
Search Results for FFIC:

Joe McMann & Bob Meindl, Capgemini | RSAC USA 2020


 

>>Live from San Francisco, it's theCube, covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media. >>Welcome to theCube coverage here in San Francisco at Moscone Hall for RSA 2020. I'm John Furrier, host of theCube. We're here breaking down all the action in cybersecurity. I'll say three days of wall-to-wall theCube coverage. You got two great guests here, experts in the cybersecurity enterprise security space. Over 25 years. We've got two gurus and experts. We've got Bob Meindl, executive vice president of North America cyber practice for Capgemini and Joe McMann, head of North America cyber strategy, even a practitioner in the intelligence community. Langley, you've been in the business for 25 years. You've seen the waves. Guys, welcome to theCube. Thank you John. Thanks for having us. So first let's just take a step back. A cyber certainly on the number one agenda kind of already kind of broken out of it in terms of status, board level conversation, every CSO, risk management and a lot of moving parts. >>Now, cyber is not just a segment in the industry. It is the industry. Bob, this is a big part of business challenge today. What's your view? What was going on? So John has a great point. It's actually a business challenge and that's one of the reasons why it's now the top challenge. It's been a tech challenge for a long time. It wasn't always a business challenge for you as was still considered an IT challenge and once it started impacting business and got into a board level discussion, it's now top of mind as a business challenge and how it can really impact the business continuity. Joe is talking before we came on camera about you know CEOs can have good days here and there and bad days then but CISOs all have bad days all the time because there's so much, it's so hard. You're on the operations side. >>You see a day to day in the trenches as well as the strategy. This is really an operations operationalizing model. 
As new technology comes out, the challenge is operationalizing them for not only a business benefit but business risk management. It's like changing an airplane engine out at 35,000 feet. It's really hard. What are you seeing as the core challenge? This is not easy. It's a really complex industry. I mean, you take the word cybersecurity, right? Ready? Cybersecurity conference. I see technology, I see a multitude of different challenges that are trying to be solved. It means something different to everybody, and that's part of the problem is it's a really broad ecosystem that we're in. If you meet one person that says, I know all of cyber, they're lying, right? It's just like saying, I know Active Directory and GRC and I know DNS and I know how to, how to code, right? >>Those people don't exist and cyber is a little bit the same way. So for me, it's just recognizing the intricacies. It's figuring out the complexities, how people, process and technology really fit together and it's an operation. It is an ongoing and enduring operation, this isn't a program that you can run. You run it for a year, you install and you're done. There's ebbs and flows. You talked about the CISOs and the bad days. There's wins and there's losses. Yeah. And I think part of that is just having the conversation with businesses. Just like in IT, you have bad days and good days, wins and losses. It's the same thing in cybersecurity and we've got to set that expectation. Yeah, you didn't bring up a good point. I've been saying this on theCube and we've been having conversations around this. It used to be security as part of IT, right? >>But now that it's part of the business, the things that you're mentioning around people, process, technology, the class, that kind of transformational formula, it is business issues, organizational behavior. Not everyone's an expert, specialism versus generalists. So this is like not just a secure thing, it's the business model of a company is changing. 
So that's clear. There's no doubt. And then you've got the completion of the cloud coming, public cloud, hybrid multi-cloud. Bob, this is a number one architectural challenge. So outside of the blocking and tackling basics, right, there's now the future business is at risk. What does Capgemini do? And because you guys are well known, great brand, helping companies be successful, how do you guys go to customers and say, Hey, here's what you do. What's the, what's the Capgemini story? >>So the Capgemini story is really about increasing your cybersecurity maturity, right? As Joe said, starting out at the basics. If you look at a lot of the breaches that have occurred today have occurred because we got away from the basics and the fundamentals, right? Shiny new ball syndrome. Really. Exactly exasperates that getting away from the basics. So the technology is an enabler, but it's not the be all and end all, right, go into the cloud is absolutely a major issue. That's increasing the perimeter, right? We've gone through multiple ways as we talked about, right? So now cloud is another way, cloud, mobile, social. How do you deal with those from on prem, off prem. But ultimately it's about increasing your cybersecurity maturity and using the cloud as just increasing the perimeter, right? So you need to, you really need to understand, you have your first line defense and then your maturity is in place. Whether the data resides in your organization, in the cloud, on a mobile device, in a social media, you're responsible for it all. And if you don't have the basics, then you're, you're really, and you guys bring a playbook, is that what you guys come in and do? Correct. Correct. Right. So our goal is to coordinate people, process, technology and leverage playbooks, leverage the run books that we had been using for many years. >>I want to get down to you on this one because of what happens when you take that to the, into the practitioner mode or at implementation. 
