Sam Kassoumeh, SecurityScorecard | CUBE Conversation
(upbeat music)
>> Hey everyone, welcome to this CUBE conversation. I'm John Furrier, your host of theCUBE here in Palo Alto, California. We've got Sam Kassoumeh, co-founder and chief operating officer at SecurityScorecard here remotely coming in. Thanks for coming on Sam. Security, Sam. Thanks for coming on.
>> Thank you, John. Thanks for having me.
>> Love the security conversations. I love what you guys are doing. I think this idea of managed services, SaaS. Developers love it. Operation teams love getting into tools easily and having values what you guys got with SecurityScorecard. So let's get into what we were talking before we came on. You guys have a unique solution around ratings, but also it's not your grandfather's pen test wannabe security app. Take us through what you guys are doing at SecurityScorecard.
>> Yeah. So just like you said, it's not a point in time assessment and it's similar to a traditional credit rating, but also a little bit different. You can really think about it in three steps. In step one, what we're doing is we're doing threat intelligence data collection. We invest really heavily into R&D function. We never stop investing in R&D. We collect all of our own data across the entire IPv4 space. All of the different layers. Some of the data we collect is pretty straightforward. We might crawl a website like the example I was giving. We might crawl a website and see that the website says copyright 2005, but we know it's 2022. Now, while that signal isn't enough to go hack and break into the company, it's definitely a signal that someone might not be keeping things up to date. And if a hacker saw that it might encourage them to dig deeper. To more complex signals where we're running one of the largest DNS sinkhole infrastructures in the world. We're monitoring command and control malware and its behaviors.
We're essentially collecting signals and vulnerabilities from the entire IPv4 space, the entire network layer, the entire web app layer, leaked credentials. Everything that we think about when we talk about the security onion, we collect data at each one of those layers of the onion. That's step one. And we can do all sorts of interesting insights and information and reports just out of that threat intel. Now, step two is really interesting. What we do is we go identify the attack surface area or what we call the digital footprint of any company in the world. So as a customer, you can simply type in the name of a company and we identify all of the domains, sub domains, subsidiaries, organizations that are identified on the internet that belong to that organization. So every digital asset of every company we go out and we identify that and we update that every 24 hours. And step three is the rating. The rating is probabilistic and it's deterministic. The rating is a benchmark. We're looking at companies compared to their peers of similar size within the same industry and we're looking at how they're performing. And it's probabilistic in the sense that companies that have an F are about seven to eight times more likely to experience a breach. We're an A through F scale, universally understood. Ds and Fs, more likely to experience a breach. A's we see less breaches now. Like I was mentioning before, it doesn't mean that an F is always going to get hacked or an A can never get hacked. If a nation state targets an A, they're going to eventually get in with enough persistence and budget. If the pizza shop on the corner has an F, they may never get hacked because no one cares, but natural correlation, more doors open to the house equals higher likelihood someone unauthorized is going to walk in. So it's really those three steps. The collection, we map it to the surface area of the company and then we produce a rating.
Today we're rating about 12 million companies every single day.
>> And how many people do you have as customers?
>> We have 50,000 organizations using us, both free and paid. We have a freemium tier where just like Yelp or a LinkedIn business profile. Any company in the world has a right to go claim the score. We never extort companies to fix the score. We never charge a company to see the score or fix it. Any company in the world without paying us a cent can go in. They can understand what we're seeing about them, what a hacker could see about their environment. And then we empower them with the tools to fix it and they can fix it and the score will go up. Now companies pay us because they want enterprise capabilities. They want additional modules, insights, which we can talk about. But in total, there's about 50,000 companies that at any given point in time, they're monitoring about a million and a half organizations of the 12 million that we're rating. It sounds like Google.
>> If you want to look at it.
>> Sounds like Google Search you got going on there. You got a lot of search and then you create relevance, a score, like a ranking.
>> That's precisely it. And that's exactly why Google Ventures invested in us in our Series B round. And they're on our board. They looked and they said, wow, you guys are building like a Google Search engine over some really impressive threat intelligence. And then you're distilling it into a score which anybody in the world can easily understand.
>> Yeah. You obviously have page rank, which changed the organic search business in the late 90s, early 2000s and the rest is history. AdWords.
>> Yeah.
