Brian Lozada, Dataminr | AWS re:Inforce 2019
>> Brought to you by Amazon Web Services and its ecosystem partners. (smooth music)
>> Okay, welcome back everyone. This is theCUBE's live coverage in Boston, Massachusetts. I'm John Furrier with Dave Vellante at AWS, Amazon Web Services' inaugural conference called re:Inforce. This is the first conference that Amazon Web Services is putting on around security, and we've got a great guest, we've got CISO, Brian Lozada, CISO for Dataminr, also on the advisory board for Twistlock, which was recently purchased by, well, intent to purchase by Palo Alto Networks, really cracked the code on DevSecOps, scaling up. Great to have you on, thanks for coming on.
>> No, thanks for the opportunity.
>> Love getting down and dirty and talking to CISOs, because you know, besides the, you know, which regime controls security, which is always evolving, a lot of the state-of-the-art activity going on in the security sector. Clearly the path of catching up to the DevOps Agility has been the big focus.
>> It absolutely has. As innovation has been, you know, really pushed forward with cloud I think security's had to catch up and really start pushing towards innovation, looking at ways that we could be disruptive in the space with solving these problems that, look, CISOs, we've been facing this for 20 years and we're putting old technology at the same problem trying to fix it. Now that there's new services, you know, new emerging technology with cloud, we should be taking advantage of that and innovating ourselves in the security--
>> Brian, what's the most important story that should be told, or is being told, or isn't being told that needs to be told and covered by the media when it comes to the security industry, what's your view on this?
>> The lack of talent, I mean, we're starving for talent. Cyber security's the only field in the world with negative unemployment. We just don't have the actual bodies to actually fill the gaps that we have, and in that lack of talent CISOs are starving. We're looking for the right things that, or tools to actually patch these holes and we just don't have it. Again, we have to force the industry to patch all of those resource gaps with innovation and automation. I think CISOs really need to start asking for more automation and innovation within their programs.
>> It's a multidimensional challenge. I want to just get your thoughts on it. I mean, what pops into my head when you say that, I think "Oh, entrepreneurial." I'm an entrepreneur, it's like, "Oh, I can start a company." So, one, build something.
>> Yeah.
>> Build a tool, or work for a company, be talent within an enterprise, and then three, you know, be part of that, you know, game changing ecosystem community and do something.
>> Yeah, how about all three, right? You could do all three, right? Like, I think security can't be thought of as that arm to go check things anymore. I think security needs to be thought of as that arm that pushes innovation forward and helps the business, you know, move forward. We need to be business enablers, and the only way we're going to do it is by building something, like by shortening up the time to actually get code out there or get products out there.
>> So, I want to dig into some of the Dataminr stuff we were just chatting about before we came on camera, but I do want to dig into Twistlock because I think, you know, you've been an advisor, you've seen that journey from day one, from seed financing to now where they're, you know, exiting to a large company. The success has been, very short period of time, only a couple years, five years or so, magic happens, it's a good thing. What happened, what's the story there? (chuckles) I mean, what's--
>> They found.
>> Why so successful?
>> Well, they found the gap. They found the gap that everybody's facing is the lack of talent to actually solve all of these issues with automation, and they helped fill that gap and fill it pretty quickly, right? So, I think it went from selling to taking orders very quickly because they actually helped solve a lot of, give visibility and put more security into actual the, you know, cloud-based platforms, and it helps companies modernize their tech stack quickly, right? That's what we're all about is pushing things out quickly, and to do it with security in mind.
>> If you look at a typical budget pie in IT it's usually about two-thirds people. You know, one-third, you know, hardware, software, services. Is it the same in your world, or is it different?
>> Depends on the industry and it depends on the company. Some companies don't put security as that much of a focus, so sometimes you are trying to get those dollars to actually fund your program, others it just depends on the risk, right, how the company's--
>> Well, if it's financial services they'll throw it in, no problem.
>> Oh, they'll throw, you know, financial services will totally, totally do it, but if it's an industry or a company that hasn't had security in there and you're evangelizing security, hey, the first six, eight months you're going to be struggling for that budget. You're going to have to, you know, have that articulation that you, you know, speak on technical risk into business risk so you can fund your program, right? That's why the most important talent or skill that a security professional needs is communication skills. If you can't articulate technical risk into a business risk to fund your program, it's, you know, it's very hard for you to actually be successful in security.
>> So, you speak wallet and geek, is that what...
>> You have to. (chuckles) I think, yeah, (laughs) I think wallet and geek is definitely, it's a required skill in this space, probably more and more than others, right? The other thing is security, you can actually see how it equates to dollars, too, right?
>> So, to whom are you speaking wallet, line of business, CEO, C-suite, CFO?
