Joe McMann & Bob Meindl, Capgemini | RSAC USA 2020
>>Live from San Francisco, it's theCUBE, covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media. >>Live in. Welcome to theCUBE coverage here in San Francisco at Moscone Hall for RSA 2020. I'm John Furrier, host of theCUBE. We're here breaking down all the actions in cyber security. I'll say three days of wall-to-wall CUBE coverage. You got two great guests here, experts in the cybersecurity enterprise security space. Over 25 years. We've got two gurus and experts. We've got Bob Meindl, executive vice president of North America cyber practice for Capgemini, and Joe McMann, head of North America cyber strategy, even a practitioner in the intelligence community. Langley, you've been in the business for 25 years. You've seen the waves. Guys, welcome to theCUBE. Thank you, John. Thanks for having us. So first let's just take a step back. Cyber certainly on the number one agenda, kind of already kind of broken out of IT in terms of status, board level conversation, every CSO, risk management and a lot of moving parts. >>Now, cyber is not just a segment in the industry. It is the industry. Bob, this is a big part of business challenge today. What's your view? What was going on? So John has a great point. It's actually a business challenge and that's one of the reasons why it's now the top challenge. It's been a tech challenge for a long time. It wasn't always a business challenge for you as was still considered an IT challenge, and once it started impacting business and got into a board level discussion, it's now top of mind as a business challenge and how it can really impact the business continuity. Joe is talking before we came on camera about, you know, CEOs can have good days here and there and bad days then, but CISOs all have bad days all the time because there's so much, it's so hard. You're on the operations side. >>You see a day to day in the trenches as well as the strategy. This is really an operations operationalizing model. 
As new technology comes out, the challenge is operationalizing them for not only a business benefit but business risk management. It's like changing an airplane engine out at 35,000 feet. It's really hard. What are you seeing as the core challenge? This is not easy. It's a really complex industry. I mean, you take the word cybersecurity, right? Ready? Cybersecurity conference. I see technology, I see a multitude of different challenges that are trying to be solved. It means something different to everybody, and that's part of the problem is it's a really broad ecosystem that we're in. If you meet one person that says, I know all of cyber, they're lying, right? It's just like saying, I know Active Directory and GRC and I know DNS and I know how to, how to code, right? >>Those people don't exist and cyber is a little bit the same way. So for me, it's just recognizing the intricacies. It's figuring out the complexities, how people, process and technology really fit together, and it's an operation. It is an ongoing, enduring operation. This isn't a program that you can run. You run it for a year, you install and you're done. There's ebbs and flows. You talked about the CISOs and the bad days. There's wins and there's losses. Yeah. And I think part of that is just having the conversation with businesses. Just like in IT, you have bad days and good days, wins and losses. It's the same thing in cybersecurity and we've got to set that expectation. Yeah, you didn't bring up a good point. I've been saying this on theCUBE and we've been having conversations around this. It used to be security as part of IT, right? >>But now that it's part of the business, the things that you're mentioning around people, process, technology, the class, that kind of transformational formula, it is business issues, organizational behavior. Not everyone's an expert, specialism versus generalists. So this is like not just a secure thing, it's the business model of a company is changing. 
So that's clear. There's no doubt. And then you've got the completion of the cloud coming, public cloud, hybrid, multi-cloud. Bob, this is a number one architectural challenge. So outside of the blocking and tackling basics, right, there's now the future business is at risk. What does Capgemini do? And because you guys are well known, great brand, helping companies be successful, how do you guys go to customers and say, Hey, here's what you do. What's the, what's the Capgemini story? >>So the Capgemini story is really about increasing your cybersecurity maturity, right? As Joe said, starting out at the basics. If you look at a lot of the breaches that have occurred today have occurred because we got away from the basics and the fundamentals, right? Shiny new ball syndrome. Really. Exactly exasperates that getting away from the basics. So the technology is an enabler, but it's not the be all and end all, right, go into the cloud is absolutely a major issue. That's increasing the perimeter, right? We've gone through multiple ways as we talked about, right? So now cloud is another way, cloud, mobile, social. How do you deal with those from on prem, off prem. But ultimately it's about increasing your cyber security maturity and using the cloud as just increasing the perimeter, right? So you need to, you really need to understand, you have your first line defense and then your maturity is in place. Whether the data resides in your organization, in the cloud, on a mobile device, in a social media, you're responsible for it all. And if you don't have the basics, then you're, you're really, and you guys bring a playbook, is that what you guys come in and do? Correct. Correct. Right. So our goal is to coordinate people, process, technology and leverage playbooks, leverage the run books that we had been using for many years. >>I want to get down to you on this one because of what happens when you take that to the, into the practitioner mode or at implementation. 
