from New York it's the cube covering escape 19 okay welcome back to the cube coverage New York City for the inaugural multi-cloud conference the first one ever in the industry is called escape 2019 we're in New York so escapee from New York City from cloud that's the conversation all the thought leaders are here and executives people thinking about the next generation architecture and top tracks are all here if it's Wednesday who's the chief information security officer for Flextronics flex let's thank you for coming on love to have see so some because security seems to be there always a top conversation you got a very busy job I do yes you heard a lot of pressure all the time it's fun it's so fun for me so yeah as a Caesar and it's always like security stop in mind right of everyone out these days yeah and it's very sir one of the most interesting job I think most of the interesting for my trophies I learned so much about our business and they have insight into so many things that's actually really great you know one of the things I was just talking about on the kind of cube conversation was you know how date is really important part of it and how data backup and recovery was built on old thinking around you know data centers failing floods hurricanes electricity gets outages but the biggest disruption in business today is security security threats and so that's the cyber security pressure it's causing CISOs to to be mindful of the best architecture the best platform do we have the right tools so I wanna get your thoughts how are you thinking about that as an organization because you are you building in-house developers are you how you how are you organizing how are you gearing up to fight the battles that need to be fought so I am and I'm with the company so if Lex is a big manufacturing company right 26 billion so we have a lot of p2p business not consumer business which is I believe a different perspective of security versus actually like a consumer company facing so and I'm if in a security team for 15 years so we put it up like security operations and the orders kind of things really right we're old school I am what school learnt everything in that right but you a lot of IOT I mean you just really achieve oh yeah Industrial tea it's one of the topic but coming back to you you're right data is actually the center in Flour business data is getting more center right you collect data from the machine you collect data actually for the business actually to make more decisions right and could be predictive maintenance could be inventory management there could be a lot of things right you have to think about it so and the funny thing is I'm real I'm the seasonal for five years 15 years with the security team 20 years with the company so I rebuilt the team always like every three four years you like it's a kind of rebirth of the team we renew we add new skills right and cloud is one of the things which I think it's a fundamental change and the change is actually with it's actually on the development side what it means with that it's a security team has to move to serve the developers and the problem if the wood school was always like it's after sort so why I secured to such an issue because we had to do patching after we found vulnerabilities right and then old network is unsecure you need to wrap something around that like we did firewall so it was always an after sort now with the cloud it's changing because you have a lot of different things to do but basically we need to enable developers to be very quick and deploy their software very quickly so you know it is a fundamental change in the way you have to think the particular yeah and then that brings up the good question love to ask you because given you guys again not a consumer like Capital One yeah they don't challenge they got they weren't hacked Amazon actually the firewall was misconfigured an s3 bucket but that's a consumer company you have data though you're an industrial company got a lot of industrial IOT ransomware folks are targeting data yes and everyone's a target it's your surface area is large but you probably lock that down in the past so how are you thinking about all this new stuff so yeah I mean IOT it's I mean I would tease the problem as you said Industrial right it's not solved yet completely right because they still have to rethink a lot of the vendors providing this machinery which you've purchased for 25-30 years right this Silla wood school right sometimes like the one witness you can't upgrade or whatever such basic things they'd be lacking actually in terms of security there still has to be a shift in this you know not just in the industry but in a general thinking how you do that yes I have a big environment so we locked it down we use a lot of innovative technologies actually preventive measurements was also detected measuring and you need to create kind of mightily a concept where you actually start okay what is if this figures how we test it okay this face do we have other measurements where we can try to prevent measure stop those kind of things right but Wrentham is a big one there's other things as you know like hacking I mean they're kept in I was healing probably the capital one was an