Paul Farrell, Nehemiah & Jason Cook, The Chertoff Group | Security in the Boardroom
>> Hey, Jeff Frick here with theCUBE. We're here in Palo Alto at the Chertoff event, it's called Security in the Boardroom. We're talking about the security conversations that need to happen in the boardroom, not just at the IT department and locking down your phone and your VPN. It's really how do we elevate the conversation, especially as things continue to change, digital transformation is forcing people to move quickly and everyone's becoming a digital company. All our assets are becoming digital. So it needs to get elevated. We're excited to have our next guest, he's Paul Farrell, he's the CEO of Nehemiah. Paul, welcome.

>> Thank you.

>> And joining us again, Jason Cook from the Chertoff Group. Good to see you again.

>> Hi. Alright, so let's jump into it, so you're CEO... Well before you get it, first tell people about Nehemiah, you are familiar with the company.

>> Nehemiah has a cyber security suite where we know, manage and help protect organizations, and the knowing part is what we're probably going to talk more about today, which is our risk quantifier software.

>> Well, let's jump in, what is risk quantifier software?

>> We take a bottoms up look at the organization to get a high fidelity copy of the corporate network and then we layer business applications on top of it so boards can get a look at what the business exposure is to the cyber security risk.

>> So the network and the application. So very techy piece of it, how much of it, in terms of the process and the people get filled into that piece as well.

>> We call that process BIA or Business Impact Analysis, and a lot of the Fortune 500 firms have already been doing this to be compliant with Sarbanes-Oxley and other regulations. And it's being able to work with them to take some of that information out of the system and combine it with the cyber information we have, to give them a good look at risk. So if I'm looking to invest $2 million dollars, what's my risk buy down. Is it 10 million? Is it two million?
Is it nothing? I just need to do it. So these are some of the questions we're trying to help boards answer.

>> I'm just curious, from a why do we need to do this point of view. How much of it is compliance and governance and regulation? And how much of it is not? It's just, we need to protect ourselves from the bad guys. I would imagine especially financial services and healthcare, a lot of it was driven by compliance before, but is that percentage going down?

>> Go ahead.

>> So, no, not at all.

>> Not at all, still mainly governance, compliance regulation.

>> And what you have to bring together now is security risk and compliance. It's all the one thing. And at the board level, you don't have those as separate agenda topics anymore and that's why we talk about a risk management program. Especially the Fortune 500 boards becoming very educated and also actioning and taking forward and that's really where that stuff comes together. Compliance, especially if you look at the finance industry, health care industry for example, it's always going to be there 'cause it's a duty of care as to the industry, how to run the business and to all of the consumers at the end of the day at the end of that. So you need a bit of (indistinct talking) and it's a very useful tool, if you apply risk management to it, if you're applying security to it and bring those things together. Many CSOs will talk about situational awareness and one of the things they need to do, if they've got a seat at the board table, is, what do I have, what's my assets? And that's no longer just purely from a technical perspective. You hear the phrase, many organizations have technology silos, that don't talk, that don't come together, perhaps different business units that are running those silos. And at the board level how do you ascertain what you've got when you have an issue and that situational awareness then, is also going to help drive, what parties do I take when I have to take action.
So that's something that Nehemiah's security is really focusing on. So they're saying let us put together for you and work with you to assemble your silos of IT network and everything else there. Essentially underpinning your digital footprint as you go on that digital journey. But then how do you have actionable business intelligence that's going to help you prioritize how to run that, how to secure it but also how to invest and run your business through this journey.

>> You're going to say something?

>> I think it's the word that Jason used a lot is the journey and there's a lot of things we should be doing just because it's cyber hygiene and it's intelligence, is what we should do to run our business by taking the business information and marrying what we got up and then communicate it in language that the board knows. Which is key, don't be talking about WannaCry viruses and all that and SMB ports. That doesn't make any sense to them, they make business decisions every day, so it's we're investing X and you take a risk profile over time and you say, this will help reduce our exposure here, but it's good and we need to do it. Whether compliance says it or not, we need to be protecting our data. That's one of the things that... Compliance is a checklist and we need to check, make sure that's done and everybody does audited financial statements and that's great, we should do it every year but there's some things that are basic, we should do basic stuff in finance, we should do basic stuff in cyber hygiene as well as updating our systems, keeping them current, educating our employees on scams and stuff that happen. These are things that need to happen over time and so it's a journey for the board and for the senior management but for every employee, to be able to know these things and to actually integrate it as part of their everyday job, in my opinion.

>> It sounds like the cyber hygiene stuff is still just not (laughs), we're not hygienic enough (laughs) as we should be.
It's amazing that just continues to be a recurring thing.

>> One of the ethos approaches that Nehemiah is taking to this is, they call it know. What do you know about your environment and it starts there. To say so, especially for an organization, as many are on a digital journey. Well what is underpinning all of our digital footprint. Do you know that? And unfortunately so many organizations out there have bits of it but they don't maintain that. So when you have, for example, the famous WannaCry incident, they kicked off very very large organizations as well as many small ones were impacted. Why? Well, 'cause they didn't actually understand what they had and they didn't have the business intelligence and the business analytics to make a prioritization to say, we need to invest our focus and time and effort here to respond to this activity from a hygiene perspective. And until those things are addressed, you're not actually going to truly be able to go on your digital journey as an organization. So if anything, what this is doing is heightening the awareness at the board level that you need to have an articulated dialogue, where at the board level you can understand the impact to the business of what's going on here but then take all of that and take all the knowledge that you're building to then drive actionable intelligence, business as well as technology coming together, which underpins risk management in that context.

>> And I would imagine those types of incidents are helpful in terms of helping to define what is that risk.

>> Tragically helpful.

>> Yeah, tragically helpful, but still without those types of things it's probably harder or harder to really monetize what is the risk so that I can come up with a portfolio that then I can validate my investment.

>> It's about being prepared. It's about thinking about what are your critical business systems.
And so when you got something happening, no matter what it is, let's make sure that critical business systems are protected first and then we'll get to the less priority systems. It's not that they're not all important, it's just that there're some that are more critical. Inventory systems or sales at the end of the quarter, it tends to be we find to be, not only the systems but also the time of the year. If you're selling seeds, March and April, North America is really big. If you're Amazon it's Christmas time. The inventory system and order entry system has got to be going so but it's taking that step back now and saying, what are our critical business systems, what are the risks and then, the only thing we also look at that we've talked to Jason about is, we know what the risks are but what's the probability those risks are going to hit you. Everybody's not a 100%, some people are 20%. So when you go to the board you got to give them a true idea of, this is the true risk that we're seeing and we've tempered it down by saying if it was a 100 million at risk but you only have a 20% chance of getting that exploit then it's really just $20 million that we're talking about not 100, 'cause the days are gone where we slam our hand on the board that you must do this, you must do this. Boards are more cyber aware now than ever and they don't want to just pay people throw information at them, they want to understand it to be able to respond properly and not react.

>> Right. So really the net net is speaking a language, boil it down into language in the decision making process in which they're used to doing. 'Cause it's not a zero sum game, it's not a one or zero anymore, it's really a probability decision and the risk assessment.

>> Yeah, that happens over time. That's the whole thing. There's ebbs and flows of the year and you look at things over time and I think that's the other thing that we'd like to talk about.
And it's reassessing, and one of the things that we talk is, we talk with a lot of people and the chief information security officers are embracing us because they're looking for new ways to be able to communicate properly and succinctly to the boards and that's one of the big things that we see.