Customers want the best technology possible. They go for the shiny new choice. Bob just laid out. There's also risks too because it may or may not be big. So you've got to balance out. I got to get an edge technically because the perimeter's becoming huge surface area now or some say has gone. Now you've got edge, just all one big exposed environment, surface area for vulnerabilities is massive. So I need better tech. How do you balance and obtain the best tech and making sure it works and it's in production and secure. So there's a couple of things, right, and this is not, it's not just our, and you'll hear it from other people that have been around a long time, but a lot of organizations that we see have built themselves so that their cybersecurity organization is supporting all these tools that we see. >>That's the wrong way to do it. The tools should support the mission of the organization, right? If my mission is to defend my enterprise, there are certain things that I need to do, right? There's questions I need to be able to ask and get answers to. There's data I need visibility into. There's protections and controls I need to be able to implement. If I can lay those out in some coordinated strategic fashion and say, here's all the things I'm trying to accomplish, here's who's going to do it. Here's my really good team, here's my skilled resources, here's my workflows, my processes, all that type of stuff. Then I can go find the right technology to put into that. And I can actually measure if that technology is effective in supporting my mission. But too often we start with the technology and then we hammer against it and we run into CISOs and they say, I bought all this stuff and it's not working and come hell yeah. >>And that's backing into it the wrong. So I've heard from CSOs, I'd like they buying all these tools. It's like a tool shed. Don't be the fool with the wrong tool as they I say. 
But that brings up the question of, okay, as you guys go to customers, what are some of the main pain points or issues that they're trying to overcome that are opportunities that you guys are helping with? Uh, on the business side and on the technical side, what are some of the things? So on the business side, you know, one is depending on their level of maturity and the maturity of the organization and the board of directors and their belief in, in how they need to help fund this. We can start there. We can start by helping draw out the threat landscape within that organization, where they are maturity-wise and where they need to go and help them craft that message to the board of directors and get executive sponsorship from the board down in order to take them from maybe a very immature organization or, you know, a reactive organization to an adaptive organization, right. >>And really become defenders. So from a business perspective, we can help them there. From the technology perspective, Joe, uh, you know, or an implementation perspective. I think, you know, it's been a really interesting road like being in this a long time, you know, late two thousands when nation-states were first really starting to become a thing. All the industries we were talking to, every customer is like, I want to be the best in my industry. I want to be the shining example. And boards and leadership were throwing money at it and everybody was on this really aggressive path to get there. The conversation has shifted a little bit with a lot of the leadership we talked to. It's, I just want to be good enough, maybe a little bit better than good enough, but my, my objective anymore isn't to lead the industry. Cause that's really expensive and there's only one of those. >>My objective is to complete my mission maybe a little bit above and beyond, but I need the right size and right. So we spent a lot of time helping organizations, I would say optimize, right? 
It's what is the right level of people, what is the right amount of resources, what's the right spend, what's the right investment, the right allocation of technology and mix of everything, right? And sometimes it's finding the right partner. Sometimes it's doing certain things in house. It's, there's no one way to solve this problem, but you've got to go look at the business challenges. Look at the operational realities of the customer, their budgets, all those, their geographies mattered, right? Some places it's easy to hire talent. Some places it's not so easy to hire talent. And that's a good point, right? Some organizations, >>they just need to understand what does good look like and we can, we have so many years of experience. We have so many customers, use cases, is we've been there and we've done that. We can bring the band and show them this is what good looks like and this is sustainable >>of what good looks like. I want to get your reactions to, I was talking to Keith Alexander, General Keith Alexander, a former Cyber Command head, last night and we were talking about offense versus defense and that kind of reaction. How the Sony hack was just, they just went after him as an example. Everyone knows about that hack, but he really was getting at the idea of human efficiency, the human equation, which is if you have someone working on something that here, but their counterpart might be working on it maybe from a different company or in the same company, they're redundant. So there's a lot of burnout, a lot of people putting out fires. So reactive is clearly, I see as a big trend that the conversation's shifting towards let's be proactive, let's get more efficient in the collaboration as well as the technology. What you, how do you guys react to that? What's your view on that statement? So >>people is the number one issue, in my opinion. In this space, there's a shortage of people. The people that are in it are working very long hours. 
