Paul Farrell, Nehemiah & Jason Cook, The Chertoff Group | Security in the Boardroom

>> Hey, Jeff Frick here with theCUBE. We're here in Palo Alto at the Chertoff event. It's called Security in the Boardroom. We're talking about the security conversations that need to happen in the boardroom, not just at the IT department and locking down your phone and your VPN. It's really how do we elevate the conversation, especially as things continue to change. Digital transformation is forcing people to move quickly and everyone's becoming a digital company. All our assets are becoming digital. So it needs to get elevated. We're excited to have our next guest, he's Paul Farrell, he's the CEO of Nehemiah. Paul, welcome.
>> Thank you.
>> And joining us again, Jason Cook from the Chertoff Group. Good to see you again.
>> Hi.
>> Alright, so let's jump into it. So you're CEO... Well, before you get into it, first tell people about Nehemiah, for those who aren't familiar with the company.
>> Nehemiah has a cybersecurity suite where we know, manage and help protect organizations, and the knowing part is what we're probably going to talk more about today, which is our risk quantifier software.
>> Well, let's jump in. What is risk quantifier software?
>> We take a bottom-up look at the organization to get a high-fidelity copy of the corporate network, and then we layer business applications on top of it so boards can get a look at what the business exposure is to the cybersecurity risk.
>> So the network and the application. So that's the very techie piece of it. How much of it, in terms of the process and the people, gets filled into that piece as well?
>> We call that process BIA, or Business Impact Analysis, and a lot of the Fortune 500 firms have already been doing this to be compliant with Sarbanes-Oxley and other regulations. And it's being able to work with them to take some of that information out of the system and combine it with the cyber information we have, to give them a good look at risk. So if I'm looking to invest $2 million, what's my risk buy-down? Is it 10 million? Is it two million? Is it nothing? I just need to do it. So these are some of the questions we're trying to help boards answer.
>> I'm just curious, from a why-do-we-need-to-do-this point of view, how much of it is compliance and governance and regulation? And how much of it is not? It's just, we need to protect ourselves from the bad guys. I would imagine, especially in financial services and healthcare, a lot of it was driven by compliance before, but is that percentage going down?
>> Go ahead.
>> So, no, not at all.
>> Not at all, still mainly governance, compliance, regulation.
>> And what you have to bring together now is security, risk and compliance. It's all the one thing. And at the board level, you don't have those as separate agenda topics anymore, and that's why we talk about a risk management program. Especially the Fortune 500 boards are becoming very educated and also actioning and taking it forward, and that's really where that stuff comes together. Compliance, especially if you look at the finance industry, the healthcare industry for example, is always going to be there, because it's a duty of care as to the industry, how to run the business, and to all of the consumers at the end of the day, at the end of that. So you need a bit of (indistinct talking), and it's a very useful tool if you apply risk management to it, if you're applying security to it and bring those things together. Many CSOs will talk about situational awareness, and one of the things they need to do, if they've got a seat at the board table, is: what do I have, what are my assets? And that's no longer just purely from a technical perspective. You hear the phrase, many organizations have technology silos that don't talk, that don't come together, perhaps different business units that are running those silos. And at the board level, how do you ascertain what you've got when you have an issue? And that situational awareness then is also going to help drive what parties do I take when I have to take action. So that's something that Nehemiah's security is really focusing on. So they're saying, let us put together for you and work with you to assemble your silos of IT network and everything else there, essentially underpinning your digital footprint as you go on that digital journey. But then how do you have actionable business intelligence that's going to help you prioritize how to run that, how to secure it, but also how to invest and run your business through this journey?
>> You were going to say something?
>> I think the word that Jason used a lot is the journey, and there's a lot of things we should be doing just because it's cyber hygiene, and it's intelligence, is what we should do to run our business, by taking the business information and marrying what we've got up and then communicating it in language that the board knows. Which is key, don't be talking about WannaCry viruses and all that and SMB ports. That doesn't make any sense to them. They make business decisions every day, so it's, we're investing X, and you take a risk profile over time and you say, this will help reduce our exposure here, but it's good and we need to do it. Whether compliance says it or not, we need to be protecting our data. That's one of the things that... Compliance is a checklist and we need to check, make sure that's done, and everybody does audited financial statements and that's great, we should do it every year, but there are some things that are basic. We should do basic stuff in finance, we should do basic stuff in cyber hygiene as well: updating our systems, keeping them current, educating our employees on scams and stuff that happen. These are things that need to happen over time, and so it's a journey for the board and for the senior management but for every employee, to be able to know these things and to actually integrate it as part of their everyday job, in my opinion.
>> It sounds like the cyber hygiene stuff is still just not (laughs), we're not hygienic enough (laughs) as we should be. It's amazing that that just continues to be a recurring thing.
>> One of the ethos approaches that Nehemiah is taking to this is, they call it know. What do you know about your environment? And it starts there. To say so, especially for an organization, as many are on a digital journey, well, what is underpinning all of our digital footprint? Do you know that? And unfortunately so many organizations out there have bits of it, but they don't maintain that. So when you have, for example, the famous WannaCry incident, it kicked off, very, very large organizations as well as many small ones were impacted. Why? Well, because they didn't actually understand what they had, and they didn't have the business intelligence and the business analytics to make a prioritization to say, we need to invest our focus and time and effort here to respond to this activity from a hygiene perspective. And until those things are addressed, you're not actually going to truly be able to go on your digital journey as an organization. So if anything, what this is doing is heightening the awareness at the board level that you need to have an articulated dialogue, where at the board level you can understand the impact to the business of what's going on here, but then take all of that and take all the knowledge that you're building to then drive actionable intelligence, business as well as technology coming together, which underpins risk management in that context.
>> And I would imagine those types of incidents are helpful in terms of helping to define what is that risk.
>> Tragically helpful.
>> Yeah, tragically helpful, but still, without those types of things it's probably harder to really monetize what the risk is, so that I can come up with a portfolio that then I can validate my investment.
