Chidi Alams, Heartland Automotive Services | Splunk .conf 2017
>> Narrator: Live from Washington, D.C., it's the Cube covering .conf 2017 brought to you by Splunk. (electronic music)

>> Welcome back to our nation's capital. Here in Washington, D.C., the Cube which is Silicon Angle TV's flagship broadcast, broadcasting live today and tomorrow from D.C. here at .conf 2017, Splunk's annual get-together. Along with Dave Vellante, I'm John Walls. Now, we're joined by Chidi Alams who is the Head of IT and Security for Heartland Jiffy Lube. We all know Jiffy Lube for sure. Chidi, thanks for being with us. Good to see you.

>> Of course, thanks for having me.

>> Before I jump in, I was looking at your, kind of the portfolio of responsibilities earlier. Information security, application development, database development, reporting services, enterprise PM, blah, on and on and on. When do you sleep, Chidi?

>> I don't. (laughing) That's the easy answer. The reality is I also have two young children at home, so between work and the family life, I'm up all the time.

>> John: I imagine so.

>> But I would have it no other way.

>> Dave: How old are your kids?

>> Three and two.

>> Oh, you won't sleep for a decade.

>> Right.

>> I know.

>> Wait till they start driving.

>> That's what they tell me.

>> Then it gets even better or worse, depends on how you look at it.

>> That's how you learn how to sleep on airplanes. (laughing)

>> Well, let's look at the big picture of security at Jiffy Lube. Your primary concerns these days, I assume, are very much laser-focused on security and what you're seeing. What are the kinds of things that keep you up at night? Other than kids these days?

>> So, we're a very large retailer and brand recognition is something that we're very proud of, however, with that comes a considerable amount of risk. So the bad guys are also aware of Jiffy Lube. They understand that as a retailer, we have credit cards, we have very sensitive data.
When I started with Jiffy Lube about two and a half years ago, I started a program to focus not only on keeping the bad guys out, right, that's essentially table stakes in any security program, but also implementing a disciplined approach around insider threat. Frankly, that's where Splunk has proved to be a significant value for our organization because now we have visibility with respect to both of those risks. Additionally, we've spent a lot of time just taking more of a risk-based approach to security. Quite often what happens, technologists tend to focus on implementing technology and kind of filling gaps that way. The first thing that we did was assess organizational risk based on our most critical assets. Once we were able to determine asset X, in most cases a data asset, was really critical to the organization, credit card data, we were able to build a unified solution and program to ensure that we protect not only our brand, but our customers' data all the time.

>> So, first of all I'll say, I love Jiffy Lube. I'm a customer. I go there all the time. It's so convenient, great service. Generally, very customer service oriented, but I see your challenge with all this distributed infrastructure and retail shops around. I would imagine there's somewhat of a transient, some turnover in employee base.

>> Chidi: Yeah.

>> The bad guys can target folks and say, "Hey, here's a few bucks. Let me in." So how do you use data and analytics? I'm sure you have all kinds of screening and all kinds of corporate policies around that that's sort of one layer, but it's multi-dimensional. So how do you use technology and data to thwart that risk internally?

>> Sure. So I think the key there is having a holistic program. That's a term that's thrown around a lot, so for me, that means a clear focus on people, process, technology.
As I mentioned earlier, the tendency is to start with your comfort zone, so with us as technologists, it's technology, but the people aspect, I have found in my career, is always the largest variable that you have to account for. So disgruntled employees. In retail, regardless of how robust and how strong a culture you create, you're always going to have higher turnover than any industry, particularly in the field. Having very tight alignment with HR, Operations, other stakeholders to ensure that, look, when someone leaves, we track that effectively. That's all data-driven, by the way, so that we're able to track the lifecycle of an employee not only on the positive side when they enter the organization, but when they exit. If the exit is immediate, we have triggers and data-driven events that alert us to that so we can respond immediately. Then, I mentioned insider threat. It's not just employees out in the field. Globally, insider threat is probably the biggest blind spot for organizations. Again, the focus is on the outside, so when we look at things like data exfiltration which is a risk in any large organization where there's a lot of change and transformation, you have to have a good baseline of activity that's going on and understand what activity is truly normal versus activity that could be anomalous and an indicator of a bad actor within the enterprise. We have all that visibility and more now with Splunk.