interesting money my I believe in that for the cloud its configuration issues right which I think it comes with cloud security it's about policy and configuration management right how you manage that and how you think about it but it's not it was not a nation gonna solve that I mean that's a open s3 bucket that's trivial I wasn't a big yes and no you look if you look at that it was a little bit more in detail so it was actually the back firewall was misconfigured which is a mod security running on a fresh air but the Miss configuration was actually a SS as server surgery force request issue which means like you tricked this firewall in giving you information you shouldn't give you so it was a little bit more granular as people think it was right just as free pocket configuration so it was a little bit more greener but I think that's the word the difficult comes about it which every security it's a complex problem right it's the many things you have - configuration error it was a configuration dumb as an s3 bucket no it was not rounded more sophisticated but not that sophisticated was it yellow what the change I would not sophisticated but something it's not easy to solve so you have to think about it but you're right it's still something exploit from a corner case it's still something you could have I mean I I'm careful to say you could have avoided yes you could because that's for sure but I know it's a complex environment right I'm not a human as humans involved and I know I don't know that eaters exactly we only know that once it's published right so it's very hard to to charge well let's bring some cloud security so let me ask you on multi-cloud this is a multi cloud conference what's your definition of multi-cloud how do you look at the multiple clouds for me more debris cloud is actually doesn't matter we had the good keynote where I said it's a bunch of service right that's how I see my two cloud it's a bunch of service could be my data centers in the public cloud data centers with different vendors that's what a cow is where I move my services should be actually independent from the public hybrid on-premise whatever it is right that's basically how I see it so it doesn't matter it's infrastructure on demand leverage it leverage it it could be say hey today I spin off this test server but you know what today it seems to be a cheaper all running on the Eva Lovelace versus CPC let's do it here next day next week we might do it somewhere else whatever you trigger whatever what is your requirements so you'd only look at that resource that like that how do you think about the cloud security then because the configurations compliance how do you how do you stay on top of that so that's an interesting thing because we a big enterprise but we as you said know consumer business so our problem is to find the right skill set to attract the right people to our company to do that right because this is our we have some cloud but it's not yet there's a journey we are trying to do as most of the enterprise so we're looking into startups managed services we say okay where are the gaps where we have to really have to outsource some of the things and gaps where we need to get information what's your advice to other CISOs out there that are in the b2b space of none other deal to consumer but I have to get serious that is now becoming more industrialized on the IOT side because you guys have been you know been there done that you have a big footprint on the IOT because you're history but as people get more facilities and they have more virtual offices more people working the edge is extending what's your advice to those CEOs who have to deal with this industrial and IOT edge I think you have to visibility is the key ingredient is first right if you don't know what you have it's very hard to understand what's the risk portfolios right so you need to find the right to set and don't believe you know what they have it's fantastic what you see when you use the right tool what this is everything is connected I mean basically even like I found like this coffee market I connect the devices right it's like like everyone just don't understand like it's kind of light poles get both wake multi-threaded processor what is that doing so there's I mean but visibility is a key ingredient so you have to understand and then you have to look into how you might take a terrace what is your risk about it right I mean if the coffee mug goes down I don't really care but if my testicles sound and I shut down the production I really care about that so you need to understand that risk and say how can i mitigating risk so while I got you here what's your final question what's your message to suppliers out there that all want to sell you something they want to sell you another tool you know an another tool you know I got a platform I got a tool you mean this here 750 which is existing now like the cybersecurity if you go to I say conferences unbelievable right it's like I want to sell you something you're the top dog I use shrinking suppliers down are you looking at some sort of standard API way to deal with them because you know you're obviously probably thinking about platforming and data visibility is critical what's