>> Brought to your by Amazon Web Services and its ecosystem partners. (smooth music) >> Okay, welcome back everyone. This is theCUBE's live coverage in Boston, Massachusetts. I'm John Furrier with Dave Vellante at AWS, Amazon Web Services' inaugural conference called re:Inforce. This is the first conference that Amazon Web Services is putting on around security, and we've got a great guest, we've got CISO, Brian Lozata, CISO for Dataminr, also on the advisory board for Twistlock, which was recently purchased by, well, intent to purchase by Palo Alto Networks, really cracked the code on DevSecOps, scaling up. Great to have you on, thanks for coming on. >> No, thanks for the opportunity. >> Love getting down and dirty and talking to CISOs, because you know, besides the, you know, which regime controls security, which is always evolving, a lot of the state-of-the-art activity going on in the security sector. Clearly the path of catching up to the DevOps Agility has been the big focus. >> It absolutely has. As innovation has been, you know, really pushed forward with cloud I think security's had to catch up and really start pushing towards innovation, looking at ways that we could be disruptive in the space with solving these problems that, look, CISOs, we've been facing this for 20 years and we're putting old technology at the same problem trying to fix it. Now that there's new services, you know, new emerging technology with cloud, we should be taking advantage of that and innovating ourselves in the security-- >> Brian, what's the most important story that should be told, or is being told, or isn't being told that needs to be told and covered by the media when it comes to the security industry, what's your view on this? >> The lack of talent, I mean, we're starving for talent. Cyber security's the only field in the world with negative unemployment. We just don't have the actual bodies to actually fill the gaps that we have, and in that lack of talent CISOs are starving. We're looking for the right things that, or tools to actually patch these holes and we just don't have it. Again, we have to force the industry to patch all of those resource gaps with innovation and automation. I think CISOs really need to start asking for more automation and innovation within their programs. >> It's a multidimensional challenge. I want to just get your thoughts on it. I mean, what pops into my head when you say that, I think "Oh, entrepreneurial." I'm an entrepreneur, it's like, "Oh, I can start a company." So, one, build something. >> Yeah. >> Build a tool, or work for a company, be talent within an enterprise, and then three, you know, be part of that, you know, game changing ecosystem community and do something. >> Yeah, how about all three, right? You could do all three, right? Like, I think security can't be thought of as that arm to go check things anymore. I think security needs to be thought of that arm that pushes innovation forward and helps the business, you know, move forward. We need to be business enablers, and the only way we're going to do it is by building something, like by shortening up the time to actually get code out there or get products out there. >> So, I want to dig into some of the Dataminr stuff we were just chatting before we came on camera, but I do want to dig into Twistlock because I think, you know, you've been in advise, you've seen that journey from day one, from seed financing to now where they're, you know, exiting to a large company. The success has been, very short period of time, only a couple years, five years or so, magic happens, it's a good thing. What happened, what's the story there? (chuckles) I mean, what's-- >> They found. >> Why so successful? >> Well, they found the gap. They found the gap that everybody's facing is the lack of talent to actually solve all of these issues with automation, and they helped fill that gap and fill it pretty quickly, right? So, I think it went from selling to taking orders very quickly because they actually helped solve a lot of, give visibility and put more security into actual the, you know, cloud-based platforms, and it helps companies modernize their tech stack quickly, right? That's what we're all about is pushing things out quickly, and to do it with security in mind. >> If you look at a typical budget pie in IT it's usually about two-thirds people. You know, one-third, you know, hardware, software services. Is it the same in your world, or is it different? >> Depends on the industry and it depends on the company. Some companies don't put security as that much of a focus, so you sometimes you are trying to get those dollars to actually fund your program, others it just depends on the risk, right, how the company's-- >> Well, if it's financial services they'l throw it in, no problem. >> Oh, they'll throw, you know, financial services will totally, totally do it, but if it's an industry or a company that hasn't had security in there and you're evangelizing security, hey, the first six, eight months you're going to be struggling for that budget. You're going to have to, you know, have that articulation that you, you know, speak on technical risk into business risk so you can fund your program, right? That's why the most important talent or skill that a security professional needs is communication skills. If you can't articulate technical risk into a business risk to fund your program, it's, you know, it's very hard for you to actually be successful in security. >> So, you speak wallet and geek, is that what... >> You have to. (chuckles) I think, yeah, (laughs) I think wallet and geek is definitely, it's a required skill in this space, probably more and more than others, right? The other thing is security, you can actually see how it equates to dollars, too, right? >> So, to whom are you speaking wallet, line of business, CEO, C-suite, CFO? >> I think it's definitely going to be up to C-suite. I think in more mature organizations you're going to get to the product line. You're going to get, you know, security into that product aspect, so as products are starting to be developed, those product managers and that product line can start funding their own security within that product development, right, and you need to have that communication style so that you can push that initiative through that product line. So, maturity-wise you'll get there, but I think initially it has to start at that C-suite at the board level. >> And how does that conversation start and what's the flow like, what's the key message that you're getting across? >> You have to talk about risk to that product line. Where's the risk that you can articulate to them and say if this product is impacted in this way, this is the damage to the brand, you know, financial, or financial damage. Once they see that and they can absolutely put dollars next to it, it'll absolutely help them fund that program when it comes to security. >> And you spend time quantifying that >> You have to. >> Is that right? >> Yeah, you absolutely have to. Everything nowadays needs to be quantified so you can put the appropriate amount of resources towards it, both in human capital and financial, right? >> How do you make that argument credible? Is it based on experience, you pull in different data sources from lines of business? >> It's different data sources. You've definitely got to leverage your experience, but it's looking at data lifecycle, where