Katie Jenkins, Liberty Mutual | AWS re:Inforce 2019
>> Live from Boston, Massachusetts, it's theCUBE, covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners.
>> Welcome back to theCUBE's live coverage here in Boston, Massachusetts, for AWS re:Inforce, Amazon Web Services' first inaugural conference around cloud security. I'm John Furrier with my co-host Dave Vellante. Our next guest, Katie Jenkins, SVP, CISO. Vice President, CISO, Chief Information Security Officer with Liberty Mutual. Big company, lot of activity, insurance. Probably a lot of action on your side. Welcome to theCUBE. Thanks. Thanks for coming on. So you've been in this job for about a year. Tell us about what's going on at Liberty. I mean, you guys have a large company, 100-plus years old. You're CISO, you're in charge, you're running everything. We're at a security conference. Tell us the reality. What's going on in the real world?
>> Yeah, well, this is super exciting that re:Inforce, of course, is in Boston. This is Liberty Mutual's hometown. As you mentioned, 107-year-old security, not security company
>> insurance company. But we're
>> doing really cool things in technology and security specifically. Um, I would say to kind of bring this gathering together, we have a really rich pool of security talent, of security and innovators. It really matches up with what we're doing. So Liberty Mutual has made a very significant commitment to moving to the public cloud for our technology and computing needs. We're in about year three of that journey, maybe 25% of our workload in the public cloud. It's really been a catalyst for not just transforming our technology organisation but transforming the way security does its work and the way security engages with our development community.
>> Well, you're the head honcho, as they say, as a CISO, but you've had 20-plus years in cyber security. This is now kind of a new category, with re:Inforce being a branded show over AWS.
I see this deserves its own conversation, and the industry has a lot of action going on. What does cloud security mean to you? Because this is the focus of this show. It's not just pure cloud, a lot on premise and on cloud interactions with hybrid, etcetera. You guys have been doing tons of IT over the generations with Liberty Mutual, but cloud security is the focus. What does that mean to you guys from a cyber security standpoint?
>> Yeah, um, in a word, enablement. Um, I think that the public cloud offers us, um, a really interesting opportunity to reinvent security, right? So if you think about all of the technologies and processes, many of which were manual over the years, I think we have an opportunity to leverage automation to make our work easier in some ways, to, um, avoid the situation where we have error, oversight: gosh, we encrypted everything but, you know, this set of assets over here. So through using automation and enforcement, it's a new, exciting opportunity to further develop our security capabilities. But also, you know, cloud security, and cloud in general, has bred a transformation of the way that our practitioners do work through agile. And it means that security has to now work with our technologists in a different way.
>> So you've had a really interesting background. Um, you worked for a company that does audits, I can infer from that. You've worked for a services company. You worked for a technology vendor. You worked as a practitioner. So you've seen it from all sides. And, you know, Amazon made some comments yesterday that said, look, the narrative in the security industry has always been fear, fear, fear, and we'd like to put forth the narrative that is about, listen, the state of security is really good and strong. The union is strong and we're gonna work together in a positive message. So my question is, are you an optimist?
>> Ah, a reluctant activist.
Um, I think the days of having security be something that's fearful, uh, are just not doing us any justice in that area. I mean, security is an area of partnership. There's very little of what we do in security that's just done by security practitioners. We need asset managers. We need compliance people. We need the privacy team. We need our auditors. We need procurement. I mean, there's just so many different parties involved in security that if we're just instilling fear in everyone, I think it'll be difficult for us to get that partnership. And we need to empower people, right? We need to both empower our developers to do their work in a secure manner, and we have to empower our whole workforce and our trusted third parties to make good decisions. We're educating them on how to prevent phishing attacks. We're doing all sorts of kind of culture-based initiatives, recognizing that if it's just the security folks doing security, we're gonna have a big gap.
>> One of the things that we were discussing with a lot of other CISOs we've been talking to privately, off the record, in the hallways and private briefings, is the common theme of integration as a big part of dealing with the ecosystem, either suppliers and/or different teams within their different pillars of how they're organized internally and externally, and then also reducing the number of security vendors that they've been buying products from, to also get some in-house coding teams working more closely on the use cases that matter. So this has become kind of a CISO conversation: what is that criteria? How do you figure out who to have as suppliers, who's gonna be around for the long haul, who's gonna be in that partnership for the enablement? So rather than having hundreds of vendors, we want to get them down to a handful. Is that something that you think about, or is it a trend that you see happening now?
>> Uh, it is a trend.
I think it starts at how we even procure and select our suppliers. I mean, we're really giving a lot of thought to the area of third-party risk management. And do we understand not just the elements of cyber risk in engaging with a third party, but privacy and continuity kind of risk, too. So it starts there. I don't have a sort of fabricated number in terms of, I'm trying to go from X number of vendors down to Y. But I think that there's a very purposeful thought process that we're undergoing to say, yeah, we recognize that for certain technologies, we want to have different providers to provide some of that redundancy. Let's be smart about them. Let's make sure we really understand where those overlapping capabilities are, because we don't want to be wasteful either. Right?
