Rinesh Patel, Snowflake & Jack Berkowitz, ADP | Snowflake Summit 2022
(upbeat music) >> Welcome back to theCUBE's continuing coverage of Snowflake Summit 22 live from Caesars Forum in Las Vegas. I'm Lisa Martin with Dave Vellante. We've got a couple of guests joining us now. We're going to be talking about financial services. Rinesh Patel joins us, the Global Head of Financial Services for Snowflake, and Jack Berkowitz, Chief Data Officer at ADP. Guys, welcome to the program. >> Thanks, thanks for having us. >> Thanks for having us. >> Talk to us about what's going on in the financial services industry as a whole. Obviously, we've seen so much change in the last couple of years. What does the data experience look like for internal folks and of course, for those end user consumers and clients? >> So, one of the big things happening inside of the financial services industry is overcoming the COVID wait, right? A lot of banks, a lot of institutions like ours had a lot of stuff on-prem. And then the move to the Cloud allows us to have that flexibility to deal with it. And out of that is also all these new capabilities. So the machine learning revolution has really hit the services industry, right? And so it's affecting how our IT teams or our data teams are building applications. Also really affecting what the end consumers get out of them. And so there's all sorts of consumerization of the experience over the past couple of years much faster than we ever expected it to happen. >> Right, we have these expectations as consumers that bleed into our business lives that I can do transactions. It's going to be on the swipe in terms of checking authenticity, fraud detection, et cetera. And of course we don't want things to go back in terms of how brands are serving us. Talk about some of the things that you guys have put in place with Snowflake in the last couple of years, particularly at ADP. >> Yeah, so one of the big things that we've done, is, one of the things that we provide is compensation data. 
So we issue a thing called the National Employment Report that informs the world as to what's happening in the U.S. economy in terms of workers. And then we have compensation data on top of that. So the thing that we've been able to do with Snowflake is to lower the time that it takes us to process that and get that information out into the fingertips of people. And so people can use it to see what's changed in terms of with the worker changes, how much people are making. And they can get it very, very quickly. And we're able to do that with Snowflake now. Used to take us weeks, now it's in a matter of moments we can get that updated information out to people. >> Interesting. It helps with the talent war and- >> Helps in the talent war, helps people adjust, even where they're going to put supply chain in reaction to where people are migrating. We can have all of that inside of the Snowflake system and available almost instantaneously. >> You guys announced the Financial Data Cloud last year. What was that like? 'Cause I know we had Frank on early, he clearly was driving the verticalization of Snowflake if you will, which is kind of rare for a relatively new software company but what's that been like? Give us the update on where you're at and biggest vertical, right? >> Absolutely, it's been an exciting 12 months. We're a platform, but the journey and the vision is more. We're trying to bring together a fragmented ecosystem across financial services. The aim is really to bring together key customers, key data providers, key solution providers all across the different Clouds that exist to allow them to collaborate with data in a seamless way. To solve industry problems. To solve industry problems like ESG, to solve industry problems like quantitative research. And we're seeing a massive groundswell of customers coming to Snowflake, looking at the Financial Services Data Cloud now to actually solve business problems, business critical problems. 
That's really driving a lot of change in terms of how they operate, in terms of how they win customers, mitigate risk and so forth. >> Jack, I think, I feel like the only industry that's sometimes more complicated than security, is data. Maybe not, security's still maybe more fragmented- >> Well really the intersection of the two is a nightmare. >> And so as you look out on this ecosystem, how do you as the chief data officer, how do you and your organization, what process do you use to decide, okay, which of the, like a chef, which of these ingredients am I going to put together for my business. >> It's a great question, right? There's been explosion of companies. We kind of look at it in two ways. One is we want to make sure that the software and the data can interoperate because we don't want to be in the business of writing bridge code. So first thing is, is having the ecosystem so that the things are tested and can work together. The other area is, and it's important to us is understanding the risk profile of that company. We process about 20% of the U.S. payroll, another 25% of the taxes. And so there's a risk to us that we have an imperative to protect. So we're looking at those companies are they financed, what's their management team. What's the sales experience like, that's important to us. And so technology and the experience of the company coming together are super important to us. >> What's your purview as a chief data officer, I mean, a lot of CDOs that I know came out of the back office and it was a compliance or data quality. You come out of industry from a technology company. So you're sort of the modern... You're like the modern CDO. >> Thanks. Thanks. >> Dave: What's your role? >> I appreciate that. >> You know what I'm saying though? >> And for a while it was like, oh yeah, compliance. >> So I actually- >> And then all of a sudden, boom, big deal. >> Yeah, I really have two jobs. 