Customers want the best technology possible. They go for the shiny new choice. Bob just laid out. There's also risks too because it may or may not be big. So you've got to balance out. I got to get an edge technically because the perimeter's becoming huge, surface area now or some say has gone. Now you've got edge, just all one big exposed environment, surface area for vulnerabilities is massive. So I need better tech. How do you balance and obtain the best tech and making sure it works and it's in production and secure. So there's a couple of things, right, and this is not, it's not just our, and you'll hear it from other people that have been around a long time, but a lot of organizations that we see have built themselves so that their cybersecurity organization is supporting all these tools that we see. >>That's the wrong way to do it. The tools should support the mission of the organization, right? If my mission is to defend my enterprise, there are certain things that I need to do, right? There's questions I need to be able to ask and get answers to. There's data I need visibility into. There's protections and controls I need to be able to implement. If I can lay those out in some coordinated strategic fashion and say, here's all the things I'm trying to accomplish, here's who's going to do it. Here's my really good team, here's my skilled resources, here's my workflows, my processes, all that type of stuff. Then I can go find the right technology to put into that. And I can actually measure if that technology is effective in supporting my mission. But too often we start with the technology and then we hammer against it and we run into CISOs and they say, I bought all this stuff and it's not working and come hell yeah. >>And that's backing into it the wrong. So I've heard from CSOs, I'd like they buying all these tools. It's like a tool shed. Don't be the fool with the wrong tool as they I say. 
But that brings up the question of, okay, as you guys go to customers, what are some of the main pain points or issues that they're trying to overcome that are opportunities that you guys are helping with? Uh, on the business side and on the technical side, what are some of the things? So on the business side, you know, one is depending on their level of maturity and the maturity of the organization and the board of directors and their belief in, in how they need to help fund this. We can start there. We can start by helping draw out the threat landscape within that organization, where they are maturity-wise and where they need to go, and help them craft that message to the board of directors and get executive sponsorship from the board down in order to take them from baby, a very immature organization or, you know, a reactive organization to an adaptive organization, right. >>And really become defenders. So from a business perspective, we can help them there. From the technology perspective, Joe, uh, you know, or an implementation perspective. I think, you know, it's been a really interesting road, like being in this a long time, you know, late two thousands when nation states were first really starting to become a thing. All the industries we were talking to, every customer is like, I want to be the best in my industry. I want to be the shining example. And boards in leadership were throwing money at it and everybody was on this really aggressive path to get there. The conversation is shifted a little bit with a lot of the leadership we talked to. It's, I just want to be good enough, maybe a little bit better than good enough, but my, my objective anymore is it to leave the industry. Cause that's really expensive and there's only one of those. >>My objective is to complete my mission maybe a little bit above and beyond, but I need the right size and right. So we spent a lot of time helping organizations, I would say optimize, right? 