>> It's about being prepared. It's about thinking about what are your critical business systems. And so when you've got something happening, no matter what it is, let's make sure that critical business systems are protected first, and then we'll get to the less priority systems. It's not that they're not all important, it's just that there are some that are more critical. Inventory systems or sales at the end of the quarter, it tends to be, we find, not only the systems but also the time of the year. If you're selling seeds, March and April in North America is really big. If you're Amazon, it's Christmas time. The inventory system and order entry system have got to be going. So it's taking that step back now and saying, what are our critical business systems, what are the risks, and then the only thing we also look at, that we've talked to Jason about, is, we know what the risks are, but what's the probability those risks are going to hit you? Everybody's not at 100%, some people are 20%. So when you go to the board you've got to give them a true idea of, this is the true risk that we're seeing, and we've tempered it down by saying, if it was 100 million at risk but you only have a 20% chance of getting that exploit, then it's really just $20 million that we're talking about, not 100, because the days are gone where we slam our hand on the board that you must do this, you must do this. Boards are more cyber aware now than ever, and they don't want to just pay people to throw information at them. They want to understand it, to be able to respond properly and not react.
>> Right. So really the net-net is speaking a language, boiling it down into language in the decision-making process which they're used to doing. Because it's not a zero-sum game, it's not a one or zero anymore, it's really a probability decision and the risk assessment.
>> Yeah, that happens over time. That's the whole thing. There are ebbs and flows of the year and you look at things over time, and I think that's the other thing that we'd like to talk about. And it's reassessing, and one of the things that we talk, we talk with a lot of people, and the chief information security officers are embracing us because they're looking for new ways to be able to communicate properly and succinctly to the boards, and that's one of the big things that we see.
>> Good, because when they get bumped up the agenda items on the board, that's what you want to see, right? (laughing)
>> Absolutely.
>> Well, Paul and Jason, thanks for stopping by. Really appreciate your time.
>> Thank you.
>> I'm Jeff Frick, you're watching theCUBE, we'll see you next time. Thanks for watching.

Published Date : Aug 25 2017

Rich Baich, Wells Fargo & Jason Cook, The Chertoff Group | Security in the Board Room

(clicking)
>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto, California at the Chertoff event. It's called Security in the Boardroom and it's really about elevating the security conversation beyond the IT folks and the security folks out in the application space and out on the edge, and really, what's the conversation going on at the boardroom, 'cause it's an important conversation. And one you want to have before your name shows up in the Wall Street Journal on a Monday morning for not all the right reasons. So we're excited to have a real practitioner, Rich Baich. He's the chief information security officer for Wells Fargo. Welcome, Rich. And in the company of Jason Cook, who's the managing director with the Chertoff Group. Great to see you, Jason. So we talked a little bit off camera, Rich. You've been in a lot of different seats in this game, from consulting to now you're at Wells Fargo, and a few more that you ripped on this, but I can't remember them all. From your perspective, integrating this multi-dimensional approach, how do you see this conversation changing at the boardroom?
>> Well, I think most importantly, the board is a topic of discussion, one of the top discussions over the last couple of years. There's been a lot of guidance recently that's been put out to board directors through the National Association of Corporate Directors, as well as various consulting firms providing guidance. Board members need to be able to take this complex topic and simplify it down so that they can do their jobs. It's expected of them, and sometimes that can be a language barrier. So I think what I see happening is boards are beginning to hire individuals with some cybersecurity expertise. My example at Wells Fargo, we hired a retired general, Suzanne Vautrinot, to come in as one of our cybersecurity, obviously, experts on the board. And it's great having her in that board seat because oftentimes she can help me translate some of the issues and gain a different perspective from the board.
>> So that's a pretty interesting statement. So they're actually putting security expertise in a formal board seat.
>> Yes.
>> That's a pretty significant investment in the space.
>> But if you think about this, I mean, why?
>> Right.
>> Right.
>> Well, most institutions today, when you break them down, are really technology companies that a business platform just rolls on. So security is becoming part of not only the institution today but the institution of the future as organizations move towards digitalization. So having that ability to have someone who understands the risk management side of cybersecurity as well as the practitioner side will only make, I think, a boardroom that much stronger.
>> So what's your experience in terms of trying to communicate the issues to a board? Just down and dirty. Where do you find the balance as to what they can absorb? What can they not absorb? How do you outlay the risks, if you will, and how they should think about driving investment in these areas?
>> Well, great points. The first and most important thing with boards is gaining trust: that you have the expertise and you have the information. By no means could I bring all my data to a board meeting because it's just not digestible. So there's a little bit of an art of taking that down and building the trust and focusing on certain areas. But a point you made that I think is really important is, one, you have to help them understand what are the top risks and why. But when you're talking to a board, you have to be able to say, and this is what we're doing to address them, and here is the time frame, and here is the risk associated with this. Because in their minds, they're thinking, what can I do to help you? And then secondly, to your point, was the decisioning regarding prioritization. In this particular space, there's always going to be risks, but it's really the art of deciding which ones are more important. I'll talk to the board and I'll highlight things like probability of occurrence. So the higher the probability of occurrence of something happening really drives our prioritization.
>> Then Jason, from your perspective, you're coming in from outside the board trying to help out. How have you seen the security conversation and priority change over time, especially in the context of this other hot topic that everybody is jumping on, which is probably the agenda item just before Rich comes in the room, which is digital transformation? We've got to go, we've got to go, we've got to go. Everybody is evolving. We've got to go, we're getting left behind, and then, oh by the way, we're just going to come on afterwards and tell us what some of these risks are.
>> Yeah, and I think actually Rich started to touch on it. All organizations, especially when you're looking at the Fortune 500 and around that shape and size, are global. And they're all on a digital journey, whether they acknowledge they're actually a digital product company. All of them now, digitizing is happening. So as a result of that, security is an absolutely critical component of anything linked to that, for all of the reasons that you can just read the headlines around. And actually at the boardroom level, it's more now, hopefully, becoming a conversation that's about how do we as board members take responsibility and accountability for how to protect our organization. And it's framed now more and more so in a risk management conversation, rather than just saying security, 'cause security is like outside. But actually the reality is security and cyber activity, because you're a digital organization, it's embedded into everything whether you realize it or not, so the board needs to be educated as to what that means. How do you take risks in the context of digital activity and assign it to a risk management program approach rather than just saying it's the security guy that's got to come in and do that? And the security guy is most probably going to be the guy that absolutely has to understand that boardroom issue, and then execute upon it and bring options to the table every time in and around that space. But the main message I would say is take this from a risk management perspective and start using language like that. And that's probably the other point that we were discussing just earlier in the security series today, that actually it's about risk management, and educating everyone very clearly as to what do we mean. What are we actually protecting? How are we protecting it, and what are we doing as a set of board members, and as a leadership team, to actually take forward enablement of the business? From a security perspective, understanding it but then also protecting the business.