So I have that job with data governance but a lot of data security. But I also have a product development unit, a massive business in monetization of data or people analytics or these compensation benchmarks or helping people get mortgages. So providing that information, so that people can get their mortgage, or their bank loans, or all this other type of transactional data. So it's both sides of that equation is my reading inside. >> You're responsible for building data products? >> That's right. >> Directly. >> That's right. I've got a massive team that builds data products. >> Okay. That's somewhat unique in your... >> I think it's where CDOs need to be. So we build data products. We build, and we assist as a hub to allow other business units to build analytics that help them either optimize their cost or increase their sales. And then we help with all that governance and communication, we don't want to divide it up. There's a continuum to it. >> And you're a peer of the CIO and the CISO? >> Yeah, exactly. They're my peers. I actually talk to them almost every day. So I've got the CIO as a peer. >> It's a team. >> I've got the security as a peer and we get things done together. >> Talk about the alignment with business. We've been talking a lot about alignment with the data folks, the business folks, the technical folks to identify the right solutions, to be able to govern data, to monetize it, to create data products. What does that... You mentioned a couple of your cohorts, but on the business side, who are some of those key folks? >> So we're like any other big, big organization. We have lots of different business units. So we work directly with either the operational team or the heads of those business units to divine analytic missions that they'll actually execute. And at the same time, we actually have a business unit that's all around data monetization. And so I work with them every single day. And so these business units will come together. 
I think the big thing for us is to define value and measure that value as we go. As long as we're measuring that value as we go, then we can continue to see improvements. And so, like I said, sometimes it's bottom line, sometimes it's top line, but we're involved. Data is actually a substrate of the company. It's not a side thing to the company. >> Yeah, you are. >> ADP. >> Yeah but if they say data first but you really are data first. >> Yeah. I mean, our CEO says- >> Data's your product. >> Data's our middle name. And it literally is. >> Well, so what do you do in the Snowflake financial services data Cloud? Are you monetizing? >> Yeah. >> What's the plan? >> Yeah, so we have clients. So part of our data monetization is actually providing aggregate and anonymized information that helps other clients make business decisions. So they'll take it into their analytics. So, supply chain optimization, where should we actually put the warehouses based on the population shifts? And so we're actually using the file distribution capabilities or the information distribution, no longer files, where we use Snowflake to actually be that data cloud for those clients. So the data just pops up for our other clients. >> I think the industry's existed a lot with the physical movement of data. When you physically move data, you also physically move the data management challenges. Where do you store it? How do you map it? How do you concord it? And ultimately data sharing is taking away that friction that exists. So it's easier to be able to make informed decisions with the data at hand across two counterparties. >> Yeah, and there's a benefit to us 'cause it lowers our friction. We can have a conversation and somebody can be... Obviously the contracts have to be signed, but once they get done, somebody's up and running on it within minutes. And where it used to be, as you were saying, the movement of data and loss of control, we never actually lose control of it. We know where it is. 
>> Or yeah, contracts signed, now you got to go through this long process of making sure everything's cool, or a lot of times it could slow down the sale. >> That's right. >> Let's see how that's going to... Let's do a little advanced work. Now you're working without a contract. Here, you can say, "Hey, we're in the Snowflake data cloud. It's governed, you're a part of the ecosystem." >> Yeah, and the ecosystem we announced, oh gee, I think it's probably almost a year and a half ago, a relationship with ICE, Intercontinental Exchange, where they're actually taking our information and their information and creating a new data product that they in turn sell. So you get this sort of combination. >> Absolutely. The ability to form partnerships and monetize data with your partners vastly increases as a consequence. >> Talk to us about the adoption of the financial services data cloud in the last what, maybe nine months or so, since it was announced? And also in terms of its value proposition, how does the ADP use case articulate that? >> So, very much so. So in terms of momentum, we're a global organization, as you mentioned, we are verticalized. So we have increasingly more expertise and expertise experience now within financial services that allows us to really engage and accelerate our momentum with the top banks, with the biggest asset managers by AUM, insurance companies, sovereign wealth funds on Snowflake. And obviously those data providers and solution providers that we engage with. So the momentum's really there. We're really moving very, very fast in a great market because we've got great opportunity with the capabilities that we have. I mean, ADP is just one of many use cases that we're working with and collaborations that we're taking to market. So yeah, the opportunity to monetize data and help our partners monetize the data has vastly increased within this space. >> When you think about... Oh go ahead, please. 