They're burnt out. So we constantly need to be training and bringing more people into the industry. Then there's the scenario around information sharing, right? Threat information sharing, and then what levels are you comfortable with as an organization to share that information? How can you share best practices? So that's where the ISACs come into play. That's also where us as a practitioner and we have communities, we have customers, we bring them together to really information share, share best practice. It's in all of our best interests. We all have the same goal and the goal is to protect our assets, especially in the United States. We have to protect our assets. So we need, the good thing is that it's a pretty open community in that regards and sharing the information, training people, getting people more mature in their people, process, technology, how they can go execute it. >>Yeah. What's your take on the whole human equation piece? Right? So sharing day, you probably heard a word and the word goes back to where I came from, from my heritage as well, but I'm sure General Alexander used the word mission at some point, right? So to me, that's the single biggest rallying point for all of the people in this. If you're in this for the right reasons, it's because you care about the mission. The mission is to defend us. Stop the bad guys from doing days, right? Whether you're defending the government, whether you're defending a commercial enterprise, whether you're defending the general public, right? Whatever the case is, if you're concerned, you know, if you believe in the mission, if you're committed to the mission, that's where the energy comes from. You know, there's a lot of, there's a lot of talk about the skill gap and the talent gap and all of those types of things. >>To me, it's more of a mindset issue than anything. Right? The skill sets can be taught. They can be picked up over time. I was a philosophy major. All right? Somehow I ended up here. 
I have no idea how, um, but it's because I cared about the mission and everybody has a part to play. If you build that peer network, uh, both at an individual level and at an organizational and a company level, that's really important in this. Nobody's, nobody's an expert at everything. Like we said, you brought a philosophy. I think one of the things I have observed in interviewing and talking to people is that the world's changed so much that you almost need those fresh perspectives because the problems are new problems, statements, technology is just a part of the problem set back to the culture. The customer problem, Bob, is that they got to get all this work done. >>And so what are some of the use cases that you guys are working on that is a low hanging fruit in the industry or our customer base? How do you guys engage with customers? So our target market is Fortune 500, Global 1000, so the biggest of the big enterprises in the world, right? And because of that, we've seen a lot of complex environments, multinational companies as our customers. Right? We don't go at it from a pure vertical base scenario or a vertical base solution. We believe that horizontal cybersecurity can be applied to most verticals. Right. And there's some tweaking along the way. Like in financial services, there's regulators and FFIC that you need to be sure you adapt to. But for the most part the fundamentals are applicable. All right. With that said, you know, large multinational manufacturing organization, right? They have a major challenge in that they have manufacturing sites all over the world. >>They're building something that is, you know, unique. It has significant IP to it, but it's not secure. Historically they would have said, well, nobody's really gonna just steal what we do because it's really not differentiated in the world, but it is differentiated and it's a large corporation making a lot of money. Unfortunately ransomware, that'd be a photographer. 
Ransomware immediately, right? Like exact down their operations and their network, right? So their network goes down. They can have, they can, they can not have zero downtime and their manufacturing plants around the world. So for us, we're implementing solutions and it's an SLA for them is less than six seconds downtime by two that help secure these global manufacturing environment. That's classic naive when they are it. Oh wow. We've got to think about security on a much broader level. I guess the question I have for you guys, Joe, you talk about when do you guys get called in? >>I mean what's your main value proposition that you guys, cause you guys got a broad view of the industry, that expertise. Why do, why are customers calling you guys and what do you guys deliver? They need something that actually works, right? It's, it's you mentioned earlier, I think when we were talking how important experience is, right? And it's, Bob said it too, having been there, done that I think is really important. The fact that we're not chasing hype, we're not selling widgets. That we have an idea of what good looks like and we can help an organization kind of, you know, navigate that path to get there is really important. So, uh, you know, one of our other customers, large logistics company, been operating for a very long time. You know, very, very mature in terms of their IT operations, those types of things. But they've also grown through merger and acquisition. >>That's a challenge, uh, cause you're taking on somebody else's problem set and they just realize, simply put, that their existing security operations wasn't meeting their needs. So we didn't come in and do anything fancy necessarily. It's put a strategic plan in place, figure out where they are today, what are the gaps, what do they need to do to overcome those gaps? Let's go look at their daily operations, their concept of operations, their mission, their vision, all of that stuff down to the individual analysts. 