>> Right, so are you building models then for them, to help them assign a value to that risk, so now they know how much they have to invest? 'Cause the crazy thing about security, I'm sure you could always invest more, right? You can always use a little bit more budget. There's a little bit more that you can do to make yourself a little bit more secure than you were without that investment. But nobody has infinite resources, so as you said, bad things can happen. It's really risk mitigation and knowing the profile and what to do about it. So how do you help them model that?
>> I can answer that, and I know Rich can jump in. So what you're seeing is a brand new leader role emerging, from the traditional IT security guy to now the guy that isn't, or person, should I say more accurately, that's engaged at the boardroom. That's there to talk about risks in the context of how the board sees it. And so what does that mean? It means that absolutely, you need to know what you've got from a digital perspective. Everything from the traditional network to all of the IT assets and everything there. The key thing is you need to know what you've got, but you then have to contextualize all of that against business risks. And pulling those two things together is the challenge that you see across the industry today, 'cause there have been silos. And usually underneath those silos are many other silos, so bringing that together is really important. And I think if you look at how we're going to see disruption, it is in how things are managed in the risk management perspective. Actually, that's what you're going to see come together. How do you bring those models together to give actionable intelligence that the board can react to or predict against? And that's not an easy thing to pull together.
>> Yeah, and to take it more down to a tactical arena, so you know at some point, like you said, you can't keep asking for more money, because you're not practicing good business attributes, because everybody can ask for more money. So I think as organizations mature their security programs, they're going to go to the board with issues like this. Endpoint security, there are so many different endpoint security products out there that you could buy. But if you're practicing good risk management, you're starting off by saying, what is the risk? Let's just talk about malware. So malware is the risk. Well, how much malware gets to your endpoint? Let's just say, in this particular instance, you're here. You go into a program where you're enhancing your tools, your techniques, you're shutting down USB ports, you're not allowing people to connect to the internet unless they go through the VPN, you're buying endpoint solutions to put on there, you're encrypting the endpoint, you're doing all these things, and you suddenly see your monthly average of malware go from here to here. And then when you do that and you walk into a boardroom, and you can show them that and you say, this is kind of our risk appetite. 'Cause we're never going to be able to reduce it, but I could go spend some more money. I could go spend five million more dollars, and I'm going to move it this much. I'd rather take that five million and move it over to this risk, which is right here, to reduce it to that area. So I think that goes hand in hand with what Jason's saying, but when you can get to that level with the board, to help them understand their decision, they have a greater comfort level that the money is being spent and prioritization is occurring.
>> Yeah, so if I may, one of the things that you just touched on, I think, is really useful for us to kind of expand upon more. One of the advice points the Chertoff Group had in our series session was around bringing cybersecurity experts to the boardroom. I know obviously you're very active in the whole finance sector, providing advice and direction in that space. Can you tell us more about that?
>> Sure. So what's particular in my world also, as the chair of the Financial Services Sector Coordinating Council, what we do is we work closely with the government, with policy and doctrine, and then the FS-ISAC, the financial services sector analysis center, is the group that really goes out and kind of operationalizes it through information sharing and that sort. But what we've seen is a desire to have, honestly, more security professionals on boards. So CISOs potentially being asked to sit on public and private company boards to provide that expertise back to the company, so that the boardroom can help understand and transcend what is going on. Again, from my standpoint, I feel very privileged to have one of them on my board today. And she's been just a wonderful addition. Not only does she bring cyber expertise, but being a retired general, she brings a lot to it in other additional ways. So I would predict we'll see more and more CISOs being asked to sit on public and private boards. They bring that perspective as the business models move to digitalization.
>> We could go on forever and ever, but we can't, unfortunately. But I have one more question for you, Rich. It's kind of this change in attitude amongst the CISO community and other people in security in terms of sharing information. You mentioned you're on this group, and it used to be we didn't want to share if we got attacked, for a lot of different reasons, but there's a real benefit to sharing information, even across industries, about the profile of some of these things that are happening. How are we seeing that kind of change, and how much more valuable is it to have some other input from some other peers, than just kind of you with your jewels that you're trying to protect?
>> Sure. So in general, from an industry standpoint, the financial services are much further ahead than a lot of the other industries, 'cause we've been doing it a long time. So sharing occurs officially through the FS-ISAC, but also you'll pick your phone up and call a friend right away, and say, hey, I've just seen some of your IP space associated with so and so. So that informal sharing is there. It's a very tight community, in particular in the financial services. You don't think of security as a differentiator necessarily, because the reality of it is, when an adversary chooses to point their direction at you, it's just a matter of time before they get around to your institution. So sharing occurs, and secondly, the government has been doing a great job of trying to break down those barriers, work through all the issues that are related with sharing of classified, unclassified information. So there exists a model today, it seems to be working pretty well, formal as well as informal, and if you look at some of the past history, that sharing has really helped a lot of organizations. I see it only getting better and better as time goes by.
>> And the point I'd add to that is the financial services ISAC, for example, is one of the most mature out there. In fact, it is probably the most mature, or global even, out there. But that's taken time to establish the trust and the collaboration there. And the one recommendation that we would all give out to the industry as a whole is you need to be getting those types of things stood up. And you have to invest time into them to generate the collaboration and trust. You're not going to get it overnight, but you have to start somewhere in doing the same. Because really, what good work is happening here needs to be happening across the global industry as a whole.
>> Right. Alright, Rich and Jason, we'll have to leave it there, unfortunately. Really great insight, and thanks for sharing your insight with us.
>> Rich: And thank you.