that data's being stored, process transmitted, the risk to losing it, and then quantify that type of data. There's different levels of sensitivity to data, right? Certain data, like you take a hit on your website, just the brochure site versus transactional data, different risk levels, different, you know, different impact to the brand, to the company. >> So, you're taking a portfolio view-- >> Absolutely. >> Weighing different values. >> Totally, you have to. >> And helping people understand where to put their bill. >> Yep. >> So, the CISO, the CIO, they care about production, what's in production, also on the DevOps ethos you've got Agility, you've got hackathons, so you have the kind of the cultural shift, so how do they mitigate the risk, from your standpoint how do you view this, and what do other CISOs think, because you want to foster that creativity to get that incubating going for new ideas, hackathons for instance, great tactic in the DevOps community. We're seeing that now happen in security-- >> Totally. >> Where the people who are close to the action are getting involved in a very DevOps way, but they're kind of not getting sanctioned clearance from the boss, but that's the production side, so again, Ops, different. How is that migration or transition between I've got a hackathon, this feature that if we roll this out this could really help us with our visibility intro threats or better quality alerts. I'm just making that up, but you see where innovation's going to come from, at the same time dealing with all the other pillars of the compliance, and audit, and security, and blah, blah, blah, all that stuff that's in production. How do CISOs deal with this? >> So, it's taking a view, look, a risk-based approach to that entire lifecycle and seeing where is the biggest risk, and then to fix that risk where the gap is and to get into that innovation piece. At my previous company we developed what's called security as code. We had a big gap that we were finding a lot of issues out there with our environment that we were finding three and four days after they were actually rolled out, so we were able to take advantage of AWS services so that we could actually get visibility live, and then we did it we actually remediated the issues with Lambda functions, right? That was innovation, we were able to do it. Now, convincing DevOps to put it into production, that took some time as well, but it was that partnership and showing them we're not going to be bothering you. >> Ballpark timeframe-- >> Yep. >> Ballpark a timeframe to invention, innovation to selling it through to production, ballpark? >> Maybe a month. >> What's the difference between infrastructure as code and security as code? >> So, infrastructure as code is you're putting out the environment, you're creating that VPC, you're setting up the routes. Security as code, what we're calling security as code is that it finds an issue with that environment and it automatically fixes it with a Lambda function or something like that, right? So, it could find the vulnerability, it knows what the fix is, and it automatically goes and fixes it. That's the benefit of cloud, immutable technology. You can fix things pretty quickly. >> Yeah. >> Well, let's, now that we have that ability, let's innovate on security so that we do do those fixes instead of waiting days for it to come back. >> And the secret sauce for that comes from what? >> Developing-- >> Homegrown math, doing. >> Homegrown, homegrown. >> No problem >> You have, like the, I think cloud has allowed emerging technology and security to get back into being innovative and not just coming in to protect or to have visibility. Like security engineers are now saying, "Now we can create," right? AWS has that, the logo, what is their motto, "Build on," right, well that should apply to security practitioners as well. We should be building just as quickly as developers. >> And by the way, the old model was hire a firm to come in, buy a product. >> Totally, yes. >> Now you're saying is let's code up some security. >> Let's do it ourselves. >> Because the practitioners are close to the action-- >> Absolutely. >> They have the innovative device, doesn't take a lot of time to whip something up, find the discovery... >> And do it. And the other thing is we spent years buying tools, buying tools, buying tools. Tools were built to solve one use case. Who knows better their environment than CISOs that are working in it, right? So, let's build tools that our customers-- >> It's like a tool shed, open up the doors, like "I bought that 10 years ago. "We're still amortizing that." It's like there's too many tools. >> Too many tools, so let's build what's appropriate for the environment based on our knowledge, right, of being working in it. >> Describe a great day for a security practitioner. >> (chuckles) A great day is that I don't get called at two in the morning, right? I think every day is a great day in security, and I'm going to tell you why, because it's growing so quickly I think organizations are starting to realize the value of security, that security is a value prop to a customer or to a client. They like to see security being baked into the products, so I think it is good for security to see it grow. I love to see that AWS has now invested in re:Inforce. I think it was about time. I had been going to re:Invent for, I don't know, maybe four or five years now, and I saw that grow and it was absolutely time for this, so-- >> It's interesting-- >> It's good. >> You hear the chatter, you hear the chatter also around security not, not just being not being a call center and being strategic, which clearly it is, because one breach and you go out of business, that's a business model problem. But as a revenue generator, seeing a trend now-- >> Totally. >> Of people who are building in-house because they have their own problems are taking the Amazon playbook. Do it for yourself first and then expose that out as a service-- >> Totally. >> With Marketplace. Dave McCann's kicking butt over there. He's got services, so the idea is that if people have a good foundation you're just buying services. >> Totally. >> Not tools. >> Yep, and investing in and buying services, not tools, and then pushing those, your resources and your talent to actually be creative and innovative, and be just as hungry when they see new services come out. I love when developers come up to us and say, "There's this new service that's "going to launch tomorrow, AWS is." Can I mess around with it? Can I throw, like I like to see that because then we can get insight into it and say yes, right? Fear is a greater threat to progress than hardship. I don't want my developers to have fear. I want them to feel, "Security team's got my back." The platform has the-- >> Yeah. >> ability to visualize it, so let's move forward with that. >> So, let's talk about fear, uncertainty, and doubt, AKA known as FUD. >> FUD, yeah. >> All right. So, it used to be that the suppliers would put FUD onto the customer saying, "No, don't buy that other product." You could, you know, use that fear. It's now flipping around with CISOs, you know, the way we're hearing that one of the mandates is to get the supplier account from hundreds to single or double digits, and so the fear is being pushed back out, saying if you don't have this kind of stack integration, this kind of API support, you're not going to be a vendor. >> Yeah. >> This