>> So you got a lot of customer growth there potentially with the opt-in customer view, but you're looking at this from the outside in. You're looking at companies and saying, what's your security posture? Getting a feel for what they got going on and giving them scores. It sounds like it's not like a hacker proof.
It's just more of an indicator for management and the team.
>> It's an indicator. It's an indicator. Because today, when we go look at our vendors, business partners, third parties we're flying blind. We have no idea how they're doing, how they're performing. So the status quo for the last 20 years has been perform a risk assessment, send a questionnaire, ask for a pen test and audit evidence. We're trying to break that cycle. Nobody enjoys it. They're long tail. It's a trust without verification. We don't really like that. So we think we can evolve beyond this point in time assessment and give a continuous view. Now, today, historically, we've been outside in. Not intrusive, and we'll show you what a hacker can see about an environment, but we have some cool things percolating under the hood that give more of a 360 view outside, inside, and also a regulatory compliance view as well.
>> Why is the compliance of the whole third party thing that you're engaging with important? Because I mean, obviously having some sort of way to say, who am I dealing with is important. I mean, we hear all kinds of things in the security landscape, oh, zero trust, and then we hear trust, supply chain, software risk, for example. There's a huge trust factor there. I need to trust this tool or this container. And then you got the zero trust, don't trust anything. And then you've got trust and verify. So you have all these different models and postures, and it just seems hard to keep up with.
>> Sam: It's so hard.
>> Take us through what that means 'cause pen tests, SOC reports. I mean the clouds help with the SOC report, but if you're doing agile, anything DevOps, you basically would need to do a pen test like every minute.
>> It's impossible. The market shifted to the cloud. We watched and it still is. And that created a lot of complexity, not to date myself.
But when I was starting off as a security practitioner, the data center used to be in the basement and I would have lunch with the database administrator and we talk about how we were protecting the data. Those days are long gone. We outsource a lot of our key business practices. We might use, for example, ADP for a payroll provider or Dropbox to store our data. But we've shifted and we no longer know who that person is that's protecting our data. They're sitting in another company in another area unknown. And I think about 10, 15 years ago, CISOs had the realization, Hey, wait a second. I'm relying on that third party to function and operate and protect my data, but I don't have any insight, visibility or control of their program. And we were recommended to use questionnaires and audit forms, and those are great. It's good hygiene. It's good practice. Get to know the people that are protecting your data, ask them the questions, get the evidence. The challenge is it's point in time, it's limited. Sometimes the information is inaccurate. Not intentionally, I don't think people intentionally want to go lie, but Hey, if there's a $50 million deal we're trying to close and it's dependent on checking this one box, someone might bend a rule a little bit.
>> And I said on theCUBE publicly that I think pen test reports are probably being fudged and dates being replicated because it's just too fast. And again, today's world is about velocity on developers, trust on the code. So you got all kinds of trust issues. So I think verification, the blue check mark on Twitter kind of thing going on, you're going to see a lot more of that and I think this is just the beginning. I think what you guys are doing is scratching the surface. I think this outside in is a good first step, but that's not going to solve the internal problem that's still coming and have big surface areas. So you got more surface area expanding. I mean, IOT's coming in, the Edge is coming fast.
Never mind hybrid on-premise cloud. What's your organizations do to evaluate the risk and the third party? Hands shaking, verification, scorecards. Is it like a free look here or is it more depth to it? Do you double click on it? Take us through how this evolves.
>> John it's become so disparate and so complex, because in addition to the market moving to the cloud, we're now completely decentralized. People are working from home or working hybrid, which adds more endpoints. Then what we've learned over time is that it's not just a third party problem, because guess what? My third parties behind the scenes are also using third parties. So while I might be relying on them to process my customer's payment information, they're relying on 20 vendors behind the scene that I don't even know about. I might have an A, they might have an A. It's really important that we expand beyond that. So coming out of our innovation hub, we've developed a number of key capabilities that allow us to expand the value for the customer. One, you mentioned, outside in is great, but it's limited. We can see what a hacker sees and that's helpful. It gives us pointers where to maybe go ask double click, get comfort, but there's a whole nother world going on behind the firewall inside of an organization. And there might be a lot of good things going on that CISO security teams need to be rewarded for. So we built an inside module and component that allows teams to start plugging in the tools, the capabilities, keys to their cloud environments. And that can show anybody who's looking at the scorecard. It's less like a credit score and more like a social platform where we can go and look at someone's profile and say, Hey, how are things going on the inside? Do they have two-factor auth? Are their cloud instances configured correctly? And it's not a point in time. This is a live connection that's being made. This is any point in time, we can validate that.
