>> Announcer: Live, from Las Vegas, it's theCUBE, covering Fortinet Accelerate18. Brought to you buy Fortinet. (upbeat digital music) >> Welcome back to theCUBE's continuing coverage of Fortinet Accelerate 2018. I'm Lisa Martin, with my co-host Peter Burris, and we are now joined by the CISO of Ingram Micro Kevin Kealy. Welcome to theCUBE. >> Thank you both very much. It's nice to be here. >> I love your title, the Prince of Security Weirdness, your other title. >> Yeah, right. >> Tell us about where you got that and why you like it. >> I was at a customer engagement years ago, when I was working for AT&T, in of all places, Moline, Illinois, and I was working with a lady whose business card actually said Protocol Princess. And the customers, based on what we were actually there to do, the customer decided that if she was the Protocol Princess, then I had to be the Prince of Security Weirdness, because the problem ended up being a combination of something very odd that was happening with their security appliances plus the network itself. And so, of course she spread that when we got back to the office and it just kind of stuck from thereon. I kind of like it. If a company found something weird that was going on with security, they'd just go, "Send him, he'll sort it out." And I did. >> So you've seen probably a really interesting evolution of security. >> Kevin: Oh yeah. >> You've been the CISO for almost a couple years. >> Kevin: Yep, almost two years, yeah. Longest tenured one in a while, I think. >> And you have an interesting kind of strategic perspective. Tell us a little bit about that and what makes that unique. >> Sure, so from a CISO perspective it used to be the CISO was the C-E NO. You know, the place where business goes to die. My feeling is, if I'm not adding lift to the business, then I'm adding drag. And if you're adding drag then you're not being a responsible custodian of the company's money or it's direction. So my feeling is, and my strategic objective is, always partner with business to help them achieve what they need to achieve, but to do it safely and in a way that doesn't add risk to the company. So, I like to say you look through your lens at something, it looks ridiculous. Somebody's doing something truly stupid. But if you pivot your perspective and you look at what they're doing it for, they have a perfectly reasonable and rational expectation of their results and what they're trying to achieve. What you need to do is to adjust your thinking to understand what you currently don't understand in order to pivot them to get to a safe perspective, and therefore business. >> So one of the key differences between business and digital business, is the role that data plays. But we could also take a security perspective. Business was about securing and limiting access. Digital business is about sharing and making possible access. >> Kevin: Right. >> So is that kind of what you mean when you say that you're not the C-NO? You're not the C-YES necessarily, but you're really focused on how to appropriately share? >> Completely agree. My approach is always, let's consult with each other, tell me what you're trying to achieve and let's not look at what's caused me to be in your business today, let's look at what you're trying to achieve. What's your end goal? Right, now let's work together to achieve that in a way that adds limited... 'cuz you can't ever have a solution that exposes stuff without adding any risk,. But there's always an acceptable risk appetite that you have to maintain in order to do business, right? With risk comes opportunity and reward, right? So you can never eliminate all risk. So my approach is, understand what they're trying to do. Look at how much risk there is in any different way of doing it, and then choose the way that offers you the most risk reduction for the least capital expenditure and operational expenditure. And gets them to market the quickest. At that point now, I know I've done my responsible part of keeping risk under control. I maintain a risk register, tells me as a whole the company has accepted this much risk. If we do this extra thing, this might put you over what you, the board of directors and management have accepted before. Let's see what we can do to reign that back in here. I have a solution here that's nearly what you want, will that do? You know, another mantra I cite is, don't let perfect be the enemy of good enough. Too many of my peers in the CISO realm keep chasing perfection. You know they see NIST 800 as an achievable goal. They see, you know, total PCI compliance as an achievable goal. My feeling is, as soon as you get to the point where you are PCI compliant, and you still have things to do, then you need to start concentrating on other more risky things that are going on in your business. You can never achieve NIST 800 unless you have a government's funding. I don't know too many CISOs who have a government's funding, right? So my feeling is never let good enough fail to be good enough. Achieve good enough then go and solve other riskier things, and then come back, maybe in a year, couple of years, when it's time to refresh that solution, and see if now that's not good enough anymore. Maybe you need to do something different. But in all cases I'm partnering with business to make sure that whatever I'm doing is adding lift for them, not drag. >> So, Ingram Micro, we just had Eric Kohl on a little bit ago. So Ingram's been a partner with Fortinet for 10 years or so, but you, on your side and your CISO role, are a customer of Fortinet. >> Kevin: Absolutely. >> So in the last couple of years when you came on board, some of the things I'm hearing that you're talking about, sounds like potentially a cultural shift. Talk to us about maybe some of the weirdness that you found in from a