>> I think it's definitely going to be up to C-suite. I think in more mature organizations you're going to get to the product line. You're going to get, you know, security into that product aspect, so as products are starting to be developed, those product managers and that product line can start funding their own security within that product development, right, and you need to have that communication style so that you can push that initiative through that product line. So, maturity-wise you'll get there, but I think initially it has to start at that C-suite at the board level.
>> And how does that conversation start and what's the flow like, what's the key message that you're getting across?
>> You have to talk about risk to that product line. Where's the risk that you can articulate to them and say if this product is impacted in this way, this is the damage to the brand, you know, financial, or financial damage. Once they see that and they can absolutely put dollars next to it, it'll absolutely help them fund that program when it comes to security.
>> And you spend time quantifying that.
>> You have to.
>> Is that right?
>> Yeah, you absolutely have to. Everything nowadays needs to be quantified so you can put the appropriate amount of resources towards it, both in human capital and financial, right?
>> How do you make that argument credible? Is it based on experience, you pull in different data sources from lines of business?
>> It's different data sources. You've definitely got to leverage your experience, but it's looking at data lifecycle, where that data's being stored, processed, transmitted, the risk to losing it, and then quantify that type of data. There's different levels of sensitivity to data, right? Certain data, like you take a hit on your website, just the brochure site versus transactional data, different risk levels, different, you know, different impact to the brand, to the company.
>> So, you're taking a portfolio view--
>> Absolutely.
>> Weighing different values.
>> Totally, you have to.
>> And helping people understand where to put their bill.
>> Yep.
>> So, the CISO, the CIO, they care about production, what's in production, also on the DevOps ethos you've got Agility, you've got hackathons, so you have the kind of the cultural shift, so how do they mitigate the risk, from your standpoint how do you view this, and what do other CISOs think, because you want to foster that creativity to get that incubating going for new ideas, hackathons for instance, great tactic in the DevOps community. We're seeing that now happen in security--
>> Totally.
>> Where the people who are close to the action are getting involved in a very DevOps way, but they're kind of not getting sanctioned clearance from the boss, but that's the production side, so again, Ops, different. How is that migration or transition between I've got a hackathon, this feature that if we roll this out this could really help us with our visibility into threats or better quality alerts. I'm just making that up, but you see where innovation's going to come from, at the same time dealing with all the other pillars of the compliance, and audit, and security, and blah, blah, blah, all that stuff that's in production. How do CISOs deal with this?
>> So, it's taking a view, look, a risk-based approach to that entire lifecycle and seeing where is the biggest risk, and then to fix that risk where the gap is and to get into that innovation piece. At my previous company we developed what's called security as code. We had a big gap that we were finding a lot of issues out there with our environment that we were finding three and four days after they were actually rolled out, so we were able to take advantage of AWS services so that we could actually get visibility live, and then we did it we actually remediated the issues with Lambda functions, right? That was innovation, we were able to do it. Now, convincing DevOps to put it into production, that took some time as well, but it was that partnership and showing them we're not going to be bothering you.
>> Ballpark timeframe--
>> Yep.
>> Ballpark a timeframe to invention, innovation to selling it through to production, ballpark?
>> Maybe a month.
>> What's the difference between infrastructure as code and security as code?
>> So, infrastructure as code is you're putting out the environment, you're creating that VPC, you're setting up the routes. Security as code, what we're calling security as code is that it finds an issue with that environment and it automatically fixes it with a Lambda function or something like that, right? So, it could find the vulnerability, it knows what the fix is, and it automatically goes and fixes it. That's the benefit of cloud, immutable technology. You can fix things pretty quickly.
>> Yeah.
>> Well, let's, now that we have that ability, let's innovate on security so that we do do those fixes instead of waiting days for it to come back.
>> And the secret sauce for that comes from what?
>> Developing--
>> Homegrown math, doing.
>> Homegrown, homegrown.
>> No problem.
>> You have, like the, I think cloud has allowed emerging technology and security to get back into being innovative and not just coming in to protect or to have visibility. Like security engineers are now saying, "Now we can create," right? AWS has that, the logo, what is their motto, "Build on," right, well that should apply to security practitioners as well. We should be building just as quickly as developers.
>> And by the way, the old model was hire a firm to come in, buy a product.
>> Totally, yes.
>> Now what you're saying is let's code up some security.
>> Let's do it ourselves.
>> Because the practitioners are close to the action--
>> Absolutely.
>> They have the innovative device, doesn't take a lot of time to whip something up, find the discovery...
>> And do it. And the other thing is we spent years buying tools, buying tools, buying tools. Tools were built to solve one use case. Who knows better their environment than CISOs that are working in it, right? So, let's build tools that our customers--
>> It's like a tool shed, open up the doors, like "I bought that 10 years ago. We're still amortizing that." It's like there's too many tools.
>> Too many tools, so let's build what's appropriate for the environment based on our knowledge, right, of being working in it.