is shifting. >> You agree? >> 1000% agree. I think we needed to, like we should not have taken our tempo for so many years from vendors. They were dictating our programs at that particular point. Now we can take control of our program, saying we don't want to partner with you if you don't integrate with the way we've built our program, that we know our environment, right? So, I think we're taking a little bit more control of our destiny and our platforms versus just taking the tempo from vendors. >> And the key here is having that platform built-- >> Absolutely. >> To start thinking through the critical thinking around tech stack, purpose, and this is their shift, this is what, and some families aren't there yet. They, because they have to build it up. >> They have to build it up, and-- >> How long does it take to do that? >> The most important thing to build that up, talent. Look, you're only as good as the talent you have. If you don't have the talent to build that platform up you're going to be stuck in that vendor loop forever. I mean-- >> Had a CISO saying to me privately, "Love multi-cloud, love the vision, "but honestly I'm not investing in Diamond multi-cloud "until I get my team on one cloud, "and I'll use secondary clouds for, you know, "either rollover, backup, or some other point feature, "or inherited workload through an M&A or other project. "No big deals, shadow IT, but in terms of my talent "I don't want to have three different teams. "I want one team to build the stack "and continue to think about automation, "then we'll get to multi-cloud when it's ready." Your thoughts to that. >> I 1000% agree. I think that we need to get one cloud right first before we start thinking about putting our talent, our limited talent resources, again, everybody's starving for talent, into investigating and remediating other cloud issues. I think you definitely have to get one thing right first before moving over. I do think, though, that the time's going to come where there's going to be a lot of companies doing, you know, production workloads in multiple clouds. I, you know, I'm actually eager to see that day, and see it publicly and see how it's being managed, right? >> Well, the one who cracks that nut is going to win big lottery ticket. >> Oh, totally, totally. >> Metrics. I want to quickly defrost on metrics. Metrics is something that if you, if you, if you serve the metrics master too hard you could actually miss out on what your real purpose is. The joke I heard was that you could turn into Chernobyl, like that movie that's on Netflix, or Prime, I forget which show. Oh, it's on HBO actually, it's an HBO series where they were pressing buttons. They had no idea what was going on with the reactor, it blew up, and the rest is history. That's the metrics problem and challenge, isn't it? What's your thoughts on metrics? >> I agree, I'm not a fan of metrics. I don't think security programs should be either built or measured against metrics. I don't think metrics really provide too much detail behind any of that. Metrics are just there I think to provide a little bit of insight of where you could double-click and actually do a little bit more diligence, but they should not be measured, they should not be used to measure your program. I don't run my program on metrics. It's not like I'm escalating metrics, either, up to the board or anything like that. Providing relevant data and how that data impacts the business from a security perspective is how I like to escalate, not putting up, you know, charts or anything like that of what, you know, how many vulnerabilities were remediated. Guess what, you did your job. I don't want to put a metric up there that actually says, you know, something like that. I want to show some real value with some real data. >> So, what are you communicating to the board specifically? >> How we've integrated information security, the security program, into the workflow without slowing down the business. I think that's the key part, and how, security at the end of the day it's a culture change, right, and you are changing behavior, right? So, how you're able to do that without slowing down production, especially in technology companies, because you don't want to slow down that development pipeline, that's a key metric to put out there. >> Mm-hm. >> And we've been able to, you know, enable static and dynamic code analysis without slowing things down. Things are still getting to product at that time, or using container security for our infrastructure so that it takes that out of the developer's mind when they're actually building out a, you know, new environment, right? >> Digital transformation equations, people, process, technology. >> Totally. >> Heard that over and over, and it's cliche, but the people part, okay, you could get more people, totally agree, technology, plenty of tools and services, that's a huge opportunity, but the process is where the focus has been, and I heard a quote earlier on theCUBE today. It says, "Process is a reflection of your culture." >> True. >> And a lot of those cultures won't yield the process control to either CISOs or teams. Your thoughts to that comment and where that kind of goes. That's the key breakdown on digital transformation, isn't it? >> It is, it is. That is true, I think the one thing that CISOs need to remind themselves is when they introduce themselves to the organization they need to be a customer service organization. CISOs need to be available to the users and to the business, and offer their services as a partnership instead of as a mandate. I think that warms the waters a little bit for that behavioral change and that culture change so that process can change into the new, innovative way of actually pushing security as code and infrastructure as code as the new way of actually doing business. >> And success has got, is contagious. >> Totally. >> Like at Twistlock. You're advising that company. Boom. >> Yeah. Absolutely is contagious, and showing those type of examples actually throughout the business actually help, you know what I'm saying? Breaking down those old silos of security is viewed is important, right, so. >> You kind of implied before in the earlier days vendors sort of controlled the table. You were sort of beholden to their way of doing things. Steve Schmidt today made the statement that, you know, all the negative fear factor is not helping our industry. It really, the state of cloud security, anyway, is good, the union is strong. Do you agree with that and are there other things that vendors are doing that drive you crazy as a practitioner that they shouldn't be doing? >> So, two great questions. I think the first one, I think cloud security absolutely is, does exist, and it gives power back to the CISOs, so they can actually make more controlled decisions over their environment, you know, instead of being beholden to vendors. I think understanding the shared responsibility model between a company in the cloud is crucial for CISOs to make those decisions. >> Mm-hm. >> And I think for years that was misunderstood and that's why it took time, probably, to migrate to the cloud or to be born in the cloud initially, but I think once that's understood it empowers, you know, the CISOs and the technology organizations, I think that's one. On your second questions, I think everybody in the world has vendor fatigue. I think vendors, what drives me nuts about all of