security perspective, and how Fortinet is helping you guys on the Ingram, achieve security transformations so that you can evolve. >> Sure, so, Fortinet's been a great partner for me. They have a truly wonderful suite of products. I mean, everything from the edge protection for the dissolving perimeter, all the way out to small and SOHO type firewalls. And then we have wireless access points that are strong and well fortified with the ability to separate between multiple networks, all the way down to FortiDB, which I use to protect our databases. So we do our database monitoring for our critical databases. As a suite of things that I can manage with one console, it helps me minimize the number of operational staff and the operational training they have to do. And then, from my perspective as a customer, Fortinet's always there for me. I know that I can just call them, and within five minutes somebody's calling me back and we can get the right resources right on the phone. That kind of partnership, you can't put a price on that. You know, everybody's at some point in their lives, bought a product that's failed, and then you can't get any customer support on it, and eventually you have to toss it out. Fortinet's always there for me. They're always checking to make sure that we're doing the right thing. And to give you an example of how Fortinet is part of our company fabric, and I use the word in both it's terms, we chose Fortinet gear to protect our CEO's house. Alright? Our CEO, of course, has a lot of, you know, he's a high net worth individual. He has a lot of high value assets that he takes home to work from home. You know he's clearly a target. So for protecting his home and infrastructure there, we deployed Fortinet gear. >> That's a very interesting use case. >> Yeah, and all my staff, including myself, we have Fortinet gear at home as well. So this is the stuff we trust to protect ourselves, when we're in our most vulnerable environment. A lot of people don't think about that. You take these well secured devices and you take them outside the company perimeter. Now they're on their own. You know, if you can take them to a safe environment though, it makes them a lot safer. From an engagement perspective, as the buyer of things for a company like Ingram, one of the first partnerships I made when I first joined the company was with Eric. Because I want to make sure that I'm supporting our sales side as well. So if anybody comes to me and says, "Hey, I have the perfect solution for you." The very first question I ask them is, "Are you a re-seller with us?" And if the answer is no, it's like, call this guy. This Eric Kohl chap, he'll be able to have a very interesting conversation with you. So, Fortinet being such a long-term partner with Ingram, it's an easy purchasing decision for me. Number one on the technology side. Number on on the partner side. You know what that old story is, nobody got fired for buying IBM? At Ingram, nobody got fired for buying Fortinet gear. And it helps that it's the best on the books, for me anyway, for the stuff that I use it for. I'm very excited about the new Fabric. >> Tell us about that, from a visibility perspective internally, complexity, mitigation standpoint, TCO. How is that going to help you at Ingram? >> So, you said the word, visibility. One of the first things I did when I got to Ingram, was I realized I couldn't see all the way to the edges and to the bottom of my network. So I started to increase the visibility with a combination of the Fortinet product suite, I think I'll be able to get the edge-to-edge, top-to-bottom visibility. And I'm really excited about the web-based CASD solution. 'Cuz what I really don't want to do, and one of the talks this morning, the keynote was talking about it, is the vendor, just the vendor pile of different things that have to be managed. All the different people we have to get training from. All of the currency that you have to maintain. If I can manage it all through one console, And I only have to train my staff in one suite of products, that makes the overall work that they do that much simpler to execute. And I love the concept of being able to make those contextual rules. You know, if this device is in this class then don't let it go over to this data that's in this class. That's so simple to describe. And I love the fact that you can then orchestrate that deployment. So when as we go to a virtualized environment, and we roll into cloud and so on, being able to push a policy like that and being able to push that context is going to be so exciting for me. >> One of the challenges of integration is that you get dependencies. >> Yes. >> So as a CISO, and you start looking at a fabric, and as you said, it's a very rich fabric, it does a lot of work. How do you ensure that you don't find, 'cuz if there's a vulnerability inside the fabric, then the whole fabric gets affected. So what is that trade-off between integration and dependency for you? >> So, that's a great question. Back in 1998,'99, I was at AT&T during what was, it became known as the Great Frame Relay Outage, that AT&T had. Many people will remember that. >> Not to laugh at you. >> Do you remember it, though? >> I do remember it. >> Right? >> Kevin: And the cause of that was, the company was entirely CISCO on the back burner. I was one of the engineers that was there trying to fix it all. CISCO had a self-deploying patch protocol where you drop a patch onto a device and it would automatically push the patch to all its neighboring devices and so on. Well you dropped the patch on this device, it would push the patch towards its neighbors, then it would crash and reboot. But it had already had time to push the patch to all its neighbors. So one by one, every single router and switch in the entire network, received