The other component that we created is called an evidence locker. And an evidence locker, it's like a secure vault in my scorecard and it allows me to upload things that you don't really stand for or check for. Collateral, compliance paperwork, SOC 2 reports. Those things that I always begrudgingly email. I don't want to share with people my trade secrets, my security policies, and have it sit on their exchange server. So instead of having to email the same documents out, 300 times a month, I just upload them to my evidence locker. And what's great is now anybody following my scorecard can proactively see all the great things I'm doing. They see the outside view. They see the inside view. They see the compliance view. And now they have the holy grail view of my environment and can have a more intelligent conversation.
>> Access to data and access methods are an interesting innovation area around data lineage. Tracing is becoming a big thing. We're seeing that. I was just talking with the Snowflake co-founder the other day here in theCUBE about data access and they're building a proprietary mesh on top of the clouds to figure out, Hey, I don't want to give just some tool access to data because I don't know what's on the other side of those tools. Now they had a robust ecosystem. So I can see this whole vendor risk supply chain challenge around integration as a huge problem space that you guys are attacking. What's your reaction to that?
>> Yeah. Integration is tricky because we want to be really particular about who we allow access into our environment or where we're punching holes in the firewall and piping data out of the environment. And that can quickly become unwieldy just with the control that we have. Now, if we give access to a third party, we then don't have any control over who they're sharing our information with. When I talk to CISOs today about this challenge, a lot of folks are scratching their head, a lot of folks treat this as a pet project.
Like how do I control the larger span beyond just the third parties? How do I know that their software partners, their contractors that they're working with building their tools are doing a good job? And even if I know, meaning, John, you might send me a list of all of your vendors. I don't want to be the bad guy. I don't really have the right to go reach out to my vendors' vendors knocking on their door saying, hi, I'm Sam. I'm working with John and he's your customer. And I need to make sure that you're protecting my data. It's an awkward chain of conversation. So we're building some tools that help the security teams hold the entire ecosystem accountable. We actually have a capability called automatic vendor discovery. We can go detect who are the vendors of a company based on the connections that we see, the inbound and outbound connections. And what often ends up happening John is we're bringing to the attention to our customers, awareness about inbound and outbound connections they had no idea existed. There were the shadow IT and the ghost vendors that were signed without going through an assessment. We detect those connections and then they can go triage and reduce the risk accordingly.
>> I think that risk assessment of vendors is key. I was just reading a story about this, about how a percentage, I forget the number. It was pretty large of applications that aren't even being used that are still on in companies. And that becomes a safe haven for bad actors to hang out and penetrate 'cause they get overlooked 'cause no one's using them, but they're still online. And so there's a whole, I called cleaning up the old dead applications that are still connected.
>> That happens all the time. Those applications also have applications that are dead and applications that are alive may also have users that are dead as well. So you have that problem at the application level, at the user level.
We also see a permutation of what you describe, which is leftover artifacts due to configuration mistakes. So a company just put up a new data center, a satellite office in Singapore and they hired a team to go install all the hardware. Somebody accidentally left an administrative portal exposed to the public internet and nobody knew the internet works, the lights are on, the office is up and running, but there was something that was supposed to be turned off that was left turned on. So sometimes we bring to company's attention and they say, that's not mine. That doesn't belong to me. And we're like, oh, well, we see some reason why.
>> It's his fault.
>> Yeah and they're like, oh, that was the contractor set up the thing. They forgot to turn off the administrative portal with the default login credentials. So we shut off those doors.
>> Yeah. Sam, this is really something that's not talked about a lot in the industry that we've become so reliant on managed services and other people, CISOs, CIOs, and even all departments that have applications, even marketing departments, they become reliant on agencies and other parties to do stuff for them which inherently just increases the risk here of what they have. So they inherently could be as secure as they could be, but yet exposed completely on the other side.