>> What is the role that Splunk plays? How has that journey evolved? I don't know if you've been there long enough, but pre-Splunk, post-Splunk, maybe you could describe that.

>> Yeah, so pre-Splunk we were very, very reactive. Let me answer that by providing a little more context about how we're leveraging Splunk. So Splunk Enterprise Security is our centralized hub. Data across the enterprise comes to Splunk Enterprise Security.
We have a team of SOC analysts that work around the clock to monitor events that, again, could be indicators of something bad happening. So with that infrastructure in place, we've gone from a very reactive situation where we had analysts and engineers going to disparate systems and having to manually triangulate and figure out, hey, is this an event? Is this something worthy of escalation? How do we handle this? Now, we have a platform not only in Splunk, but with some other solutions that gives us data, one, that's actionable. It's not hard to aggregate data, but to make that data meaningful and expose only what's legitimate from a triage and troubleshooting perspective. So those are some of the things we've done that Splunk has played a role in that.

>> Okay. Talk about the regime for cybersecurity within your organization. It used to be, oh, it's an IT problem. In your organization, is it still an IT problem? Is the balance of the organization taking more responsibility? Is there a top-down initiative? I wonder if you could talk about how you guys approach that?

>> That's a great question because it speaks to governance. One of the things that I did almost immediately when I started with Jiffy Lube was worked very closely with the senior leadership team to define what proper governance looks like because with governance, you've got accountability. So what happens all too often is security is just this thing that's kind of under-the-table. It's understood we've got some technology and some processes and policies in place, however, the question of accountability doesn't arise until there is a problem, especially in the case of a breach and most certainly when that breach leads to front-page exposure which was something I was very concerned about, again, Jiffy Lube being a very large retailer. Worked very closely with the senior leadership team to first of all, identify the priorities. We can't boil the ocean, there are a lot of gaps.
There were a lot of gaps, but working as a team, we said, "Look, these are the priorities." Obviously, customer data, that's everything. That's our brand. We want to protect our customers, right. It's not just about keeping their vehicles running as long as possible. We want to be good stewards of their data. So with that, we implemented a very robust data-management strategy. We had regular meetings with business stakeholders and education also played a critical role. So taking technology and security out of the dark room of IT and bringing it to the senior leadership team and then, of course, being a member of that senior leadership team and speaking to these things in a way that my colleagues in Operations or Finance or Supply Chain could readily connect with. Then, translating that to risk that they can understand.

>> So it's a shared responsibility?

>> Absolutely.

>> A big part of security. You talked before about keeping the bad guys out. That's table stakes. Big part of security, at least this day and age, seems to be response, how effectively the organization responds and, as you well know, it's got to be a team sport. It's kind of a bromide, but the response mechanism, is it rehearsed? Is it trained? Can you describe that?

>> Both. I agree, response is critical, so you have to plan for everything. You have to be ready. Some of the things that we've done: one, we created a crisis management team, an incident response team. We have a very deliberate focus and a disciplined approach to disaster recovery and business continuity which is often left out of security conversations. Which is fascinating because the classic security triad is confidentiality, integrity, and availability. So the three have to be viewed in light of each other. With that, we not only created the appropriate incident response teams and processes within IT, but then created very clear links between other parts of the business.
So if we have a security event or an availability event, how do we communicate that internally? Who is in charge? Who manages the incident? Who decides that we communicate with legal, HR? What does that ecosystem look like? All of that is actually clearly defined in our security policy and we rehearse it at least twice a year.

>> You know, we just had Robert Herjavec on from the Herjavec Group just a few minutes ago. He brought up a point I thought pretty interesting. He says, "Security, obviously, is a huge concern." Obviously, it's his focus, but he said, "A problem is that the bad guys, the bad actors, are extremely inventive and innovative and keep coming up with new entry points, new intrusion points." That's the big headache is they invent these really newfangled ways to thwart our systems that were unpredicted. So how does that sit with you? You say you've got all of these policies in place, you've got every protocol aligned, and all of a sudden the door opens a different way that you didn't expect.