>> Describe a great day for a security practitioner.
>> (chuckles) A great day is that I don't get called at two in the morning, right? I think every day is a great day in security, and I'm going to tell you why, because it's growing so quickly I think organizations are starting to realize the value of security, that security is a value prop to a customer or to a client. They like to see security being baked into the products, so I think it is good for security to see it grow. I love to see that AWS has now invested in re:Inforce. I think it was about time. I had been going to re:Invent for, I don't know, maybe four or five years now, and I saw that grow and it was absolutely time for this, so--
>> It's interesting--
>> It's good.
>> You hear the chatter, you hear the chatter also around security not, not just being not being a call center and being strategic, which clearly it is, because one breach and you go out of business, that's a business model problem. But as a revenue generator, seeing a trend now--
>> Totally.
>> Of people who are building in-house because they have their own problems are taking the Amazon playbook. Do it for yourself first and then expose that out as a service--
>> Totally.
>> With Marketplace. Dave McCann's kicking butt over there. He's got services, so the idea is that if people have a good foundation you're just buying services.
>> Totally.
>> Not tools.
>> Yep, and investing in and buying services, not tools, and then pushing those, your resources and your talent to actually be creative and innovative, and be just as hungry when they see new services come out. I love when developers come up to us and say, "There's this new service that's going to launch tomorrow, AWS is. Can I mess around with it?" Can I throw, like I like to see that because then we can get insight into it and say yes, right? Fear is a greater threat to progress than hardship. I don't want my developers to have fear. I want them to feel, "Security team's got my back." The platform has the--
>> Yeah.
>> ability to visualize it, so let's move forward with that.
>> So, let's talk about fear, uncertainty, and doubt, AKA FUD.
>> FUD, yeah.
>> All right. So, it used to be that the suppliers would put FUD onto the customer saying, "No, don't buy that other product." You could, you know, use that fear. It's now flipping around with CISOs, you know, the way we're hearing that one of the mandates is to get the supplier count from hundreds to single or double digits, and so the fear is being pushed back out, saying if you don't have this kind of stack integration, this kind of API support, you're not going to be a vendor.
>> Yeah.
>> This is shifting.
>> You agree?
>> 1000% agree. I think we needed to, like we should not have taken our tempo for so many years from vendors. They were dictating our programs at that particular point. Now we can take control of our program, saying we don't want to partner with you if you don't integrate with the way we've built our program, that we know our environment, right? So, I think we're taking a little bit more control of our destiny and our platforms versus just taking the tempo from vendors.
>> And the key here is having that platform built--
>> Absolutely.
>> To start thinking through the critical thinking around tech stack, purpose, and this is their shift, this is what, and some families aren't there yet. They, because they have to build it up.
>> They have to build it up, and--
>> How long does it take to do that?
>> The most important thing to build that up, talent. Look, you're only as good as the talent you have. If you don't have the talent to build that platform up you're going to be stuck in that vendor loop forever. I mean--
>> Had a CISO saying to me privately, "Love multi-cloud, love the vision, but honestly I'm not investing in Diamond multi-cloud until I get my team on one cloud, and I'll use secondary clouds for, you know, either rollover, backup, or some other point feature, or inherited workload through an M&A or other project. No big deals, shadow IT, but in terms of my talent I don't want to have three different teams. I want one team to build the stack and continue to think about automation, then we'll get to multi-cloud when it's ready." Your thoughts to that.
>> I 1000% agree. I think that we need to get one cloud right first before we start thinking about putting our talent, our limited talent resources, again, everybody's starving for talent, into investigating and remediating other cloud issues. I think you definitely have to get one thing right first before moving over. I do think, though, that the time's going to come where there's going to be a lot of companies doing, you know, production workloads in multiple clouds. I, you know, I'm actually eager to see that day, and see it publicly and see how it's being managed, right?
>> Well, the one who cracks that nut is going to win a big lottery ticket.
>> Oh, totally, totally.
>> Metrics. I want to quickly defrost on metrics. Metrics is something that if you, if you, if you serve the metrics master too hard you could actually miss out on what your real purpose is. The joke I heard was that you could turn into Chernobyl, like that movie that's on Netflix, or Prime, I forget which show. Oh, it's on HBO actually, it's an HBO series where they were pressing buttons. They had no idea what was going on with the reactor, it blew up, and the rest is history. That's the metrics problem and challenge, isn't it? What's your thoughts on metrics?
>> I agree, I'm not a fan of metrics. I don't think security programs should be either built or measured against metrics. I don't think metrics really provide too much detail behind any of that. Metrics are just there I think to provide a little bit of insight of where you could double-click and actually do a little bit more diligence, but they should not be measured, they should not be used to measure your program. I don't run my program on metrics. It's not like I'm escalating metrics, either, up to the board or anything like that. Providing relevant data and how that data impacts the business from a security perspective is how I like to escalate, not putting up, you know, charts or anything like that of what, you know, how many vulnerabilities were remediated. Guess what, you did your job. I don't want to put a metric up there that actually says, you know, something like that. I want to show some real value with some real data.