them is that they say they integrate with everything and that they're going to give me more visibility than before. Great, man, like that's what everybody's been doing for the past 20 years. They're giving me a lot of information. I want them to fix things, don't give me alerts. Don't give me alarms unless you're going to say, "Here's the alert, here's the alarm, "here's the automated script that you can "put into your environment to fix it." Knowing that every CISO in the world is starving for talent, we don't have the resource to double-click on that, due diligence, and write it, do it for me. I think vendors need to start innovating and stop doing the same thing that we've been doing for the past 20 years. >> So, you're seeing, furring from that is a lot of incrementalism, kind of taking safe bets, and really you're looking for a step function. >> Totally, I want vendors to take a more aggressive approach in their innovation, I don't want, so you're giving me more alerts that I've seen in different shapes, in different sizes from different vendors. Tell me how you're going to fix it, or fix it for me. That's what I really want, we need to push, we need to exceed that more from vendors, and look, since we're not getting it it's making us, or I'm happy to do it actually, is to start innovation. >> Do it. >> And doing it ourselves, right? >> Yeah. >> So, it, I'm investing more in resources, in talent, doing it that way-- >> Yeah. >> Instead of outsourcing and getting a vendor, so-- >> And that's a trend that's happening more and more. >> Totally. >> And that's an indictment on the community itself and the vendors. >> Yeah. >> Brian-- >> We need to exceed more from the vendors. >> Thanks so much for coming on. Great insights, profound commentary. Great to have CISOs on theCUBE, thanks for sharing. It's theCUBE's live coverage, Boston. I'm John Furrier with Dave Vellante. Day one of two days of CUBE coverage of the inaugural AWS re:Inforce conference, we'll be right back. (smooth music) People want to work for a mission--

>> From the SiliconANGLE Media office in Boston, Massachusetts, it's the cube. Now, here's your host, Dave Vellante. >> Hello everyone and welcome to this week's Wikibon cube insights powered by ETR. In this breaking analysis ahead of the RSA conference, we want to update you on the cyber security sector. This year's event is underlined by coronavirus fears, IBM has pulled out of the event and cited the epidemic as the reason and it's also brings to the front the sale of RSA by Dell to STG partners and private equity firm. Now in our last security drill down, we cited several mega trends in the security sector. These included the ever escalating sophistication of the attacker, the increased risk from the data economy, the expanded attack surface with the huge number of IP addresses that are that are exploding out there, and the lack of skills and the number of cyber tools that are coming to the market. Now, as you know, in these segments, we'd like to share insights from the cube. And I want you to listen to two American statesman and what they said, on The Cube. Here's general Keith Alexander, who's the former director of the NSA, along with Dr. Robert Gates, who's the former director of the CIA and former Secretary of Defense, play the clip. >> When you think about threats, you think about nation states, so you can go to Iran, Russia, China, North Korea, and then you think about criminal threats, and all the things like ransomware. Some of the nation state actors are also criminals at night, so they can use nation state tools and my concern about all the evolution of cyber threats is that the attacks are getting more destructive. >> I think cyber and the risks associated with cyber, and IT need to be a regular part of every board's agenda. >> So you hear General Alexander really underscore the danger, as well, Dr. Gates is articulating what we've said many times on the cube that cyber security is a board level agenda item. Now, the comments from both of these individuals represent what I would consider tailwinds for cyber technology companies. Now we're going to drill into some of those today. But it's not all frictionless. There are headwinds to in this market space, cloud migration, the shift from north south south to East West network traffic, its pressure traditional appliance based perimeter security solutions, increase complexity and lack of skills and other macro factors, including questions on ROI. CFO saying, hey, we spend all this cash, why aren't we more secure? Now, I want you to hear from two chief information security officers officers on both the challenges that they face and how they're dealing with them. Roll the clip. >> Lack of talent, I mean, we're starving for talent. Cybersecurity is the only field in the world with negative unemployment. We just don't have the actual bodies to actually fill the gaps that we have and in that lack of talent Cecil's are starving. >> I think that the public cloud offers us a really interesting opportunity to reinvent security right. So if you think about all of the technologies and processes and many of which are manual over the years, I think we have an opportunity to leverage automation to make our work easier in some ways. >> Now I featured Brian Lozada and Katie Jenkins before and breaking analysis segments, and you can hear it from the cyber leaders, we lack the talent, and cloud computing and automation are areas we're pursuing. So this challenges security companies to respond. But at the end of the day, companies have no no choice. In other words, organizations buying security solutions, the sophistication of the attacker is very high and the answer to my CFO and ROI is fear based. If you don't do this, you might lose billions in market cap. Now, I want you to take a listen to these cubilam talking about the attacker of sophistication and the importance of communication skills in order to fund cyber initiatives, really to keep up with the bad guys, please play the clip. >> The adversary is talented and they're patient, they're well funded okay, that's that's where it starts. And so, you know why why bring an interpreter to a host when there's already one there right? Why write all this complicated software distribution when I can just use yours. And so that's that's where the play the game starts. And and the most advanced threats aren't leaving footprints because the footprints already there, you know, they'll get on a machine and behaviorally they'll check the cash to see what's hot. And what's hot in the cash means that behaviorally, it's a fast they can go they're not cutting a new trail most of the time, right? So living off the land is not only the tools that they're using the automation, your automation they're using against you, but it's also behavioral. >> That's why the most the most important talent or skill that a security professional needs is communication skills. If you can't articulate technical risk into a business risk to fund your program, it's, you know, it's very hard for you to actually be successful in security. >> Now, the really insidious thing about what TK Keanini just said is the attackers are living off the land, meaning they're using your tools and your behaviors to sneak around your data unnoticed. And so as Brian Lozada said, as a security Pro, you need to be a great communicator in order to get the funding that you need to compete with the bad