Like we talked about the mindset and skillset. But then frankly it's putting in the hard work, right? And nobody wants to put in the heart. I don't want to say nobody wants to put in the hard work. That's fun. There's a lot of words that's gets done I guess by the questions that you guys getting called in on from CSOs, chief information security officers. >>Guess who calls you? So usually we're in talking to the CISO, right? We're having the strategic level conversation with the CISO because the CISO either has come in new or has been there. They may have had a breach. Then whatever that compelling event may be, they've come to the realization that they're not where they need to be from a maturity perspective and their cyber defense needs revamping. So that's our opportunity for us to help them really increase the maturity and help them become defenders. Guys, great for the insight. Thanks for coming on theCube. Really appreciate you sharing the insights. Guys. Give a quick plug for what you guys are doing. Capgemini, you guys are growing. What do you guys look to do? What are some of the things that's going on? Give the company plug. Thanks Sean show. It's been a very interesting journey. >>You know this business started out from Lockheed Martin to Leidos Cyber. We were acquired by Capgemini a year ago last week. It's a very exciting time. We're growing the business significantly. We have huge growth targets for 2020 and beyond, right? We're now over 800 practitioners in North America, over 2,500 practitioners globally, and we believe that we have some very unique differentiated skill sets that can help large enterprises increase their maturity and capabilities plug there. 
Yeah, I mean, look, nothing makes us happier than getting wins when we're working with an organization and we get to watch a mid level analyst brief the CISO that they just found this particular attack and oh, by the way, because we're mature and we're effective, that we were able to stop it and prevent any impact to the company. That's what makes me proud. That's what makes it so it makes it fun. >>Final question. We got a lot of CSOs in our community. They're watching. What's the pitch to the CSO? Why, why you guys, we'd love to come in to understand what are their goals, how can we help them, but ultimately where do they believe they think they are and where do they need to go and we can help them walk that journey. Whether it's six months, a year, three years, five years. We can take them along that journey and increase the cyber defense maturity. Joe, speak to the CSO. What are they getting? They're getting confidence. They're getting execution. They're getting commitment to delivery. They're getting basically a, a partner in this whole engagement. We're not a vendor. We're not a service provider. We are a partner. A trusted partner. Yeah, partnerships is key. Building out in real time. A lot new threats. Got to be on offense and defense going on. A lot of new tech to deal with. I mean, it's a board level for a long time. Guys, thanks for coming on. Capgemini here inside theCube, bringing their practices, cybersecurity, years of experience with big growth targets. Check them out. I'm John with theCube. Thanks for watching.

Published Date : Feb 27 2020


Junaid Islam, Vidder | CUBE Conversation with John Furrier Segment 2 20170928


 

(uptempo orchestral music) >> Welcome to theCubeConversations here in Palo Alto, California. theCube Studios, I'm John Furrier. The co-host of theCube, and co-founder of SiliconANGLE Media. Junaid Islam is the present CTO of Vidder that supports the public sector as well as the defense community as well as other criminalist oriented security paradigms. Expert in the field. Also part of coming Vidder that's doing a lot of work in the area. Thanks for sharing your time here with us. >> Well thanks for having me. >> We had a segment earlier on cybersecurity and the government. So that was phenomenal and also, we talked on the impact of hacking on business. So the number one issue on the boardroom agenda is security. Data, security, it's a big data problem. It's an AI opportunity, some things that are coming out. Embryonic, it's an early shift. Security is a challenge. The old model, the firewall, a moat, doors, access, you get in then you're done. It's over, it's a criminalist world. People can get access to these networks. Security is screwed right now. And we generally feel that. So the question for you is the Enterprise and in business as we're looking to shore up security. Isn't it a do-over? >> Yeah, yeah, I think like other industries. Whether you talk about the PBS. Yes, yes, where you talk about computers shifting to the data center and then the cloud. I think last year or this year, Gartner said 100 billion will be spent on security. I cannot believe anybody who was involved in that 100 billion dollar expenditure is happy. In fact we have something interesting. Security expenditure has risen consistently over the past five or six years, and cyber attacks have also risen consistently. So that's not the kind of correlation you want. >> And they're buying anything that moves basically, they're desperate so it seems like they're like drunken sailors. Just like give me something. They're thirsty for solutions. So they're groping for something. 