>> Good, 'cause when they get bumped up the agenda items on the board that's what you want to see, right. (laughing)

>> Absolutely.

>> Well, Paul and Jason, thanks for stopping by, really appreciate your time.

>> Thank you.

>> I'm Jeff Frick, you're watching theCUBE, we'll see you next time, thanks for watching.
Steve Daly, Ivanti | Security in the Boardroom
(clicking sound)

>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto at the Four Seasons Hotel at the Chertoff Event is called Security in the Boardroom. It's an annual event they do, they do a couple every year, and we're excited to be here because the security conversation doesn't really go to the boardroom that often in most of the shows that we go to. So we're excited to be here. Steve Daly is our next guest. He's the President and CEO of Ivanti. Steve, welcome.

>> Well, thank you, glad to be here.

>> Absolutely. So they said you're the ransomware guy when we were preparing to come in here.

>> Right on, right on.

>> What special relationship does Ivanti have with ransomware?

>> We do a lot of it.

>> You do a lot of it? (laughing)

>> No we actually, we have a number of solutions to help customers so that they don't fall prey

>> Right.

>> to these phishing attacks, the stuff that kind of allows somebody to come in and hijack your systems and be able to ransom you

>> Right.

>> for this stuff.

>> So why do you see from where you're sitting the growth in the ransomware in terms of, used to always be hacking and phishing and people doing stupid things.

>> Steve: Yeah.

>> Clicking on things you're not supposed to. But now suddenly it's gotten much more aggressive, now it's got this kind of ransomware piece to it. Why do you see that evolving?

>> Well, I see a couple things happening in the industry. One is, I like to think of it is... You think about medieval times, right? You have these castles, and the castles had these walls, their moats, they're very well protected. That's what our data centers have become like. We've got really good security, we've got really good ability to keep the assets that are behind the firewall in the data center very secure. So as the bad guys keep trying to attack and they keep falling against the wall and getting crushed, they start to look at different ways to get past the walls.
What they realize is that, you and me, as we're out in the wild. We're like the guys go outside of the wall, we're out there and we're getting infected, we're getting attacked, we're getting... They realize that's the easiest way for us, for them, to get back in behind the wall because if they can infect us,

>> Right.

>> Then we'll take them back behind the wall through our credentials and our security and get them in to where they really want to be, which is where personal identifiable information is, or the high value assets are. And so, I think they've recognized that it is harder and harder to attack directly into the data centers and so let's go at the endpoints. Let's go attack the weak point and get on those and let them take us back into the data center. And so they look at us and they say, "Okay, well how are we going to get Steve to let us use his credentials?" And the best way for them to do that is to phish us. And to bring in technology that we accidentally click on.

>> Right, right.

>> And once they get there, then they've got access to us.

>> And so, this is just an evolution of that idea that says, "Okay, well I can get back in the data center, why don't I just charge this guy just to let me let him get back to the data that he wants access to." And so I think it's just an evolution, sophistication if you will.

>> Right.

>> Steve: And the bad actors and their ability to extort... extort value out of companies.

>> The other trend we hear about is kind of a rise in the state sponsored. It's not just the kid living in his mom's basement anymore who's hacking around, maybe even for fun, right? Just because he could and to brag to other hackers. But really, it's state sponsored, so the motivations behind, the powers behind, the investment behind, the resources behind,

>> Steve: They become different.

>> is very very different.

>> Yeah, and in that case when you think about ransomware, this really is about somebody trying to make some money.
State sponsored isn't, they're not trying to make money, right? It's not they're trying to cut their budget deficit by ransomwaring a bunch of Americans type of thing. What they're after is they really are trying to get behind the moat, behind the walls of the castle. And they know the best way for that to do is to infect me, so that I take that virus, so I take that sickness back into the data center because when I come to the door, they're going to drop the drawbridge, they're going to let me in because they know me.

>> Right.

>> And so, the idea of phishing, the idea of getting me to click on something that I shouldn't click on is... Those techniques are really powerful.

>> Right.

>> Because, one, you can either ransom somebody to get their data back, or you can use that as a vehicle to slip back in to the...

>> Right.

>> Steve: Behind the wall.

>> But it's so interesting, the more you read up on this topic, there's so many just big gaping holes, where people are just not applying patches, and they're not doing a lot of really simple things. And then on the other hand, you have people in processing culture. And like you said, people are the weakest link. My favorite story somebody said one time, they came to the company picnic website which was hanging off the corporate website. I don't know if they said they were the plastic fork vendor or something, but that was the way...

>> (laughing) They got in...

>> They infiltrated the company... right.

>> The spork. Spork vendor.

>> They got in the company, right, with the spork. So as you're talking to clients, how often do you see that they are just taking care of the basics before you can really even start to get in to some of the more advanced techniques?

>> I think that's a big challenge for companies. I think it comes back to, particularly when we start to talk about end user computing, the way that the industry has evolved is very fragmented in IT.
The way that IT decides to support us, and our devices

>> Right.

>> You think about it, in an IT organization there'll be a Desktop Operations group, there'll be a Mobile group if we're using our mobile phones instead of our desktops. There's a Security group, there's a Service Delivery, there's a Service Support group, they're all separate siloed organizations that are responsible for ultimately keeping us up and running, and secure. But, when they're siloed like that, it's really hard for IT to be able to say, "Okay, well let's do the basic hygiene. Let's make sure that the Desktop Operations group is patching these things in a normal way. Let's make sure the Asset Team is bringing in assets and they're tracking through the lifecycle, making sure that the software on there is up to date, those types of things. Making sure that the Security team has visibility across all of it." It's so siloed...

>> Right.

>> There's no way that IT can... It's really hard for IT to really bring that together. And I think that's a fundamental problem with the way that we're organized, and I think that has to change. I think that the people, process, side of things is we have to start to bring and unify IT, particularly when you're talking about end user compute environments. Because the way it's fragmented is one, it's really expensive, it's costly, right? You've got all these different teams that have to talk and, you have to stitch technology together, and IT's responsible for that. And two, it becomes really, really risky just because, what you brought up. This team is concerned, has their own remit, it's not necessarily 100% security and so patching falls to the bottom of the list. And, yet, for the security guy, most patches, most exploits are done on exploits that have had a patch available for at least nine months. So it's not that it's a brand new thing, zero day that just pops in, it's that the teams haven't patched the systems.

>> Right.

>> In nine months, it's crazy.
So I think if we can break down, we can unify IT, we can break down those silos, then I think we've got a much better chance of doing the basic hygiene and getting all the technologies together in a way that allows IT to really address this problem and really focus, it's really a cultural change. IT's going to have to change. And the only way for a CIO to be able to affect this change is there has to be some organizational consolidation.

>> Right. As you've seen kind of the growth of cloud, right? Public clouds and private clouds, where some of that security responsibility can be shifted off to Microsoft Azure team, or to the AWS team. Now it's interesting, on one hand, they've got massive resources that they can deploy that no individual company, or very few individual companies have, on the other hand, you still have to hit the knobs, even the most recent AWS breach is somebody just didn't turn the knob on to close it down, so, are you seeing, because I imagine from a smaller mid-sized company, the security challenge is across all these fronts that are escalating at a rapid rate, really tough to have the resources to fight.

>> That's right.

>> So, are they adopting more, not necessarily the always cloud, but the kind of larger solutions that they can leverage so that they don't have all that responsibility on their own heads.

>> I think that's some of the impetus to move to cloud. I think the challenge is still, when you're talking about end user computing, all we're talking about is moving the castle and the moat to somebody else's castle and moat, right? You still as a company, you still got all these users of IT that have their own devices that are wandering around out in the forest

>> Got their own pipe...