>> Yeah I was just going to say, and from our perspective, as we were getting into this, Snowflake was with us on the journey. And that's been a big deal. >> So when you think about data privacy, governance, et cetera, and public policy, it seems like you have, obviously you got things going on in Europe, and you got California, you have other states, there's increasing in complexity. You guys probably love that. (Dave laughs) More data warehouses, but where are we at with that whole? >> It's a great question. Privacy is... We hold some of the most critical information about people because that's our job to help people get paid. And we respect that as sort of our prime agenda. Part of it deals with the technology. How do you monitor, how do you see, make sure that you comply with all these regulations, but a lot of it has to do with the basic ethics of why you're doing and what you're doing. So we have a data and AI ethics board that meets and reviews our use cases. Make sure not only are we doing things properly to the regulation, but are these the types of products, are these the types of opportunities that we as a company want to stand behind on behalf of the consumers? Our company's been around 75 years. We talk about ourselves as a national asset. We have a trust relationship. We want to ensure that that trust relationship is never violated. >> Are you in a position where you can influence public policy and create more standards or framework. >> We actually are, right. We issue something every month called the National Employment Report. It actually tells you what's happening in the U.S. economy. We also issue it in some overseas countries like France. Because of that, we work a lot with various groups. 
And we can help shape, either data policy, we're involved in understanding although we don't necessarily want to be out in the front, but we want to learn about what's happening with Federal Trade Commission, EOC, because at the end of the day we serve people, I always joke ADP, it's my grandfather's ADP. Well, it was actually my grandfather's ADP. (Dave laughs) He was a small businessman, and he used ADP all those years ago. So we want to be part of that conversation because we want to continue to earn that trust every day. >> Well, plus your observation space is pretty wide. >> And you've got context and perspective on that that you can bring. >> We move somewhere between two, two and a half trillion dollars a year through our systems. And so we understand what's happening in the economy. >> What are some of the, oh sorry. >> Can your National Employment Report combined with a little Snowflake magic tell us what the hell's going to happen with this economy? >> It's really interesting you say that. Yeah, we actually can. >> Okay. (panelists laugh) >> I think when you think about the amount of data that we are working with, the types of partners that we're working with, the opportunities are infinite. They really, really are. >> So it's either a magic eight ball or it's a crystal ball, but you have it. >> We think- >> We've just uncovered that here on theCUBE. >> We think we have great partners. We have great data. We have a set of industry problems out there that we're working, collaboration with the community to be able to solve. >> What are some of the upcoming use cases Rinesh, that excite you, that are coming up in financial services- >> Great question. >> That Snowflake is just going to knock out of the park. >> So look, I think there's a set of here and now problems that the industry faces, ESG's a good one. 
If you think about ESG, it means many different things from business ethics, to diversity, to your carbon footprint and every asset manager has to make sure they have now some form of green strategy that reflects the values of their investors. And every bank is looking to put in place sustainable lending to help their corporate customers transition. That's a big data problem. And so we're very much at the center of helping those organizations support those informed investors and help those corporates transition to a more sustainable landscape. >> Let me give you an example on Snowflake, we launched capabilities about diversity benchmarks. The first time in the industry companies can understand for their industry, their size, their location what their diversity profile looks like and their org chart profile looks like to differentiate or at least to understand are they doing the right things inside the business. The ability for banks to understand that and everything else, it's a big deal. And that was built on Snowflake. >> I think it's massive, especially in the context of the question around regulation 'cause we're seeing more and more disclosure agreements come out where regulators are making sure that there's no greenwashing taking place. So when you have really strong sources of data that are standardized, that allow that investment process to ingest that data, it does allow for a better outcome for investors. >> Real data, I mean, that diversity example they don't have to rely on a survey. >> It's not a survey. >> Anecdotes. >> It's coming right out of the transactional systems and it's updated, whenever those paychecks are run, whether it's weekly, whether it's biweekly or monthly, all that information gets updated and it's available. >> So it sounds like ADP is a facilitator of a lot of companies' ESG initiatives, at least in part? >> Well, we partner with companies all the time. We have over 900,000 clients and all of them are... 