guys. Which brings me to the RSA conference. This is why you as a security practitioner attend, you want to learn more, you want to obtain new skills, you want to bring back ideas to the organization. Now one of the things I did to prepare for this segment is to read the RSA conference content agenda, which was co authored by Britta Glade and I read numerous blogs and articles about what to expect at the event and from all that I put together this word cloud, which conveys some of the key themes that I would expect you're going to hear at the shows. Look at skills jump right out, just like Brian was saying, the human element is going to be a big deal this year. IoT and the IT OT schism, everyone's talking about the Olympics, and seeing that as a watershed event for cyber, how to apply machine learning and AI is a big theme, as is cloud with containers and server less. phishing, zero trust and frameworks, framework for privacy, frameworks for governance and compliance, the 2020 election and weaponizing social media with deep fakes, and expect to hear a lot about the challenges of securing 5G networks, open source risks, supply chain risks, and of course, the need for automation. And it's no surprise there's going to be a lot of talk about cyber technology, the products and of course, the companies that sell them. So let's get into the market and unpack some of the ETR spending data and drill into some of these companies. The first chart I want to show you is spending on cyber relative to other initiatives. What this chart shows is the spending on cyber security highlighted in the green in relation to other sectors in the ETR taxonomy. Notice the blue dot. It shows the change in spending expected in 2020 versus 2019. Now, two points here. First, is that despite the top of my narrative that we always hear, the reality is that other initiatives compete for budget and you just can't keep throwing cash at the security problem. As I've said before, we spend like .014% percent of our global GDP on cyber, so we barely scratched the surface. The second point is there's there's there's a solid year on year growth quite high at 12% for a sector that's estimated at 100 to 150 billion dollars worldwide, according to many sources. Now let's take a look at some of the players in this space, who are going to be presenting at the RSA conference. You might remember to my 2020 predictions in that breaking analysis I focused on two ETR metrics, Net Score, which is a measure of spending velocity and Market Share, which measures pervasiveness in the data set. And I anointed nine security players as four star players. These were Microsoft, Cisco, Palo Alto Networks, Splunk, Proofpoint, Fortinet, Oka, Cyber Ark and CrowdStrike. What we're showing here is an update of that data with the January survey data. My four star companies were defined as those in the cyber security sector that demonstrate in both net scores or spending momentum, that's the left hand chart and market share or pervasiveness on the right hand chart. Within the top 22 companies, why did I pick 22? Well, seemed like a solid number and it fit nicely in the screen and allowed more folks. So a few takeaways here. One is that there are a lot of cyber security companies in the green from the standpoint of net score. Number two is that Fortinet and Cisco fell off the four star list because of their net scores. While still holding reasonably well, they dropped somewhat. Also, some other companies like Verona's and Vera code and Carbon Black jumped up on the net score rankings, but Cisco and Fortinet are still showing some strength in the market overall, I'ma talk about that. Cisco security businesses up 9% in the quarter, and Fortinet is breaking away from Palo Alto Networks from a valuation perspective, which I'm going to drill into a bit. So we're going to give Cisco and Fortinet two stars this survey period. But look at Zscaler. They made the cut this time their net score or spending momentum jumped from 38% last quarter to nearly 45% in the January survey, with a sizable shared in at 123. So we've added Zscaler to the four star list, they have momentum, and we're going to continue to watch that quarterly horse race. Now, I'd be remiss if I didn't point out that Microsoft continues to get stronger and stronger in many sectors including cyber. So that's something to really pay attention to. Okay, I want to talk about the valuations a bit. Valuations of cyber security space are really interesting and for reasons we've discussed before the market's hot right now, some people think it's overvalued, but I think the space is going to continue to perform quite well, relative to other areas and tech. Why do I say that? Because cyber continues to be a big priority for organizations, the software and annual recurring revenue contribution ARR continues to grow, M&A is going to continue to be robust in my view, which is going to fuel valuations. So Let's look at some of the public companies within cyber. What I've compiled in this chart is eight public companies that were cited as four star or two star firms, as I defined earlier, now ranked this by market value. In the columns, we show the market cap and trailing 12 month revenue in billions, the revenue multiple and the annual revenue growth. And I've highlighted Palo Alto Networks and Fortinet because I want to drill into those two firms, as there's a valuation divergence going on between those two names, and I'll come back to that in just a minute. But first, I want to make a few points about this data. Number one is there's definitely a proportional relationship between the growth rate and the revenue multiple or premium being paid for these companies. Generally growth ranges between one and a half to three times the revenue multiple being paid. CrowdStrike for example has a 39 x revenue multiple and is growing at 110%, so they're at the high end of that range with a growth at 2.8 times their revenue multiple today. Second, and related, as you can see a wide range of revenue multiples based on these growth rates with CrowdStrike, Okta and now Zscaler as the standouts in this regard. And I have to call at Splunk as well. They're both large, and they have high growth, although they are moving beyond, you know, security, they're going into adjacencies and big data analytics, but you you have to love the performance of Splunk. The third point is this is a lucrative market. You have several companies with valuations in the double digit billions, and many with multi billion dollar market values. Cyber chaos means cash for many of these companies, and, of course for their investors. Now, Palo Alto throw some of these ratios out of whack, ie, why the lower revenue multiple with that type of growth, and it's because they've had some execution issues lately. And this annual growth rate is really not the best reflection of the stock price today. That's really being driven by quarterly growth rates and less robust management guidance. So why don't we look into that a bit. What this chart shows is the one year relative stock prices of Palo Alto Networks in the blue and compared to Fortinet in the red. Look at the divergence in the two stocks, look at they traded in a range and then you saw the split when Palo Alto missed its quarter last year. So let me share what I think is happening. First, Palo Alto has been a very solid performance since an IPO in 2012. It's delivered more than