Fritz Wetschnig, Flex | ESCAPE/19

(upbeat music)

>> Announcer: From New York, it's The Cube. Covering ESCAPE/19.

(upbeat music)

>> Welcome back to The Cube coverage New York City for the inaugural multi-cloud conference. The first one ever in the industry. It's called Escape 2019. We're in New York so escaping from New York, escaping from cloud, that's the conversation. All the thought leaders are here and executives. People thinking about the next generation architecture and talk tracks are all here. Fritz Wetschnig who's the Chief Information Security Officer for Flextronics.

>> Flex, yes.

>> Flex, thank you for coming on. Love to have CISOs on because security seems to be always the top conversation. You got a very busy job.

>> I do yes. (laughing)

>> You're under a lot of pressure all the time.

>> It's fun, it's still fun for me. So, yeah, a CISO, it's always like security's top in mind, right, of everyone now these days. But it's still one of the most interesting jobs. The most interesting for my job is, I learn so much about our business and to have insight into so many things that's actually really great.

>> You know, one of the things I was just talking about on a Cube conversation was, you know, how data is a really important part of it and how data backup and recovery was built on old thinking around, you know, data centers failing, floods, hurricanes, electricity gets outages, but the biggest disruption in business today is security, security threats and so that's cybersecurity pressure is causing CISOs to be mindful of the best architecture the best platform. Do we have the right tools? So I want to get your thoughts. How are you thinking about that as an organization, because are you building in-house developers? Are you, how are you organizing, how are you gearing up to fight the battles that need to be fought?

>> So, I am with the company, So Flex is a big manufacturing company, right. 26 billion, so we have a lot of P2P business not consumer business, which is I believe a different perspective of security versus actually like a consumer company facing, so and I'm in a security team for 15 years, so we built it up like security operations and all those kind of things we do, right.

>> You're old school.

>> I am old school learned everything and that, right?

>> But you're lot are IOT, I mean, you're Industrial IOT.

>> Oh yeah, Industrial IOT it's one of the topics but coming back to you, you're right, data is actually the center even for our business, data is getting more and more center, right. You collect data from the machine, you collect data actually for the business actually to do make more decisions, right. And it could be predictive maintenance, could be inventory management. There could be a lot of things, right. You have to think about it. So, and the funny thing is, I'm real, I'm the CISO now for 5 years, 15 years with the security team, 20 years with the company, So I rebuilt the team always like every three, four years like as a kind of rebirth of the team. We renew, we add new skills, right. And cloud is one of the things, which I think it's a fundamental change and the change is actually, it's actually on the development side. What it means with that is the security team has to move to serve the developers. And the problem with the old school was always like it's afterthought. So why is security such an issue? Because we had to do patching after we found vulnerabilities, right. And then old network is not secure you need to wrap something around it like we did firewalls. So it was always an afterthought. Now with the cloud, it's changing because you have a lot of different things to do but basically we need to enable developers to be very quick and deploy their software very quickly, so I think it's a fundamental change in the way you have to think about security.

>> And yeah, that brings up the good question I would love to ask you 'cause you've given, again you're not a consumer, like Capital One with in-house, they had their own channel, they weren't hacked. Amazon, actually the firewall was misconfigured, on an SV Bucket but that's a consumer company. You have data though, you're an industrial company, got a lot of industrial IOT. Ransomware folks are targeting data.

>> Yes.

>> And everyone's a target. Your service area is large. But you probably lock that down in the past. So how are you thinking about all this new stuff?

>> So yeah, I mean, IOT it's, I mean, IOT's a problem, as you said, the industrial right. And it's not solved yet completely, right. Because they still have to rethink a lot of the vendors providing this machinery, which you purchase for twenty five, thirty years, right. They still are old school, right, sometimes, like, the one on Windows you can't upgrade or whatever. So it's basic things they're lacking actually in terms of security. There's still, has to be a shift in this, not just in industry but in a general thinking, how you do that. Yes, I have a big environment, so we locked it down, we use a lot of innovative technologies, actually preventive measurements plus also detective measurements. And you need to create kind of mightily a concept where you actually start, okay, what is if this fails? How we test it? Okay, this fails, do we have other measurements where we can try to prevent, stop those kind of things, right. But ransom is a big one. There's other things, as you know, like hacking, I mean, like Capital One.

>> Malware's a big problem.

>> The Capital One was an interesting one in my belief and that's for the cloud is configuration issues, right, which I think it comes with cloud security. It's about policy and configuration management, right. How you manage that and how you think about it, but it's not, it was not that.

>> Automation could have solved that, I mean, that's an open S3 bucket, that's trivial. It wasn't a big, technical.

>> Yes and no, if you look at that it was a little bit more in detail,

>> Okay.

>> So it was actually, their back firewall was misconfigured, which is about security running on a back check, but the misconfiguration was actually is, as (mumbles) force request issue, which means, like, you tricked this firewall into giving you information you shouldn't give information, right.

