
Rich Baich, Wells Fargo & Jason Cook, The Chertoff Group | Security in the Board Room


(clicking)
>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto, California at the Chertoff event. It's called Security in the Boardroom and it's really about elevating the security conversation beyond the IT folks and the security folks out in the application space and out on the edge, and really, what's the conversation going on at the boardroom, 'cause it's an important conversation, and one you want to have before your name shows up in the Wall Street Journal on a Monday morning for not all the right reasons. So we're excited to have a real practitioner, Rich Baich. He's the chief information security officer for Wells Fargo. Welcome, Rich. And in the company of Jason Cook, who's the managing director with the Chertoff Group. Great to see you, Jason. So we talked a little bit off camera, Rich. You've been in a lot of different seats in this game, from consulting to now you're at Wells Fargo, and a few more that you ripped through, but I can't remember them all. From your perspective, integrating this multi-dimensional approach, how do you see this conversation changing at the boardroom?
>> Well, I think most importantly, the board is a topic of discussion, one of the top discussions over the last couple of years. There's been a lot of guidance recently that's been put out to board directors through the National Association of Corporate Directors, as well as various consulting firms providing guidance. Board members need to be able to take this complex topic and simplify it down so that they can do their jobs. It's expected of them, and sometimes that can be a language barrier. So I think what I see happening is boards are beginning to hire individuals with some cybersecurity expertise. My example at Wells Fargo: we hired a retired general, Suzanne Vautrinot, to come in as one of our cybersecurity experts, obviously, on the board. And it's great having her in that board seat because oftentimes she can help me translate some of the issues and gain a different perspective from the board.
>> So that's a pretty interesting statement. So they're actually putting security expertise in a formal board seat.
>> Yes.
>> That's a pretty significant investment in the space.
>> But if you think about this, I mean, why?
>> Right.
>> Right.
>> Well, most institutions today, when you break them down, are really technology companies that a business platform rolls on. So security is becoming part of not only the institution today but the institution of the future as organizations move towards digitalization. So having that ability to have someone who understands the risk management side of cybersecurity as well as the practitioner side will only make, I think, a boardroom that much stronger.
>> So what's your experience in terms of trying to communicate the issues to a board? Just down and dirty. Where do you find the balance as to what they can absorb? What can they not absorb? How do you outlay the risks, if you will, and how they should think about driving investment in these areas?
>> Well, great points. The first and most important thing with boards is gaining trust: that you have the expertise and you have the information. By no means could I bring all my data to a board meeting because it's just not digestible. So there's a little bit of an art of taking that down and building the trust and focusing on certain areas. But a point you made I think is really important: one, you have to help them understand what are the top risks and why. But when you're talking to a board, you have to be able to say, and this is what we're doing to address them, and here is the time frame, and here is the risk associated with this. Because in their minds, they're thinking, what can I do to help you? And then secondly, the point was the decisioning regarding prioritization. In this particular space, there's always going to be risks, but it's really the art of deciding which ones are more important. I'll talk to the board and I'll highlight things like probability of occurrence. So the higher the probability of occurrence of something happening really drives our prioritization.
>> Then Jason, from your perspective, you're coming in from outside the board trying to help out. How have you seen the security conversation and priority change over time, especially in the context of this other hot topic that everybody is jumping on, which is probably the agenda item just before Rich comes in the room, which is digital transformation. We got to go, we got to go, we got to go. Everybody is evolving. We got to go, we're getting left behind, and then, oh by the way, we're just going to come on afterwards and tell us what some of these risks are.
>> Yeah, and I think actually Rich started to touch on it. All organizations, especially when you're looking at the Fortune 500 and around that shape and size, are global. And they're all on a digital journey, whether they acknowledge they're actually a digital product company. All of them now, digitizing is happening. So as a result of that, security is an absolutely critical component of anything linked to that, for all of the reasons that you can just read the headlines around. And actually at the boardroom level, it's more now, hopefully, becoming a conversation that's about how do we as board members take responsibility and accountability for how to protect our organization. And it's framed now more and more so in a risk management conversation, rather than just saying security, 'cause security is like outside. But actually the reality is security and cyber activity, because you're a digital organization, is embedded into everything whether you realize it or not, so the board needs to be educated as to what that means. How do you take risks in the context of digital activity and assign it to a risk management program approach rather than just saying it's the security guy that's got to come in and do that. And the security guy is most probably going to be the guy that absolutely has to understand that boardroom issue, and then execute upon it and bring options to the table every time in and around that space. But the main message I would say is take this from a risk management perspective and start using the language like that. And that's probably the other point that we were discussing just earlier in the security series today, that actually it's about risk management, and educating everyone very clearly as to what do we mean. What are we actually protecting? How are we protecting it, and what are we doing as a set of board members, and as a leadership team, to actually take forward enablement of the business, from a security perspective, understanding it but then also protecting the business?