It's what is the right level of people, what is the right amount of resources, what's the right spend, what's the right investment, the right allocation of technology and mix of everything, right? And sometimes it's finding the right partner. Sometimes it's doing certain things in house. It's, there's no one way to solve this problem, but you've got to go look at the business challenges. Look at the operational realities of the customer, their budgets, all those, their geographies mattered, right? Some places it's easy to hire talent. Some places it's not so easy to hire talent. And that's a good point, right? Some organizations, >>they just need to understand what does good look like and we can, we have so many years of experience. We have so many customers use cases is we've been there and we've done that. We can bring the band and show them this is what good looks like and this is sustainable >>of what good looks like. I want to get your reactions to, I was talking to Keith Alexander, General Keith Alexander, a former Cyber Command head, last night and we were talking about offense versus defense and that kind of reaction. How the Sony hack was was just was just, they just went after him as an example. Everyone knows about that hack, but he really was getting at the idea of human efficiency, the human equation, which is if you have someone working on something that here, but their counterpart might be working on it maybe from a different company or in the same company, they're redundant. So there's a lot of burnout, a lot of people putting out fires. So reactive is clearly, I see as a big trend that the conversation's shifting towards let's be proactive, let's get more efficient in the collaboration as well as the technology. What you, how do you guys react to that? What's your view on that statement? So >>people is the number one issue, in my opinion. In this space, there's a shortage of people. The people that are in it are working very long hours. 
They're burnt out. So we constantly need to be training and bringing more people into the industry. Then there's the scenario around information sharing, right? Threat information sharing, and then what levels are you comfortable with as an organization to share that information? How can you share best practices? So that's where the ISACs come into play. That's also where us as a practitioner and we have communities, we have customers, we bring them together to really information-share, share best practice. It's in all of our best interests. We all have the same goal and the goal is to protect our assets, especially in the United States. We have to protect our assets. So we need, the good thing is that it's a pretty open community in that regards and sharing the information, training people, getting people more mature in their people, process, technology, how they can go execute it. >>Yeah. What's your take on the whole human equation piece? Right? So sharing day, you probably heard a word and the word goes back to where I came from, from my heritage as well, but I'm sure General Alexander used the word mission at some point, right? So to me, that's the single biggest rallying point for all of the people in this. If you're in this for the right reasons, it's because you care about the mission. The mission is to defend us. Stop the bad guys from doing days, right? Whether you're defending the government, whether you're defending a commercial enterprise, whether you're defending the general public, right? Whatever the case is, if you're concerned, you know, if you believe in the mission, if you're committed to the mission, that's where the energy comes from. You know, there's a lot of, there's a lot of talk about the skill gap and the talent gap and all of those types of things. >>To me, it's more of a mindset issue than anything. Right? The skill sets can be taught. They can be picked up over time. I was a philosophy major. All right? Somehow I ended up here. 
I have no idea how, um, but it's because I cared about the mission and everybody has a part to play. If you build that peer network, uh, both at an individual level and at an organizational and a company level, that's really important in this. Nobody's, nobody's an expert at everything. Like we said, you brought a philosophy. I think one of the things I have observed in interviewing and talking to people is that the world's changed so much that you almost need those fresh perspectives because the problems are new problems, statements, technology is just a part of the problem set back to the culture. The customer problem, Bob, is that they got to get all this work done. >>And so what are some of the use cases that you guys are working on that is a low hanging fruit in the industry or our customer base? How do you guys engage with customers? So our target market is Fortune 500, Global 1000, so the biggest of the big enterprises in the world, right? And because of that, we've seen a lot of complex environments, multinational companies as our customers. Right? We don't go at it from a pure vertical base scenario or a vertical base solution. We believe that horizontal cybersecurity can be applied to most verticals. Right. And there's some tweaking along the way. Like in financial services, there's regulators and FFIEC that you need to be sure you adapt to. But for the most part the fundamentals are applicable. All right. With that said, you know, large multinational manufacturing organization, right? They have a major challenge in that they have manufacturing sites all over the world. >>They're building something that is, you know, unique. It has significant IP to it, but it's not secure. Historically they would have said, well, nobody's really gonna just deal steal what we do because it's really not differentiated in the world, but it is differentiated and it's a large corporation making a lot of money. Unfortunately ransomware, that'd be a photographer. 