We've never spoken to a client who's not concerned about their people. And that's just good business. And so, yeah we're involved in that and we'll see where it goes over time now. >> I think there's tremendous opportunity if you think about the data that the ADP have in terms of diversity, in terms of gender pay gap. Huge, huge opportunity to incorporate that, as I said into the ESG principles and criteria. >> Good, 'cause that definitely is what needs to be addressed. (Lisa laughs) Guys thank you so much for joining Dave and me on the program, talking about Snowflake ADP, what you're doing together, and the massive potential that you're helping unlock with the value of data. We appreciate your insights and your time. >> Thank you for having us. >> Dave: Thanks guys. >> Thank you so much. >> For our guests, and Dave Vellante, I'm Lisa Martin. You're watching theCUBE, live in Las Vegas at Snowflake Summit 22. Dave and I will be right back with our next guest. (upbeat music)
Donald Fischer, Tidelift | AWS Startup Showcase S2 E1 | Open Cloud Innovations
>>Welcome everyone to theCUBE's presentation of the AWS Startup Showcase, Open Cloud Innovations. This is season two, episode one of the ongoing series, and we're covering exciting and innovative startups from the AWS ecosystem. Today we're going to focus on the open source community. I'm your host, Dave Vellante. And right now we're going to talk about open source security and mitigating risk in light of a recent discovery of a zero-day flaw in Log4j, a Java logging utility, and a related White House executive order that points to the FTC pursuing companies that don't properly secure consumer data as a result of this vulnerability. And with me to discuss this critical issue and how to more broadly address software supply chain risk is Don Fischer, who's the CEO of Tidelift. Thank you for coming on the program, Donald. >>Thanks for having me. Excited to be here. Yeah, pleasure. >>So look, there's a lot of buzz. You open the news, you go to your favorite news site and you see this, you know, Log4j, this is an, a project otherwise known as Log4Shell. It's this logging tool. My understanding is it's, it's both ubiquitous and very easy to exploit. Maybe you could explain that in a little bit more detail. And how do you think this vulnerability is going to affect things this year? >>Yeah, happy to, happy to dig in a little bit and orient around this. So, you know, just a little definitions to start with. So Log4j is a very widely used core component that's been around for quite a while. It's actually an amazing piece of technology. Log4j is used in practically every serious enterprise Java application over the last 10, going on 20 years. So it's, you know, Log4j itself is fantastic. The challenge that organizations have been facing relates to a specific security vulnerability that was discovered in Log4j and that has been given this sort of brand name, as it happens these days. 
Folks may remember Heartbleed around the OpenSSL vulnerability some years back. This one has been dubbed Log4Shell. And the reason why it was given that name is that this is a form of security vulnerability that actually allows attackers. >>You know, if a system is found that hasn't been patched to remediate it, it allows hackers to get full control of a, of a system, of a server that has the software running on it, or includes this Log4j component. And that means that they can do anything. They can access, you know, private customer data on that system, or really do anything, and so-called shell-level access. So, you know, that's the sort of definitions of what it is, but the reason why it's important is in the, in the small, you know, this is an open door, right? It's a, if, if organizations haven't patched this, they need to respond to it. But one of the things that's kind of, you know, I think important to recognize here is that this Log4j is just one of literally thousands of independently created open source components that flow into the applications that almost every organization builds, and all of them, all software, is going to have security vulnerabilities. And so I think that Log4j is, has been a catalyst for organizations to say, okay, we've got to solve this specific problem, but we all also have to think ahead about how is this all gonna work. If our software supply chain originates with independent creators across thousands of projects across the internet, how are we going to put a better plan in place to think ahead to the next Log4j, Log4Shell-style incident? And for sure there will be more. >>Okay. So you see this incident as a catalyst to maybe more broadly thinking about how to secure the, the digital supply chain. >>Absolutely. Yeah, it's a, this is proving a point that, you know, a variety of folks have been making for a number of years. 
Hey, we depend, I mean, honestly these days more than 70% of most applications, most custom applications are comprised of this third party open source code. Projects very similar in origin and governance to Log4j, that's just reality. It's actually great. That's an amazing thing that the humans collaborating on the internet have caused to be possible, that we have this rich commons of open source software to build with, but we also have to be practical about it and say, Hey, how are we going to work together to make sure that that software as much as possible is vetted to ensure that it meets commercial standards, enterprise standards ahead of time. And then when the inevitable issues arise like this incident around the Log4j library, that we have a great plan in place to respond to it and to, you know, close the, close the door on vulnerabilities when they, when they show up. >>I mean, you know, when you listen to the high level narrative, it's easy to point fingers at organizations, Hey, you're not doing enough. Now, of course the U.S. government has definitely made attempts to emphasize this and, and shore up in, in, in, in, in push people to shore up the software supply chain, they've released an executive order last May, but, but specifically, I mean, it's just a complicated situation. So what steps should organizations really take to make sure that they don't fall prey to these future supply chain attacks, which, you know, are, as you pointed out, are inevitable. >>Yeah. I mean, it's, it's a great point that you make that the U.S. federal government has taken proactive steps starting last year, 2021, in the fallout of the SolarWinds breach, you know, about 12 months ago from the time that we're talking, talking here, the U.S. government actually was a bit ahead of the game, both in flagging the severity of this, you know, area of concern and also directing organizations on how to respond to it. 