>> Right, so are you building models then for them to help them assign a value to that risk, so now they know how much they have to invest? 'Cause the crazy thing about security, I'm sure you could always invest more, right? You can always use a little bit more budget. There's a little bit more that you can do to make yourself a little bit more secure than you were without that investment. But nobody has infinite resources, so as you said, bad things can happen; it's really risk mitigation and knowing the profile and what to do about it. So how do you help them model that?
>> I can answer that and I know Rich can jump in. So what you're seeing is a brand new leader role emerging, from the traditional IT security guy to now the guy that isn't, or person, should I say more accurately, that's engaged at the boardroom. That's there to talk about risks in the context of how the board sees it. And so what does that mean? It means that absolutely, you need to know what you've got from a digital perspective. Everything from the traditional network to all of the IT assets and everything there. The key thing is you need to know what you've got, but you have then to contextualize all of that against business risks. And pulling those two things together is the challenge that you see across the industry today, 'cause there have been silos. And usually underneath those silos are many other silos, so bringing that together is really important. And I think if you look at how we're going to see disruption, and how things are managed in the risk management perspective, actually that's what you're going to see come together. How do you bring those models together to give actionable intelligence that the board can react to or predict against? And that's not an easy thing to pull together.
>> Yeah, and to take it more down to a tactical arena, so you know at some point, like you said, you can't keep asking for more money, because you're not practicing good business attributes, because everybody can ask for more money. So I think as organizations mature their security programs, they're going to go to the board with issues like this. Endpoint security: there's so many different endpoint security products out there that you could buy. But if you're practicing good risk management, you're starting off by saying, what is the risk? Let's just talk about malware. So malware is the risk. Well, how much malware gets to your endpoint? Let's just say in this particular instance, you're here. You go into a program where you're enhancing your tools, your techniques, you're shutting down USB ports. You're not allowing people to connect to the internet unless they go through the VPN. You're buying endpoint solutions to put on there. You're encrypting the endpoint, you're doing all these things, and you suddenly see your monthly average of malware go from here to here. And then when you do that and you walk into a boardroom, and you can show them that and you say this is kind of our risk appetite. 'Cause we're never going to be able to reduce it, but I could go spend some more money. I could go spend five million more dollars and I'm going to move it this much. I'd rather take that five million, move it over to this risk which is right here, to reduce it to that area. So I think that goes hand in hand with what Jason's saying, but when you can get to that level with the board to help them understand their decision, they have a greater comfort level that the money is being spent and prioritization is occurring.
>> Yeah, so if I may, one of the things that you just touched on I think is really useful for us to kind of expand upon more. One of the advice points Chertoff Group had in our series session was around bringing cybersecurity experts to the boardroom. I know obviously you're very active in the whole finance sector, providing advice and direction in that space. Can you tell us more about that?
>> Sure. So what's particular in my world also, as the chair of the Financial Services Sector Coordinating Council: what we do is we work closely with the government, with policy and doctrine, and then FS-ISAC, the financial services sector's information sharing and analysis center, is the group that really goes out and kind of operationalizes it through information sharing and that sort. But what we've seen is a desire to have, honestly, more security professionals on boards. So CISOs potentially being asked to sit on public and private company boards to provide that expertise back to the company, so that the boardroom can help understand and transcend what is going on. Again, from my standpoint, I feel very privileged to have one of them on my board today. And she's been just a wonderful addition; not only does she bring cyber expertise, but being a retired general brings a lot to it in other additional ways. So I would predict we'll see more and more CISOs being asked to sit on public and private boards. They bring that perspective as the business models move to digitalization.
>> We could go on forever, forever and ever, but we can't, unfortunately. But I have one more question for you, Rich. It's kind of this change in attitude amongst the CISO community and other people in security in terms of sharing information. You mentioned you're on this group, and it used to be we didn't want to share if we got attacked, for a lot of different reasons, but there's a real benefit to sharing information, even across industries, about the profile of some of these things that are happening. How are we seeing that kind of change, and how much more valuable is it to have some other input from some other peers than just kind of you with your jewels that they're trying to protect?
>> Sure. So in general, from an industry standpoint, the financial services are much further ahead than a lot of the other industries 'cause we've been doing it a long time. So sharing occurs officially through FS-ISAC, but also you'll pick your phone up and call a friend right away and say, hey, I've just seen some of your IP space associated with so-and-so. So that informal sharing is there. It's a very tight community, particularly in the financial services. You don't think of security as a differentiator necessarily, because the reality of it is, when an adversary chooses to point their direction at you, it's just a matter of time before they get around to your institution. So sharing occurs, and secondly, the government has been doing a great job of trying to break down those barriers, work through all the issues that are related with sharing of classified, unclassified information. So there exists a model today; it seems to be working pretty well, formal as well as informal, and if you look at some of the past history, that sharing has really helped a lot of organizations. I see it only getting better and better as time goes by.