>> Alright, I'm Jeff Frick. You're watching theCUBE. We're at Security in the Boardroom at the Chertoff event, Palo Alto. Thanks for watching. (clicking)

Published Date : Aug 25 2017

Chad Sweet & Reggie Brothers , The Chertoff Group | Security in the Boardroom

>> Hey, welcome back everybody. Jeff Frick here with theCube. We're in Palo Alto, California, at one of the Chertoff events. It's called Security in the Boardroom. They have these events all over the country, and this is really kind of elevating the security conversation beyond the edge, and beyond CISOs to really the boardroom, which is really where the conversation needs to happen. And our next guest, really excited to have We've got Chad Sweet, he's the co-founder and CEO of the Chertoff Group. Welcome Chad. >> Great to be here. >> And with him also Reggie Brothers, he's the principal at the Chertoff Group, and spent a lot of time in Washington. Again you can check his LinkedIn and find out his whole history. I won't go through it here. First off, welcome gentlemen. >> Thank you. >> Thank you. >> So, before we jump in a little bit of-- What are these events about? Why should people come? >> Well, basically they're a form in which we bring together both practitioners and consumers of security. Often it's around a pragmatic issue that the industry or government's facing, and this one, as you just said, priority of security, cyber screening in particular, in the boardroom, which is obviously what we're reading about everyday in the papers with the Petya and NotPetya and the WannaCry attacks, these are basically, I think, teachable moments that are affecting the whole nation. And so this is a great opportunity for folks to come together in a intimate form, and we welcome everybody who wants to come. Check out our website at chertoffgroup.com >> Okay, great, and the other kind of theme here, that we're hearing over and over is the AI theme, right? >> Yeah. >> We hear about AI and machine learning all over the place and we're in Mountain View and there's self-driving cars driving all over the place and Google tells me, like, "you're home now." And I'm like, "Ah, that's great." But there's much bigger fish to fry with AI and there's a much higher level. 
And Reggie you just came off a panel talking about some much higher level-- I don't know if issues is the right word, maybe issues is the right word, around AI for security. So, I wonder if you can share some of those insights. >> I think issues, challenges, are the right words. >> Challenges, that's probably a better word. >> Those are good words, because particularly you're talking about security application. Whether it's corporate or government the issue becomes trust. How do you trust that this machine has made the right kind of decision, how do you make it traceable. One of the challenges with the current AI technology is it's mostly based on machine-learning. Machine-learning tends to be kind of a black box where you know know what goes in and you train what comes out. That doesn't necessarily mean you understand what's going inside the box. >> Right. >> So then if you have a situation where you really need to be able to trust this decision this machine's making How do you trust it? What's the traceability? So, in the panel we started discussing that. Why is it so important to have this level of trust? You brought up autonomous-vehicles, well of course, you want to make sure that you can trust your vehicle to make the right decision if it has to make a decision at an intersection. Who's it going to save? How do you trust that machine becomes a really big issue. I think it's something that in the machine-learning community, as we learn in the panel, is really starting to grapple with and face that challenge. So I think there's good news, but I think it's a question that when think about what we have to ask when we're adopting these kind of machine-learning AI solutions we have to make sure we do ourself. >> So, it's really interesting, the trust issue, because there's so many layers to it, right? We all get on airplanes and fly across country all the time, right? And those planes are being flown by machines, for the most part. 
And at the same time, if you start to unpack some of these crazy algorithms, even if you could open up the black box, unless you're a data scientist and you have a PhD in some of this statistical analysis, could you really understand it anyway? So how do you balance it? We're talking about the boardroom. What's the level of discovery? What's the level of knowledge that's appropriate without necessarily being a full-fledged data scientist, who are the ones that are actually writing those algorithms?
>> So I think that's a challenge, right, because I think when you look at the types of ways that people are addressing this trust challenge, it is highly technical, alright. People are making hybrid systems where you can do some type of traceability, but that's highly technical for the boardroom. I think what's important is that the-- and one thing that we did talk about on the panel, and even prior to the panel, was on cybersecurity and governance, we talked about the importance of being able to speak in a language that everyone-- that the laborers can understand. You can't just speak in a computer science jargon kind of manner. You have to be able to speak to the person that's actually making the decision. Which means you have to really understand the problem, because I think, in my experience, the people that can speak in the plainest language understand the problem the best. So these problems are things that can be explained, they just tend not to be explained, because they're in this super technical domain.
>> But you know, Reggie is being very humble. He's got a PhD from MIT and worked at the Defense Advanced Research--
>> Well, he can open the box.
>> He can open the box. I'm a simple guy from Beaumont, Texas, so I can kind of dumb it down for the average person. I think on the trust issue over time, whether, and you just mentioned some of it, if you use the analogy of a car or the boardroom or a war scenario, it's the result.
So you get comfortable, you know, the first time, I have a Tesla, the first time I let go of the wheel and let it drive itself was a scary experience, but then when you actually see the result and get to enjoy and experience the actual performance of the vehicle, that's when the trust can begin. And I think in a similar vein, in the military context, you know, we're seeing automation start to take hold. The big issue will be in that moment of ultimate trust, i.e. do you allow a weapon actually to have lethal decision-making authority, and we just talked about that on the panel, which is the ultimate trust is-- is not really today in the military something that we're prepared to trust yet. I think we've seen, there's only a couple places, like the DMZ in North Korea, where we actually do have a few systems that are, if they actually detect an attack, because there's such a short response time, those are the rare exceptions of where lethal authority is at least being considered. I think Elon Musk has talked about how the threat of AI, and how this could, if it's not, we don't have some norms put around it, then that trust could not be developed, 'cause there wouldn't be these checks and balances. So, in the boardroom, that last scenario, I think, the boards are going to be facing these cyber attacks, and the more that they experience, once the attack happens, how the AI is providing some immediate response in mitigation and hopefully even prevention, that's where the trust will begin.
>> The interesting thing, though, is that the sophistication of the attacks is going up dramatically, right?
>> Chad: Yep.
>> Why do we have machine learning and AI? Because it's fast. It can react to a ton of data and move at speeds that we as people can't, such as your self-driving car.