>> On the spend, the question comes up too around DevOps, because what we're seeing is the DevOps and security paradigms kind of coming together in terms of the concepts: agility. You could do some prototyping, a hackathon, do some things, and then ultimately trying to get into production are two different animals. So that enablement of doing innovative things, this agility, that's been a key theme, a positive theme. And the question is, is there a funding model? Does it automatically get security funding? And where's the spend, is your spending going up? So all the monetary spend questions come up.
>> How do you
>> deal with that holistically? And how do you think about, you know, the spend conversation?
>> Yeah, um,
>> it's a really interesting one, because, of course, expense
>> pressures. I'm not immune to those. But I
>> also think that we're in a position where, um, our executive leadership team understands the value of the work that we're doing, understands the importance to our policyholders. So it's less often a need to justify why we need more spend.
It's a demonstration of using that spend responsibly and understanding where we might have an uplift from something that we automated, to say, well, now we have these resources that could be doing something else.
>> There's
>> always something else in security, right? So if we're committed to reskilling and making sure that people are evolving the work that they do and the talents that they have to adjust to a different kind of
>> no rule of thumb per se. It's more of, your management recognizes the criticality of it. Therefore, you could make those calls on your own building built in building,
>> project tough questions and making
>> responsible decisions. But I think it comes down to knowing your technology,
>> So the skills gap, obviously a huge challenge in your industry. We talked to somebody else; they said, we just can't find people, so we have to bring them in and train them ourselves. We have to homegrow and take the long view. Amazon talks about the shared responsibility model, and a lot of small companies don't really understand that; it's misunderstood. Obviously, Liberty Mutual gets it. My question is, as you see Amazon focusing on the compute, storage and database layer, and you guys have the opportunity to focus on other areas that are your responsibility in that shared responsibility model, have you been able to shift resources? How have you handled that? Have you retrained people? Has it freed up, or not freed up, time to do some of those more strategic things that you want to do, maybe respond more quickly, prioritize better, automate, etcetera, etcetera? Can you talk about that from your perspective?
>> Yeah. So the shared responsibility model is, uh, you know, I think that's a very important speaking point of this whole ecosystem. At the end of the day, Liberty Mutual, our duty is to protect policyholder data. It doesn't matter if it's in the cloud, if it's in our data centers, we have that duty. It's
>> on you.
>> So I think a lot about the skills that we will need in the future. So I've referenced sort of vaguely that the compliance area is a particularly interesting area where we have opportunities to be able to more easily produce artifacts that our auditors need, to really bring automation to a process that just has a very steep history in being manual in nature. So, yeah, I understand that tomorrow we're not gonna ask everyone to make a big switch and all become developers. But we do have, you know, plenty of people at this conference, and they are participating in the tracks on how to bring automation to compliance. And I think that's pretty heavy in training opportunities for people.
>> How do you look at the vendor lock-in conversation? Because with cloud, the value proposition certainly shifts. The old model was, oh, you buy a vendor, supplier, and you're in, you're locked in with a database or whatever. With cloud, there's a lot of switching costs, opportunities to move around. But people are generally settling in on one main cloud and having maybe a hybrid backup cloud, or the cloud that is the secondary, as the focus of the teams. How do you view, um, lock-in when you deal with suppliers? Because you don't want to be stuck with one supplier. If you have the need to be agile, you want to have options. How do you guys think about that? Because agility is key for you guys to be successful, not just dealing with the vendors.
>> Um,
>> it does come down to balance. We do leverage multiple cloud providers, right? I think that, um, if we're too focused on making sure that we have that portability, and we could quickly move from one to another, then we miss an opportunity to kind of deeply leverage some of the services, for example, that AWS provides. But we also, you know, you've been around the block of
>> your first rodeo. Exactly.
>> And I think that it's important to have that perspective and prepare for the future.
>> Do you, um, attend board meetings regularly?
>> I do. I do present out to our board of directors.
>> Is that a sort of frequent thing? Once a year, once a quarter? I'm interested in what the board conversation is like with
>> It happens in a couple of different contexts, whether it's specific to sort of an audit readout or sort of a general state-of-security type of report-out. But yeah, we have a really engaged board that asks great questions about our partners, right, about things that are more culture-based in terms of how we're doing with our anti-phishing protection. And we talk about technology architectures, too, and the work that we're doing to make sure that we're being more fine-grained in the way that we're authenticating users and devices, no matter where they work, in a more secure way. They're interested in that. So I feel pretty lucky to both have the opportunity and get deeply. Would
>> you say the conversation is more of a strategic nature with the board? Is it more tactical? You just mentioned some tactical items. Is it more metrics-driven, or sort of a combination of all three?
>> It's a combination, right? I think they want to see demonstrated progress against areas that we have self-identified as areas that we'd like to improve. But they're also looking to see that I have a vision for where we're going. They're fully cognizant of the work that we've done in the public cloud and want to understand that the level of trust that they had in their security programme on premise will perpetuate and advance into the cloud. So
>> When you look at cloud security and now security, you guys have had a perspective on full sides, and cloud's certainly accelerating, evolving fast. When you find a legacy app that you're working with, we've heard other CISOs we've talked to, who have had frank conversations, say that, look, we're deciding whether we lift and shift it or rebuild.