>> Yeah and what we're seeing is a couple of things. One is the attackers have gotten much more sophisticated. And they basically can bypass all of the existing security appliances. So what we need is a new approach or a new security stack that really fits both the architectural environment of American companies where they use Clouds and data centers, and they have employees and contractors. But also cyber attacks which have gotten much more sophisticated. The classic cyber attack used to be connecting to the Server remotely or stealing a password. We still have the classics but we have some new ones where we have malware that can actually go from the user's device to inside the network. And you find that existing security products just don't work well in this environment. >> What are some of the do over ideas? >> Absolutely malware, we see it ransomware, super hot, the HBO example recently. They didn't give in, who knows what they actually did. They weren't public about it but actually they maybe get a little bit in but these are organized businesses. They're targeting with the Sony hacks well documented but again businesses, I'm not always funded this. And then you got the move to the clouds. Couple dynamics. Cloud computing. Amazon has done extremely well, they're leading. Now getting a lot more of the Enterprise. They won the CIA deal a few years ago over IBM. And you see a lot of government Cloud rocking and rolling, and then you've got the on premise data center challenges. That's the situation of the customer then now you have potentially an understaffed security force. >> Well actually so, I think let's start with that point. In terms of our theme of a do over. Talk about that first and then let's talk the techno part. I think one do over that America needs is security has to move out of the IT department, and become a stand alone department reporting ideally to the executive staff and not being on it. 
I think one of the unfortunate things is because security is a cost center within IT, it competes with other IT expenditures such as new applications, which are revenue generating. It's very hard to be a cost center asking for money when there's a guy sitting next to you who's doing something to make money. But unfortunately, unless security is properly funded and staffed, it never happens. And this unfortunately is a chronic issue through all US companies. One of the things we've seen that has worked for example in the financial world is most financial institutions, probably all now, security is a peer organization to IT, that helps a lot. This is actually not a new idea, this was something the intelligence community probably started-- >> Cost structures, it's just the cost structures. Reduce the cost is the optimization behavior. What you're saying is just like applications are tied to top line in revenue, which gives them top line mojo. You got to think of security as a money saving table stake. >> That's right. >> People are losing money. The costs are now becoming obvious, in some cases crippling. >> Yeah so I think people need to think of security as fundamental to the life of a company, number one. I think the other thing that needs to happen from a security perspective. Now that we've broken off this entity is security needs to become threat based or risk based. Too much of security in the United States is based on compliance models. Unfortunately cyber attackers do not follow that model when they want to attack us. They basically work outside the model and come up with creative ways to get inside of organizations. >> Basically blindside. >> That's right. >> The company. >> I can't tell you how many meetings probably all where I meet the security team and they're totally busy just going through the list of 20 or 50 things that they're supposed to do. So when you talk about attack vectors. 
They say you know that's really great and I know it's important but we can't get to it. So this is another important shift organizationally. First you break it out. Second, get focus on something that's important. Once we have that we get to the next part which is technologies. And right now what happens is people buy a security point product for different networks. One for data center or one for Cloud. And this doesn't work so I think we have to move to security solutions that can work across hybrid environments, and can also work across different roles. I think that is critical and unless we get that in technically. >> Yeah, this is the thing with Cloud and (indistinct talking). I want to bring this up. I had multiple chances to sit down with Andy Jassy. The CEO of Amazon Web Services. Fantastic executive, built a great business there. On his mind, what's been important for him for many years has been security, and Amazon has done an amazing job with security. But that's in the Cloud. Now Andy Jassy and Amazon thinks everyone should be in the public Cloud. Now they have a deal with VMware but they're just powering VMware's on prem in their Cloud. It's not really a VMware issue but Amazon's world is raising the public Cloud. But they've done really, really good on security, but yet most of the buyers would say hey, the Cloud is unsecure I can't trust it. So you have the dynamic between the data center on premise resource. So people default to the behavior of and leaving here with the on premise. Or I'll put a little bit in the cloud, a little bit of workloads here. A little bit in the Microsoft. Google's got some, I'll keep the tire on Google. But they never really leaving the home base of the data center. But yet some are arguing and Dave Vellante, my co-host on theCube talks about this all the time. There's actually more scale in the Cloud. More data sharing going in the cloud and that the cloud actually got better security. 