your philosophy on how to support medieval suppliers so usually honestly the most time I really go in so for innovative technology we built in our company our so-called strategic partnership program were being it for startups and most of the time we engage we start of services or through other channels right but you get introduced and you review with a proof of concept of value the technology and we try to keep it like as a minimum value product very short time and say okay let's show what you can where your gaps are and can we get with you guys and come and get you but don't send me an email don't call me because I usually not react I have a job to do so that's most of the time where the disease were what comes all of the guys that hey I found another scissors tell me there's great technology you should look into that and what shows do you go to what events do you hang out and what are good events for you in this in the space RSA Red Hat black depth on are there certain events that you go to that you think are valuable I mean it's easily I go to the to the RSA Conference ership because actually it's very close to me as well yeah and being part being out of Santa C I recommend the b-sides actually I like the peace sign that these guys are great the pieces are great I think they are real value and then I try to a smaller circus I'd be a fun person around papers there's b-sides for folks watching is an alternative group of community industry participants they have kind of a b-side of a side like an album but it's essentially community event they do hackathons and variety of other cool things where people get together very unstructured kind of cool conference addition to bigger conferences I can't recommend desk yeah bitch thanks for coming on and sharing your insights there's pleasure there's a cube coverage here in New York City we're not escaping from the University escape conference the first multi-cloud conference in the industry we'll see how it goes if they're successful they might be back next year if not they won't be but I think multi-class here today what do you think okay great thanks for coming on I'm John Fourier thanks for watching

(upbeat music) >> Announcer: From New York, it's The Cube. Covering ESCAPE/19. (upbeat music) >> Welcome back to The Cube coverage New York City for the inaugural multi-cloud conference. The first one ever in the industry. It's called Escape 2019. We're in New York so escaping from New York, escaping from cloud, that's the conversation. All the thought leaders are here and executives. People thinking about the next generation architecture and talk tracks are all here. Fritz Wetschnig who's the Chief Information Security Officer for Flextronics. >> Flex, yes. >> Flex, thank you for coming on. Love to have CISOs on because security seems to be always the top conversation. You got a very busy job. >> I do yes. (laughing) >> You're under a lot of pressure all the time >> It's fun, it's still fun for me. So, yeah, a CISO, it's always like security's top in mind, right, of everyone now these days. But it's still one of the most interesting jobs. The most interesting for my job is, I learn so much about our business and to have insight into so many things that's actually really great. >> You know, one of the things I was just talking about on a Cube conversation was, you know, how data is a really important part of it and how data backup and recovery was built on old thinking around, you know, data centers failing, floods, hurricanes, electricity gets outages, but the biggest disruption in business today is security, security threats and so that's cybersecurity pressure is causing CISOs to be mindful of the best architecture the best platform. Do we have the right tools? So I want to get your thoughts. How are you thinking about that as an organization, because are you building in-house developers? Are you, how are you organizing, how are you gearing up to fight the battles that need to be fought? >> So, I am with the company, So Flex is a big manufacturing company, right. 26 billion, so we have a lot of P2P business not consumer business, which is I believe a different perspective of security versus actually like a consumer company facing, so and I'm in a security team for 15 years, so we built it up like security operations and all those kind of things we do, right. >> You're old school. >> I am old school learned everything and that, right? >> But you're lot are IOT, I mean, you're Industrial IOT. >> Oh yeah, Industrial IOT it's one of the topics but coming back to you, you're right, data is actually the center even for our business, data is getting more and more center, right. You collect data from the machine, you collect data actually for the business actually to do make more decisions, right. And it could be predictive maintenance, could be inventory management. There could be a lot of things, right. You have to think about it. So, and the funny thing is, I'm real, I'm the CISO now for 5 years, 15 years with the security team, 20 years with the company, So I rebuilt the team always like every three, four years like as a kind of rebirth of the team. We renew, we add new skills, right. And cloud is one of the things, which I think it's