>> Right and maybe they can get you back in, and maybe that moat might be a little better than the one I could build myself. I'm still held responsible for... A ransomware attack doesn't matter if I'm using Azure.

>> Right.

>> Right?
If I'm using a Windows laptop, and somebody tells me I can win a million dollars and I click on that, bang, right? That's a problem for me as a healthcare provider for instance, right?

>> (laughs)

>> It doesn't matter what kind of castle I got built by Microsoft or Amazon or Google or whoever. I'm still responsible for that

>> Right.

>> Piece of it, and that's not going to change.

>> Steve, so much to talk about, and we didn't even get into IoT and the increasing attacks, surface area of our cars, and washing machines, and watches.

>> That's right.

>> Alright, we'll leave it there. Thanks for stopping by, enjoy the rest of the show.

>> Yes, good to meet you.

>> Looking forward to our next conversation, we'll jump into the IoT.

>> Steve: Alright.

>> Alright, he's Steve Daly, I'm Jeff Frick. You're watching theCUBE. We're at the Chertoff Security in the Boardroom event in Palo Alto. Thanks for watching.

(clicking sound)
Chad Sweet & Reggie Brothers , The Chertoff Group | Security in the Boardroom
>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto, California, at one of the Chertoff events. It's called Security in the Boardroom. They have these events all over the country, and this is really kind of elevating the security conversation beyond the edge, and beyond CISOs to really the boardroom, which is really where the conversation needs to happen. And our next guest, really excited to have, we've got Chad Sweet, he's the co-founder and CEO of the Chertoff Group. Welcome, Chad.

>> Great to be here.

>> And with him also Reggie Brothers, he's the principal at the Chertoff Group, and spent a lot of time in Washington. Again you can check his LinkedIn and find out his whole history. I won't go through it here. First off, welcome gentlemen.

>> Thank you.

>> Thank you.

>> So, before we jump in a little bit of-- What are these events about? Why should people come?

>> Well, basically they're a forum in which we bring together both practitioners and consumers of security. Often it's around a pragmatic issue that the industry or government's facing, and this one, as you just said, priority of security, cyber screening in particular, in the boardroom, which is obviously what we're reading about everyday in the papers with the Petya and NotPetya and the WannaCry attacks, these are basically, I think, teachable moments that are affecting the whole nation. And so this is a great opportunity for folks to come together in an intimate forum, and we welcome everybody who wants to come. Check out our website at chertoffgroup.com.

>> Okay, great, and the other kind of theme here, that we're hearing over and over is the AI theme, right?

>> Yeah.

>> We hear about AI and machine learning all over the place and we're in Mountain View and there's self-driving cars driving all over the place and Google tells me, like, "you're home now." And I'm like, "Ah, that's great." But there's much bigger fish to fry with AI and there's a much higher level.
And Reggie, you just came off a panel talking about some much higher level-- I don't know if issues is the right word, maybe issues is the right word, around AI for security. So, I wonder if you can share some of those insights.

>> I think issues, challenges, are the right words.

>> Challenges, that's probably a better word.

>> Those are good words, because particularly you're talking about security application. Whether it's corporate or government the issue becomes trust. How do you trust that this machine has made the right kind of decision, how do you make it traceable. One of the challenges with the current AI technology is it's mostly based on machine-learning. Machine-learning tends to be kind of a black box where you know what goes in and you train what comes out. That doesn't necessarily mean you understand what's going inside the box.

>> Right.

>> So then if you have a situation where you really need to be able to trust this decision this machine's making, how do you trust it? What's the traceability? So, in the panel we started discussing that. Why is it so important to have this level of trust? You brought up autonomous vehicles, well of course, you want to make sure that you can trust your vehicle to make the right decision if it has to make a decision at an intersection. Who's it going to save? How do you trust that machine becomes a really big issue. I think it's something that in the machine-learning community, as we learn in the panel, is really starting to grapple with and face that challenge. So I think there's good news, but I think it's a question that when think about what we have to ask when we're adopting these kind of machine-learning AI solutions we have to make sure we do ourself.

>> So, it's really interesting, the trust issue, because there's so many layers to it, right? We all get on airplanes and fly across country all the time, right? And those planes are being flown by machines, for the most part.
And at the same time if you start to unpack some of these crazy algorithms, even if you could open up the black box, unless you're a data scientist and you have a PhD, in some of these statistical analysis could you really understand it anyway? So how do you balance it? We're talking about the boardroom. What's the level of discovery? What's the level of knowledge that's appropriate without necessarily being a full-fledged data scientist who are the ones that are actually writing those algorithms?

>> So I think that's a challenge, right, because I think when you look at the types of ways that people are addressing this trust challenge it is highly technical, alright. People are making hybrid systems where you can do some type of traceability but that's highly technical for the boardroom. I think what's important is that the-- and one thing that we did talk about on the panel and even prior to panel was on cybersecurity and governance, we talked about the importance of being able to speak in a language that everyone-- that the laborers can understand. You can't just speak in a computer science jargon kind of manner. You have to be able to speak to the person that's actually making the decision. Which means you have to really understand the problem, because I think my experience the people that can speak in the plainest language understand the problem the best. So these problems are things that can be explained, they just tend not to be explained, because they're in this super technical domain.

>> But you know, Reggie is being very humble. He's got a PhD from MIT and worked at the Defense Advanced Research--

>> Well he can open the box.

>> He can open the box. I'm a simple guy from Beaumont, Texas, so I can kind of dumb it down for the average person. I think on the trust issue over time whether, and you just mentioned some of it, if you use the analogy of a car or the board room or a war scenario, it's the result.
So you get comfortable, you know the first time, I have a Tesla, the first time I let go of the wheel and let it drive itself was a scary experience but then when you actually see the result and get to enjoy and experience the actual performance of the vehicle that's when the trust can begin. And I think in a similar vein, in the military context, you know, we're seeing automation start to take hold. The big issue will be in that moment of ultimate trust, i.e. do you allow a weapon actually to have lethal decision-making authority, and we just talked about that on the panel, which is the ultimate trust is-- is not really today in the military something that we're prepared to trust yet. I think we've seen in, there's only a couple places, like the DMZ in North Korea where we actually do have a few systems that are, if they actually detect an attack because there's such a short response time, those are the rare exceptions of where lethal authority is at least being considered. I think Elon Musk has talked about how the threat of AI, and how this could, if it's not, we don't have some norms put around it then that trust could not be developed, 'cause there wouldn't be this checks and balances. So, in the boardroom that last scenario, I think, the boards are going to be facing these cyber attacks and the more that they experience once the attack happens how the AI is providing some immediate response in mitigation and hopefully even prevention, that's where the trust will begin.

>> The interesting thing, though, is that the sophistication of the attacks is going up dramatically, right?

>> Chad: Yep.