>> And the point I'd add to that is the financial services, as I said, for example, is one of the most mature out there. In fact, it is probably the most mature globally, even, out there. But that's taken time to establish the trust and the collaboration there. And the one recommendation that we would all give out to the industry as a whole is you need to be getting those types of things stood up. And you have to invest time into them to generate the collaboration and trust. You're not going to get it overnight, but you have to start somewhere in doing the same. Because really, what good work is happening here needs to be happening across the global industry as a whole.
>> Right, alright, Rich and Jason, we'll have to leave it there, unfortunately. Really great insight and thanks for sharing your insight with us.
>> Rich: And thank you.
>> Alright, I'm Jeff Frick. You're watching theCUBE. We're at Security in the Boardroom at the Chertoff event, Palo Alto. Thanks for watching. (clicking)

Published Date : Aug 25 2017


Steve Daly, Ivanti | Security in the Boardroom


(clicking sound)
>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto at the Four Seasons Hotel at the Chertoff event; it's called Security in the Boardroom. It's an annual event; they do a couple every year, and we're excited to be here because the security conversation doesn't really go to the boardroom that often in most of the shows that we go to. So we're excited to be here. Steve Daly is our next guest. He's the President and CEO of Ivanti. Steve, welcome.
>> Well, thank you, glad to be here.
>> Absolutely. So they said you're the ransomware guy when we were preparing to come in here.
>> Right on, right on.
>> What special relationship does Ivanti have with ransomware?
>> We do a lot of it.
>> You do a lot of it? (laughing)
>> No, we actually, we have a number of solutions to help customers so that they don't fall prey
>> Right.
>> to these phishing attacks, the stuff that kind of allows somebody to come in and hijack your systems and be able to ransom you
>> Right.
>> for this stuff.
>> So why do you see, from where you're sitting, the growth in ransomware? In terms of, it used to always be hacking and phishing and people doing stupid things.
>> Steve: Yeah.
>> Clicking on things you're not supposed to. But now suddenly it's gotten much more aggressive; now it's got this kind of ransomware piece to it. Why do you see that evolving?
>> Well, I see a couple things happening in the industry. One is, I like to think of it is... You think about medieval times, right? You have these castles, and the castles had these walls, their moats; they're very well protected. That's what our data centers have become like. We've got really good security, we've got really good ability to keep the assets that are behind the firewall in the data center very secure. So as the bad guys keep trying to attack and they keep falling against the wall and getting crushed, they start to look at different ways to get past the walls. What they realize is that you and me, as we're out in the wild, we're like the guys who go outside of the wall; we're out there and we're getting infected, we're getting attacked, we're getting... They realize that's the easiest way for us, for them, to get back in behind the wall, because if they can infect us,
>> Right.
>> then we'll take them back behind the wall through our credentials and our security and get them in to where they really want to be, which is where personally identifiable information is, or the high value assets are. And so I think they've recognized that it is harder and harder to attack directly into the data centers, and so let's go at the endpoints. Let's go attack the weak point and get on those and let them take us back into the data center. And so they look at us and they say, "Okay, well how are we going to get Steve to let us use his credentials?" And the best way for them to do that is to phish us, and to bring in technology that we accidentally click on.
>> Right, right.
>> And once they get there, then they've got access to us.
>> And so this is just an evolution of that idea that says, "Okay, well I can get back in the data center, why don't I just charge this guy just to let me let him get back to the data that he wants access to." And so I think it's just an evolution, sophistication if you will.
>> Right.
>> Steve: And the bad actors and their ability to extort... extort value out of companies.
>> The other trend we hear about is kind of a rise in the state sponsored. It's not just the kid living in his mom's basement anymore who's hacking around, maybe even for fun, right? Just because he could, and to brag to other hackers. But really, it's state sponsored, so the motivations behind, the powers behind, the investment behind, the resources behind,
>> Steve: They become different.
>> is very, very different.
>> Yeah, and in that case, when you think about ransomware, this really is about somebody trying to make some money. State sponsored isn't; they're not trying to make money, right? It's not that they're trying to cut their budget deficit by ransomwaring a bunch of Americans type of thing. What they're after is they really are trying to get behind the moat, behind the walls of the castle. And they know the best way to do that is to infect me, so that I take that virus, so I take that sickness back into the data center, because when I come to the door, they're going to drop the drawbridge, they're going to let me in because they know me.
>> Right.
>> And so the idea of phishing, the idea of getting me to click on something that I shouldn't click on is... Those techniques are really powerful.
>> Right.
>> Because, one, you can either ransom somebody to get their data back, or you can use that as a vehicle to slip back in to the...