And now we're seeing an increase in state-sponsored threats that are coming in, it's not just the crazy kid in the basement, you know, hacking away to show his friend, but you know, now they're trying to get much more significant information, trying to go after much more significant systems. So, it almost begs then that you have to have the North Korean example, when your time windows are shorter, when the assets are more valuable and when the sophistication of the attacking party goes up, can people manage it? You know, I would assume that the people role, you know, will continue to get further and further up the stack, where the automation takes an increasing piece of it.
>> So let's pull on that, right. So if you talk to the Air Force, 'cause the Air Force does a lot of work on autonomy, DoD in general does, but the Air Force has this chart where they show that over time the resources that will be dedicated by a machine, an autonomous machine, will increase and resources to a human decrease, to a certain level, to a certain level. And that level is really governed by policy issues, compliance issues. So there's some level over which, because of policy and compliance, the human will always be in the loop. You just don't let the machine run totally open loop, but the point is it has to run at machine speed. So let's go back to your example, with the high speed cyber attacks. You need to have some type of defensive mechanism that can react at machine speed, which means at some level the humans are out of that part of the loop, but you still have to have the corporate board person, as Chad said, have trust in that machine to operate at this machine speed, out of the loop.
>> In that human oversight, one of the things that was discussed on the panel was that, interestingly, AI can actually be used in training of humans to upgrade their own skills, and so right now in the Department of Defense, they do these exercises on cyber ranges, and there's about a 4 month waiting period just to get on the ranges, that's how congested they are. And even if you get on it, if you think about it, right now there's a limited number of human talent, human instructors, that can simulate the adversary and oversee that, and so actually using AI to create a simulated adversary and being able to do it in a gamified environment is something that's increasingly going to be necessary to make it, to keep everyone's skills up, and to do it real-time 24/7 against active threats that are being morphed over time. That's really where we have to get our game up to. So, watch for companies like Circadence, which are doing this right now with the Air Force, Army, DISA, and also see them applying this, as Reggie said, in the corporate sphere, where a lot of the folks will tell you today they're facing this asymmetric threat, they have a lot of tools, but they don't necessarily trust or have the confidence that when the balloon goes up, when the attack is happening, is my team ready? And so being able to use AI to help simulate these attacks against their own teams, so they can show the board actually our guys are at this level of tested-ness and readiness.
>> It's interesting, Hal's talking to me in the background as you're talking about the cyber threat, but there's another twist on that, right, which is where machines aren't tired, they didn't have a bad day, they didn't have a fight with the kids in the morning. So you've got that kind of human frailty which machines don't have, right, that's not part of the algorithm generally. But it's interesting to me that it usually comes down to, as most things of any importance, right, it's not really a technical decision.
The technical pieces are actually pretty easy. The hard part is what are the moral considerations, what are the legal considerations, what are the governance considerations, and those are what really ultimately drive the decision to go or no-go.
>> I absolutely agree. One of the challenges that we face is what is our level of interaction between the machine and the human, and how does that evolve over time. You know, people talk about the centaur model, where the centaur, the mythical horse and human, where you have this same kind of thing with the machine and human, right? You want this seamless type of interaction, but what does that really mean, and who does what? What they've found is you've got machines that have beaten, obviously, our human chess masters, they've beaten our Go masters. But the thing that seems to work best is when there's some level of teaming between the human and the machine. What does that mean? And I think that's going to be a challenge going forward, is how we start understanding what that frontier is where the human and machine have to have this really seamless interaction. How do we train for that, how do we build for that?
>> So, give your last thoughts before I let you go. The chime is running, they want you back. As you look down the road, just a couple years, I would never say more than a couple years, and, you know, Moore's Law is not slowing down, people will argue, they're crazy, you know, chips are getting faster, networks are getting faster, data systems are getting faster, computers are getting faster, we're all carrying around mobile phones and just blowing off tons of digital exhaust as our systems. What do you tell people, how do boards react in this rapidly evolving, you know, on like an exponential curve environment in which we're living, how do they not just freeze?
>> Well, if you look at it, I think, to use a financial analogy, and almost every board knows the basic foundational formula for accounting, which is assets equals liabilities plus equity. I think in the future, because no business today is immune from the digital economy, every business is being disrupted by the digital economy and it's-- there are businesses that are underpinned by the trust of the digital economy. So, every board, I think, going forward has to become literate on cybersecurity, and artificial intelligence will be part of that board conversation, and they'll need to learn that fundamental formula of risk, which is risk equals threat times vulnerability times consequence. So in the months ahead, part of what the Chertoff Group will be doing is playing a key role in helping to be an educator of those boards and a facilitator in these important strategic discussions.
>> Alright, we'll leave it there. Chad Sweet, Reggie Brothers, thanks for stopping by.
>> Thank you.
>> Thank you, appreciate it.
>> Alright, I'm Jeff Frick, you're watching theCube. We're at the Chertoff event, it's Security in the Boardroom. Think about it, we'll catch ya next time.

Published Date : Aug 25 2017

Jim Pflaging & Michael Chertoff, The Chertoff Group | Security in the Boardroom

>> Welcome back everybody. Jeff Frick here with theCUBE, we're at Security in the Boardroom. It's a Chertoff event, they go all around the country and have these small intimate events talking about security, and today it's really about the boardroom, and escalating the conversation into the boardroom. So it's not a tech conversation, it's not a mobile phone management conversation, but really how do we get it up into the boardroom. And I'm really excited for our next guest. He's Michael Chertoff, he's the Co-Founder, Executive Chairman of the Chertoff Group, with a long established career, and I'll let you go check out his LinkedIn. He's been Homeland Security, and it's a long, long list, so I won't even go there. And Jim Pflaging, he's the Principal, Technology Sector and Strategy Performance Lead, also for the Chertoff Group. Thanks, Jim kicked it off this morning. And welcome, both of you. So first off, Jim, a little bit about this event. What is this event? And what is Chertoff trying to accomplish with this little bit of a road tour?
>> So I think it's important to know that we're passionate about the importance of security. I mean, with Secretary Chertoff and Chad Sweet's background, they were at the ground floor of seeing the importance to our country. So we created the firm to focus wholly on security, and to help firms with the whole lifecycle of issues. As a risk, as a business opportunity, as a catalyst for growth. And it was back in 2013 when some stakeholders around said, "Hey, you guys have a bunch of ex-DHS folks, there's a bunch of interesting identity technology issues that are coming to the surface, and other technology issues, why don't you bring a group together and do it?"