four Rex returns to shareholders over that period. Now, what they're trying to do is cloud proof their business. They're trying to transition more to an AR model, and rely less on appliance centric firewalls, and firewalls are core part of the business and that has underperformed expectations lately. And you just take Legacy Tech and Cloud Wash and Cloud native competitors like Zscaler are taking advantage of this and setting the narrative there. Now Palo Alto Network has also had some very tough compares in 2019 relative to 2018, that should somewhat abate this year. Also, Palo Alto has said some execution issues during this transition, especially related to sales and sales incentives and aligning that with this new world of cloud. And finally, Palo Alto was in the process of digesting some acquisitions like Twistlock, PureSec and some others over the past year, and that could be a distraction. Fortinet on the other hand, is benefiting from a large portfolio refresh is capitalizing on the momentum that that's bringing, in fact, all the companies I listed you know, they may be undervalued despite, of all the company sorry that I listed Fortinet may be undervalued despite the drop off from the four star list that I mentioned earlier. Fortinet is one of those companies with a large solution set that can cover a lot of market space. And where Fortinet faces similar headwinds as Palo Alto, it seems to be executing better on the cloud transition. Now the last thing I want to share on this topic is some data from the ETR regression testing. What ETR does is their data scientists run regression models and fit a linear equation to determine whether Wall Street earnings consensus estimates are consistent with the ETR spending data, they started trying to line those up and see what the divergence is. What this chart shows is the results of that regression analysis for both Fortinet and Palo Alto. And you can see the ETR spending data suggests that both companies could outperform somewhat expectations. Now, I wouldn't run and buy the stock based on this data as there's a lot more to the story, but let's watch the earnings and see how this plays out. All right, I want to make a few comments about the sale of the RSA asset. EMC bought RSA for around the same number, roughly $2 billion that SDG is paying Dell. So I'm obviously not impressed with the return that RSA has delivered since 2006. The interesting takeaway is that Dell is choosing liquidity over the RSA cyber security asset. So it says to me that their ability to pay down debt is much more important to Dell and their go forward plan. Remember, for every $5 billion that Dell pays down in gross debt, it dropped 25 cents to EPS. This is important for Dell to get back to investment grade debt, which will further lower its cost. It's a lever that Dell can turn. Now and also in thinking about this, it's interesting that VMware, which the member is acquiring security assets like crazy and most recently purchased carbon black, and they're building out a Security Division, they obviously didn't paw on the table fighting to roll RSA into that division. You know maybe they did in the financial value of the cash to Dell was greater than the value of the RSA customers, the RSA product portfolio and of course, the RSA conference. But my guess is Gelsinger and VMware didn't want the legacy tech. Gelsinger said many times that security is broken, it's his mission to fix it or die trying. So I would bet that he and VMware didn't see RSA as a path to fixing security, it's more likely that they saw it as a non strategic shrinking asset that they didn't want any part of. Now for the record, and I'm even won't bother showing you the the data but RSA and the ETR data set is an unimpressive player in cyber security, their market share or pervasiveness is middle of the pack, so it's okay but their net score spending velocities in the red, and it's in the bottom 20th percentile of the data set. But it is a known brand, certainly within cyber. It's got a great conference and it's been it's probably better that a PE company owns them than being a misfit toy inside of Dell. All right, it's time to summarize, as we've been stressing in our breaking analysis segments and on the cube, the adversaries are very capable. And we should expect continued escalation. Venture capital is going to keep pouring into startups and that's going to lead to more fragmentation. But the market is going to remain right for M&A With valuations on the rise. The battle continues for best of breed tools from upstarts like CrowdStrike and Okta and Zscaler versus sweets from big players like Cisco, Palo Alto Networks and Fortinet. Growth is going to continue to drive valuations. And so let's keep our eyes on the cloud, remains disruptive and for some provides momentum for others provides friction. Security practitioners will continue to be well paid because there's a skill shortage and that's not going away despite the push toward automation. Got in talk about machine intelligence but AI and ML those tools, there are two edged sword as bad actors are leveraging installed infrastructure, both tools and behaviors to so called live off the land, upping the stakes in the arms race. Okay, this is Dave Vellante for Wikibon's CUBE Insights powered by ETR. Thanks for watching this breaking analysis. Remember, these episodes are all available as podcasted Spotfire or wherever you listen. Connect with me at david.vellante at siliconangle.com, or comment on my LinkedIn. I'm @dvellante on Twitter. Thanks for watching everybody. We'll see you next time. (upbeat music).

>> From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Dave Vellante. >> Hello, everyone, and welcome to this week's Cube Insights, powered by ETR. Today is November 8, 2019 and I'd like to address one of the most important topics in the minds of a lot of executives. I'm talking about CEOs, CIOs, Chief Information Security Officers, Boards of Directors, governments and virtually every business around the world. And that's the topic of cyber security. The state of cyber security has changed really dramatically over the last 10 years. I mean, as a cyber security observer I've always been obsessed with Stuxnet, which the broader community discovered the same year that theCUBE started in 2010. It was that milestone that opened my eyes. Think about this. It's estimated that Stuxnet cost a million dollars to create. That's it. Compare that to an F-35 fighter jet. It costs about $85-$100 million to build one. And that's on top of many billions of dollars in R&D. So Stuxnet, I mean, it hit me like a ton of bricks. That the future of war was all about cyber, not about tanks. And the barriers to entry were very, very low. Here's my point. We've gone from an era where thwarting hacktivists was our biggest cyber challenge to one where we're now fighting nation states and highly skilled organized criminals. And of course, cyber crime and monetary theft is the number one objective behind most of these security breaches that we see in the press everyday. It's estimated that by 2021 cyber crime is going to cost society $6 trillion in theft, lost productivity, recovery costs. I mean, that's just a staggeringly large number. It's even hard to fathom. Now, the other C-change is how organizations have had to respond to the bad guys. It used to be pretty simple. I got a castle and the queen is inside. We need to protect her, so