So there's been some visibility into when it's great to lift and shift and when it's great to rebuild. So that's been a conversation that I don't think has been fully baked out yet in the full narrative in the industry. It's one people are talking about. What's your view on when you have a legacy app, whether you want to lift and shift it or rebuild it? What goes through your mind? What's the conversation like?
>> It's a conversation that we have. We have legacy. I won't hide behind that. But it's not a conversation and a decision that's just made by technologists, right? I think we have to articulate what the options are, and that has to be a joint decision with our business partners. I think generally I'm not preferring a lift and shift, because I think that we maybe are overlooking some of the opportunities to make similar security improvements that I see. But when we can get an application that's using our software development pipelines, where we have embedded security controls, we have better visibility, we have better enforcement, ensuring that we know that what's going into the cloud has met, you know, a number of our security standards, so to speak. That's a much better position.
>> So the destruction of multiple clouds, I'm interested in how you handle that. Do you take separate teams, or is the same team sort of handling everything? And as sort of a follow-up on that, I'm interested in your relationship with AWS and how that's affected your business.
>> Yeah, so the security team does not own the cloud environment, so to speak. That's a secure DevOps team within our infrastructure organization, and they're a very close partner of ours, right? So, yes, I do have resources that are specialists in AWS versus other clouds, and others that are identity and access management specialists who are able to work on the development of those patterns across different cloud environments. Right.
You know, there's nothing bad that I could say about the relationship with our AWS partners. We've felt very supported in understanding what we're trying to do, introducing us to new services and, probably most importantly, introducing us to other customers that, you know, are a little bit ahead of us in their journey. So we can, hopefully, not repeat,
>> not helping you with security pieces as well? I mean, that's something that, with shared responsibility, they're working with you on, securing those workloads as you move. Glad
>> We definitely leverage their expertise.
>> And you mentioned that you guys kind of made a decision a few years ago to go all in on the cloud. How has that affected your business? What kind of results have you seen? Has it met expectations? Has it exceeded? You know, I
>> mean, as I mentioned, we do still have, ah, a lot of our technology on premise, but for the use cases that have really seen that rapid acceleration of agile practices allowed teams to develop code so much more quickly. I think the business is generally delighted that their needs are being far more quickly met. Then
>> I could ask you, there's a perpetual line in the men's room. It's quite long. So what's it like to be long? And the lady I was going to say? I don't think it is, because I would say the proportion of women here is actually lower than even the industry and most conferences that we attend. So what's it like being a woman in this male-dominated security business?
>> I've been in it so long that I certainly have grown a little bit accustomed to it, but not so accustomed that I'm not motivated on a daily basis to bring more women in. I think that security just has tremendous opportunities and, you know, certainly the marketing of security professionals is a hoodie-wearing white male kind of persona. Just
>> their opportunity.
What are some of those opportunities for women who are STEM, science, they might your daughters all STEM, love public policy, the sociology impact side. The impact that's here is a lot of range of skills. What are some of those that you would inspire someone
>> I studied math as an undergrad. We didn't have security
>> back then, and since got a Master's
>> degree in cyber security. So that's cool. But, you know, I think a great security professional is a great communicator, a great collaborator. I need technologists. I need developers. I need process experts. I need people that think, you know, very deeply about assurance-type controls. So we have tried to attract people out of other technology round.
>> And it's not just math and computer science; there's creativity involved. There's a lot of things that that blend sells all kinds of diversity.
>> There is. You know, you think about human psychology, right? We just totally transformed one of the systems that we use for managers to approve the access of their people. Right? The past system was ugly. People didn't know how to interact with it. I mean, that user experience expertise that overlaid how we developed our new platform just makes all the difference to make sure that it's actually invaluable process. Now, like, I'm so frustrated, I'm just gonna sign off on this because I give up.
>> Really interesting, because you spend a lot of time and effort and money on things that drive revenue. But this drives so much productivity and business value that, you know, it's not maybe direct dollars, but it's clearly there. I have a question. When you recruit people, presumably you tap your network. And it's not just the good old boys network your women. Are you able to successfully find women, or young women in particular, that you can attract and recruit into your business as security practitioners? Have you had much success there?
>> Yeah, so we definitely are outpacing industry numbers in terms of women in security.
We have a long way to go, you know, historically excluded people, right? Not just women, people of color. I mean, we just have a long ways to go, right? And I think it takes more than sitting back and waiting for a recruiter to bring me a slate of candidates, to say, no, I know people, I know people that know people. And I really have to invest myself and make sure that my leaders know that that's my expectation of them, right? I mean, I think that we feel that diversity of thought, no matter how that diversity is expressed, is really important to doing the work.
>> Let us know how we could help in Silicon Valley; Dave's here in Boston as well. Love to help get the word out. So anything you need from us, let us know. Okay. Thanks so much for the great insights. Love to have you on theCUBE again sometime. Thanks for coming on. SVP, CISO at Liberty Mutual, here in theCUBE, extracting the signal, sharing the reality of what's going on in the security equation for cloud security. I'm John Furrier with Dave Vellante. Right back after this short break.