a fundamental change and the change is actually, it's actually on the development side. What it means with that is the security team has to move to serve the developers. And the problem with the old school was always like it's afterthought. So why is security such an issue? Because we had to do patching after we found vulnerabilities, right. And then old network is not secure you need to wrap something around it like we did firewalls. So it was always an afterthought. Now with the cloud, it's changing because you have a lot of different things to do but basically we need to enable developers to be very quick and deploy their software very quickly, so I think it's a fundamental change in the way you have to think about security. >> And yeah, that brings up the good question I would love to ask you 'cause you've given, again you're not a consumer, like Capital One with in-house, they had their own channel, they weren't hacked. Amazon, actually the firewall was misconfigured, on an SV Bucket but that's a consumer company. You have data though, you're an industrial company, got a lot of industrial IOT. Ransomware folks are targeting data. >> Yes. >> And everyone's a target. Your service area is large. But you probably lock that down in the past. So how are you thinking about all this new stuff? >> So yeah, I mean, IOT it's, I mean, IOT's a problem, as you said, the industrial right. And it's not solved yet completely, right. Because they still have to rethink a lot of the vendors providing this machinery, which you purchase for twenty five, thirty years, right. They still are old school, right, sometimes, like, the one on Windows you can't upgrade or whatever. So it's basic things they're lacking actually in terms of security. There's still, has to be a shift in this, not just in industry but in a general thinking, how you do that. Yes, I have a big environment, so we locked it down, we use a lot of innovative technologies, actually preventive measurements plus also detective measurements. And you need to create kind of mightily a concept where you actually start, okay, what is if this fails? How we test it? Okay, this fails, do we have other measurements where we can try to prevent, stop those kind of things, right. But ransom is a big one. There's other things, as you know, like hacking, I mean, like Capitol One. >> Malware's a big problem. >> The Capital One was an interesting one in my belief and that's for the cloud is configuration issues, right, which I think it comes with cloud security. It's about policy and configuration management, right. How you manage that and how you think about it, but it's not, it's was not that. >> Automation could have solve that, I mean, that's an open S3 bucket, that's trivial. It wasn't a big, technical. >> Yes and no, if you look at that it was a little bit more in detail, >> Okay. >> So it was actually, their back firewall was misconfigured, which is about security running on a back check, but the misconfiguration was actually is, as (mumbles) force request issue, which means, like, you tricked this firewall into giving you information you shouldn't give information, right. >> John: Okay, so it was a little bit more. So, it was a little bit more granular as people think it was, right. Just as 3-pocket configuration. So it was a little bit more granular, but I think that's the really difficultly comes about whichever security. It's a complex program, right. It's mainly things you have. >> But it was a configuration error? >> It was a configuration. >> It wasn't as dumb as an S3 bucket. >> No, it wasn't dumb. >> But it was a bit more sophisticated, but not that sophisticated, was it? On a scale of 1 to 10. >> It was not sophisticated, but something, it's not easy to solve. So you have to think about it, but you're right, it's still something. >> John: It's an exploit from a corner case. >> Yeah, it's still something you could have. I mean, I'm careful to say you could have avoided it, yes you could, because that's for sure, but I know it's a complex environment, right. >> It's a human, there's humans involved. >> And I don't know the details exactly, we only know that what was published, right, so it's very hard to check. >> Well, it brings up cloud security, so let me ask you, on multi-cloud, this is a multi-cloud conference. What's your definition of multi-cloud? How do you look at the multiple-clouds? >> For me, multiple-cloud is, actually it doesn't matter. We had a good keynote words, it's a bunch of servers, right. That's how I see multi-cloud. It's a bunch of servers. Could be my data centers in a public cloud data centers with different vendors, that's what a cloud is. Where I move my services should be actually independent from the public hyper on premise, whatever it is, right. That's basically how I see it. >> So it doesn't matter, it's infrastructure. >> Yeah. >> On demand, leverage it. >> Leverage it, it could be say, hey today, I spin of this test server, but you know what, today it seems to be a bit cheaper running on (mumbles) verses GBC, let's do it here. Next day, next week we might do it somewhere else, whatever you trigger, whatever what is your requirements. >> So if going to look at that resource at like that, how do you