>> Jeff: Right.
>> We said, well, we're not an event company. But we went ahead and had a conversation back in D.C.
It was a big success, and then it was a little bit like that line from the Godfather, you know, when they say, "They keep pulling me back, they keep pulling me back." (laughs) So here we are on our tenth event, we've been to Silicon Valley three times, New York, Houston, and then D.C. And each time, the idea is, make it topical to the local community, and make it topical for the issues at hand at the moment.
>> Yeah, it's interesting, the relationship and security. Specifically between government and technology companies. You know, we do a lot of big technology shows, and at IBM and HP. With the customers that we have distributed around the world and the regulations and compliance issues, in some ways we know more from a broad base of these global international customers than the government. On the other hand, the government's driving the compliance, and has the privacy issues, and hopefully looking out for people, so how do the two work more closely together to deliver better solutions?
>> Well, in fairness to the government, the government also has access to information and intelligence that the private sector doesn't have.
>> That's true.
>> So each brings to the table a certain set of capabilities, and part of the challenge is to have people speak the same language. The government has tended over the years to develop a very rigid system of procuring, of interacting with the private sector. Out here in Silicon Valley and in other tech centers there's a lot of focus on being innovative and nimble, and sometimes those two cultures need to be bridged. And actually, one of the things that we started out doing was trying to bridge those cultures. Helping the technology companies understand some of the objectives that the government had in terms of security and the economy. And helping the government understand what's out there, what are the capabilities and the techniques that you might use.
Because without an awareness of the art of the possible, it's very hard to lay out a strategy for securing cyberspace.
>> Right. And the whole security space to me, we talked a little bit before we put the cameras on, feels like insurance. You know you've got to do something, right, you can't go unprotected, but by the same token, you can't be 100%, but do you invest forever? Because at the end of the day, for a private company, you know you have limited resources, government too. So, when these conversations are happening, and then what we're talking about here, the boardroom, the worst way a board member wants to get involved is when he reads the Wall Street Journal on Monday morning and he sees that his company has been breached, and he's in big, big trouble. So, how is the relative importance of security investment changing in the boardrooms? What are you seeing? How is that evolving?
>> So, from my standpoint, it's about, first of all, understanding that it's a risk, not security. You're managing the risk, you're not guaranteeing people nothing bad will ever happen. And the analogy I use, I say to people, it's like physical health. You don't go to your doctor and say, "Doctor, I want you to guarantee I'll never get sick." The doctor would throw you out of the office, or he'd have you committed. What you do is you say, "Look, Doctor, I'd like to be healthy, I'd like to have a healthy immune system, I'd like to keep most of the bacteria and the viruses out of my body, but I'd like to know if I do get invaded by bacteria or viruses, which will inevitably happen, I've got a system that can detect it and white blood cells will eliminate it. That's why I get vaccinated, that's why I do other things to keep my immune system up." And that sense of managing expectations I think is critical for the board. If the board wants a guarantee we will never get hacked, then it's not realistic.
If the board wants to understand what are the most important parts of our body politic, or our corporate body, we have to protect, and how do we build layers of defense to keep us healthy, then I think you can have an intelligent discussion about how much investment is enough.
>> Right. But then, as you said, you want to be healthy, but then we still go to bars and have a drink, and we eat ice cream when we probably shouldn't. And the security, so many percentages of the security problems are caused by people who didn't update their patches, or they're responding to this great opportunity to get a bunch of money out of an African prince. So how are we changing the culture on the people process? You made an interesting comment about culture. We always talk about people, process and technology, but you threw the culture piece in it. Which I thought was a pretty interesting twist on just people.
>> I think that's a key piece, and it's an area where the board can actually lead. This is when it has to start from the top. You know, if management and the board says, "Hey, this is a technical issue, we're just gonna leave it for that security team down the hall," I think you've failed right out of the gate. You need a CEO-led, cyber-conscious culture, security-conscious culture, that shows that we value it. And that ultimately, you're going to spend time and money to reward the behavior that you're looking for, to then retain and grow that organization. But it's then looking at it both as a risk, as the Secretary said, but increasingly, it's part of an opportunity. It's part of an opportunity to engage your customers in a new way. Show that you're really a trusted partner. You value, and will hold private, the information that you're collecting about them. As we hurtle into IoT and driverless cars, that are generating massive amounts of information, more and more, people are going to want to do business with people that are good stewards of that information.
>> Right.
And I think the interesting thing that came up, as well, is it's not even the technology, it's not even the breaches, you know, we talked a little bit about the whole iPhone encryption thing. Now we all have Alexa sitting at our house, you know, is Alexa listening all the time? I heard of a case where they actually went back to the Alexa on a domestic dispute, or domestic violence, to see if Alexa had collected evidence and listened in to this domestic violence attack. But the privacy issues are tremendous. So as all these things get weighed, again, you made an interesting comment, how do we define success? What does success look like? 'Cause it's not never. In the financial services industry, your worst nightmare is too many false positives, if you're turning down people's bank account credit card. So what does success look like? How should people be thinking about success?
>> I think there's a couple different dimensions to this. As Jim mentioned earlier, to the extent that you are a steward of other people's data, your ability to promise them that it'll be secure, it'll be private, and execute on the promise, is an important part of your business proposition. To the extent that you have your own business secrets, and your own business confidences you want to protect, that's important. But you raise a somewhat different issue, which is, we do make deliberate decisions sometimes to bring into our homes, into our lives, the kind of collection of information that is a feature, not a bug. That's got to be a deliberate decision, because once you collect the information, as in the example of the Alexa recording some domestic disturbance, that's going to be there for somebody else to get, using a lawful process or otherwise. So, part of, again, the process of culture and education is always asking, "Why do we want to collect? Why do we want to hold? What are we connecting to?" You can make an intelligent decision, but you've got to ask the question first.
>> Right.