>> Why do we have machine-learning in AI? Because it's fast. It can react to a ton of data and move at speeds that we as people can't, such as your self-driving car.
And now we're seeing an increase in state-sponsored threats that are coming in, it's not just the crazy kid in the basement, you know, hacking away to show his friend, but you know, now they're trying to get much more significant information, trying to go after much more significant systems. So, it almost begs then that you have to have the North Korean example when your time windows are shorter, when the assets are more valuable and when the sophistication of the attacking party goes up, can people manage it, you know, I would assume that the people role, you know, will continue to get further and further up the stack where the automation takes an increasing piece of it. >> So let's pull on that, right. So if you talk to the Air Force, cause the Air Force does a lot of work on autonomy, DoD General does, but the Air Force has this chart where they show that over time the resource that will be dedicated by a machine, autonomous machine, will increase and resources to a human decrease, to a certain level, to a certain level. And that level is really governed by policy issues, compliance issues. So there's some level over which because of policy and compliance the human will always be in the loop. You just don't let the machine run totally open loop, but the point is it has to run at machine speed. So let's go back to your example, with the high speed cyber attacks. You need to have some type of defensive mechanism that can react at machine speed, which means at some level the humans are out of that part of the loop, but you still have to have the corporate board person, as Chad said, have trust in that machine to operate at this machine speed, out of the loop. 
>> In that human oversight one of the things that was discussed on the panel was that interestingly AI can actually be used in training of humans to upgrade their own skills, and so right now in the Department of Defense, they do these exercises on cyber ranges and there's about a 4 month waiting period just to get on the ranges, that's how congested they are. And even if you get on it, if you think about it, right now there's a limited number of human talent, human instructors that can simulate the adversary and oversee that, and so actually using AI to create a simulated adversary and being able to do it in a gamified environment is something that's increasingly going to be necessary to make it, to keep everyone's skills, and to do it real-time 24/7 against active threats that are being morphed over time. That's really where we have to get our game up to. So, watch for companies like Circadence, which are doing this right now with the Air Force, Army, DISA, and also see them applying this, as Reggie said, in the corporate sphere where a lot of the folks who will tell you today they're facing this asymmetric threat, they have a lot of tools, but they don't necessarily trust or have the confidence that when the balloon goes up, when the attack is happening, is my team ready? And so being able to use AI to help simulate these attacks against their own teams so they can show the board actually our guys are at this level of tested-ness and readiness. >> It's interesting Hal's talking to me in the background as you're talking about the cyber threat, but there's another twist on that, right, which is where machines aren't tired, they didn't have a bad day, they didn't have a fight with the kids in the morning. So you've got that kind of human frailty which machines don't have, right, that's not part of the algorithm generally. But it's interesting to me that it usually comes down to, as most things of any importance, right, it's not really a technical decision. 
The technical piece was actually pretty easy. The hard part is what are the moral considerations, what are the legal considerations, what are the governance considerations, and those are what really ultimately drive the decision to go or no-go. >> I absolutely agree. One of the challenges that we face is what is our level of interaction between the machine and the human, and how does that evolve over time. You know, people talk about the centaur model, where the centaur, the mythical horse and human, where you have this same kind of thing with the machine and human, right? You want this seamless type of interaction, but what does that really mean, and who does what? What they've found is you've got machines have beaten, obviously, our human chess masters, they've beaten our Go masters. But the thing that seems to work best is when there's some level of teaming between the human and the machine. What does that mean? And I think that's going to be a challenge going forward is how we start understanding what that frontier is where the human and machine have to have this really seamless interaction. How do we train for that, how do we build for that? >> So, give your last thoughts before I let you go. The chime is running, they want you back. As you look down the road, just a couple years, I would never say more than a couple years, and, you know, Moore's Law is not slowing down people argue will argue they're crazy, you know, chips are getting faster, networks are getting faster, data systems are getting faster, computers are getting faster, we're all carrying around mobile phones and just blowing off tons of digital exhaust as our systems. What do you tell people, how do boards react in this rapidly evolving, you know, on like an exponential curve environment in which we're living, how do they not just freeze? 
>> Well if you look at it, I think, to use a financial analogy and almost every board knows the basic foundational formula for accounting which is assets equals liabilities plus equity. I think in the future because no business today is immune from the digital economy every business is being disrupted by the digital economy and it's-- there are businesses that are underpinned by the trust of the digital economy. So, every board I think going forward has to become literate on cybersecurity and Artificial Intelligence will be part of that board conversation, and they'll need to learn that fundamental formula of risk, which is risk equals threat, times vulnerability, times consequence. So in the months ahead part of what the Chertoff Group will be doing is playing a key role in helping to be an educator of those boards and a facilitator in these important strategic discussions. >> Alright, we'll leave it there. Chad Sweet, Reggie Brothers thanks for stopping by. >> Thank you. >> Thank you, appreciate it. >> Alright, I'm Jeff Frick, you're watching theCube. We're at the Chertoff event, it's security in the boardroom. Think about it, we'll catch ya next time.
Jim Pflaging & Michael Chertoff, The Chertoff Group | Security in the Boardroom
>> Welcome back everybody. Jeff Frick here with theCUBE, we're at Security in the Boardroom. It's a Chertoff event, they go all around the country and have these small intimate events talking about security, and today it's really about the boardroom, and escalating the conversation into the boardroom. So it's not a tech conversation, it's not a mobile phone management conversation, but really how do we get it up into the boardroom. And I'm really excited for our next guest. He's Michael Chertoff, he's the Co-Founder, Executive Chairman of the Chertoff Group, with a long established career, and I'll let you go check out his LinkedIn. He's been Homeland Security, and it's a long, long list, so I won't even go there. And Jim Pflaging, he's the Principal, Technology Sector and Strategy Performance Lead also for the Chertoff Group. Thanks, Jim kicked it off this morning. And welcome both of you. So first off, Jim, a little bit about this event. What is this event? And what is Chertoff trying to accomplish with this little bit of a road tour? >> So I think it's important to know that we're passionate about the importance of security. I mean, with Secretary Chertoff and Chad Sweet's background, they were at the ground floor of seeing the importance to our country. So we created the firm to focus wholly on security, and to help firms with the whole lifecycle of issues. As a risk, as a business opportunity, as a catalyst for growth. And it was back in 2013 when some stakeholders around said, "Hey you guys have a bunch of ex-DHS folks, there's a bunch of interesting identity technology issues that are coming to the surface, and other technology issues, why don't you bring a group together and do it?" >> Jeff: Right. >> We said, well, we're not an event company. But we went ahead and had a conversation back in D.C. 
It was a big success, and then it was a little bit like that line from the Godfather, you know when they say, "They keep pulling me back, they keep pulling me back". (laughs) So here we are on our tenth event, we've been to Silicon Valley three times, New York, Houston, and then D.C. And each time, the idea is, make it topical to the local community, and make it topical for the issues at hand at the moment. >> Yeah, it's interesting, the relationship and security. Specifically between government and technology companies. You know, we do a lot of big technology shows, and at IBM and HP. With the customers that we have distributed around the world and the regulations and compliance issues, in some ways we know more from a broad base of these global international customers than the government. On the other hand, the government's driving the compliance, and has the privacy issues, and hopefully looking out for people, so how do the two work more closely together to deliver better solutions? >> Well, in fairness to the government, the government also has access to information and intelligence that the private sector doesn't have. >> That's true >> So each brings to the table a certain set of capabilities, and part of the challenge is to have people speak the same language. The government has tended over the years to develop a very rigid system of procuring, of interacting with the private sector. Out here in Silicon Valley and in other tech centers there's a lot of focus on being innovative and nimble, and sometimes those two cultures need to be bridged. And actually one of the things that we started out doing, was trying to bridge those cultures. Helping the technology companies understand some of the objectives that the government had in terms of security and the economy. And helping the government understand what's out there, what are the capabilities and the techniques that you might use. 