So the, in May 2021, the White House issued an executive order on cybersecurity and it directed federal agencies to undertake a whole bunch of new measures to ensure the security of different aspects of their technology and software supply chain, specifically called out open source software as an area where they put, you know, hard requirements around federal agencies when they're acquiring technology. And one of the things that the federal government, that the White House cybersecurity executive order directed was that organizations need to start with creating a list of the third-party open source. >>That's flowing into their applications, just to even have a table of contents or an index to start working with. And that's, that's called a, a software bill of materials, or SBOM; "S-bomb" is how some people pronounce that acronym. So th the federal government basically requires federal agencies to now create an SBOM for their applications, to demand a software bill of materials from vendors that are doing business with the government, and the strategy there has been to expressly use the purchasing power of the U.S. government to level up industry as a whole, and create the necessary incentives for organizations to, to take this seriously. >>You know, I, I feel like the SolarWinds hack that you mentioned, of course it was widely affected the government. So we kind of woke them up, but I feel like it was almost like a Stuxnet moment, Donald, very sophisticated. I mean, for the first time patches that were supposed to be helping us protect, now we have to be careful with them. And you mentioned the, the bill of its software, bill of materials. We have to really inspect that. And so let's get to what you guys do. How do you help organizations deal with this problem and secure their open source software supply chain? >>Yeah, absolutely happy to tell you about, about Tidelift and, and how we're looking to help. 
So, you know, the company, I co-founded the company with a couple of colleagues, all of whom are long-term open source folks. You know, I've been working in around commercializing open source for the last 20 years at companies like Red Hat and, and a number of others, as have my co-founders. The opportunity that we saw is that, you know, while there have been vendors for some of the traditional systems level, open source components and stacks like Linux, you know, of course there's Red Hat and other vendors for Linux, or for Kubernetes, or for some of the databases, you know, there's standalone companies. For these Log4Shell-style projects, there just hasn't been a vendor for them. And part of it is there's a challenge to cover a really vast territory, a typical enterprise that we inspect has, you know, upwards of 10,000 Log4Shell, Log4j-like components flowing into their application. >>So how do they get a hand around, their hands around that challenge of managing that and ensuring it meets, you know, reasonable commercial standards. That's what Tidelift sets out to do. And we do it through a combination of two elements, both of which are fairly unique in the market. The first of those is a purpose-built software solution that we've created that keeps track of the third-party open source flowing into your applications, inserts itself into your DevSecOps tool chain, your developer tooling, your application development process. And you can kind of think of it as next to the point in your release process, where you run your unit test to ensure the business logic in the code that your team is writing is accurate and sort of passes tests. We do an inspection to look at the state of the third-party open source packages like Apache Log4j that are flowing into your, into your application. >>So there's a software element to it. That's a multi-tenant SaaS service. We're excited to be partnered with, with AWS. 
And one of the reasons why we're here in this venue, talking about how we are making that available jointly with AWS to, to joint customers deploying on AWS platforms. Now, the other piece of the, of our solution is really, really unique. And that's the set of relationships that Tidelift has built directly with these independent open source maintainers, the folks behind these open source packages that organizations rely on. And, you know, this is where we sort of have this idea. Somebody is making that software in the first place, right? And so would those folks be interested? Could we create a set of aligned incentives to encourage them, to make sure that that software meets a bunch of enterprise standards and areas around security, like, you know, relating to the Log4j vulnerability, but also other complicated parts of open source consumption like licensing and open source license, accuracy, and compatibility, and also maintenance. >>Like, is somebody looking after the software going forward. So just trying to basically invite open source creators to partner with us, to level up their packages. Through those relationships, we get really, really clean, clear first party data from the folks who create, maintain the software. And we can flow that through the tools that I described so that end organizations can know that they're building with open source components that have been vetted to meet these standards. By the way, there's a really cool side effect of this business model, which is that we pay these open source maintainers to do this work with us. And so now we're creating a new income stream around what previously had been primarily a volunteer activity done for impact in this universe of open source software. We're helping these open source maintainers kind of go pro on an aspect of what they do around open source. And that means they can spend more time applying more process and tools and methodology to making that open source software even better. 