Although I heard an interesting twist on that one time. Even if you go through that analysis, and you say, okay, based on these, on yes, yes, and this is why, we're going to collect this data, what you don't know is what someone else might do with that data in a different scenario down the road. So even if you're a responsible steward of that activity, there's always a chance that something else could happen. So there's even kind of a double whammy.
>> I mean, this is one of the byproducts that people talk about with big data. And it's a techy term, but people talk about a data lake, where we're collecting this, we're collecting this, we're collecting that. In and of itself, it's not sensitive information. But if you connect different breadcrumbs about a person's activity, and their identity, wow, all of a sudden that could be incredibly sensitive.
>> Right.
>> So that's one of the issues that we've been dealing with in the tech community, is how to enable us to collect that information, make good decisions from it, but understand the resulting security issues that come.
>> Yeah, that's a fascinating issue because, I think that what a lot of people don't understand is, although individual items collected may seem fairly benign, the ability to aggregate and store all that amount of data is huge. And a perfect example is, you know, people are always walking around taking selfies, or pictures, or putting things in their social media, and the third parties and everybody get into that. And normally you'd say, "That's fine, somebody took a picture of me, it's going to be in their house or whatever, who cares." But if it's all up in the cloud, and someone has the ability to aggregate all that, and all of a sudden get a picture of everybody who's ever taken a photograph of me, or mentioned me, or have had some interaction with, all of a sudden, unbeknownst to me, someone could really get a 24/7 picture of all of my life. So how do you deal with those issues?
Some of these are legal questions, some of them are technical questions, but I do think we're on the cusp of having some serious conversations about this.
>> So they're going to come yank you guys back into the conference. So thank you for taking a few minutes to come sit down with us. So I just want to wrap up again with the board. As you talk to the boards, we've talked about things that are happening now, and things that are happening in the relatively recent past, as you look forward, what's your takeaway for them, as you've sat around, you've talked about all this crazy, scary stuff, and how they should think about it. As you tell them to look forward, what's your advice?
>> Well, if I could start with that, so today we released some results from a study we did around this topic. What do boards really think about security? Is it discussed? Is it a boardroom competency? And we interviewed over a hundred senior execs, a vast percentage, forty percent, who were responding as a board member. And what we found was, there's a tale of two cities, two cyber cities. If you're in a large public US company, in what would be called critical infrastructure, finance, healthcare, telecom, yeah, the directors and the board, they're very well versed in cyber, it's been discussed, it's part of a risk management program, and they have very good CSOs, good interaction with the board. Then there's everybody else. And I would say this actually reflects the boards that I sit on. Is that, you know, cyber's not discussed, it's maybe in reaction to a breach, but it's a technical discussion. And most directors self-report, we're not where we need to be on education. So then, just quickly, as a finish, what we launched today was a seven-point plan, a blueprint for directors, to help guide areas that they can ask questions, document, review. Kind of move them up their cyber-literacy curve.
>> The other thing that I would say is this, I really sympathize with the small and medium enterprises, which simply don't have the money to invest in terms of building up a whole standalone security system. I think that takes us more and more to outsourcing some of these functions. Some of it is the cloud, because you put your data up there. Some of it is outsourcing the intelligence and information to know what's coming. It's managed services. Because most of these smaller companies, even if their heart is in the right place, they just don't have the scale to do what a major bank, for example, can do in terms of an operation center.
>> Yeah, I think that's such a big piece of the cloud story, is sitting through some of the James Hamilton Tuesday night. If you ever get a chance to go to that, he talks about the investment, infrastructure, security, networking, you name it. That Amazon can make at scale, nobody else, except a very small group of companies, can make that type of investment.
>> Exactly.
>> There's just not enough money. Alright, we'll leave it there for now. Really appreciate you stopping by, great event, and thanks for having theCUBE.
>> Michael: Great, thanks for having us.
>> Okay, it's Michael, Jim, I'm Jeff, you're watching theCUBE. We'll be right back.

Published Date : Aug 25 2017

Steve Daly, Ivanti | Security in the Boardroom

(clicking sound)
>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto at the Four Seasons Hotel at the Chertoff event. It's called Security in the Boardroom. It's an annual event, they do a couple every year, and we're excited to be here because the security conversation doesn't really go to the boardroom that often in most of the shows that we go to. So we're excited to be here. Steve Daly is our next guest. He's the President and CEO of Ivanti. Steve, welcome.
>> Well, thank you, glad to be here.
>> Absolutely. So they said you're the ransomware guy when we were preparing to come in here.
>> Right on, right on.
>> What special relationship does Ivanti have with ransomware?
>> We do a lot of it.
>> You do a lot of it? (laughing)
>> No, we actually, we have a number of solutions to help customers so that they don't fall prey
>> Right.
>> to these phishing attacks, the stuff that kind of allows somebody to come in and hijack your systems and be able to ransom you
>> Right.
>> for this stuff.
>> So why do you see, from where you're sitting, the growth in the ransomware? In terms of, it used to always be hacking and phishing and people doing stupid things.
>> Steve: Yeah.
>> Clicking on things you're not supposed to. But now suddenly it's gotten much more aggressive, now it's got this kind of ransomware piece to it. Why do you see that evolving?
>> Well, I see a couple things happening in the industry. One is, I like to think of it is... You think about medieval times, right? You have these castles, and the castles had these walls, their moats, they're very well protected. That's what our data centers have become like. We've got really good security, we've got really good ability to keep the assets that are behind the firewall in the data center very secure. So as the bad guys keep trying to attack, and they keep falling against the wall and getting crushed, they start to look at different ways to get past the walls.