Because without an awareness of the art of the possible, it's very hard to lay out a strategy for securing cyberspace. >> Right. And the whole security space to me, we talked a little bit before we put the cameras on, feels like insurance. You know you got to do something, right, you can't go unprotected, but by the same token, you can't be 100%, but do you invest forever? Because at the end of the day, for a private company, you know you have limited resources, government too. So, when these conversations are happening, and then what we're talking about here, the boardroom, the worst way a board member wants to get involved is when he reads the Wall Street Journal on Monday morning and he sees that his company has been breached, and he's in big, big trouble. So, how is the relative importance of security investment changing in the boardrooms? What are you seeing? How is that evolving? >> So, from my standpoint, it's about, first of all, understanding that it's a risk, not security. You're managing the risk, you're not guaranteeing people nothing bad will ever happen. And now, GI uses, I say to people it's like physical health. You don't go to your doctor and say, "Doctor, I want you to guarantee I'll never get sick". The doctor would throw you out of the office, or he'd have you committed. What you do, is you say, "Look Doctor, I'd like to be healthy, I'd like to have a healthy immune system, I'd like to keep most of the bacteria and the viruses out of my body, but I'd like to know if I do get invaded by bacterial viruses, which will inevitably happen, I've got a system that can detect it and white blood cells will eliminate it. That's why I get vaccinated, that's why I do other things to keep my immune system up." And that sense of managing expectations I think is critical for the board. If the board wants a guarantee we will never get hacked, then it's not realistic. 
If the board wants to understand what are the most important parts of our body politic, or our corporate body, we have to protect, and how do we build layers of defense to keep us healthy, then I think you can have an intelligent discussion about how much investment is enough. >> Right. But then as you said, you want to be healthy, but then we still go to bars and have a drink, and we eat ice cream when we probably shouldn't. And the security, so many percentages of the security problems are caused by people didn't update their patches, or they're respondent to this great opportunity to get a bunch of money out of an African Prince. So how are we changing the culture on the people process? You made an interesting comment about culture. We always talk about people process and technology, but you threw the culture piece in it. Which I thought was a pretty interesting twist on just people. >> I think that's a key piece, and it's an area where the board can actually lead. This is when it has to start from the top. You know, if management and the board says, "Hey this is a technical issue, we're just gonna leave it for that security team down the hall". I think you've failed right out of the gate. You need a CEO-led, cyber-conscious culture, security-conscious culture, that shows that we value it. And that ultimately, you're going to spend time and money to reward the behavior that you're looking for, to then retain and grow that organization. But it's then looking at it both as a risk, as Secretary said, but increasingly, it's part of an opportunity. It's part of an opportunity to engage your customers in a new way. Show that you're really a trusted partner. You value, and will hold private, the information that you're collecting about them. As we hurtle into IOT and driverless cars, that are generating massive amounts of information, more and more, people are going to want to do business with people that are good stewards of that information. >> Right. 
And I think the interesting thing that came up, as well, is it's not even the technology is not even the breaches, you know we talked a little bit about the whole iPhone encryption thing. Now we all have Alexa sitting at our house, you know, is Alexa listening all the time? I heard of a case where they actually went back to the Alexa on a domestic dispute, or domestic violence to see if Alexa had collected evidence and listened in to this domestic violence attack. But the privacy issues are tremendous. So as all these things get weighed, again, you made an interesting comment, how do we define success? What does success look like? Cause it's not never. In the financial services industry, your worst nightmare is too many false positives, if you're turning down people's bank account credit card. So what does success look like? How should people be thinking about success? >> I think there's a couple different dimensions to this. As Jim mentioned earlier, to the extent that you are a steward of other people's data, your ability to promise them that it'll be secure, it'll be private, and execute on the promise, is an important part of your business proposition. To the extent that you have your own business secrets, and your own business confidences you want to protect, that's important. But you raise a somewhat different issue, which is, we do make deliberate decisions sometimes to bring into our homes, into our lives, the kind of collection of information that is a feature, not a bug. That's got to be a deliberate decision, because once you collect the information, as in the example of the Alexa recording some domestic disturbance, that's going to be there for somebody else to get using a lawful process or otherwise. So, part of, again, the process of culture and education is always asking, "Why do we want to collect? Why do we want to hold? What are we connecting to?" You can make an intelligent decision, but you've got to ask the question first. >> Right. 
Although I heard an interesting twist on that one time. Even if you go through that analysis, and you say, okay, based on these, on yes, yes, and this is why, we're going to collect this data, which you don't know, is what someone else might do with that data in a different scenario down the road. So even if you're a responsible steward of that activity, there's always a chance that something else could happen. So there's even kind of a double whammy. >> I mean, this is one of the byproducts that people talk about with big data. And it's a techy term, but people talk about a data lake, where we're collecting this, we're collecting this, we're collecting that. In and of itself, it's not sensitive information. But if you connect different breadcrumbs about a person's activity, and their identity, wow, all of a sudden that could be incredibly sensitive. >> Right. >> So that's one of the issues that we've been dealing with in the tech community is how to enable us to collect that information, make good decisions from it, but understand the resulting security issues that come. >> Yeah, that's a fascinating issue because, I think that what a lot of people don't understand is although individual items collected may seem fairly benign, the ability to aggregate, and store all the amount of data is huge. And a perfect example is, you know, people are always walking around taking selfies, or pictures, or putting things in their social media, and the third parties and everybody get into that. And normally you'd say, "That's fine, somebody took a picture of me, it's going to be in their house or whatever, who cares." But if it's all up in the cloud, and someone has the ability to aggregate all that, and all of a sudden get a picture of everybody who's ever taken a photograph of me, or mentioned me, or have had some interaction with, all of a sudden, unbeknownst to me, someone could really get a 24/7 picture of all of my life. So how do you deal with those issues? 
Some of these are legal questions, some of them are technical questions, but I do think we're on the cusp of having some serious conversations about this. >> So they're going to come yank you guys back into the conference. So thank you for taking a few minutes to come sit down with us. So I just want to wrap up again with the board. As you talk to the boards, we've talked about things that are happening now, and things that are happening in the relative recent past, as you look forward, what's your take away for them as you've sat around, you've talked about all this crazy, scary stuff, and how they should think about it. As you tell them to look forward, what's your advice? >> Well, if I could start with that, so today we released some results from a study we did around this topic. What do boards really think about security? Is it discussed? Is it a boardroom competency? And we interviewed over a hundred senior execs, a vast percentage, forty percent, who were responding as a board member. And what we found was, there's a tale of two cities, two cyber cities. If you're in a large public, US company, in what would be called critical infrastructure, finance, healthcare, telecom, yeah, the directors and the board, they're very well versed in cyber, it's been discussed, it's part of a risk management program, and they have very good CSOs, good interaction with the board. Then there's everybody else. And I would say this actually reflects the boards that I sit on. Is that, you know, cyber's not discussed, it's maybe in reaction to a breach, but it's a technical discussion. And most directors self report, we're not where we need to be on education. So then, just quickly, as a finish, what we launched today was a seven point plan, a blueprint for directors, to help guide areas that they can ask questions, document, review. Kind of move them up their cyber-literacy curve. 