>> That's right. We have so many virtual touch points with our partners, our vendors, our managed service providers, suppliers, other third parties, and all the humans that are involved in that mix. It creates just a massive ripple effect. So everybody in a chain can be doing things right. And if there's one bad link, the whole chain breaks. I know it's like the cliche analogy, but it rings true.
>> Supply chain trust again. Trust who you trust. Let's see how those all reconcile. So Sam, I have to ask you, okay, you're a former CISO. You've seen many movies in the industry. Co-founded this company. You're in the front lines. You've got some cool things happening.
I can almost imagine the vision is a lot more than just providing a rating and score. I'm sure there's more vision around intelligence, automation. You mentioned vault, wallet capabilities, exchanging keys. We heard at re:Inforce automated reasoning, metadata reasoning. You got all kinds of crypto and quantum. I mean, there's a lot going on that you can tap into. What's your vision where you see SecurityScorecard going?
>> When we started the company, the rating was the thing that we sold and it was a language that helped technical and non-technical folks alike level the playing field and talk about risk and use it to drive their strategy. Today, the rating just opens the door to that discussion and there's so much additional value. I think in the next one to two years, we're going to see the rating become standardized. It's going to be more frequently asked or even required or leveraged by key decision makers. When we're doing business, it's going to be like, Hey, show me your scorecard. So I'm seeing the rating get baked more and more into the lexicon of risk. But beyond the rating, the goal is really to make the world a safer place. Help transform and rise the tide. So all ships can lift. In order to do that, we have to help companies, not only identify the risk, but also rectify the risk. So there's tools we build to really understand the full risk. Like we talked about the inside, the outside, the fourth parties, fifth parties, the real ecosystem. Once we identified where are all the Fs and bad things, well, then what? So couple things that we're doing. We've launched a pro serve arm to help companies. Now companies don't have to pay to fix the score. Anybody, like I said, can fix the score completely free of charge, but some companies need help. They ask us and they say, Hey, I'm looking for a trusted advisor. A Sherpa, a guide to get me to a better place or they'll say, Hey, I need some pen testing services.
So we've augmented a service arm to help accelerate the remediation efforts. We're also partnered with different industries that use the rating as part of a larger picture. The cyber rating isn't the end all be all. When companies are assessing risk, they may be looking at financial ratings, ESG ratings, KYC AML, cyber security, and they're trying to form a complete risk profile. So we go and we integrate into those decision points. Insurance companies, all the top insurers, re-insurers, brokers are leveraging SecurityScorecard as an ingredient to help underwrite for cyber liability insurance. It's not the only ingredient, but it helps them underwrite and identify the help and price the risk so they can push out a policy faster. First policy is usually the one that's signed. So time to quote is an important metric. We help to accelerate that. We partner with credit rating agencies like Fitch, who are talking to board members, who are asking, Hey, I need a third party, independent verification of what my CISO is saying. So the CISO is presenting the rating, but so are the proxy advisors and the ratings companies to the board. So we're helping to inform the boards and evolve how they're thinking about cyber risk. We're helping with the insurance space. I think that, like you said, we're only scratching the surface. I can see, today we have about 50,000 companies that are engaging a rating and there's no reason why it's not going to be in the millions in just the next couple years here.
>> And you got the capability to bring in more telemetry and see the new things, bring that into the index, bring that into the scorecard and then map that to potential any vulnerabilities.
>> Bingo.
>> But like you said, the old days, when you were dating yourself, you were in a glass room with a door lock and key and you can see who's two folks in there having lunch, talking database. No one's going to get hurt. Now that's gone, right?
So now you don't know who's out there and machines. So you got humans that you don't know and you got machines that are turning on and off services, putting containers out there. Who knows what's in those payloads. So a ton of surface area and complexity to weave through. I mean only is going to get done with automation.