think about the cloud security then, because the configurations, compliance, how do you, how do you stay on top of that? >> So, that's an interesting thing because we have begun to prioritize but we, as you said, no consumer business, so our problem is to find the right skill set, to attract the right people to our company to do that right because this is our, we have some cloud, but it's not yet, there's a journey we are trying to do, as most of the enterprise, so we're looking into startups, manage services, We say, okay what are gaps that we have to maybe have to outsource some of the things and gaps where we need to get internal source of supply. >> What's you're advice to other CISOs out there that are in the B2B space of don't have to deal with the consumer but have to get serious, that is now becoming more industrialized on the IOT side because you guys have been, you know, been there, done that, you have a big footprint on the IOT, 'cause you have a history. But as people get more facilities and they have more virtual offices, more people working, the edge is extending. What's your advice to those CISOs who have to deal with this industrial end IOT edge? >> I think you have to, visibility is the key ingredient is first, right. If you don't know what you have, it's very hard to understand what's a risk portfolio, right. So, you need to find the right toolset, and don't believe you know what you have. It's fantastic what you see when you use the right tool what distance everything is connected. I mean, basically even, like, I found like, this coffee mug, you know. I connect it to devices, right. It's like, not like everyone, not just that they don't understand my coffee mug is connected to (laughing). >> That light bulb's got multithreaded processor. What is that doing? >> So, so there's concerns, I may, but visibility is a key ingredient you have to understand. And then you have to look into how you mitigate a risk. What is a risk about it, right. I mean, if the government goes down, I don't really care, but if my testos goes down and does shut down the production, I really care about that. So you need to understand that the risk and say, how can I mitigate the risk? >> So while I got you here, what's you final question? What's your message to suppliers out there that all want to sell you something? Want to sell you another tool, you know. Want another tool? You know, I got a platform. I got a tool. Buy from me. >> You mean, to sell 750 watches (drowned out by laughter) If you go to ISA conferences, unbelievable, right. >> I want to sell you something. You're the top dog, I promise. >> Don't send me an email. >> Don't send them an email. Are you shrinking suppliers down? Are you looking at some kind of standard API way to deal with them? >> Yes. >> Because, you know, you're probably thinking about platforming, and date of visibility's critical. >> Yes. >> What's you philosophy on how to support video suppliers? >> So usually, honestly, the most time I really go it so for in the weight of technology we built in our company is called the Strategic Partnership Program where we can get for startups, and most of the time we engage, we startups overseas, or as through other channels, right. Where you get introduced, and you review, with the proof of work concept or value, the technology, and we try to keep it like a mini product, very short time, and say, okay, let's show what you can, where your gaps are, and can we get with you guys and can we get you. But don't send me an email, don't call me because I usually not react. I have a job to do. (laughing) >> Yeah, exactly. >> So that's most of the time, whatever we sees, what comes or if, a guy said hey, I found another CISOs tell me there's great technology, you should leap into that. >> And what shows do you go to? What events do you hang out in? What are good events for you in the space, RSA, Red Hat, Black Defcon? Are there certain events you go to that you think are valuable? >> I mean, as a CISO, I go to the RSA Conference, which I should because it's actually very close to me as well, and being part, being out of San Jose, I recommend the BSides, actually. I like the BSides. >> John: The BSides are great. >> The BSides are great. I think they are real, really. And then I try to smaller circles, right. We have our personal round tables. >> BSides for folks watching is an alternative group of community, industry participants, they have kind of a B-side, an A-side, like an album. But it's such a community event. They do hacker funds and a variety of other cool things where people get together, very unstructured kind of, cool conference, in addition to bigger conferences. >> I can recommend this. >> Yeah, awesome. Fritz, thanks for coming on and sharing your insights. >> Thanks. >> Been a pleasure. The Cube coverage in New York City, we're not escaping from New York but this is the Escape Conference, the first multi-cloud conference in the industry, we'll see how it goes. If they're successful, they might be back next year. If not, they won't be. But I think multi-cloud's going to stay. What do you think? >> I am think so too, yes. >> Okay, Fritz, thanks for coming on. I'm John Furrier, thanks for watching. (upbeat music)