>> The other thing that I would say, is this, I really sympathize with that small and medium enterprises, which simply don't have the money to invest in terms of building up a whole stand alone security system. I think that takes is more and more to outsourcing some of these functions. Some of it is the cloud, because you put your data up there. Some of it is outsourcing the intelligence and information to know what's coming. It's managed services. Because most of these smaller companies, even if their heart is in the right place, they just don't have the scale to do what a major bank, for example, can do in terms of an operation center. >> Yeah, I think that's such a big piece of the cloud story, is sitting through some of the James Hamilton Tuesday night. If you ever get a chance to go to that. He talks about the investment, infrastructure, security, networking, you name it. That Amazon can make at scale, nobody else, except a very small group of companies can make type of investment. >> Exactly. >> There's just not enough money. Alright, we'll leave it there for now. Really appreciate you stopping by, great event, and thanks for having theCUBE. >> Michael: Great, thanks for having us. >> Okay, it's Michael, Jim, I'm Jeff, you're watching theCUBE. We'll be right back.
Joe Gottlieb, SailPoint | Security in the Boardroom
>> Hey, welcome back everybody. Jeff Frick here with the CUBE. We're in Palo Alto, California at the Chertoff's event, "Security in the Boardroom." And again, this is an event about elevating the security conversation beyond speeds and feeds and endpoints and IOT and ever-increasing attack surfaces, and really, how do we elevate it into the boardroom discussion, because that's where it needs to be before they wake up on Monday morning and see their company's name in the newspaper, which is when you don't want to have your first conversation. So we're excited to have our next guest. He's Joe Gottlieb, the Senior Vice President of Corporate Development for SailPoint. Joe, welcome. >> Thank you, good to be here, Jeff. >> Absolutely, so for people who aren't familiar with SailPoint, why don't you give us a quick overview. >> Sure, so SailPoint helps large enterprises control who has access to what. So at the end of the day, all the access that you need to do your job should fall into what your role is in the company, and what projects you're working on, and for many companies, that's not what is proactively being delivered. You're accumulating a set of things based upon who you ask, who you know, and a lot of inadvertent accumulation of things that you might need or you might not need. So we help companies put that under lock and key and under control, make sure that there's a process for who should approve your access. How can we empower you quickly when you start your job? How can we transfer you to a new role if you move jobs? And most importantly, oftentimes, how do we take away things very systematically when you leave the company? So that's what we do in a nutshell. >> So I would imagine, before you get there, it's a hodgepodge of spreadsheets and Google Docs and all types of assorted random things. >> You bet, for the average large company, this is a manual effort, and it is just not systematic, which it has to be. 
What you have when you don't have a systematic effort here that's filtered by business approvals and work flow processes is a cumulated surface area that need not be available to the attacker. We want to narrow that surface area by narrowing your access to only that's what's needed and keep it pruned as you evolve with your role in the company. >> It seems like there's so much low-hanging fruit, about just doing what you should be doing, just doing it and so many people don't apply patches, they don't systematically take people out of things when they leave the company. All these things that seem relatively simple on the surface from the outside, but in fact, in a large organization, are not simple by any stretch of the imagination. >> It's so true. In security in particular, it's a really hard job but consistency and patience and methodic progress is really, really key. I liken it to the quality movement that we experienced in manufacturing over two decades ago. We started measuring, we started being consistent, we started thinking about what is the root cause of this or that and how can we continually make ourselves a bit better every time period. And so that's what some of the basics are all about, and governance is a big part of that. >> Okay, so you just got off a panel. And the event here is really focused about the boardroom conversation, so let's just jump into that. You made an interesting conversation from the board about a portfolio approach, which is only natural since you're a corp dev guy, thinking of portfolio strategies. So how should they think about the portfolio? I haven't heard anyone discuss their tools in a portfolio strategy method. >> So, let's zoom out on the context here. Boards are trying to provide governance. They need wisdom to provide governance. If they don't understand security at all, how can they be wise about it? 
So there's definitely a really, really strong push to get the board being more proactive about demanding the right levels of security and being shown the data that they can have for how security is being applied. I look at security portfolio management as a great way to step out of the FUD domain, where we have vendors selling us technologies that we don't understand and most of the people talking to us don't even understand, and into a domain where there is less of a bet on prevention, which we know isn't going to happen, and more of a bet on monitoring a response, governance, which is just going back to the source and making sure people have the right access, and education, helping end users understand what that phishing attack would look like, actually going through testing and really accumulating awareness of what to avoid. Because we know that's the easiest way to get started. Every attack starts with a phishing attack that compromises an end-user point in-station, and then moves laterally to the good stuff. That portfolio view allows the board to start understanding how we're not making a bunch of hopeful bets on prevention that is elusive, and we're actually making some balanced bets around the pieces of the puzzle that we know can give us immediate returns and we can measure against the returns. >> Now what about the scale of the bets? We've talked about this with a few of the other guests that came on, 'cause again I liken it to insurance. You'd add some, you could be probably over-insured. There's not infinite resources, so there's always a yin and yang on how much do we invest and then what came up in the kickoff this morning and then how do we measure success? Because obviously success would be no problems, but you probably need a much softer way to measure success. >> Very true. So this came up earlier in the discussion, and that is you've got to get the board thinking about a risk posture, where there are tradeoffs. 
You can't ask them, you can't use FUD on the board. You're going to freak 'em out. You have to say, "This is what I have to do to enable this business to operate at this velocity." And if they don't want that risk, here's the velocity that they ought to be operating within because we are less exposed at that velocity. And so translating it into these sorts of terms that the board understands in the world of business. They're well experienced in advising you on how to operate your business. They've thought about travel risks. They've thought about plant closure risks. And they've thought about employee lawsuit risks. Translate security into risks that they can also understand and then present your measurements and your investment trade-offs in that context. That's what the best practice appears to be. It's still really hard, and so here's the knock: you can have all that great thinking and still struggle because of the degree of difficulty here. You just have to keep at it. >> Now unfortunately, the CISO on the agenda at the board meeting was down toward the end of the day and just before him was the CMO and the Head of Sales and Operations and they're like, "We got to go, we got to go, it's digital transformation. We got to go, we got to go, competitors are going like crazy. Speed, speed, speed, digital transformation." That's what you beat us up about last quarter. So as people are trying to really evolve their companies, they're trying to move to a more digital platform, they're innovate faster, they're trying to enable more people in the company to have access to the data, and access to the tools so they can innovate faster. How does that then bang up when he sits down and the CISO stands up? >> So, digital transformation is an opportunity. For me, it's just code for reinventing business around customer engagement, for many companies that have direct relationships to their customers in a broad form, at least it's that for them. 
That means there's an investment elasticity opportunity. And so building security into that velocity we talked about, or the mode of digital transformation that you're going to deliver is really, really key. It's less about defending security as a horizontal utility that is generic and hard to place within the context of that digital transformation, that customer engagement, that velocity of business, it's that latter scenario. Actually, one of the folks of the panel that I was on, Debbie from PNC Bank, made a great point. She talks about security as part of the brand, part of the brand prompts. We want people to trust our brand. And so more and more, I would argue that the monetization and the maturation of the attack life cycle, and the ability to take customer records and sell them, has forced us to realize that's a distinct business risk. So losing all of our customer data is a huge business risk that business people now understand and you can equip them to reduce that risk with good security measures. While you're doing digital transformation, you have an opportunity to bake it in. So now, you can suddenly say, "Hey look! We can fit that into the overall architecture." You want it to be a collaborative part of the new design, versus an overlay, which has typically been the approach, when we've automated business on top of IT and then wrapped security around that. >> It's funny, you're the first person that's ever really tied security to trust and trust to brand, because there's always an ongoing conversation about, "Do brands matter? What is a brand? How are brands defined in an increasingly competitive world?" So, is security in that context, table stakes or is it a competitive advantage? >> Well, let me ask you a question. How's Yahoo's brand today? >> Not so good. >> After repeated losses, right, I could name plenty. 