>> It's the only way. Part of our vision includes not attempting to make a faster questionnaire, but rid ourselves of the process all altogether and get more into the continuous assessment mindset. Now look, as a former CISO myself, I don't want another tool to log into. We already have 50 tools we log into every day. Folks don't need a 51st and that's not the intent. So what we've done is we've created today, an automation suite, I call it, set it and forget it. Like I'm probably dating myself, but like those old infomercials. And look, and you've got what? 50,000 vendors business partners. Then behind there, there's another a hundred thousand that they're using. How are you going to keep track of all those folks? You're not going to log in every day. You're going to set rules and parameters about the things that you care about and you care depending on the nature of the engagement. If we're exchanging sensitive data on the network layer, you might care about exposed database. If we're doing it on the app layer, you're going to look at application security vulnerabilities. So what our customers do is they go create rules that say, Hey, if any of these companies in my tier one critical vendor watch list, if they have any of these parameters, if the score drops, if they drop below a B, if they have these issues, pick these actions and the actions could be, send them a questionnaire. We can send the questionnaire for you. You don't have to send pen and paper, forget about it. You're going to open your email and drag the Excel spreadsheet. Those days are over. We're done with that. We automate that.
You don't want to send a questionnaire, send a report. We have integrations, notify Slack, create a Jira ticket, pipe it to ServiceNow. Whatever system of record, system of intelligence, workflow tools companies are using, we write in and allow them to expedite the whole. We're trying to close the window. We want to close the window of the attack. And in order to do that, we have to bring the attention to the people as quickly as possible. That's not going to happen if someone logs in every day. So we've got the platform and then that automation capability on top of it.
>> I love the vision. I love the utility of a scorecard, a verification mark, something that could be presented, credential, an image, social proof. To security and an ongoing way to monitor it, observe it, update it, add value. I think this is only going to be the beginning of what I would see as much more of a new way to think about credentialing companies.
>> I think we're going to reach a point, John, where and some of our customers are already doing this. They're publishing their scorecard in the public domain, not with the technical details, but an abstracted view. And thought leaders, what they're doing is they're saying, Hey, before you send me anything, look at my scorecard securityscorecard.com/securityrating, and then the name of their company, and it's there. It's in the public domain. If somebody Googles scorecard for certain companies, it's going to show up in the Google Search results. They can mitigate probably 30, 40% of inbound requests by just pointing to that thing. So we want to give more of those tools, turn security from a reactive to a proactive motion.
>> Great stuff, Sam. I love it. I'm going to make sure when you hit our site, our company, we've got camouflage sites so we can make sure you get the right ones. I'm sure we got some copyright dates.
>> We can navigate the decoys. We can navigate the decoy sites.
>> Sam, thanks for coming on.
And looking forward to speaking more in depth on showcase that we have upcoming Amazon Startup Showcase where you guys are going to be presenting. But I really appreciate this conversation. Thanks for sharing what you guys are working on. We really appreciate. Thanks for coming on.
>> Thank you so much, John. Thank you for having me.
>> Okay. This is theCUBE conversation here in Palo Alto, California. Coming in from New York City is the co-founder, chief operating officer of securityscorecard.com. I'm John Furrier. Thanks for watching.
(gentle music)
Breaking Analysis: Tech Spending Powers the Roaring 2020s as Cloud Remains a Staple of Growth
>> From theCUBE Studios in Palo Alto and Boston, bringing you data driven insights from theCUBE and ETR, this is Breaking Analysis with Dave Vellante.
>> Last year in 2020 it was good to be in tech and even better to be in the cloud, as organizations had to rely on remote cloud services to keep things running. We believe that tech spending will increase seven to 8% in 2021. But we don't expect investments in cloud computing to sharply attenuate, when workers head back to the office. It's not a zero sum game, and we believe that pent up demand in on-prem data centers will complement those areas of high growth that we saw last year, namely cloud, AI, security, data and automation. Hello everyone, and welcome to this week's Wikibon CUBE Insights powered by ETR. In this breaking analysis we'll provide our take on the latest ETR COVID survey, and share why we think the tech boom will continue, well into the future. So let's take a look at the state of tech spending. Fitch Ratings has upped its outlook for global GDP to 6.1% from January's 5.3% projection. We've always expected tech spending to outperform GDP by at least 100 to 200 basis points, so we think 2021 could see 8% growth for the tech sector. That's a massive swing from last year's 5% contraction, and it's being powered by spending in North America, a return of small businesses, and, the massive fiscal stimulus injection from the U.S.-led central bank actions. As we'll show you, the ETR survey data suggests that cloud spending is here to stay, and a dollar spent back in the data center doesn't necessarily mean less spending on digital initiatives, generally and cloud specifically. Moreover, we see pent up demand for core on-prem data center infrastructure, especially networking. Now one caveat, is we continue to have concerns for the macro on-prem data storage sector. There are pockets of positivity, for example, Pure Storage seems to have accelerating momentum.