So how do you see that resolving because this is a key architectural opportunity and challenge for Enterprise. >> Actually I think there's an optimal model which is if you think about what the data center gives you. It gives you a lot of visibility and physical control as in with your hands. The problem is when you put everything in the data center. You don't have enough people to manage it all properly. The Cloud on the other hand gives you a lot of scale but you can't actually touch the Cloud. So the optimal mix is imagine your encryption and access control solutions live in your data center. But what they control access to is to Cloud resources. So you can actually, if you just open your mind conceptually. >> So it's like saying, it's like segmenting a network. You're segmenting feasibility. >> That's right, so now you don't need a gigantic data center because what's in your data center which can be a lot smaller now are things like your identity-based access management solutions. You can keep your cryptographic elements. You can have your HSM, things that generate random numbers and search there. But now this actually can be very tiny. It can just be a rack of gear. But through that rack of gear, you can have very fine control of people accessing Cloud resources. And I think this idea of building, it's not so much a hybrid network, but it's a notion that a small physically locked down asset can control a lot of virtual assets. It's gaining mind share in the banking world. In fact, just this summer, there was a bank that implemented such an architecture where the control elements were the Cloud were their FFIC data center. And it include, it basically managed access to Amazon VPC and it worked well. >> So interlocking is a strategy. I can see that, by the way I see that playing out pretty well. So I got to ask the next question which comes to mind is that sounds great on paper. Or actually in certain situations it might be perfect. 
But what about the geo-political landscape? Because Amazon has people that develop on the Cloud that aren't US citizens. So the government might say wait a minute, you got to only employ Americans so they got to carve out and do some whatever weird doings with the numbers to get that certification. But they need data centers in Germany because the German government wants certain things. So you have geo-political issues now on the companies. How does that affect security? Because now a Cloud like Amazon or a multinational company has two things going on. I have multiple offices and I'm operating in multiple geo-political landscapes with these regional centers. The regional clouds, or at Amazon they're called regions. >> So actually Amazon has actually done a great job. They basically have their global market, but they also have data centers now which are only open to US persons in US companies like GovCloud. As well as they support the C2S which is the intelligence community's Black Cloud, which is basically off net so I think now-- >> John: So they're doing a good job? >> Yeah, they're doing a good job but the key thing is how you use that resource is really still up to the enterprise. And that's where enterprises have to get good at creating the architecture and policies to be able to harness Amazon's compute capacity. Amazon is the foundation but you really have to finish off the solution and the other thing going back full circle to your first question. Unless the security team has their freedom and the mandate to do that, they'll actually never get there. >> So it's staffing and architecture. >> That's right. >> Well they're both architecture. It's one's organizational architecture. Debt funding and one is more of a hardcore virtual and physical touching. >> And you know what I put in the middle? I'd say know your risks and develop counter measures to them. 
Because if you go to that security team and you say you have to build a counter measure for every attack. That's not going to work either. A company has to be realistic is what is really important? Maybe it's the data of our customers. >> So the answer to the first question then obviously is yes a security do over is needed. But there is no silver bullet and you can't buy an application, it's an architectural framework holistically >> Junaid: That's right. >> That everyone has to do, okay cool. So the question I have on the Amazon, I want to get your thoughts 'cause it's a debate we have all the time on theCube is. And certainly Amazon has competitors that say, Amazon is really not winning in the enterprise. They've got thousands of Enterprise customers. They are winning in the Enterprise so Oracle is catching up, barely in fourth place. But trying to get there and they're actually making that transformation. Looking pretty good, what more now assume that Oracle will (indistinct talking). But Amazon has won great gov Cloud deals. So they've convinced the government that they could do it. >> Junaid: Yeah. >> So to me that's, my argument is if the government is winning with Amazon. It should be a no brainer for the Enterprises so this comes back down to the number one question that's been holding back Cloud growth. Whoa, security, I don't want to put it in the Cloud. How real is that objection now? 'Cause the knee jerk reaction is you know what, I got an on prem, I don't trust the Cloud. But it seems like the Cloud is getting more trust. What's your thoughts on that objection? >> So one of the things as even though when we use the word Cloud, generically or Amazon generically. Amazon has evolved a lot in the last three to four years that I've been working on it. The number of embedded tools in Amazon is vast now. If we were having this conversation two years ago. The notion that granular encryption modules would be there and Amazon is a part of an offering. 