>> John: Okay, so it was a little bit more. So, it was a little bit more granular as people think it was, right. Just as 3-pocket configuration. So it was a little bit more granular, but I think that's the really difficulty comes about whichever security. It's a complex program, right. It's mainly things you have.

>> But it was a configuration error?

>> It was a configuration.

>> It wasn't as dumb as an S3 bucket.

>> No, it wasn't dumb.

>> But it was a bit more sophisticated, but not that sophisticated, was it? On a scale of 1 to 10.

>> It was not sophisticated, but something, it's not easy to solve. So you have to think about it, but you're right, it's still something.

>> John: It's an exploit from a corner case.

>> Yeah, it's still something you could have. I mean, I'm careful to say you could have avoided it, yes you could, because that's for sure, but I know it's a complex environment, right.

>> It's a human, there's humans involved.

>> And I don't know the details exactly, we only know that what was published, right, so it's very hard to check.

>> Well, it brings up cloud security, so let me ask you, on multi-cloud, this is a multi-cloud conference. What's your definition of multi-cloud? How do you look at the multiple-clouds?

>> For me, multiple-cloud is, actually it doesn't matter. We had a good keynote words, it's a bunch of servers, right. That's how I see multi-cloud. It's a bunch of servers. Could be my data centers in a public cloud data centers with different vendors, that's what a cloud is. Where I move my services should be actually independent from the public hyper on premise, whatever it is, right. That's basically how I see it.

>> So it doesn't matter, it's infrastructure.

>> Yeah.

>> On demand, leverage it.

>> Leverage it, it could be say, hey today, I spin of this test server, but you know what, today it seems to be a bit cheaper running on (mumbles) verses GBC, let's do it here. Next day, next week we might do it somewhere else, whatever you trigger, whatever what is your requirements.

>> So if going to look at that resource at like that, how do you think about the cloud security then, because the configurations, compliance, how do you, how do you stay on top of that?

>> So, that's an interesting thing because we have begun to prioritize but we, as you said, no consumer business, so our problem is to find the right skill set, to attract the right people to our company to do that right because this is our, we have some cloud, but it's not yet, there's a journey we are trying to do, as most of the enterprise, so we're looking into startups, manage services, We say, okay what are gaps that we have to maybe have to outsource some of the things and gaps where we need to get internal source of supply.

>> What's your advice to other CISOs out there that are in the B2B space of don't have to deal with the consumer but have to get serious, that is now becoming more industrialized on the IOT side because you guys have been, you know, been there, done that, you have a big footprint on the IOT, 'cause you have a history. But as people get more facilities and they have more virtual offices, more people working, the edge is extending. What's your advice to those CISOs who have to deal with this industrial end IOT edge?

>> I think you have to, visibility is the key ingredient is first, right. If you don't know what you have, it's very hard to understand what's a risk portfolio, right. So, you need to find the right toolset, and don't believe you know what you have. It's fantastic what you see when you use the right tool what distance everything is connected. I mean, basically even, like, I found like, this coffee mug, you know. I connect it to devices, right. It's like, not like everyone, not just that they don't understand my coffee mug is connected to (laughing).

>> That light bulb's got multithreaded processor. What is that doing?

>> So, so there's concerns, I may, but visibility is a key ingredient you have to understand. And then you have to look into how you mitigate a risk. What is a risk about it, right. I mean, if the government goes down, I don't really care, but if my testos goes down and does shut down the production, I really care about that. So you need to understand that the risk and say, how can I mitigate the risk?

>> So while I got you here, what's you final question? What's your message to suppliers out there that all want to sell you something? Want to sell you another tool, you know. Want another tool? You know, I got a platform. I got a tool. Buy from me.

>> You mean, to sell 750 watches (drowned out by laughter) If you go to ISA conferences, unbelievable, right.

>> I want to sell you something. You're the top dog, I promise.

>> Don't send me an email.

>> Don't send them an email. Are you shrinking suppliers down? Are you looking at some kind of standard API way to deal with them?

>> Yes.

>> Because, you know, you're probably thinking about platforming, and date of visibility's critical.

>> Yes.

>> What's your philosophy on how to support video suppliers?

>> So usually, honestly, the most time I really go it so for in the weight of technology we built in our company is called the Strategic Partnership Program where we can get for startups, and most of the time we engage, we startups overseas, or as through other channels, right. Where you get introduced, and you review, with the proof of work concept or value, the technology, and we try to keep it like a mini product, very short time, and say, okay, let's show what you can, where your gaps are, and can we get with you guys and can we get you. But don't send me an email, don't call me because I usually not react. I have a job to do. (laughing)

>> Yeah, exactly.

>> So that's most of the time, whatever we sees, what comes or if, a guy said hey, I found another CISOs tell me there's great technology, you should leap into that.

>> And what shows do you go to? What events do you hang out in? What are good events for you in the space, RSA, Red Hat, Black Defcon? Are there certain events you go to that you think are valuable?