But generally the data suggests the cloud and flash headroom, continue, to pressure spending on storage. Now we don't expect the stock market's current rotation out of tech. We don't expect that that changes the fundamental spending dynamic. We see cloud, AI and ML, RPA, cybersecurity and collaboration investments still hovering above, that 40% net score. Actually cybersecurity is not quite there, but it is a priority area for CIOs. We'll talk about that more later. And we expect that those high growth sectors will stay steady in ETR's April survey along with continued spending on application modernization in the form of containers. Now let me take a moment to comment on the recent action in tech stocks. If you've been following the market, you know that the rate on the 10-year Treasury note has been rising. This is important, because the 10-year is a benchmark, and it affects other interest rates. As interest rates rise, high growth tech stocks, they become less attractive. And that's why there's been a rotation, out of the big tech high flyer names of 2020. So why do high growth stocks become less attractive to investors when interest rates rise? Well, it's because investors are betting on the future value of cash flows for these companies, and when interest rates go up, the future values of those cash flows shrink, making the valuations less attractive. Let's take an example. Snowflake is a company with a higher revenue multiple than pretty much any other stock, out there in the tech industry. Revenues at the company are growing more than 100%, last quarter, and they're projected to have a revenue of a billion dollars next year. Now on March 8th, Snowflake was valued at around $80 billion and was trading at roughly 75x forward revenue. Today, toward the middle the end of March, Snowflake is valued at about 50 billion or roughly 45x forward revenue.
So lower growth companies that throw off more cash today become more attractive in a rising rate climate because the cash they throw off today is more valuable than it was in a low rate environment. The cash is there today versus a high flying tech company where the cash is coming down the road and doesn't have to be discounted on a net present value basis. So the point is, this is really about math, not about fundamental changes in spending. Now the ETR spending data has shown consistent upward momentum, and that cycle is continuing, leading to our sanguine outlook for the sector. This chart here shows the progression of CIO expectations on spending over time, relative to previous years. And you can see the steady growth in expectations each quarter, hitting 6% growth in 2021 versus 2020 for the full year. ETR estimates show, and they do this with a 95% confidence level, that spending is going to be up between 5.1 to 6.8% this year. We are even more optimistic accounting for recent upward revisions in GDP. And spending outside the purview of traditional IT, which we think will be a tailwind, due to digital initiatives and shadow tech spending. ETR covers some of that, but it is really a CIO heavy survey. So there's some parts that we think can grow even faster than ETR survey suggests. Now the positive spending outlook, it's broad based across virtually all industries that ETR tracks. Government spending leads the pack by a wide margin, which probably gives you a little bit of heartburn. I know it does for me, yikes. Healthcare is interesting. Perhaps due to pent up demand, healthcare has been so busy saving lives that it has some holes to fill. But look at the sectors at 5% or above. Only education really lags notably. Even energy, which got crushed last year, showing a nice rebound. Now let's take a look at some of the strategies that organizations have employed during COVID, and see how they've changed. 
Look, the picture is actually quite positive in our view. This data shows the responses over five survey snapshots, starting in March of 2020. Most people are still working from home, that really hasn't changed much. But we're finally seeing some loosening of the travel restrictions imposed last year, there's a notable drop in canceled business trips. It's still high, but it's a very promising trend. Quick aside, looks like Mobile World Congress is happening in late June in Barcelona. The host of the conference just held a show in Shanghai and 20,000 attendees showed up. theCube is planning to be there in Barcelona along with TelcoDr, who took over Ericsson's 65,000 square foot space when Ericsson tapped out of the conference. We are good together we're going to lay out the future of the digital telco, in a hybrid: physical slash virtual event. With the ecosystem of telcos, cloud, 5G and software communities. We're very excited to be at the heart of reinventing the event experience for the coming decade. Okay, back to the data. Hiring freezes, way down. Look at new IT deployments near flat from last quarter, with big uptick from a year ago. Layoffs, trending downward, that's really a positive. Hiring momentum is there. So really positive signs for tech in this data. Now let's take a look at the work from home survey data. We've been sharing this for several quarters now, remember, the data showed that pre pandemic around 15 to 16% of employees worked remotely. And we had been sharing the CIOs expected that figure to slowly decline from the 70% pandemic levels and come into the spring in the summer, hovering in the 50% range. But then eventually landing in the mid 30s. Now the current survey shows 31%. So, essentially, it's exactly double from the pre COVID levels. 