And that's good for our customers. And it's good for everyone who relies on open source software, which is really everyone in society these days. >> That's interesting. I was going to ask you what's their incentive other than doing the right thing. Can you give us an example of, of maybe an example of an open source maintainer that you're working with? >> Yeah. I mean, we're working with hundreds of open source maintainers and a few of the key open source foundations in different areas across JavaScript, Java, PHP, Ruby, Python, .NET, and, you know, like examples of categories of projects that we're working with, just to be clear, are things like, you know, web frameworks or parser libraries or logging libraries, like, you know, Log4j and all the other languages, right? Or, you know, time and date manipulation libraries. I mean, these are sort of the, you know, kind of core building blocks of applications, and individually, they, you know, they may seem like, you know, maybe a minor, a minor thing, but when you multiply them across how many applications these get used in, and Log4j is a really, really clarifying case for folks to understand this, you know, what can, seemingly a small part of your overall application estate can have disproportionate impact on, on your operations. As we saw with many organizations that spent, you know, a weekend or a week, or a large part of the holidays, scrambling to patch and remediate this, a single vulnerability in one of those thousands of packages in that case log. >> Okay, got it. So you have this two, two headed, two vectors that I'm going to call it, your ecosystem, your relationship with these open source maintainers is kind of a, that just didn't happen overnight, and it develop those relationships. And now you get first-party data. You monetize that with a software service that is purpose-built as the monitor of the probe that actually tracks that third, third-party activity. So >> Exactly right. >> Got it. Okay.
So a lot of companies, Donald, I mean, this is, like I said before, it's a complicated situation. You know, a lot of people don't have the skillsets to deal with this. And so many companies just kind of stick their head in the sand and, you know, hope for the best, but that's not a great strategy. What are the implications for organizations if they don't really put the tools and processes into place to manage their open source digital supply chain? >> Yeah. Ignoring the problem is not a viable strategy anymore, you know, and it's just become increasingly clear as these big headline incidents that happened like Heartbleed and SolarWinds. And now this Log4Shell vulnerability. So you can, you can bet on that continuing into the future, and organizations I think are, are realizing, the ones that haven't gotten ahead of this problem are realizing this is a critical issue that they need to address, but they have help, right. You know, the federal government, another action beyond that cybersecurity executive order that was directed at federal agencies early last year, just in the last week or so, the FTC, the U.S. Federal Trade Commission, has made a much more direct warning to private companies and industry saying that, you know, issues like this Log4j vulnerability risk exposing private, you know, consumer data. That is one of the express mandates of the FTC, is to avoid that. The FTC has said that this is, you know, bears on both the Federal Trade Commission Act, as well as the Gramm-Leach-Bliley Act, which relates to consumer data privacy. >> And the FTC just came right out and said it, they said, they cited the $700 million settlements that Equifax was subject to for their data breach that also related to an open source component, by the way, that that had not been patched by, by Equifax.
And they said the FTC intends to use its full legal authority to pursue companies that failed to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future. So the FTC is saying, you know, this is a critical issue for consumer privacy and consumer data. We are going to enforce against companies that do not take reasonable precautions. What are reasonable precautions? I think it's kind of a mosaic of solutions, but I'm glad to say Tidelift is contributing a really different and novel solution to the mix that we hope will help organizations contend with this and avoid that kind of enforcement action from FTC or other regulators. >> Well, and the good news is that you can tap tooling like Tidelift in the cloud as a service and you know, much easier today than it was 10 or 15 years ago to, to resolve, or at least begin to demonstrate that you're taking action against this problem. >> Absolutely. There's new challenges. Now I'm moving into a world where we build on a foundation of independently created open source. We need new solutions and new ideas, and that's a, you know, that's part of what we're, we're, we're showing up with from the Tidelift angle, but there's many other elements that are going to be necessary to provide the full solution around securing the open source supply chain going forward. >> Well, Donald Fischer of Tidelift, thanks so much for coming to theCUBE and best of luck to your organization. Thanks for the good work that you guys do. >> Thanks, Dave. Really appreciate your partnership on this, getting the word out and yeah, thanks so much for today. >> Very welcome. And you are watching the AWS Startup Showcase: Open Cloud Innovations. Keep it right there for more action on theCUBE, your leader in enterprise tech coverage.