The circumstance and the experience, and our ability to absorb that experience frankly through a lot of reporting, has helped us to know what we're up against. What are the downsides? That's just education. I think that's the good part of FUD, when things are reported accurately and we understand that these things have happened, even if we learn a bit later, that's very necessary for us to say, "This is what needs to be done." Just like anything else. When transportation evolved and we reinvented business at the speed of our new transportation in the way we collaborate, that was an impact. We now have to continue to think about business as being more digital and has to be more secure. >> Well, Joe, this has been a great conversation and the other thing you nailed, you're the first person that has ever talked about digital transformation as redefining your business process around customer engagement. That is spectacular. >> Wow. >> Thanks for sharing that, we'll use that. >> Good stuff. >> Alright. Thanks for stopping by. >> You bet. >> He's Joe Gottlieb, I'm Jeff Frick, you're watching theCUBE. We'll catch you next time, thanks for watching.
Brad Hibbert, BeyondTrust | Security in the Boardroom
>> Hey welcome back everybody. Jeff Frick here with theCUBE. We're at Palo Alto at the Security in the Boardroom event, it's put on by the Chertoff Group. They do a couple of these a year, all across the country and they're all about security, but what's interesting is it's not really the tech conversation of security or the gadgets, or a lot of the things we typically cover on theCUBE but really more this event's about the boardroom. And making it a boardroom topic and a boardroom conversation. So we're really excited to have our next guest. He's Brad Hibbert, he's the CTO of Beyond Trust. Brad, welcome. >> Thank you, glad to be here. >> Absolutely, so you just got off the keynote stage, talking about CSOs and how do you help those guys do their jobs, they're in a crazy position. >> That's right, I was just talking about how to make them feel more comfortable talking sort of the boardroom language and ways they can work with vendors to help out with that. So it was a good panel. I think I had a number of good perspectives on the subject. >> Beyond Trust. Give us a background on Beyond Trust. >> Yeah, sure. So Beyond Trust we're all about helping people manage their risks, sort of the internal risks of the environment. It's new area for cyber-security, it's a new layer of security if you will. A lot of people are familiar with sort of the perimeter-based security things like vulnerability scanning, which we do, so attack surface closures and so on. This is really more about when somebody's in the environment or compromised accounts, how do you really secure the environment from that type of access. So we have a number of products that can solve certain use cases around that. >> So this must be the PAM that you guys talk about all the time. >> Brad: That's right, Privileged Access Management. >> Privileged Access Management. >> That's right. >> So you say Privileged Access, so as you just said, that's people that are already on the inside. 
>> Yeah, so it could be anybody from administrators, leveraging shared accounts, any administrators that need elevated credentials, making sure that you control access to those credentials, and making sure that you ensure that they're using them appropriately, so not misusing them or misbehaving in some way, with all sorts of auditing capability behind that. It could be your desktop administrators, your developers, you just need elevated access in some way. What we're finding is that what hackers are doing now is, they're going after things once they kind of get a footprint in the environment. They're going after the credentials, they're going after privileges, because that gives them more access to the corporate data. >> So is it just that they're a more rich target for the hackers? Or is it because they have a different behavior than your typical person at the end of my phone or your typical access point in? >> It's a bit of both. I think one is, hackers are going to the path of least resistance. So as I mentioned from a privilege perspective, once you're inside the environment, controlling and seeing what people are doing, typically goes under the radar of the traditional security defenses. So once they can get that access, it becomes much more difficult to detect when somebody's doing something inappropriately within the environment. Also, a number of these credentials are not being managed very securely, so a lot of people sharing credentials, they never change their credentials, they use the same password on every router in the organization, they never rotate it, those sorts of things. So there are a lot of weaknesses or vulnerabilities around credentials, just like in the past there's vulnerabilities around assets, and vulnerabilities around applications, now there's vulnerabilities around how you manage access and credentials. And that seems to be an area that people are targeting. 
>> So you would assume that people that have privileged access would have a little bit higher education, behavior, practices on avoiding things that they're not supposed to do, but it sounds like not necessarily, or? >> Well, yeah, certainly on-- >> On paper that's what you would think. >> On paper, absolutely yeah, I think the tradeoff sometimes is from a password management perspective, it's difficult to do that manually if you think about the number of passwords in our organization, shared accounts on systems and applications, on networks, network devices and cloud apps, it's just a number of things out there. So people really need a way to harness that and control that in a more automated way. And they just lack that today. Sometimes it's around operations. When I was an admin, bad to say but I used the same password a number of different devices because for me it was easy to remember. Complex and changing passwords becomes difficult to manage in some cases, right? So password management, part of PAM, one of the components that we have, enables you to manage those things in a more automated and controlled way without putting a lot of burden on the administrative team, which is what people are looking for. >> So how far are we away from a better method than password? It amazes that we have phones with fingerprint readers and it still asks us for a password to get into our phone. We have Salesforce at work, and Salesforce is very secure so they make us change our passwords, whatever it is every four weeks or six weeks. And I've gone through kind of my core, my top 10 passwords and it still won't let me in. So it's such a not great way to access, and as you said this expanding level of applications and stuff now, our interaction with so many different things are so password-driven. Two-factor authentication is obviously helping, but when are we going to get beyond passwords? 
>> Well I think from my perspective, I think passwords are going to be around for a long time, because it's not just users that use passwords. Systems also use passwords. Application to application interfaces now use secrets or some sort of passwords, and so on. They're going to be around for a long time, even the ones that administrators and shared credentials, they're going to be around for ten years-plus. And I always say, even with multi-factor there's always something you have and something you know. So I always think there's a good reason to keep them in a lot of cases. But even beyond the passwords, even once you log in there's still other things that you want to make sure are being addressed. You want appropriate logging and controls, and analytics around what you're doing with those credentials. You might want to restrict when you should have access, so maybe I don't want my administrators to be able to go start patching a system or configuring a system unless appropriate tickets are in the ticketing system during certain times of the day. So you start adding more controls around when they can actually use these passwords, and then when they use them, ensuring that they're using them appropriately. So there's a number of different aspects around Privileged Access Management other than just the passwords themselves. >> But it's just funny even with all the procedures and processes, you still have, at the end of the day, behavior. It sounds like so many times people don't follow the right procedure, they like you say, share passwords, they don't apply the patches, and so you're fighting kind of the people-process thing always, in addition to the technology piece. >> Right, and sometimes it's difficult. In some organizations you still have end users that have full admin rights on their desktops, right? So if they get phished, the hacker gets on that machine, they have admin rights on that machine. Then they can use that as a footprint to go elsewhere. 
Then once they're on that machine of course, they could have line of sight to anything inside your environment. So if those things inside your environment aren't properly secured, network devices and so on, they could be susceptible if they're not being managed properly as well. So it's a big problem, and as I mentioned before, in a lot of organizations it's a missing security layer that they just don't have today. Which is why the market's growing so quickly. >> Well Brad, I think you got a lot of job security. (laughter) >> Well thanks for taking a few minutes out of your day, appreciate it. >> Absolutely, thanks. Alright, he's Brad Hibbert, I'm Jeff Frick. You're watching theCUBE from the Security in the Boardroom event put on by Chertoff. Thanks for watching.
Bob Griffin, Ayasdi Inc | Security in the Boardroom