It's going to be really interesting to see because across the board organizations are reporting big increases in productivity as a result of how they've responded to COVID in the remote work practices and the infrastructure that's been put in place. And look, a lot of workers are expecting to stay remote. So we'll see where this actually lands. My personal feelings, the number is going to be higher than the low 30s. Perhaps well into the mid to upper 30s. Now let's take a look at the cloud and on-prem MCS. So we're a little bit out on a limb here with a can't have a cake and eat it too scenario. Meaning pent up demand for data center infrastructure on-prem is going to combine with the productivity benefits of cloud in the digital imperative. So that means that technology budgets are going to get a bigger piece of the overall spending pie, relative to other initiatives. At least for the near term. ETR asked respondents about how the return to physical is going to impact on-prem architectures and applications. You can see 63% of the respondents had a cloud friendly answer, as shown in the first two bars. Whereas 30% had an on-prem friendly answer, as shown in the next three bars. Now, what stands out is that only 5% of respondents plan to increase their on-prem spend to above pre COVID levels. Sarbjeet Johal pinged me last night and asked me to jump into a Clubhouse session with Martin Casado and the other guys from Andreessen Horowitz. They were having this conversation about the coming cloud backlash. And how cloud native companies are spending so much, too much, in their opinion, on AWS and other clouds. And at some point, as they scale, they're going to have to claw back technology infrastructure on-prem, due to their AWS vague. I don't know. This data, it certainly does not suggest that that is happening today. 
So the cloud vendors, they keep getting more volume, you would think they're going to have better prices and better economies of scale than we'll see on-prem. And as we pointed out, the repatriation narrative that you hear from many on-prem vendors is kind of dubious. Look, if AWS, Azure, and Google can't provide IT infrastructure and better security than I can on-prem, then something is amiss. Now however, they are creating an oligopoly. And if they get too greedy and get hooked on the margin crack of cloud, they'd better be careful, or they're going to become the next regulated utility. So, it's going to be interesting to see if the Andreessen scenario has (laughs) legs, maybe they have another agenda, maybe a lot of their portfolio companies have ideas around doing things to help on-prem. Why are we so optimistic that we'll see a stronger 2021 on-prem spend if the cloud continues to command so much attention? Well, first, because nearly 20% of customers say there will be an uptick in on-prem spending. Second, we saw in 2020 that the big on-prem players, Dell, VMware, Oracle, and SAP in particular, and even IBM made it through okay. And they've managed to figure out how to work through the crisis. And finally, we think that the lines between on-prem and cloud, and hybrid and cross cloud and edge will blur over the next five years. We've talked about this a lot, that abstraction layer that we see coming, and there's some real value opportunities there. It'll take some time. But we do see there that the traditional vendors are going to attack those new opportunities and create value across clouds and hybrid systems and out to the edge. Now, as those demarcation lines become more gray, a hybrid world is emerging that is going to require hardware and software investments that reduce latency and are proximate to users, buildings and distributed infrastructure. 
So we see spending in certain key areas continuing to be strong across the board, will require connecting on-prem to cloud and edge workloads. Here's where it CIOs see the action, asked to cite the technologies that will get the most attention in the next 12 months. These seven stood out among the rest. No surprise that cyber comes out as top priority, with cloud pretty high as well. But interesting to see the uptick in collaboration and networking. Execs are seeing the importance of collaboration technologies for remote workers. No doubt, there's lots of Microsoft Teams in that bar. But there's some pent up demand it seems for networking, we find that very interesting. Now, just to put this in context, in a spending context. We'll share a graphic from a previous breaking analysis episode. This chart shows the net score or spending momentum on the vertical axis. And the market share or pervasiveness in the ETR data set on the horizontal axis. The big four areas of spend momentum are cloud, ML and AI, containers and RPA. This is from the January survey, we don't expect a big change in the upcoming April data, we'll see. But these four stand out above the 40% line that we've highlighted, which to us is an indicator of elevated momentum. Now, note on the horizontal axis only cloud, cloud is the only sector that enjoys both greater than 60% market share on the x axis, and is above the 40% net score line on the y axis. So even though security is a top priority as we were talking about earlier, it competes with other budget items, still right there certainly on the horizontal axis, but it competes with other initiatives for that spend momentum. Okay, so key takeaways. Seven to 8% tech spending growth expected for 2021. Cloud is leading the charge, it's big and it has spending momentum, so we don't expect a big rotation out of cloud back to on-prem. Now, having said that, we think on-prem will benefit from a return to a post isolation economy. 