a patch and then crashed and rebooted. And that became a three-week problem known as The Great Frame Relay Outage of 1998. So at that point, our then CISO, Edward Amoroso, he decided that we wanted vendor diversity in our network. And at AT&T at the time, then, we went to CISCO on the edge, Juniper in the core. And the reason was, we wanted the network to be able to stay up and routing, even if we has a problem on the edge. And of course, automatic patch push protocol was disabled. (laughing) From my perspective, I think, there's a fine line to be managed here. Southwest Airlines has made a very concrete and a very risky, but certainly it's worked out for them right now, decision. All their aircraft are Boeing 737s. So they only have to train their maintenance staff to maintain one airplane. All their pilots can fly all their airplanes. >> Lisa: My brother's a pilot for them, yes. >> Right? >> Yeah. >> Kevin: All of them are 737s, but if the FAA grounds 737s, all of Southwest is out of business, for the duration of the flying ban, right? So Southwest has decided they don't need vendor diversity across their fleet. I know they bought Allegiant, and that's got a number of Boeing aircraft, however, from the perspective of their original business plan, all 737s because they now have a very, very well defined TCO. From my perspective I think, there's a line to be drawn here, but Fortinet has me covered. They have their APIs. They work with the other vendors. So if I have a SIM or a log manager or something like Splunk deployed, they already have that partnership in place. It means they can manage the data within the device as though it's my own data, as though it's within the Fortinet Fabric. And that then keeps me happy. Because I then get the benefits of the additional features perhaps that I would get from a Splunk rather than a Fortinet tool, but I also get the vendor diversity that's there. See Splunk for me is not just a security tool, it's a VI tool and there are many other groups that are leveraging the capabilities that it has. So for me, if I went to something like the Fortinet SIM, that would be a very selfish solution. It would be just a security thing. That's not really partnering with business. My investment in Splunk, I've got six other groups within the company leveraging it, and I just invited the seventh one in today. Now those people are all using Splunk for their own things. I'm footing the bill for them so they get all this VI for free. That's been a real big win for me, because I'm now known as the guy that's providing stuff that the company can actually use. That's a very powerful position to be in as the CISO because when I come asking for something that normally they would've said no to, all I have to do is remind them, "Hey, you know you're using my Splunk solution? "Well now, would you mind helping me out? "I need you to do this thing "with your laptops in your organization." And they're much more receptive because they know of me as a partner. >> So would you say, one of the things we were talking about a number of times today, Peter, with guests, is getting, how, does a CISO get this, well maybe it's enable the balance, at the speed at which a business needs to transform digitally to be profitable and grow and compete and manage that with risk? Where do you think that your are on getting that balance? Sounds like there's a lot of collaboration within what you've been able to achieve. >> So, there's a couple of rules that I go with. The first is I go meet the business leaders and introduce myself. And I say, I know you may have heard this before, but this time I mean it, I'm here to help. Tell me what your pain points are. How can I help you, right? And that's a very powerful question. I always try to end every meeting with "How can I help you?" Alright. If you end the meeting with that question, that last memory they have of you will be, you were offering to help last time I saw you. I'm willing to give you another audience. And then, it's by action. Like my Splunk investment. I invested in it, and now other people are using it. I'm showing by my actions that I'm actually not just all talk. And other people have noticed. They would come to one of my predecessors and say, "Hey, I want to do X." and they would be told straight out, "No." My answer is always, okay. How are you planning to do it? Something brought you here today. Let's talk about it. And then when they show me how they are planning to do it, it's like, you know what, I see opportunity here. You guys can do it in three fewer steps and at significantly less risk if you just let me help you in this area, and then we do it this way, and we use this tool that I've already bought and you don't have to pay for. Now all of a sudden they've got a yes. It's already through. It's through architecture review. They've got the solution in place, but I get the logs and I get to put my own encryption solution in or whatever else it is, and I get to absorb the risk for the company. And again, it's all by actions too. You know, if you make sure that you never say the word no. People say, "No, because." Try to change it to, "Yes, and." And by pivoting the conversation that way all of a sudden people aren't arguing with you. They're trying to sell you something. And when somebody's trying to sell you something and you're buying it now you've got the upper hand, right? So now I'm the buyer. Right, it's like, "Let's buy it, but let's do it like this." >> So I have another question for you. Something that's related to one of the conversations that we've had many times today. I'm going to paint a scenario for you. A CEO is sitting in front of a group of investors. And talking about strategic flexibility and the things that their assets allows her to do. My balance sheet will allow