>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto, California at the Four Seasons Hotel. An interesting event, it's called Security in the Boardroom, and it's part of the security series put on by the Chertoff Group. They do a couple of events a year, and they've returned to the Four Seasons. It's really an interesting twist on the whole security discussion, really elevating it to what's happening in the boardroom. We're excited to be here, we've got some great guests lined up, and we've got our first guest of the day. He's Bob Griffin. He's the CEO of Ayasdi. >> Correct. >> Welcome, Bob. >> Thanks. >> I got the pronunciation right, so. >> You did, indeed. >> For people that aren't familiar with the company, what is Ayasdi all about? >> Well Ayasdi's an artificial intelligence platform manufacturer that builds technologies that allows us to effectively deploy enterprise class artificial intelligence applications. >> For security's specific application or beyond security? >> Yeah, beyond security. We're fundamentally focused in three areas. We're focused in the financial crimes area, specifically around doing things like anti-money laundering, risk and compliance, waste, fraud and abuse. We're focused a lot in the healthcare area, around doing things like, clinical variation management, population health risk, and we've got a very strong focus in the federal government and the public sector, mostly around the intelligence community, DoD and so forth. >> Okay. So, financial institutions, the government, and then who's the purchaser, what's the segment that buys your healthcare focus applications? >> It's traditionally both the payers and the providers. So folks that are looking at, how do we manage costs associated, but how do we make more use of healthcare practices? So, folks like Mercy Hospital, folks like Intermountain, United Healthcare, folks like that. 
>> So it's interesting 'cause there's a lot of talk of machine learning and AI right now, it's hot, hot, hot like big data was a couple years ago. But I think, a lot of people are still confused as to how is it actually being used. Is it actually being used? It's probably affecting them in ways they have no idea. So, how is the adoption of AI progressing from your point of view in these industries, and how is it helping transform them? >> Well, it's absolutely transformational technology. The reality is all applications eventually are going to have to become intelligent or they become obsolete. The biggest challenge with artificial intelligence is that it's moving incredibly quickly. The rate of change, milestones, are daily. So if you're not running to artificial intelligence applications, or developing and deploying those, you're behind the curve. If you're sitting at the stoplight right now, and your competitors are entering the intersection using artificial intelligence, you're never going to catch up, so you have to move quickly. >> Right. >> The second thing, I think, is that, artificial intelligence now has got an opportunity that can really focus and help with real business problems. Traditionally, what we've done with artificial intelligence is we've parked it in innovation labs, or we've parked it in R&D. It's time to take it out of that and really put it to place, in areas around opportunities we talked earlier about. Anti-money laundering. How do you reduce the number of false positives to make your 5000 investigators more effectively? Artificial intelligence can do that kind of application. >> I was wondering if there's any stories you can share publicly about some of the big impacts or maybe little impacts that people would never have guessed where you can apply this type of technology to positive outcome. >> Sure. So, let's talk a little bit about, let's take anti-money laundering as an example. We have a client that has nearly 7000 investigators. 
And their challenge is, they're getting almost 98% false positives. They came to >> 98% false positives? >> 98 false positives, I mean think about that. >> Which is crazy. >> Out of every hundred, only two positives are actually effective. Alright so, they came to us and said, look, if we can reduce our false positives by say 3-5%, that's a home run for us, right? What do you think you can do to help us? We took their information, their data, put ourselves within their workflow. And we were able to give them a 26% reduction in false positives. Well that changes the game for them. Just the economic savings alone is incredible. You're talking nearly 140 million dollars. So, those are real things. I'll give you one more example in the healthcare area. We've been studying type 2 diabetes for nearly 40 years. We took that same data set that people have been studying and working with one of our partners, we were able to very quickly, through our platform, segment up that data set and show that type 2 diabetes really falls into three subsegments. And those subsegments are really indicators of what's likely to happen to patients, but more importantly, they subsegment up into things like, these clients, er, these patients that have these conditions are likely to develop cancer. These clients are likely to develop retinopathy, blindness. What that's doing is it's changing the way, not only they're going to prosecute a cure, but also the way they're going to prosecute the treatment of type 2 diabetes. It's changing the game. >> So, it's interesting. You got a technology platform. Do you also deliver the data to scientists? How does it work in terms of, or are you a tool that you hand to data scientists inside the organization, the one you just, given an example of and gives them a different tool, or you also delivering services to help refine and tune? 
'Cause obviously it's always implied that these things, not only do you pump the data in, that there's a continuing ongoing process of learning as they, continue to get smarter. >> Absolutely. The answer actually is yes. We provide a platform, and that platform really comes with capabilities to enable our clients to develop artificial intelligence applications in real time or near real time. So, it has things like an SDK, it has REST APIs, but more importantly, it has a tool we build called Envision. And that Envision really allows our clients to very rapidly prototype new artificial intelligence applications and get them into production incredibly quickly. Now to your point, there are, some of our clients that don't have the technological skills or prowess, but yet, need to take advantage of the technology. So we have a professional services capability that will come in. We'll bring in data scientists as required. We'll bring in subject matter experts as needed. We'll bring in program managers and so forth, and we'll take them from kind of, cradle to grave, in helping them build out those applications. As part of that we'll train them, educate them and let them to become self-sufficient. Because, one of the things that I think is incredibly important about artificial intelligence that nobody's talking about, is any machine-intelligent application has to be able to do five things. It has to be able to discover. You know, find out and do observational discovery. What does it not know about itself, What can it learn? And that's important, because if you can do unsupervised discovery, then you can do the next thing, prediction, much more effectively. So it has to be able to discover, it has to be able to do prediction, from the past we can predict the future. It has to be able to do justification, and that's probably one of the most important areas that we talk about. 
Justification is not necessarily what is it the algorithm did, but why did it do that, why did it take that action? Why did it segment the population to these sizes? What is it that it proved? Why did that sensor go off? And so forth. >> This is really, to kind of, unveil the black box a little bit. 'Cause nobody wants the white box anymore. >> Absolutely. And then lastly, it's got to be able to do two additional things. It's got to be able to act on what it has discovered, what it's predicted, what it's justified. And then lastly, it's got to be episodic, it's got to learn. So what did I learn from the last episode, and how do I apply that back to a new form of discovery, a new form of prediction, the next level of justification and action. >> That's a great summary, Bob. And it's interesting. 'Cause you guys talk a lot about, I was doing some homework before I came in on the justification piece. You got to open up that black box, it's no longer good enough just to kick out an answer. >> Absolutely. And if you can't on it, what's the point, you know? It's kind of more of a science experiment. Before I let you go, we're running out of time, but, the roots of the company, is around this thing called topological data analysis. And you're not a data scientist, nor am I, but conceptually, what was different about that approach, that people weren't doing previously? >> Well so, topological data science, data analysis, is the study of the shape of data. All data comes in shape. The challenge historically is most people apply traditional algorithms to data assuming that it's going to be in a linear fashion, for example. So they'll linear regression analysis. Or if it's clustered data, they'll apply clustering technologies and so forth. The challenge is, what happens if your data is in a flare shape? Or what if it's in a circular shape? Or what if it's time series based and so forth? 
What we do is, with TDA, the first thing it does, is we understand the shape of the data 'cause the data will tell you a lot about itself and its shape. And from that shape you can start to ask more intelligent questions about the data so you can unlock all of the insight. >> So it's really almost like, a higher order organization if you will. 'Cause we always look for patterns, right? That's what we always do as people. Alright, well Bob, really interesting conversation. >> Thanks. >> I really look forward to the next time we get a chance to sit down. >> I appreciate it. >> We'll have to leave it there for now. >> Alright, appreciate your time. >> Alright, Bob Griffin, he's the CEO at Ayasdi. I'm Jeff Frick, you're watching theCUBE. We're at the Chertoff event, it's called Security in the Boardroom, we'll be right back.