What they realize is that you and me, as we're out in the wild, we're like the guys who go outside of the wall. We're out there and we're getting infected, we're getting attacked, we're getting... They realize that's the easiest way for us, for them, to get back in behind the wall, because if they can infect us, >> Right. >> then we'll take them back behind the wall through our credentials and our security and get them in to where they really want to be, which is where personally identifiable information is, or the high value assets are. And so, I think they've recognized that it is harder and harder to attack directly into the data centers, and so let's go at the endpoints. Let's go attack the weak point and get on those and let them take us back into the data center. And so they look at us and they say, "Okay, well how are we going to get Steve to let us use his credentials?" And the best way for them to do that is to phish us. And to bring in technology that we accidentally click on. >> Right, right. >> And once they get there, then they've got access to us. >> And so, this is just an evolution of that idea that says, "Okay, well I can get back in the data center, why don't I just charge this guy just to let me let him get back to the data that he wants access to." And so I think it's just an evolution, sophistication if you will. >> Right. >> Steve: And the bad actors and their ability to extort... extort value out of companies. >> The other trend we hear about is kind of a rise in the state sponsored. It's not just the kid living in his mom's basement anymore who's hacking around, maybe even for fun, right? Just because he could and to brag to other hackers. But really, it's state sponsored, so the motivations behind, the powers behind, the investment behind, the resources behind, >> Steve: They become different. >> is very, very different. >> Yeah, and in that case, when you think about ransomware, this really is about somebody trying to make some money.
State sponsored isn't, they're not trying to make money, right? It's not that they're trying to cut their budget deficit by ransomwaring a bunch of Americans type of thing. What they're after is they really are trying to get behind the moat, behind the walls of the castle. And they know the best way to do that is to infect me, so that I take that virus, so I take that sickness back into the data center, because when I come to the door, they're going to drop the drawbridge, they're going to let me in because they know me. >> Right. >> And so, the idea of phishing, the idea of getting me to click on something that I shouldn't click on is... Those techniques are really powerful. >> Right. >> Because, one, you can either ransom somebody to get their data back, or you can use that as a vehicle to slip back in to the... >> Right. >> Steve: Behind the wall. >> But it's so interesting, the more you read up on this topic, there's so many just big gaping holes, where people are just not applying patches, and they're not doing a lot of really simple things. And then on the other hand, you have people and process and culture. And like you said, people are the weakest link. My favorite story, somebody said one time, they came to the company picnic website, which was hanging off the corporate website. I don't know if they said they were the plastic fork vendor or something, but that was the way... >> (laughing) They got in... >> They infiltrated the company... right. >> The spork. Spork vendor. >> They got in the company, right, with the spork. So as you're talking to clients, how often do you see that they are just taking care of the basics before you can really even start to get in to some of the more advanced techniques? >> I think that's a big challenge for companies. I think it comes back to, particularly when we start to talk about end user computing, the way that the industry has evolved is very fragmented in IT.
The way that IT decides to support us, and our devices >> Right. >> You think about it, in an IT organization there'll be a Desktop Operations group, there'll be a Mobile group if we're using our mobile phones instead of our desktops. There's a Security group, there's a Service Delivery, there's a Service Support group, they're all separate siloed organizations that are responsible for ultimately keeping us up and running, and secure. But, when they're siloed like that, it's really hard for IT to be able to say, "Okay, well let's do the basic hygiene. Let's make sure that the Desktop Operations group is patching these things in a normal way. Let's make sure the Asset Team is bringing in assets and they're tracking them through the lifecycle, making sure that the software on there is up to date, those types of things. Making sure that the Security team has visibility across all of it." It's so siloed... >> Right. >> There's no way that IT can... It's really hard for IT to really bring that together. And I think that's a fundamental problem with the way that we're organized, and I think that has to change. I think that the people, process side of things is we have to start to bring and unify IT, particularly when you're talking about end user compute environments. Because the way it's fragmented is, one, it's really expensive, it's costly, right? You've got all these different teams that have to talk, and you have to stitch technology together, and IT's responsible for that. And two, it becomes really, really risky just because of what you brought up. This team is concerned, has their own remit, it's not necessarily 100% security, and so patching falls to the bottom of the list. And, yet, for the security guy, most patches, most exploits are done on exploits that have had a patch available for at least nine months. So it's not that it's a brand new thing, a zero day that just pops in, it's that the teams haven't patched the systems. >> Right. >> In nine months, it's crazy.
So I think if we can break down, we can unify IT, we can break down those silos, then I think we've got a much better chance of doing the basic hygiene and getting all the technologies together in a way that allows IT to really address this problem and really focus. It's really a cultural change. IT's going to have to change. And the only way for a CIO to be able to effect this change is there has to be some organizational consolidation. >> Right. As you've seen kind of the growth of cloud, right? Public clouds and private clouds, where some of that security responsibility can be shifted off to the Microsoft Azure team, or to the AWS team. Now it's interesting, on one hand, they've got massive resources that they can deploy that no individual company, or very few individual companies, have. On the other hand, you still have to hit the knobs; even the most recent AWS breach is somebody just didn't turn the knob on to close it down. So, are you seeing, because I imagine from a smaller mid-sized company, the security challenge is across all these fronts that are escalating at a rapid rate, really tough to have the resources to fight. >> That's right. >> So, are they adopting more, not necessarily the always cloud, but the kind of larger solutions that they can leverage so that they don't have all that responsibility on their own heads? >> I think that's some of the impetus to move to cloud. I think the challenge is still, when you're talking about end user computing, all we're talking about is moving the castle and the moat to somebody else's castle and moat, right? You still, as a company, you've still got all these users of IT that have their own devices that are wandering around out in the forest >> Got their own pipe... >> Right, and maybe they can get you back in, and maybe that moat might be a little better than the one I could build myself. I'm still held responsible for... A ransomware attack doesn't matter if I'm using Azure. >> Right. >> Right?
If I'm using a Windows laptop, and somebody tells me I can win a million dollars and I click on that, bang, right? That's a problem for me as a healthcare provider, for instance, right? >> (laughs) >> It doesn't matter what kind of castle I've got built by Microsoft or Amazon or Google or whoever. I'm still responsible for that >> Right. >> piece of it, and that's not going to change. >> Steve, so much to talk about, and we didn't even get into IoT and the increasing attack surface area of our cars, and washing machines, and watches. >> That's right. >> Alright, we'll leave it there. Thanks for stopping by, enjoy the rest of the show. >> Yes, good to meet you. >> Looking forward to our next conversation, we'll jump into the IoT. >> Steve: Alright. >> Alright, he's Steve Daly, I'm Jeff Frick. You're watching theCUBE. We're at the Chertoff Security in the Boardroom event in Palo Alto. Thanks for watching. (clicking sound)

Published Date : Aug 25 2017