Eva Casey Velasquez | Data Privacy Day 2017
(soft click) >> Hey, welcome back everybody, Jeff Frick here with theCUBE. We're in downtown San Francisco, at Twitter's World Headquarters. It's a beautiful building. Find a reason to get up here and check it out. But they have Data Privacy Day here today. It's an all day seminar session, series of conversations about data privacy. And even though Scott McNealy said, "Data privacy is dead, get over it." Everyone here would beg to differ. So we're excited to have our next guest Eva Velasquez. She's the President and CEO of ITRC, welcome. >> Thank you, thank you for having me and for covering this important topic. >> Absolutely, so what is ITRC? >> We are the Identity Theft Resource Center. And the name, exactly what it is. We're a resource for the public when they have identity theft or fraud, privacy data breach issues, and need help. >> So this begs an interesting question. How do people usually find out that their identity has been compromised? And what is usually the first step they do take? And maybe what's the first step they should take? >> Well, it's interesting because there isn't one universal pathway that people discover it. It's usually a roadblock. So, they're trying to move forward in their lives in some manner. Maybe trying to rent an apartment, get a new job, buy a car or a house. And during that process they find out that there's something amiss. Either in a background check or a credit report. And at that point it creates a sense of urgency because they must resolve this issue. And prove to whoever they're trying to deal with that actually wasn't me, somebody used my identity. And that's how they find out, generally speaking. >> So, you didn't ask their credit scores. Something in a way that they had no idea, this is how they. What usually triggers it? >> Right, right, or a background check. You know, appearing in a database. It's just, when we think about how pervasive our identity is out there in the world now.
And how it's being used by a wide swath of different companies. To do these kind of background checks and see who we are. That's where that damage comes in. >> Talking about security and security breaches at a lot of shows, you know. It's many hundreds of days usually before companies know that they've been breached. Or a particular breach, I think now we just assume they're breached all the time. And hopefully they'd minimize damage. But an identity theft, what do you find is kind of the average duration between the time something was compromised before somebody actually figures it out? Is there kind of an industry mean? >> It's really wildly inconsistent from what we see. Because sometimes if there is an issue. Let's say that a wallet is stolen and they're on high alert, they can often discover it within a week or 10 days. Because they are looking for those things. But sometimes if it's a data breach that they were unaware of or have no idea how their information was compromised. And especially in the case of child identity theft, it can go on for years and years before they find out that something's amiss. >> Child identity theft? >> Mhmm. >> And what's going with? I've never heard of child identity theft. They usually don't have credit cards. What's kind of the story on child identity theft? Which is their PayPal account or their Snapchat account (laughs). >> Well, you're right, children don't have a credit file or a credit history. But they do have a social security number. And that is being issued within the first year of their life because their parents need to use it on their tax returns and other government documents. Well, because the Social Security Administration and the credit reporting agencies, they don't interface. So, if a thief gets ahold of that social security number. That first record that's created is what the credit bureaus will use. So they don't even need a legitimate name or date of birth.
Obviously, the legitimate date of birth isn't going to go through those filters because it is for someone who's under 18. So, kid goes all through life, maybe all through school. And as they get out and start doing things like applying for student loans. Which is one of the really common ways we see it in our call center. Then they come to find out, I have this whole credit history. And guess what? It's a terrible credit history. And they have to clean that up before they can even begin to launch into adulthood. >> (chuckles) Okay, so, when people find out. What should they do? What's the right thing to do? I just get rejected on a credit application. Some weird thing gets flagged. What should people do first? >> There's a couple things and the first one is don't panic. Because we do have resources out there to help folks. One of them is the Identity Theft Resource Center. All of our services are completely free to the public. We're a charity, non-profit, funded by grants, donations, and sponsorships. They should also look into what they might have in their back pocket already. There are a lot of insurance policy writers for things like your homeowners insurance, sometimes even your renters insurance. So, you might already have a benefit that you pay for in another way. There are a lot of plans within employee benefit packages. So, if you work for a company that has a reasonably robust package, you might have that help there as well. And then the other thing is if you really feel like you're overwhelmed and you don't have the time. You can always look into hiring a service provider and that's a legitimate thing to do as long as you know who you're doing business with. And realize you're going to be paying for that convenience. But there are plenty of free resources out there. And then the last one is the Federal Trade Commission. They have some wonderful remediation plans online. That you can just plug in right there.