Because of that pent up demand. But we caution we think there are some headwinds, particularly in the storage sector. Rotation away from tech in the stock market is not based on a fundamental change in spending in our view, or demand, rather it's stock market valuation math. So there should be some good buying opportunities for you in the coming months. As money moves out of tech into those value stocks. But the market is very hard to predict. Oh, 2020 was easy to make money. All you had to do is buy high growth and momentum tech stocks on dips. 2021, it's not that simple. So you got to do your homework. And as we always like to stress, formulate a thesis and give it time to work for you. Iterate and improve when you feel like it's not working for you. But stay current, and be true to your strategy. Okay, that's it for today. Remember, these episodes are all available as podcasts wherever you listen. So please subscribe. I publish weekly in siliconangle.com and wikibon.com and always appreciate the comments on LinkedIn. You can DM me @dvellante or email me at david.vellante@siliconangle.com. Don't forget to check out etr.plus where all the survey data science actually resides. Some really interesting things that they're about to launch. So do follow that. This is Dave Vellante. Thanks for watching theCube Insights powered by ETR. Good health to you, be safe and we'll see you next time.
ENTITIES
Entity | Category | Confidence |
---|---|---|
David | PERSON | 0.99+ |
Amazon | ORGANIZATION | 0.99+ |
Dave Vellante | PERSON | 0.99+ |
Justin Warren | PERSON | 0.99+ |
Sanjay Poonen | PERSON | 0.99+ |
IBM | ORGANIZATION | 0.99+ |
Clarke | PERSON | 0.99+ |
David Floyer | PERSON | 0.99+ |
Jeff Frick | PERSON | 0.99+ |
Dave Volante | PERSON | 0.99+ |
George | PERSON | 0.99+ |
Dave | PERSON | 0.99+ |
Diane Greene | PERSON | 0.99+ |
Michele Paluso | PERSON | 0.99+ |
AWS | ORGANIZATION | 0.99+ |
Sam Lightstone | PERSON | 0.99+ |
Dan Hushon | PERSON | 0.99+ |
Nutanix | ORGANIZATION | 0.99+ |
Teresa Carlson | PERSON | 0.99+ |
Kevin | PERSON | 0.99+ |
Andy Armstrong | PERSON | 0.99+ |
Michael Dell | PERSON | 0.99+ |
Pat Gelsinger | PERSON | 0.99+ |
John | PERSON | 0.99+ |
ORGANIZATION | 0.99+ | |
Lisa Martin | PERSON | 0.99+ |
Kevin Sheehan | PERSON | 0.99+ |
Leandro Nunez | PERSON | 0.99+ |
Microsoft | ORGANIZATION | 0.99+ |
Oracle | ORGANIZATION | 0.99+ |
Alibaba | ORGANIZATION | 0.99+ |
NVIDIA | ORGANIZATION | 0.99+ |
EMC | ORGANIZATION | 0.99+ |
GE | ORGANIZATION | 0.99+ |
NetApp | ORGANIZATION | 0.99+ |
Keith | PERSON | 0.99+ |
Bob Metcalfe | PERSON | 0.99+ |
VMware | ORGANIZATION | 0.99+ |
90% | QUANTITY | 0.99+ |
Sam | PERSON | 0.99+ |
Larry Biagini | PERSON | 0.99+ |
Rebecca Knight | PERSON | 0.99+ |
Brendan | PERSON | 0.99+ |
Dell | ORGANIZATION | 0.99+ |
Peter | PERSON | 0.99+ |
Clarke Patterson | PERSON | 0.99+ |