It would have been science fiction or the fact that-- >> More than S3 and EC2, what else could there be? >> That's right or they have things like virtual HSM. They have embedded identity and access control tools all there so I think first of all. All of the building blocks that you would want are there. Now unfortunately there's no shortcuts. Amazon is not going to do the work for you, you still need a staff that knows how to use digital certificates. You still need your own identity based access control system to manage access of your employees and contractors and people in India to these assets in the Cloud. But having said that, we now actually have a model that is much cheaper than the classic data center model. That's basically usable. >> I'm smirking some people think I'm an Amazon Web Services fan boy but besides the fact that I love the company. They've done well and there's so many new services, and they literally have been skating rings around the competition. If you look at the complexity that they have been dealing with and the innovations. So the outputs put that out there. I'm a little biased 'cause I think they're doing a great job. But now, the game starts to shift as Amazon continues to add more services. Welcome to the big leagues called the Enterprise and government, which they're doing some business in now. So the question is besides Amazon, those other guys. Verizon, the telcos have really been trying to figure out what to do with over the top for years. Now they're also powering a lot of multi-tenant workloads as well, including their own stuff. So telcos and service providers out there, what are they doing because they're still critical infrastructure around the world. >> Actually, I think if we just use Amazon as a reference point or example. Amazon initially didn't worry about security but then over the last few years, worked hard to integrate security into their offering. 
We're now in the early stages of seeing that from for example carriers like Verizon. Where in the past Verizon was saying first secure yourself then in the last two years. Verizon, okay, here's some products and services you can buy. But now where we're heading is they're trying to make the network inherently secure. A lot of the basic components like device matching to identity matching basically making that a part of the underlying fabric. So I think the good news is as-- >> So they're making advances there. They have networks. They know networking. >> So the good news is as bleak as it all seems as we are making significant progress as an industry and as a country. Having said that, my only and warning is you still need an executive team. A security team that knows how to leverage all of these components and pull them together. And that goes back to having a risk based approach and protecting the most important things. I think you can do that, I think the tool set that's come out now is actually pretty sophisticated. >> So final question, I want to get your thoughts and we can end the segment and then we'll talk a little bit about Vidder, your company. But I asked Pat Gelsinger, CEO of VMware at VMworld just recently about the security do over 'cause Dave Vellante asked him years ago. He said absolutely it's going to be (indistinct talking) so Pat Gelsinger has it right again. The guy is like Nostradamus when it comes to tech trend. He's a wave guy from Intel, so he gets the waves. But I asked him about that question again this year and I'll send the tip out on Twitter. I'll put it out on Twitter, I'll make a link to it. He said that 5G is going to be the big kahuna of the next 30 years. He thinks that as 5G starts to get out, it's going to develop 10X number of antennas, 100X of bandwidth, new spectrum allocations, 100X new devices, they're all going to be connected as well. As you mentioned we're a connected world. 
This brings up the edges of the network where he says, "Next thirty years is going to be massive build out." So okay, 5G is coming. Industrial IoT, IoT internet of things is happening. How is this going to change a security game because now you have networking and you see VMware. We're doing NSX and Cisco has been trying to the Enterprise figuring out the virtualization of network level. Everything comes back down to the network. Is that where the action is because it seems to me that the network guys have to figure this out. And that seems to be the point of reference in terms of opportunity. Or is it a challenge or is it moving up the stack. How does all the networking changes happen? >> So for IoT, we really need two things to happen. I think one is we actually don't have a security standard for IoT devices. And specifically the issue is malware. IoT devices and software are made worldwide and I think one of the biggest policy weaknesses we have right now is there's no minimum standard. This needs to be solved, otherwise we're in a lot of problem but in parallel to that. There is a lot of technical development. One of the things that's happening in the networking world is for the past 20 years. We were driven by what's called a network VPN or Layer 3 VPN, it's your classic VPN, that connects a device to a server. The problem with that is if you have malware on the device it gets through. So there's this new kind of VPN which is an application VPN or we call it a Layer 4, which is basically a software process in the device to a software process in a server. So that's the new model, which is-- >> They're making them as dumb as possible and go up the stack. >> Not so much-- >> There were guys that are going to roll-- >> I could have used different terms. I could have said make the app network application aware so that it only lets the applications get through. Not any kind of connection, so I think that is something. 