>> And which is a great segue, 'cause you're doing a panel later today, you mentioned, with the FTC. Around data privacy and identity theft. You know, what role does the federal government have? And what is cleaning up my identity theft? What actually happens? >> Well, the federal government is one of the many stakeholders in this process. And we really believe that everybody has to be involved. So, that includes our government, that includes industry, and the individual consumers or victims themselves. So, on the government end, things like frameworks for how we need to treat data, have resources available to folks, build an understanding in a culture in our country that really understands the convenience versus security conundrum. Of course industry needs to protect and safeguard that data. And be good stewards of it, when people give it to them. And then individual consumers really need to pay attention and understand what choice they're making. It's their choice to make but it should be an educated one. >> Right, right. And it just, the whole social security card thing, is just, I find fascinating. It's always referenced as kind of the anchor data point of your identity. At the same time, you know, it's a paper card that comes after you're born. And people ask for the paper card. I mean, I got a chip on my ATM card. It just seems so archaic, the amount of times it's asked in kind of common everyday, kind of customer service engagements with your bank or whatever. Just seems almost humorous in the fact that this is supposed to be such an anchor point of security. Why? You know, when is the Social Security Administration or that record, either going to come up to speed or do you see is there a different identity thing? With biometrics or a credit card? Or your fingerprint or your retina scan? I mean, I have clear, your Portican, look at my... Is that ever going to change or is it just always?
It's such a legacy that's so embedded in who we are that it's just not going to change? It just seems so bizarre to me. >> Well, it's a classic case of we invented a tool for one purpose. And then industry decided to repurpose it. So the social security number was simply to entitle you to social security benefits. That was the only thing it was created for. Then, as we started building the credit and credit file industry, we needed an initial authenticator. And hey, look at this great thing. This is a number, it's issued to one individual. We know that there's some litmus test that they have to pass in order to get one. There's a great tool, let's use it. But nobody started talking about that. And now that we're looking at things like other type, government benefits being offered. And now, you know, credit is issued based on this number. It really kind of got away from everybody. And think about it, it used to be your military ID. And you would have your social security number painted on your rucksack, there for the world to see. It's still on our Medicare cards. It used to be on our checks. Lot of that has changed. >> That's right it was on our checks. >> It was, it was. So, we have started shifting into this. At least the thought process of, "If we're going to use something as an initial authenticator, we probably should not be displaying it, ready for anyone to see." And the big conversation, you know, you were talking about biometrics and other ways to authenticate people. That's one of the big conversations we're having right now is, "What is the solution?" Is it a repurposing of the social security number? Is it more sharing within government agencies and industry of that data, so we can authenticate people through that? Is it a combination of things? And that's what we're trying to wrestle with and work out. But it is moving forward, albeit very, very slowly. >> Yeah, the two-factor authentication seems to have really taken off recently. >> Thankfully.
>> You get the text and here's your secret code and you know, at least it's another step that's relatively simple to execute. >> Something you are, something you have, something you know. >> There you go. >> That's kind of the standard we're really trying to push. >> So, on the identity theft bad guys, how has their behavior changed since you've been in this business? Has it changed dramatically? Are the patterns of theft pretty similar? You know, how's that world evolving? 'Cause generally these things are a little bit of an arms race, you know. And oftentimes the bad guys are one step ahead of the good guys. 'Cause the good guys are reacting to the last thing that the bad guys do. How do you see that world kind of changing? >> Well, I've been in the fraud space for over 20 years. Which I hate to admit but it's the truth. >> Jeff: Ooh, well, tell me about it. >> And we do look at it sort of like a treadmill and I think that's just the nature of the beast. When you think about the fact that the thieves are they're, you know, they're doing penetration testing. And we, as the good guys, trying to prevent it. Have to be right a hundred percent of the time. The thieves only have to be right once, they know it. They also spend an extraordinary amount of time being creative about how they're going to monetize our information. The last big wave on new types of identity theft, was tax identity theft. And the federal government never really thought that that would be a thing. So when we went to online filing, there really weren't any fraud analytics. There wasn't any verification of it. So, that first filing was the one that was processed. Well, fast forward to now, we've started to address that it's still a huge problem and the number one type of identity theft. But if you had asked me ten years ago, if that would be something, I don't think I would have said yes. It seems, you know, so, you know. How do you create money out of something like that?
And so, to me, what is moving forward is that I think we just have to be really vigilant for when we leave that door unlocked, the thieves are going to push it open and burst through. And we just have to make sure we notice when it's cracked. So that we can push it closed. Because that's really I think the only way we're going to be able to address this. Is just to be able to detect and react much more quickly than we do now. >> Right, right, 'cause going to come through, right? >> Exactly they are. >> There's no wall thick enough, right? Right and like you said they only have to be right once. >> Nothing's impenetrable. >> Right, crazy. Alright Eva, we're going to leave it there and let you go off to your session. Have fun at your session and thanks for spending a few minutes with us. >> Thank you. >> Alright, she's Eva Velasquez, President and CEO of the ITRC. I'm Jeff Frick, you're watching theCUBE. Catch you next time. (upbeat electronic music)