>> Yeah, one of my favorite topics that really speaks to the future and where I believe the industry is going. So traditionally, security has been very signature-based. In other words, we alert against known patterns of behavior that are understood to be malicious or bad. A growing trend is machine learning, artificial intelligence. In fact, at Jiffy Lube, we are experimenting with a concept that I refer to now as the security immune system. So leveraging machine data to proactively assess potential threats versus waiting for those threats to materialize and then kind of building that into our response going forward. I think a lot of that is still in the early phases, but I imagine that in the very near future that'll be a mandatory part of every security plan. We've got to go beyond two-dimensional signature-based to true AI, machine learning.
Taking action, not just providing visibility via response and alerts, but taking action based on that data proactively in a way that might not include a human actor, at least initially.

>> What's the organizational structure at your shop? Are you the de facto CISO?

>> Chidi: I am.

>> And the CIO?

>> Chidi: I am. I wear both hats.

>> Yeah, so that's interesting. You know where I'm going with this. There's always the discussion about should you separate those roles. I can make a case for either way, that if you want the best security in IT, have the security experts managing that. The same time, people say, "Well, it's like the fox watching the hen house and there's lack of transparency." I think I know where you fall on this, but how do you address the guys that say that function should be split? What's the advantage of keeping them together in your view?

>> Yeah, so I think you have to marry best practice with the realities of a particular organization. That's the mistake that I think many make when they set about actually defining the appropriate org structure. There's no such thing as a copy and paste org structure. I actually believe, and I have no problem going on record with this, that the best practice does represent in reality a division between IT and security, particularly in larger organizations. Now, for us, that is more of a journey. What you do initially and your end-state are two different things, but the way you get there is incrementally. You don't go big bang out of the gate. Right now, they both roll up to me. Foreseeably, they will roll up to me, but that works best for the Jiffy Lube organization because of some interesting dynamics. The board of directors by the way, given the visibility of security, does have a say on that. Now that we're in transformation mode, they do want one person kind of overseeing the entire transformation of IT and security.
Now, in the future, if we decide to split that up and I think we have to be at the right place as an organization to ensure that that transition is successful.

>> I'm glad you brought up the board, Chidi, because to me, it's all about transparency. If the CIO can go to the board and say, "Hey, here's the deal. We're going to get hacked, we have been hacked, and here's what we're doing about it. Here's our response routine," and in a transparent way has an open conversation with the board, that's different than historically. A lot of times CIOs would say, "Alright, we've got this covered," because failure meant fired. That's a mistake that a lot of boards made. Now, eventually, over time the board may decide, look, the job's too big to have one person which is kind of what you're ... But how do you feel about that? What's your sentiment on that transparency piece? How often do you meet with the board and what are the discussions like?

>> Yeah, great topic. So, a few things. One, and you've hinted to this, it's very important for the CIO or the CISO to have board-level visibility, board-level access. I have that at Jiffy Lube. I've had to present to the board regarding the IT strategy. I think it's also important to be an effective communicator of risk. So when you're talking to the board, what I've done is I've highlighted two things and I believe this very strongly. As a security leader, you have to practice due care and due diligence. So due care represents doing your job within the scope of whatever your role is. Due diligence involves maintaining that over a period of time, including product evaluations. If you have due care and due diligence and you're able to demonstrate that, even if your environment is compromised, you have to have the enterprise including the board realize that as long as those two things are in place, then a security officer is doing his job.
Now, what's fascinating is many breaches can be mapped back to a lack of due care and due diligence. That's why the security officer gets fired to be very blunt, but as long as you have those things and you articulate very clearly what that represents to the board and the senior leadership team, then I think you just focus on doing your job and continuing to communicate.

>> John wanted to know if you had any Jiffy Lube coupons before we go.

>> Yeah, 'cause in my car on the way home I thought I'd just jump in there.

>> I'm all out, but I'll (laughs).

>> You got one right down the street from the house. They probably know me all too well because I take the kids' cars there too.

>> That's right. We'll hook you up, don't worry about it.

>> We appreciate the time.

>> Thank you.

>> Thank you. A newly-converted Dallas Cowboys fan, by the way.

>> That's right. Very proud.

>> Perhaps here in Washington, we can work on that.

>> We'll see about that.

>> Alright, we'll see. Chidi, thanks for being with us.

>> Thank you, appreciate it.

>> Thank you very much. Chidi Alams from Heartland Jiffy Lube. Back with more here on the Cube in Washington, D.C. at .conf 2017 right after this. (electronic music)