>> Well the networks have to be smarter and enable the smartness. >> So smarter networks are happening and it's an area that I worked in. It's very exciting. >> John: I don't mean to offend you by saying dumb network-- >> But the application but to be clear though that's just one piece of the puzzle. The other piece of the puzzle which unfortunately is a little bit lacking is there's no standards for IoT software today. And unless we have concepts like secure boot, that is the software can't be tampered with. I think I've unfortunately there's a bit of risk but I'm hopeful-- >> And then IoT for folks watching, there might be any inside baseball. It's a surface area problem. There's more points of attack vectors, so we talk about the compliance thing. >> Not only are there more attacks, by and large IoT devices are made outside of the United States. Physically they are made in China and a lot of the software comes from India. And there's nothing wrong with that, but the global supply chain provides plenty of opportunities for cyber attackers to inject in their code. And this is something we need to watch very carefully and then like I said-- >> So this is actually one of those weird derivative results of outsourcing that American companies have realized that's a problem. >> Yeah so. >> Is that right? >> Yeah so it's something we need to watch carefully. >> Okay, thanks for coming on theCube. Really appreciate you sharing your perspectives. Talk about Vidder, you're the president and CTO. You guys in the security business. Obviously you're an expert with (indistinct talking). We'll have you back and multiple times. I'd love to get your company as we follow all the security trends. We have a cyber connect conference with Centrify coming up in New York. We're covering gov Cloud AWS and other players out there. What's Vidder doing? What's the company do for products? How do you guys sell? Who's your customers and what are the cool things you're doing? 
>> We've developed an access control solution based on a new standard called software defined perimeter. And there's two things that are unique about it. First with technology like software defined perimeter. We work in the Cloud in the data center, but more importantly, we're able to stop existing attacks and emerging attacks. So things like password theft, credential theft or server exploitation we stop because we don't want to allow connections from unknown devices or people. The other thing is say you're known, and you connect with server. We basically look inside your laptop and only allow the authorized process to connect to the server. So if there's malware on the device, it can't actually make it through. >> John: So it shuts down the malware. >> That's right. >> John: So you're trying to sneak through. >> That's right, the malware. We can't stop the malware from getting on the device, but we can make sure it doesn't get to the other side. >> So it doesn't cross pollinate. It doesn't go viral. >> That's right, so a lot of the stuff we do is very important. We work with a range of-- >> You have government, obviously contracts. I'm sure you have that can't talk about but you do right? >> Yeah we do a little bit of work with the government and we've just started working with Verizon, which is public. Where they wish to create services where malware actually can't go through the connections. So we're doing exciting stuff and we're-- >> Enterprise customers at all? >> Yeah, yeah we have banks. >> Who are on high alert. >> That's right. >> You guys do tier one or it's the houses are burning down, you're there. So we do banks and we've just started doing some work in a hospital where again it's (indistinct talking) compliant, and they need to make sure that data doesn't leave the hospital. >> So what's the number one thing that you guys have as ransomware something that you solve. What areas do you guys being called in? What's the big fire bell, if you will? 
They ring the bell when do you come in? What's the thing, just in general? >> Our number one reason for existing is stopping attacks on application servers or servers that hold data. That's our focus. So if you have data or an application that someone is after. We will make sure nobody gets to that data. In fact, we'll even make sure if there's a spy, or insider attack, who comes into your organization. They'll only be able to do what they're allowed to do and won't be able to do anything else. >> So on the weekly Fox that was big. Would you guys have helped there if they were a customer or is that just different thing? >> I know we could have helped because one of the things that happened is they used their server exploit to basically propagate through their data center. So we probably wouldn't have done much on the initial exploit, but we would have kept it from going deeper into the system. >> And they hid for four months and they were poking around so you would have detected. >> Yeah and we certainly would have stopped all the poking around. Because we basically, you can think of us as an identity based access control mechanism. So based on your identity, you can only do very specific things. And in their case, they had the identity of the user. We wouldn't have let them do anything except maybe just go to one website. >> Yeah you would have shut them down. They should have been doing business with Vidder. Jay thank you for coming on theCube here for theCubeConversation in Palo Alto, California. I'm Jon Furrier with theCubeConversation. Thanks for watching. (slow orchestral music)

Published Date : Sep 28 2017