what do we do? We built a mote, put it around the perimeter. Now, think of the queen as data. Well, what's happened? The queen has cloned herself a zillion times. She's left the castle. She's gone up to the sky with the clouds. She's gone to the edge of the kingdom and beyond. She's also making visits to machines and the factories and hanging out with the commoners. She's totally exposed. Listen, by 2020, there's going to be hundreds of billions of IP addresses. These are going to be endpoints and phones, TVs, cameras, tablets, automobiles, factory machines, and all these represent opportunities for the bad guys to infiltrate. This explosion of endpoints that I'm talking about is created massive exposures, and we're seeing it manifest itself in the form of phishing, malware, and of course the weaponization of social media. You know, if you think that 2016 was nuts, wait 'til you see how the 2020 presidential election plays out. And of course, there's always the threat of ransomware. It's on everybody's minds these days. So I want to try to put some of this in context and share with you some insights that we've learned from the experts on theCUBE. And then let's drill into some of the ETR data and assess the state of security, the spending patterns. We're going to try to identify some of those companies with momentum and maybe some of those that are a little bit exposed. Let me start with the macro and the challenged faced by organization and that's complexity. Here's Robert Herjavec on theCUBE. Now, you know him from the Shark Tank, but he's also a security industry executive. Herjavec told me in 2017 at the Splunk.com Conference that he thought the industry was overly complex. Let's take a look and listen. >> I think that the industry continues to be extremely complicated. There's a lot of vendors. There's a lot of products. The average Fortune 500 company has 72 security products. There's a stat that RSA this year, that there's 1500 new security start-ups every year. Every single year. How are they going to survive? And which ones do you have to buy because they're critical and provide valuable insights? And which ones are going to be around for a year or two and you're never going to hear about again? So it's a extremely challenging complex environment. >> So it's that complexity that had led people like Pat Gelsinger to say security is a do-over, and that cyber security is broken. He told me this years ago on theCUBE. And this past VM World we talked to Pat Gelsinger and remember, VMware bought Carbon Black, which is an endpoint security specialist, for $2.1 billion. And he said that he's basically creating a cloud security division to be run by Patrick Morley, who is the Carbon Black CEO. Now, many have sort of questioned and been skeptical about VMware's entrance into the space. But here's a clip that Pat Gelsinger shared with us on theCUBE this past VM World. Let's listen and we'll come back and talk about it. >> And this move in security, I am just passionate about this, and as I've said to my team, if this is the last I do in my career is I want to change security. We just not are satisfying our customers. They shouldn't put more stuff on our platforms. >> National defense issues, huge problems. >> It's just terrible. And I said, if it kills me, right, I'm going to get this done. And they says, "It might kill you, Pat." >> So this brings forth an interesting dynamic in the industry today. Specifically, Steven Smith, the CISO of AWS, at this year's Reinforce, which is their security conference, Amazon's big cloud security conference, said that this narrative that security is broken, it's just not true, he said. It's destructive and it's counterproductive. His and AWS's perspective is that the state of cloud security is actually strong. Kind of reminded me of a heavily messaged State of the Union address by the President of the United States. At the same time, in many ways, AWS is doing security over. It's coming at it from the standpoint of a clean slate called cloud and infrastructure as a surface. Here's my take. The state of security in this union is not good. Every year we spend more, we lose more, and we feel less safe. So why does AWS, the security czar, see if differently? Well, Amazon uses this notion of a shared responsibility security model. In other words, they secure the S3 buckets, maybe the EC2 infrastructure, not maybe, the EC2 infrastructure. But it's up to the customer to make sure that she is enforcing the policies and configuring systems that adhere to the EDIX of the corporation. So I think the shared security model is a bit misunderstood by a lot of people. What do I mean by that? I think sometimes people feel like well, my data's in the cloud, and AWS has better security than I do. Here I go, I'm good. Well, AWS probably does have better security than you do. Here's the problem with that. You still have all these endpoints and databases and file servers that you're managing, and that you have to make sure comply with your security policies. Even if you're all on the cloud, ultimately, you are responsible for securing your data. Let's take a listen to Katie Jenkins, the CISO of Liberty Mutual, on this topic and we'll come back. >> Yeah, so the shared responsibility model is, I think that's an important speaking point to this whole ecosystem. At the end of the day, Liberty Mutual, our duty is to protect policyholder data. It doesn't matter if it's in the cloud, if it's in our data centers, we have that duty to protect. >> It's on you. >> All right, so there you have it from a leading security practitioner. The cloud is not a silver bullet. Bad user behavior is going to trump good security every time. So unfortunately the battle goes on. And here's where it gets tricky. Security practitioners are drowning in a sea of incidents. They have to prioritize and respond to, and as you heard Robert Herjavec say, the average large company has 75 security products installed. Now, we recently talked to another CISO, Brian Lozada, and asked him what's the number one challenge for security pros. Here's what he said. >> Lack of talent. I mean, we're starving for talent. Cyber security's the only field in the world with negative unemployment. We just don't have the actual bodies to actually fill the gaps that we have. And in that lack of talent CISOs are starving. We're looking for the right things or tools to actually patch these holes and we just don't have it. Again, we have to force the industry to patch all of those resource gaps with innovation and automation. I think CISOs really need to start asking for more automation and innovation within their programs. >> So bottom line is we can't keep throwing humans at the problem. Can't keep throwing tools at the problem. Automation is the only way in which we're going to be able to keep up. All right, so let's pivot and dig in to some of the ETR data. First, I want to share with you what ETR is saying overall, what their narrative looks like around spending. So in the overall security space, it's pretty interesting what ETR says, and it dovetails into some of the macro trends that I've just shared with you. Let's talk about CIOs and CISOs. ETR is right on when they tell me that these executives no longer have a blank check to spend on security. They realize they can't keep throwing tools and people at the problem. They don't have the bodies, and as we heard from Brian Lozada. And so what