>> Right.
>> Steve: Behind the wall.
>> But it's so interesting, the more you read up on this topic, there's so many just big gaping holes, where people are just not applying patches, and they're not doing a lot of really simple things. And then on the other hand, you have people in process and culture. And like you said, people are the weakest link. My favorite story somebody said one time: they came through the company picnic website, which was hanging off the corporate website. I don't know if they said they were the plastic fork vendor or something, but that was the way...
>> (laughing) They got in.
>> They infiltrated the company... right.
>> The spork. Spork vendor.
>> They got in the company, right, with the spork. So as you're talking to clients, how often do you see that they are just taking care of the basics before you can really even start to get into some of the more advanced techniques?
>> I think that's a big challenge for companies. I think it comes back to, particularly when we start to talk about end user computing, the way that the industry has evolved is very fragmented in IT. The way that IT decides to support us and our devices,
>> Right.
>> you think about it, in an IT organization there'll be a Desktop Operations group, there'll be a Mobile group if we're using our mobile phones instead of our desktops. There's a Security group, there's a Service Delivery, there's a Service Support group; they're all separate siloed organizations that are responsible for ultimately keeping us up and running, and secure. But when they're siloed like that, it's really hard for IT to be able to say, "Okay, well let's do the basic hygiene. Let's make sure that the Desktop Operations group is patching these things in a normal way. Let's make sure the Asset Team is bringing in assets and they're tracking through the lifecycle, making sure that the software on there is up to date, those types of things. Making sure that the Security team has visibility across all of it." It's so siloed...
>> Right.
>> There's no way that IT can... It's really hard for IT to really bring that together. And I think that's a fundamental problem with the way that we're organized, and I think that has to change. I think that the people, process side of things is we have to start to bring and unify IT, particularly when you're talking about end user compute environments. Because the way it's fragmented is, one, it's really expensive, it's costly, right? You've got all these different teams that have to talk, and you have to stitch technology together, and IT's responsible for that. And two, it becomes really, really risky just because of what you brought up. This team is concerned, has their own remit; it's not necessarily 100% security, and so patching falls to the bottom of the list. And yet, for the security guy, most patches, most exploits are done on exploits that have had a patch available for at least nine months. So it's not that it's a brand new thing, zero day that just pops in; it's that the teams haven't patched the systems.
>> Right.
>> In nine months, it's crazy. So I think if we can break down, we can unify IT, we can break down those silos, then I think we've got a much better chance of doing the basic hygiene and getting all the technologies together in a way that allows IT to really address this problem and really focus. It's really a cultural change. IT's going to have to change. And the only way for a CIO to be able to effect this change is there has to be some organizational consolidation.
>> Right. As you've seen kind of the growth of cloud, right? Public clouds and private clouds, where some of that security responsibility can be shifted off to the Microsoft Azure team, or to the AWS team. Now it's interesting, on one hand, they've got massive resources that they can deploy that no individual company, or very few individual companies, have. On the other hand, you still have to hit the knobs; even the most recent AWS breach is somebody just didn't turn the knob on to close it down. So are you seeing, because I imagine from a smaller mid-sized company, the security challenge is across all these fronts that are escalating at a rapid rate, really tough to have the resources to fight.
>> That's right.
>> So are they adopting more, not necessarily the always cloud, but the kind of larger solutions that they can leverage so that they don't have all that responsibility on their own heads?
>> I think that's some of the impetus to move to cloud. I think the challenge is still, when you're talking about end user computing, all we're talking about is moving the castle and the moat to somebody else's castle and moat, right? You still, as a company, you still got all these users of IT that have their own devices that are wandering around out in the forest.
>> Got their own pipe...
>> Right, and maybe they can get you back in, and maybe that moat might be a little better than the one I could build myself. I'm still held responsible for... A ransomware attack doesn't matter if I'm using Azure.
>> Right.
>> Right? If I'm using a Windows laptop, and somebody tells me I can win a million dollars and I click on that, bang, right? That's a problem for me as a healthcare provider, for instance, right?
>> (laughs)
>> It doesn't matter what kind of castle I got built by Microsoft or Amazon or Google or whoever. I'm still responsible for that
>> Right.
>> piece of it, and that's not going to change.
>> Steve, so much to talk about, and we didn't even get into IoT and the increasing attack surface area of our cars, and washing machines, and watches.
>> That's right.
>> Alright, we'll leave it there. Thanks for stopping by; enjoy the rest of the show.
>> Yes, good to meet you.
>> Looking forward to our next conversation; we'll jump into the IoT.
>> Steve: Alright.
>> Alright, he's Steve Daly, I'm Jeff Frick. You're watching theCUBE. We're at the Chertoff Security in the Boardroom event in Palo Alto. Thanks for watching. (clicking sound)

Published Date : Aug 25 2017