>> So, what are you communicating to the board specifically?
>> How we've integrated information security, the security program, into the workflow without slowing down the business. I think that's the key part, and how, security at the end of the day it's a culture change, right, and you are changing behavior, right? So, how you're able to do that without slowing down production, especially in technology companies, because you don't want to slow down that development pipeline, that's a key metric to put out there.
>> Mm-hm.
>> And we've been able to, you know, enable static and dynamic code analysis without slowing things down. Things are still getting to product at that time, or using container security for our infrastructure so that it takes that out of the developer's mind when they're actually building out a, you know, new environment, right?
>> Digital transformation equations, people, process, technology.
>> Totally.
>> Heard that over and over, and it's cliche, but the people part, okay, you could get more people, totally agree, technology, plenty of tools and services, that's a huge opportunity, but the process is where the focus has been, and I heard a quote earlier on theCUBE today. It says, "Process is a reflection of your culture."
>> True.
>> And a lot of those cultures won't yield the process control to either CISOs or teams. Your thoughts to that comment and where that kind of goes. That's the key breakdown on digital transformation, isn't it?
>> It is, it is. That is true, I think the one thing that CISOs need to remind themselves is when they introduce themselves to the organization they need to be a customer service organization. CISOs need to be available to the users and to the business, and offer their services as a partnership instead of as a mandate. I think that warms the waters a little bit for that behavioral change and that culture change so that process can change into the new, innovative way of actually pushing security as code and infrastructure as code as the new way of actually doing business.
>> And success has got, is contagious.
>> Totally.
>> Like at Twistlock. You're advising that company. Boom.
>> Yeah. Absolutely is contagious, and showing those type of examples actually throughout the business actually help, you know what I'm saying? Breaking down those old silos of how security is viewed is important, right, so.
>> You kind of implied before in the earlier days vendors sort of controlled the table. You were sort of beholden to their way of doing things. Steve Schmidt today made the statement that, you know, all the negative fear factor is not helping our industry. It really, the state of cloud security, anyway, is good, the union is strong. Do you agree with that and are there other things that vendors are doing that drive you crazy as a practitioner that they shouldn't be doing?
>> So, two great questions. I think the first one, I think cloud security absolutely is, does exist, and it gives power back to the CISOs, so they can actually make more controlled decisions over their environment, you know, instead of being beholden to vendors. I think understanding the shared responsibility model between a company and the cloud is crucial for CISOs to make those decisions.
>> Mm-hm.
>> And I think for years that was misunderstood and that's why it took time, probably, to migrate to the cloud or to be born in the cloud initially, but I think once that's understood it empowers, you know, the CISOs and the technology organizations, I think that's one. On your second question, I think everybody in the world has vendor fatigue. I think vendors, what drives me nuts about all of them is that they say they integrate with everything and that they're going to give me more visibility than before. Great, man, like that's what everybody's been doing for the past 20 years. They're giving me a lot of information. I want them to fix things, don't give me alerts. Don't give me alarms unless you're going to say, "Here's the alert, here's the alarm, here's the automated script that you can put into your environment to fix it." Knowing that every CISO in the world is starving for talent, we don't have the resource to double-click on that, due diligence, and write it, do it for me. I think vendors need to start innovating and stop doing the same thing that we've been doing for the past 20 years.
>> So, you're seeing, inferring from that, is a lot of incrementalism, kind of taking safe bets, and really you're looking for a step function.
>> Totally, I want vendors to take a more aggressive approach in their innovation, I don't want, so you're giving me more alerts that I've seen in different shapes, in different sizes from different vendors. Tell me how you're going to fix it, or fix it for me. That's what I really want, we need to push, we need to exceed that more from vendors, and look, since we're not getting it it's making us, or I'm happy to do it actually, is to start innovation.
>> Do it.
>> And doing it ourselves, right?
>> Yeah.
>> So, it, I'm investing more in resources, in talent, doing it that way--
>> Yeah.
>> Instead of outsourcing and getting a vendor, so--
>> And that's a trend that's happening more and more.
>> Totally.
>> And that's an indictment on the community itself and the vendors.
>> Yeah.
>> Brian--
>> We need to exceed more from the vendors.
>> Thanks so much for coming on. Great insights, profound commentary. Great to have CISOs on theCUBE, thanks for sharing. It's theCUBE's live coverage, Boston. I'm John Furrier with Dave Vellante. Day one of two days of CUBE coverage of the inaugural AWS re:Inforce conference, we'll be right back. (smooth music)
People want to work for a mission--