us to do this. My sales force will allow us to do this. When are we going to see the first CEO say, "My security, my digital security, "will allow us to do this, "things that our competitors can't do." >> That's an excellent question, I hope it's soon. I'd like to be right in the vanguard of that. Ingram Micro already uses us as an enabler. >> I'm sorry, what was that? >> Ingram Micro already uses me and my group as an enabler. This year we've been able to negotiate a reduction in our corporate insurance rates, for cyber risk, simply because I was able to show the value in what we've achieved over the last two years. And show how materially we've affected the company's risk envelope and our acceptance of risk. So by doing that, I've already added value to the bottom line because insurance costs money and it's a dead sunk cost, right? So I've already reduced the cost of that. So now all of a sudden I'm enabling the business. And I'm also meaning that we can actually uplift our coverage too, so now we're reducing risk even more. We can displace more risk to the outside of the business. This conversation with Eric, you know, I'm about to award an RFP. Before I award an RFP, I'll go and see Eric. Is there a strategic reason for me to award it to this vendor or this other vendor? Now of course we're negotiating on the sale side and the buy side together. That's a very powerful story. So certainly at Ingram, I think I'm already partnering with the business in such a way that we can make that a compelling message. In terms of the overall industry, I really hope that it'll be soon. I think the CISO and the CIO roles are merging together. I think as the CIO is rolling less hardware and is rolling more into virtual and policy and direction and technology choices, I think people are going to have to realize that security has to be built into that. Because if you try to bake it on later, or bolt it on, it's never as effective. It's always more expensive. You look at something like the Fortinet Fabric, you roll that as part of your orchestrated virtual environment, you've turned the whole attack chain on it's head, now. Now it's going to cost so much to try and compromise any part of that infrastructure, you're going to see it so quickly, you've turned it all around. Now it's way too expensive to try and attack companies with that kind of fabric. Now the boot is on the foot. Okay, so invent something I can't see. You know, we've got contextual threat intelligence here, that's able to spot patterns. We've got polyform on the outside here. Everything's working in concert, okay. >> So you're not worried about being put out of a job any time soon. >> I think sadly this job is around for a while. I used to joke that it was Bill Gates and his company that provided us with permanent job security. Now it's the cyber criminals. I tell you what though, today the simplest attacks are still the ones that work. It's phishing, phishing, phishing, phishing, phishing. People clicking on links. >> Human beings. >> Human beings are always easier to hack than computers. >> So you've given us, last question as we have a minute or so left, you've given us a great perspective of the impact that you've been able to make using Fortinet on the customer side. You talk to a lot of partners in Ingram's ecosystem. How do you impart your wisdom and your expertise on the partners from that enablement, such so that they can go and talk to customers and really share best practices from the CISO suite? >> So again, I partner with Eric's cybersecurity advisory committee, where he has a number of our key security partners who come along. And for two years running now, I've participated. I've spoken. I spent two days with those folks. I'll answer any question they have. I'll spend the evenings with them. We'll have a beer together. And I'll do a panel and I'll have discussions just like this with them. And share with them some of the things that I've done with the company that have worked, and some of the things that haven't worked out quite so well. No holds barred. I'm a big believer in herd immunity. You know, it's an old joke, you don't want to be the fastest antelope, but you sure as hell don't want to be the slowest one either. So from my perspective, the more of us that share that kind of intel, the easier things will be as we go forward. Because together as a herd we'll be more immune. So from my perspective, even if it's a competitor's CISO, I'll still sit down, have a coffee with them and chat with them. And it will be very much open kimono. Because I feel like we can never share enough of this intelligence with each other. We're not seeking to gain a competitive advantage individually. We're seeking to make the field and the companies, and if you like, the white hats, less vulnerable. And I think that's a compelling value message. >> I noticed your clothes. I guess you're an All Blacks fan? >> Well, you know, being South African I have to be a Springboks, but, uh, you know, it was such a sad day when Jonha Lumo died. That was such a sad day. I got to meet him once and he was a mountain of a man, but such a gentleman. Yep, that was good. But yes, rugby is definitely my sport, so thank you. >> Well, Kevin, thank you so much for stopping by theCUBE and sharing your insights, what you've been able to achieve on the consumer side, or consuming Fortinet's technology and what you're able to impart on your partners. We wish you great success in 2018 and look forward to having you back on the show. >> That sounds great, thank you very much. Thanks for having me, it's been a great pleasure, thanks. >> Excellent. And we want to thank you for watching theCUBE from Fortinet Accelerate 2018. I'm Lisa Martin with my cohost Peter Burris, after this short break we will be right back. (upbeat digital music)