Ransomware immediately, right? Like exact down their operations and their network, right? So their network goes down. They can have, they can, they can not have zero downtime and their manufacturing plants around the world. So for us, we're implementing solutions and it's an SLA for them is less than six seconds downtime by two that help secure these global manufacturing environment. That's classic naive when they are it. Oh wow. We've got to think about security on a much broader level. I guess the question I have for you guys, Joe, you talk about when do you guys get called in? >>I mean what's your main value proposition that you guys, cause you guys got a broad view of the industry, that expertise. Why do, why are customers calling you guys and what do you guys deliver? They need something that actually works, right? It's, it's you mentioned earlier, I think when we were talking, how important experience is, right? And it's, Bob said it too, having been there, done that I think is really important. The fact that we're not chasing hype, we're not selling widgets. That we have an idea of what good looks like and we can help an organization kind of, you know, navigate that path to get there is really important. So, uh, you know, one of our other customers, large logistics company, been operating for a very long time. You know, very, very mature in terms of their IT operations, those types of things. But they've also grown through merger and acquisition. >>That's a challenge, uh, cause you're taking on somebody else's problem set and they just realize, simply put, that their existing security operations wasn't meeting their needs. So we didn't come in and do anything fancy necessarily. It's put a strategic plan in place, figure out where they are today, what are the gaps, what do they need to do to overcome those gaps? Let's go look at their daily operations, their concept of operations, their mission, their vision, all of that stuff down to the individual analysts. 
Like we talked about the mindset and skillset. But then frankly it's putting in the hard work, right? And nobody wants to put in the heart. I don't want to say nobody wants to put in the hard work. That's fun. There's a lot of words that's gets done I guess by the questions that you guys getting called in on from CISOs, chief information security officers. >>Guess who calls you? So usually we're in talking to the CISO, right? We're having the strategic level conversation with the CISO because the CISO either has come in new or has been there. They may have had a breach. Then whatever that compelling event may be, they've come to the realization that they're not where they need to be from a maturity perspective and their cyber defense needs revamping. So that's our opportunity for us to help them really increase the maturity and help them become defenders. Guys, great for the insight. Thanks for coming on theCUBE. Really appreciate you sharing the insights. Guys. Give a quick plug for what you guys are doing. Capgemini, you guys are growing. What do you guys look to do? What are some of the things that's going on? Give the company plug. Thanks Sean show. It's been a very interesting journey. >>You know this business started out from Lockheed Martin to Leidos Cyber. We were acquired by Capgemini a year ago last week. It's a very exciting time. We're growing the business significantly. We have huge growth targets for 2020 and beyond, right? We're now over 800 practitioners in North America, over 2,500 practitioners globally, and we believe that we have some very unique differentiated skill sets that can help large enterprises increase their maturity and capabilities plug there. 
Yeah, I mean, look, nothing makes us happier than getting wins when we're working with an organization and we get to watch a mid level analyst brief the CISO that they just found this particular attack and, oh by the way, because we're mature and we're effective, that we were able to stop it and prevent any impact to the company. That's what makes me proud. That's what makes it so it makes it fun. >>Final question. We got a lot of CSOs in our community. They're watching. What's the pitch to the CSO? Why, why you guys, we'd love to come in to understand what are their goals, how can we help them, but ultimately where do they believe they think they are and where do they need to go and we can help them walk that journey. Whether it's six months, a year, three years, five years. We can take them along that journey and increase the cyber defense maturity. Joe, speak to the CSO. What are they getting? They're getting confidence. They're getting execution. They're getting commitment to delivery. They're getting basically a, a partner in this whole engagement. We're not a vendor. We're not a service provider. We are a partner. A trusted partner. Yeah, partnerships is key. Building out in real time. A lot new threats. Got to be on offense and defense going on. A lot of new tech to deal with. I mean, it's a board level for a long time. Guys, thanks for coming on. Capgemini here inside theCUBE, bringing their practices, cybersecurity, years of experience with big growth targets. Check them out. I'm John with theCUBE. Thanks for watching.