korea. It will have implications, I mean, the question you have to ask, with regards to cryptocurrencies is, will governments allow a non-controlled currency to operate in their marketplace? And given that we are a more integrated and digital marketplace, unless it's adopted on a global basis, is it really compelling? Now, blockchain technology is compelling; what is going to be powering that is a different question. I think that regu-- >> And also. >> The profiteering mode of hackers, which, we talked before we came on camera, is a central part of the dynamic. So if you have a flourishing ecosystem of cryptocurrency, aka Bitcoin, you have, now, a clearinghouse for payments. And that's where ransomware is mostly paid off, in Bitcoin. 
>> Absolutely. >> So this is an interesting dynamic, I'm just trying to get a read from how that plays into some of these cybersecurity dynamics. >> I think cybersecurity is highly dynamic, as you said. It is move and countermove, active threat adversaries, active marketplaces coming up with new challenges. I think, for us, on this side of the fence, it's really about making sure, getting the fundamentals right first. I often tell people, first, do you really have all of the security controls in place? Do you really know what's operating in your system? Do you understand your users? Have you done the vulnerability scans? Where are you in those basic things, first? I mean, if you do the basics, you'll mitigate, eight, nine, out of 10 attacks. >> John: Well the costs are going up, obviously, we talked about it, global, earlier. The global impact is interesting, and that's not to say cloud is global, but you now have different regional aspects of cryptocurrencies as one example. But yeah, data breach is another, look at GDPR, the penalties involved. (laughs) And certain countries in Europe, it's going to be astronomical. So there seems to be a tax involved here. So the motivations are multifold. >> So, the motivations in cyber crime. Always consistent, whether they're monetary gain, social media gain, or some sort of political gain. And I think the way you address that is that you cannot take down the marketplace, you cannot take down the physical criminals themselves. You're going to have to take away the ability to monetize, or make gains from cyber attacks. And the way I look at it is that, if you make it so complex to actually launch a successful attack, and then, to go beyond that, and monetize what you've gained, or compromised, you effectively take away the root motivation for cyber crime.
And that's, it's an interesting thought, because no one talks about that, because at an industry level, do you really have the ability to, what I call, affect the trajectory of cyber crime? That's a very different way to look at it. >> John: And it's interesting, in Jeff's position, he's basically saying, make it more complex, that'll be more effective against cybersecurity, yet, digital transformation is supposed to make it easier. With building blocks in cloud, you can almost argue that if you can make it easy to deploy in cloud, it's inherently complex. So, creating a very easy to use, complex environment, or complex system, seems to be the architecture. >> The essence of cyber, I think, moving forward, is managing complexity. If you can manage complexity then you have taken complexity and made it your advantage. Because now the cyber criminal has to figure out, where is the data? Is it in the traditional data center, that enterprise environment? Is it a multi-cloud environment, if so, which node, and if I'm successful at compromising one node, I can't get to the next node, because the security fabric separated it. >> John: Jon, the final question, 2018, what's your outlook for the year, for CSOs, and companies with cyber, right now? >> I think it's going to be an exciting time. I think, is there going to be a focus back on basics? Because before we take this next evolutionary leap, in terms of cyber, and computing, and the digital nature of our society, we've got to get the basics done right. And I think the way Fortinet is going, our ability to use the fabric, to help manage risk, and reduce risk, is going to be the path forward. >> Jonathan Nguyen, with Fortinet, former author of the Data Breach Investigation Report, which I've been a big fan of, been reading it for years. Super document, congratulations, it must have been fun working on that. >> It was the high point of my career, at this point. 
>> It really was a great doc, it was the Bible of state of the art, state of the union, for cyber security. This is theCUBE, bringing you commentary and coverage of cybersecurity, of course, here, in our Palo Alto studio. I'm John Furrier, thanks for watching. (bright music)