>> I mean, as a CISO, I go to the RSA Conference, which I should because it's actually very close to me as well, and being part, being out of San Jose, I recommend the BSides, actually. I like the BSides.

>> John: The BSides are great.

>> The BSides are great. I think they are real, really. And then I try to smaller circles, right. We have our personal round tables.

>> BSides for folks watching is an alternative group of community, industry participants, they have kind of a B-side, an A-side, like an album. But it's such a community event. They do hacker funds and a variety of other cool things where people get together, very unstructured kind of, cool conference, in addition to bigger conferences.

>> I can recommend this.

>> Yeah, awesome. Fritz, thanks for coming on and sharing your insights.

>> Thanks.

>> Been a pleasure. The Cube coverage in New York City, we're not escaping from New York but this is the Escape Conference, the first multi-cloud conference in the industry, we'll see how it goes. If they're successful, they might be back next year. If not, they won't be. But I think multi-cloud's going to stay. What do you think?

>> I am think so too, yes.

>> Okay, Fritz, thanks for coming on. I'm John Furrier, thanks for watching.

(upbeat music)

Published Date : Oct 19 2019

SUMMARY :

Announcer: From New York, it's The Cube. escaping from cloud, that's the conversation. Flex, thank you for coming on. I do yes. But it's still one of the most interesting jobs. was built on old thinking around, you know, and all those kind of things we do, right. I mean, you're Industrial IOT. in the way you have to think about security. I would love to ask you 'cause you've given, So how are you thinking about all this new stuff? like, the one on Windows you can't upgrade or whatever. How you manage that and how you think about it, that's an open S3 bucket, that's trivial. you tricked this firewall into giving you information It's mainly things you have. But it was a bit more sophisticated, So you have to think about it, I mean, I'm careful to say you could have avoided it, And I don't know the details exactly, How do you look at the multiple-clouds? from the public hyper on premise, whatever it is, right. I spin of this test server, but you know what, begun to prioritize but we, as you said, on the IOT side because you guys have been, you know, I think you have to, What is that doing? And then you have to look into how you mitigate a risk. Want to sell you another tool, you know. If you go to ISA conferences, unbelievable, right. I want to sell you something. Are you shrinking suppliers down? Because, you know, you're probably and can we get with you guys and can we get you. there's great technology, you should leap into that. I mean, as a CISO, I go to the RSA Conference, I think they are real, really. in addition to bigger conferences. Fritz, thanks for coming on and sharing your insights. What do you think? Okay, Fritz, thanks for coming on.

ENTITIES

Entity | Category | Confidence
John | PERSON | 0.99+
Fritz Wetschnig | PERSON | 0.99+
Fritz | PERSON | 0.99+
New York | LOCATION | 0.99+
John Furrier | PERSON | 0.99+
San Jose | LOCATION | 0.99+
New York City | LOCATION | 0.99+
15 years | QUANTITY | 0.99+
5 years | QUANTITY | 0.99+
Amazon | ORGANIZATION | 0.99+
20 years | QUANTITY | 0.99+
next week | DATE | 0.99+
next year | DATE | 0.99+
1 | QUANTITY | 0.99+
four years | QUANTITY | 0.99+
Flextronics | ORGANIZATION | 0.99+
twenty five | QUANTITY | 0.99+
750 watches | QUANTITY | 0.99+
Next day | DATE | 0.99+
today | DATE | 0.99+
Capital One | ORGANIZATION | 0.99+
10 | QUANTITY | 0.98+
one | QUANTITY | 0.98+
first one | QUANTITY | 0.98+
first | QUANTITY | 0.98+
Windows | TITLE | 0.97+
thirty years | QUANTITY | 0.97+
Flex | ORGANIZATION | 0.96+
BSides | ORGANIZATION | 0.95+
Capitol One | ORGANIZATION | 0.91+
RSA Conference | EVENT | 0.89+
Chief Information Security Officer | PERSON | 0.88+
3-pocket | QUANTITY | 0.86+
Red Hat | ORGANIZATION | 0.82+
RSA | ORGANIZATION | 0.8+
ISA | EVENT | 0.77+
26 billion | QUANTITY | 0.77+
Escape Conference | EVENT | 0.71+
Cube | COMMERCIAL_ITEM | 0.71+
IOT | TITLE | 0.68+
Flex | TITLE | 0.66+
first multi- | QUANTITY | 0.66+
Cube | ORGANIZATION | 0.63+
GBC | LOCATION | 0.63+
Black Defcon | EVENT | 0.62+
Strategic Partnership Program | TITLE | 0.61+
three | QUANTITY | 0.54+
Flex | PERSON | 0.51+
Escape 2019 | TITLE | 0.51+
19 | OTHER | 0.49+
The Cube | COMMERCIAL_ITEM | 0.38+
The Cube | ORGANIZATION | 0.24+