you're seeing is a slowdown in the growth, somewhat of a slowdown, in security spending. It's still a priority. But there's less redundancy. In other words, less experimentation with new vendors and less running systems in parallel with legacy products. So there's a slowdown adoption of new tools and more replacement of legacy stuff is what we're seeing. As a result, ETR has identified this bifurcation between those vendors that are very well positioned and those that are losing wallet share. Let me just mention a few that have the momentum, and we're going to dig into this data in more detail. Palo Alto Networks, CrowdStrike, Okta, which does identity management, Cisco, who's coming at the problem from its networking strength. Microsoft, which recently announced Sentinel for Azure. These are the players, and some of them that are best positioned, I'll mention some others, from the standpoint spending momentum in the ETR dataset. Now, here's a few of those that are losing momentum. Checkpoint, SonicWall, ArcSight, Dell EMC, which is RSA, is kind of mixed. We'll talk about that a little bit. IBM, Symantec, even FireEye is seeing somewhat higher citations of decreased spending in the ETR surveys and dataset. So there's a little bit of a cause for concern. Now, let's remember the methodology here. Every quarter ETR asks are you green, meaning adopting this vendor as new or spending more? Are you neutral, which is gray, are you spending the same? Or are you red, meaning that you're spending less or retiring? You subtract the red from the green and you get what's called a net score. The higher the net score, the better. So here's a chart that shows a ranking of security players and their net scores. The bars show survey data from October '18, July '19, and October '19. In here, you see strength from CrowdStrike, Okta, Twistlock, which was acquired by Palo Alto Networks. You see Elastic, Microsoft, Illumio, the core, Palo Alto Classic, Splunk looking strong, Cisco, Fortinet, Zscaler is starting to show somewhat slowing net score momentum. Look at Carbon Black. Carbon Black is showing a meaningful drop in net score. So VMware has some work to do. But generally, the companies to the left are showing spending momentum in the ETR dataset. And I'll show another view on net score in a moment. But I want to show a chart here that shows replacement spending and decreased spending citations. Notice the yellow. That's the ETR October '19 survey of spending intentions. And the bigger the yellow bar, the more negative. So Sagar, the director of research at ETR, pointed this out to me, that, look at this. There are about a dozen companies where 20%, a fifth of the customer base is decreasing spend or ripping them out heading into the year end. So you can see SonicWall, CA, ArcSight, Symantec, Carbon Black, again, a big negative jump. IBM, same thing. Dell EMC, which is RSA, slight uptick. That's a bit of a concern. So you can see this bifurcation that ETR has been talking about for awhile. Now, here's a really interesting kind of net score. What I'm showing here is the ETR data sorted by net score, again, higher is better, and shared N, which is the number of shared accounts in the survey, essentially the number of mentions in that October survey with 1,336 IT buyers responded. So how many of that 1,300 identified these companies? So essentially it's a proxy for the size of the install base. So showing up on both charts is really good. So look, CrowdStrike has a 62% net score with a 133 shared account. So a fairly sizable install base and a very high net score. Okta, similar. Palo Alto Networks and Splunk, both large, continue to show strength. They got net scores of 44% and 313 shared N. Fortinet shows up in both. Proofpoint. Look at Microsoft and Cisco. With 521 and 385 respectively on the right hand side. So big install bases with very solid net scores. Now look at the flip side. Go down to the bottom right to IBM. 132 shared accounts with a 14.4% net score. That's very low. Check Point similarly. Same with Symantec. Again, bifurcation that ETR has been citing. Really stark in this chart. All right, so I want to wrap. In some respects from a practitioner perspective, the sky erectus is falling. You got increased attack surface. You've got exploding number of IP addresses. You got data distributed all over the place, tool creep. You got sloppy user behavior, overwork security op staff, and a scarcity of skills. And oh, by the way, we're all turning into a digital business, which is all about data. So it's a very, very dangerous time for companies. And it's somewhat chaotic. Now, chaos, of course, can mean cash for cyber security companies and investors. This is still a very vibrant space. So just by the way of comparison and looking at some of the ETR data, check this out. What I'm showing is companies in two sectors, security and storage, which I've said in previous episodes of breaking analysis, storage, and especially traditional storage disk arrays are on the back burner spending wise for many, many shops. This chart shows the number of companies in the ETR dataset with a net score greater than a specific target. So look, security has seven companies with a 49% net score or higher. Storage has one. Security has 18 above 39%. Storage has five. Security has 31 companies in the ETR dataset with a net score higher than 30%. Storage only has nine. And I like to think of 30% as kind of that the point at which you want to be above that 30%. So as you can see, relatively speaking, security is an extremely vibrant space. But in many ways it is broken. Pat Gelsinger called it a do-over and is affecting a strategy to fix it. Personally, I don't think one company can solve this problem. Certainly not VMware, or even AWS, or even Microsoft. It's too complicated, it's moving too fast. It's so lucrative for the bad guys with very low barriers to entry, as I mentioned, and as the saying goes, the good guys have to win every single day. The bad guys, they only have to win once. And those are just impossible odds. So in my view, Brian Lozada, the CISO that we interviewed, nailed it. The focus really has to be on automation. You know, we can't just keep using brute force and throwing tools at the problem. Machine intelligence and analytics are definitely going to be part of the answer. But the reality is AI is still really complicated too. How do you operationalize AI? Talk to companies trying to do that. It's very, very tricky. Talk about lack of skills, that's one area that is a real challenge. So I predict the more things change the more you're going to see this industry remain a game of perpetual whack a mole. There's certainly going to be continued consolidation, and unquestionably M&A is going to be robust in this space. So I would expect to see continued storage in the trade press of breaches. And you're going to hear scare tactics by the vendor community that want to take advantage of the train wrecks. Now, I wish I had better news for practitioners. But frankly, this is great news for investors if they can follow the trends and find the right opportunities. This is Dave Vellante for Cube Insights powered by ETR. Connect with me at David.Vellante@siliconangle.com, or @dvellante on Twitter, or please comment on what you're seeing in the marketplace in my LinkedIn post. Thanks for watching. Thank you for watching this breaking analysis. We'll see you next time. (energetic music)